Getting Paid For Others’ Work

As I was turning to signal my waitress for the bill, I noticed that apart from the couple in the corner, everybody else was glued to their laptops. Times have changed: people now sit in cafes for the wireless internet, a playlist on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play man-in-the-middle. Once you are sitting in the middle of things, imagine doing these:

  • Grep and replace AdSense code blocks with your own pub-id. You get paid, not the owner of the website.
  • Shove 1×1 px iframes pointing at Amazon, carrying your affiliate tag, into every page. These store a cookie with your tag in the victim’s browser, so even if she buys a book a week later, you still get your hard-earned pay.
  • Replace Facebook ads with match.com affiliate blocks.
  • Proxy DNS lookups, and when resolution fails, serve ads instead of an error page.

So how is it done? Quite simply: WLAN is merely Ethernet over the airwaves, and it deals with the same concepts, IPs, MACs and ARP. Whenever a program wishes to connect to a remote box (outside your netmask), the request is routed via the gateway, which here is the wireless router your laptop is connected to. Computers inside the local area network talk to each other in Ethernet, so when my laptop sends an IP packet to the gateway it wraps it in an Ethernet header addressed to the gateway’s MAC. ARP is the protocol used to associate IP addresses with MAC addresses, and every host caches the answers it hears without authenticating them.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an ARP announcement (also called a “gratuitous ARP”) to her computer, forcing it to associate the gateway’s IP address with my laptop’s MAC address. From then on, whatever she sends to the internet is delivered to my machine. To see the replies as well, and to keep her online so she notices nothing, I also have to poison the gateway’s entry for her address and forward the traffic in both directions; without forwarding, the victim simply loses connectivity.

I have no idea what her IP address is, and it doesn’t really matter. I can just broadcast an ARP announcement and update every ARP cache on this subnet. Consider the following command line:
C:\>arping -i "\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}" -v -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B

This broadcasts (-B) an ARP announcement for the address (-S) 192.168.0.1 (the gateway) with the MAC address (-s) of my laptop. Use Wireshark to find the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the victim’s IP address.

Note that broadcasting reaches every host on the subnet, the real gateway included, and may also pollute your own ARP cache. To get back to the real MAC address, delete the entry with ‘arp -d’ and let it be relearned.

Unlike other approaches to man-in-the-middle attacks, this one keeps you hidden. Unless you make it obvious, people won’t suspect a thing: it hijacks the existing router, does not require anyone to reconnect, and hardly anybody keeps a record of their ARP table or watches ARP traffic for bindings that change.
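As an added example (not part of the original post), here is the check a practitioner would want on the defending side: a small Python ARP watcher that parses raw Ethernet/ARP frames and flags any frame that re-binds a pinned address, such as the gateway, to a different MAC. The gateway and victim addresses are constructed, and the frame it flags is modelled on what the arping command above puts on the wire (assumed here to be a broadcast gratuitous request with the attacker’s MAC as the sender hardware address). To run it against live traffic, feed it frames from a raw socket or a pcap reader instead of the constructed list.

```python
"""ARP-poisoning detector: parse raw Ethernet/ARP frames and flag any frame whose
sender fields re-bind an IP address (the gateway, above all) to a new MAC.
Added example with constructed frames; nothing here is captured from a real network."""
import struct
from typing import Dict, Optional

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    """'00-1b-77-53-f7-2f' or '00:1b:77:53:f7:2f' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in s.replace("-", ":").split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(dst: str, src: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an Ethernet/IPv4 ARP packet (used only to build samples)."""
    return ETH.pack(mac_bytes(dst), mac_bytes(src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Tracks IP->MAC bindings seen on the wire and reports re-bindings.

    `pinned` holds bindings that must never change (the gateway, at least). Other
    bindings are learned from traffic; a change there is only a warning, since DHCP
    churn can legitimately move an address to another MAC."""

    def __init__(self, pinned: Dict[str, str]):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None                      # not ARP: nothing to check
        sha, spa = arp["sha"], arp["spa"]
        kind = "reply" if arp["op"] == ARP_REPLY else "request"
        if arp["tpa"] == spa:                # sender announcing itself
            kind = "gratuitous " + kind
        # ARP sender MAC differing from the frame's source MAC is a spoofing tell.
        if sha != arp["eth_src"]:
            return f"ALERT {spa}: ARP sender {sha} does not match frame source {arp['eth_src']}"
        if spa in self.pinned and self.pinned[spa] != sha:
            return f"ALERT {spa} is pinned to {self.pinned[spa]} but {kind} claims {sha}"
        old = self.learned.setdefault(spa, sha)
        if old != sha:
            self.learned[spa] = sha
            return f"WARN {spa} moved from {old} to {sha} ({kind})"
        return None


def demo() -> list:
    """Replay three constructed frames through the watcher and return its verdicts."""
    gw_ip, gw_mac = "192.168.0.1", "aa:bb:cc:dd:ee:01"           # constructed gateway
    victim_ip, victim_mac = "192.168.0.23", "aa:bb:cc:dd:ee:23"  # constructed victim
    attacker_mac = "00-1b-77-53-f7-2f"                           # the -s value from the post
    watch = ArpWatch(pinned={gw_ip: gw_mac})
    frames = [
        # 1. ordinary reply from the real gateway to the victim: silent
        build_arp_frame(victim_mac, gw_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # 2. broadcast gratuitous request binding the gateway IP to the attacker's MAC,
        #    modelled on `arping -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B`: alert
        build_arp_frame(BROADCAST, attacker_mac, ARP_REQUEST,
                        attacker_mac, gw_ip, "00:00:00:00:00:00", gw_ip),
        # 3. an IPv4 frame, which the watcher must ignore: silent
        ETH.pack(mac_bytes(gw_mac), mac_bytes(victim_mac), 0x0800) + bytes(28),
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The watcher deliberately treats requests and replies alike: a cache is poisoned by whatever sender fields a host chooses to believe, and most stacks update an existing entry from either kind of packet.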

Remember, just don’t be a jerk.


Vanity Search Attacks

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pit, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they have figured out an interesting way to draw potential victims to their web site, one that is much easier than sending billions of spam email messages.
The idea is simple: take a person’s name (real people’s names are available for harvesting in places like LinkedIn, Facebook and other social networks) and put it on a web page. It doesn’t really matter where, as long as Google indexes it.

Wait a while, and let that person google themselves. Many people (myself included) have a Google Alert on their name, which sends them an updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they click the link. And voilà! They arrive at the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the Google cache). None of that matters: as soon as the person reaches the page, the web spammer’s job is done. He got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection to you is.

There are many advantages to this method. First, you are not restricted in the message: the web page can openly contain the words Viagra, credit card debt and mortgage assistance without fear of triggering anti-spam software. Also, people pay more attention to the page because they think it has something to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help”, which sounds very much like a sincere, personal message, is a huge success. But that message has to get through the spam filters and has to include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course the name he was searching for (it arrives in the ‘referrer’ header the browser sends automatically to the web site). Oh, and of course, it’s cheap. You only need to put together a nice-looking web page and wait for Google to do the rest. No buying of email lists and no cost of sending spam (which nowadays means the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also takes time: days, weeks or months (which may be difficult if your web site sits on a zombie computer that might disappear by the time Google indexes it and the user comes to the site). But because the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.


Linus and the “Security Circus”

Ladeeeeez and gentlemen!

Well, methinks Linus is going to be “security villain of the week” for a few days again.

http://www.networkworld.com/news/2008/081408-torvalds-security-circus.html?hpg1=bn
Problem is, he’s actually got a good point.  Unfortunately, his use of “security circus” is going to be read as covering the whole security community, when he is actually referring to the lunatic fringes at both ends of the “disclosure” spectrum.  There are those who still cling to the outdated and disproved dogma of “security by obscurity,” and there are the self-promoters (with egos the size of the MS Windows Vista source code) who are eager to trumpet any little flaw they find as a “security” vulnerability.  Those of us in the trenches have been trying for years to keep vendors and consultants from using these arguments on the uninformed.  Linus is saying the same thing.  He’s as frustrated as we are, and for the same reasons.  He just uses more sensational phrases.


The Security Question Vulnerability

How easy is it to break into your Gmail account? How about Yahoo! or Windows Live?
If you gave a truthful answer to the security question during signup, it is probably quite easy to hijack your account with just a little research.

Take a look at the Yahoo! Security Questions:

[Image: Yahoo! security questions]

Are these security questions?

Anyone who knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding heard about it in the ceremony; in case you couldn’t make it, we met on the roof of a bus in Ladakh, India, in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out makes them a security vulnerability in my Yahoo! account.
By letting me make a security key out of the name of my first school, Yahoo! actually puts me at risk, allowing anyone who knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”.

Windows Live is pretty much the same as Yahoo!:

[Image: Windows Live security questions]
Gmail is a little more sophisticated, with one major difference:
[Image: Gmail security questions]

Gmail is the only one of these three that allows you to choose your own question.
By letting you do that, Gmail is asking “which question can only you answer?” I think that most people will still come up with “Who is my favorite singer”, “What is my date of birth” or “My dog’s name”.
However, that isn’t a security vulnerability encouraged by Google. If they give you the tools and you fail to use them, it’s not their fault.

So, what can we do about it?
If you can write your own question, that is best. If not, choose the question about the name of your first school and put your first phone number as the answer. That’s what I did! :) Better still, treat the answer as a second password: a random string that you keep in your password manager, so that neither research nor guessing helps an attacker.

Got better ideas? Share them with us!


That device on my work computer - was it there yesterday?

Bank robbers who used a remote control device to take over a bank employee’s mouse cursor have now been jailed, the headlines report.

We can’t expect an ordinary worker to know whether USB sticks, Bluetooth-enabled peripherals, innocent-looking hardware keyloggers and the like connected to their desktop computer (or even their laptop) are malicious rather than something installed by local IT support.

This Swedish worker recognized an odd device connected to his workstation, but the target organization is not so lucky every time. The “employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable that ended up under his desk.

It’s worth mentioning that this remote control device had been installed on the bank workstation during a previous break-in, during which nothing was stolen from the building.

Therefore, the ways to protect against these threats are not the typical ones:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors often have the opportunity to connect such devices
* Keep an inventory of the devices that are supposed to be attached to each machine, so that a new entry stands out when you do look


MIDP and MIDlets put tens of millions of Nokia S40 phones in danger

Polish security researcher Adam Gowdiak is the only person in the world (we really hope he is!) who knows the details of the recent J2ME vulnerabilities affecting Nokia mobile phones.

The research material includes information about a

reliable MIDP 2.0 privilege elevation technique for Nokia Series 40 devices

and a

Nokia specific exploitation technique leading to the remote and persistent deployment of a backdoor shell application into the target Nokia Series 40 phone

Mr. Gowdiak has tested 7 Nokia Series 40 models.

Needless to say, this information in the hands of bad guys is dangerous.

As for the affected devices: Nokia Series 40 3rd Edition and 3rd Edition Feature Pack 2 are affected.


CloudAV

A few media sources seem to be picking up a press release from the University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on “CloudAV,” a project and series of papers about having antivirus detection run “in the cloud” rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on here.  CloudAV is not really a new approach; it is simply the use of multiple scanners, which the AV research community has advocated for years.  It’s like having a bunch of scanners installed on your desktop, or a system like VirusTotal, except that the scanners run on different computers, so you get a bit of a performance advantage (absent the bandwidth lag/drain of submitting files to multiple systems).


Malware du Jour

ESET, the anti-malware company for which I work, has just published its half-yearly report on global malware trends, based on data generated by automatic threat-tracking systems. Few people who read this blog will be interested in the marketing aspects of that document, but I thought you might find some of the conclusions interesting.

  • We’ve noticed (actually over far longer than six months) a huge number of detections of malware that uses the Windows AutoRun facility to self-install from removable media (USB flash drives, CDs and so on). It may seem slightly surprising that other vendors haven’t flagged this trend particularly, but it doesn’t mean they don’t detect the same things: it’s just that we have a heuristic that highlights that trend. In the same way, another vendor has a detection that highlights a high proportion of iFrame exploits. We’re very aware of the ever-increasing volume of web-hosted threats, but we don’t have an exact equivalent to that heuristic, so that particular trend isn’t so obvious from our (prevalence-based) figures.
  • Possibly Unwanted Applications (PUAs) and other adware and spyware detections occupy several places in our top ten. That’s not a complete novelty, but the impact of the Virtumonde Trojan in particular is dramatic. Virtumonde is a real pain: its authors work hard at hiding it from specific anti-malware products, and it can be grim trying to remove it from a system when it’s in memory. Leaving it there isn’t much of an option, either: it has a habit of pounding an infected system with so much advertising that it becomes unusable.
  • There’s been a dramatic decline in the use of email to distribute new malicious attachments: of course, it remains a prime vector for the dissemination of malicious URLs. What interested me was the sheer volume of antique mass mailers like Netsky.Q, but my guess is that these are mostly generated by unprotected home machines running obsolescent Windows versions.
  • Password stealing attacks on online gamers and haunters of metaverses like Second Life have been around for a while, too, but they’ve overtaken AutoRun exploits in the “top ten” over the past few months. And that’s not even taking into account other attacks like griefing and replicative “grey goo” style attacks.

David Harley
ESET Malware Intelligence Team


Facebook worm - and how long we have to wait for AV protection

The so-called Koobface case was covered quite widely in the IT news, but the security mailing lists only received the information on Thursday 7th August.

Kaspersky Lab reported the existence of the worm on 31st July. That is more than a week ago, yet it took several days until anti-virus protection was noticeable.

The major anti-virus vendors have the following detections now
(listed in alphabetical order):

BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
McAfee – W32/Koobface.worm
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Sunbelt Software – Net-Worm.Win32.Koobface.b
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, TrendMicro etc. yet.

The AV industry knows the alias KoobFace too.

The size of the worm is 16,384-16,652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second piece of malware, attacking Facebook users since 7th August, is a Trojan horse (Sophos uses the name Troj/Dloadr-BPL) that spreads as Google Video links posted to the Wall; it is a separate issue.

If you don’t see a detailed write-up from your own AV vendor later today, remember that it’s a DEFCON weekend and that Facebook has already started blocking these from its side.

But what we need is protection, with a delay of less than 4 or 5 days.


HTML5 client-side storage insecurities

Alberto Trivero posted an interesting whitepaper on the weaknesses of HTML5’s client-side storage features.

The paper is available here.

…and, as Juha-Matti wrote, SecuriTeam Blogs is now 3 years old. Oddly enough, after more than 1,000 posts, the most popular post is not one of Juha-Matti’s famous FAQs, Gadi’s rants or Rob’s washing-machine story. It’s a meaningless post by Noam (no offense, Noam) about IE4Linux. Go figure.


SecuriTeam Blogs - three years, 1000+ posts and towards the future

It was about three years ago, on 25th July 2005 exactly, that the First Post entry was posted to this web site.

Today, the blog statistics show that there are currently 1,037 posts and 3,435 comments written.

Time to say a big Thank You to you, readers and all blogger colleagues!


Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

“United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.”

So far, aside from the rather ill-defined reference to a “PC super bug”, I don’t have all that much of a problem. A trojan could be designed to “worm” its way into a system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use polymorphism, because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.


msApache?

InformationWeek reports that Microsoft has just become an official Apache sponsor.
The article says the sponsorship is at the “Platinum Sponsor” level, which means a donation of more than $100,000 per year.

My first reaction was “Oh no, please don’t touch this one, it works so well.”

MS and Open Source in the same sentence simply doesn’t sound right. Especially when it comes to Apache. Something tells me this is not good news. I don’t know why. On the other hand, $100K for MS is peanuts. Maybe I’m just paranoid?…


Where there’s an old technology, there’s a way …

I’m a dinosaur.  I freely admit it.  I keep using computers for far too long.  I keep using programs for even longer.

My word processor of choice is WordPerfect.  Version 4.2.  It does what I need, since most of what I do in terms of writing has to do with actual writing.  In other words, words.  Text.  I don’t care much about graphics, desktop publishing (does anyone even know what that means anymore), or mindmaps.  I’ve been using WordPerfect since 1985, although I admit I’ve moved up from 4.1 to 4.2 in the early days.  My wife uses a much more advanced version: she uses 5.1, since she does more with actually printing stuff out.
Over the years I’ve had to learn a few tricks to get WordPerfect to run, and print, with various versions of MS Windows.  (I’ve actually got a copy of WordPerfect Office 8 for Windows around, but it really was kind of a step backwards, so we’ve never really used it.)  Recently the (very old) HP LaserJet 4L that we’ve been using (for quite some time) started printing messy pages.  It was the advice of people in the printer biz that it would be cheaper to buy a new printer than to have the old one cleaned.  Since a new HP LaserJet P1005 was slightly less than $60 (getting a USB cable for it cost almost half again as much, and getting a new cartridge for the thing is even more) this seemed to be the case.

So, my Scottish soul bemoaning the fact that I was sending an almost-perfectly-good printer to the recycling centre, I got a new printer, and installed it.  The print quality is fine (slightly better than the old machine) and it even prints faster.  Under Windows, it’s just fine.

As I said, I’ve had to learn a few tricks over the years to keep the old proggie printing, so I knew about “net use lpt1:.”  DOS programs want to use the old parallel and serial ports, and desktop printers don’t come with those ports anymore: they all use USB.  So you have to install the printer, and then fake DOS out by redirecting the LPT1: output to the installed printer.  Set it up, fired up WordPerfect for a test, and tried a page.  Nothing.

Opened up the print queue and watched.  Job went to the print queue all right, stayed for about a minute, disappeared without an error–and nothing came out of the printer.  “Net use” is obviously working, but the printer isn’t.
Asked for help from HP.  Got back a message saying to turn on Microsoft Loopback Adapter.  Even had detailed instructions on how to do it.

Trouble is, MLA is only useful if you haven’t got any kind of a network.  The “net use” stuff won’t work if you haven’t got a network, so using MLA kinda pretends you’ve got a network, so the redirection stuff works perfectly happily.  (Is it just me, or is there something wrong with a technology that requires you to hack your own system to use basic and normal functions?)  Since everybody who has a high speed connection to the Internet these days (and that is a pretty large majority) has a “local” network, MLA is pretty much unnecessary.  So I replied back to HP thanking them and explaining why their workaround didn’t help much.  Got back a snarky reply saying that they were just trying to help, and telling me to do it again.  No help from HP, then.

Turned to friends.  (Probably where I should have started in the first place, right?)  Got some suggestions to use PRN2FILE (old and free), DOS2PRN (newer and shareware), and Printfil (newer and very commercial).  All of these basically do the same thing as the “net use” command, so they didn’t help very much.

Another friend looked to the online documentation at HP.  (You don’t get any documentation with printers anymore.  Not even for the installation.  If I hadn’t installed an HP combo scanner a few years back I wouldn’t even have known that you have to install the software and start the setup running before you connect the printer.  HP doesn’t even include a sheet telling you that anymore.)  As far as he was concerned it should work, since the printer I had did support the HP PCL.  Unfortunately, the documentation isn’t very good on versioning.  You see, there is not only an HP LaserJet P1005, there is also an HP LaserJet 1005, as well as an HP LaserJet 1500 series.  The HP LaserJet P1005 doesn’t have PCL.  I’d bought a (*&^@#+”~ Winprinter.

OK, that’s it, right?  Game over.  You can’t make a Winprinter, which basically expects a bitmap from MS Windows, print anything else.

Not quite.

Enter yet another friend with a pointer to http://www.columbia.edu/~em36/wpdos/winprint.html#usbprint.  Good old Columbia U.  (Good people at Columbia.  They brought us Kermit.  You’ve never heard of Kermit?  Kids these days …)  Starting there, I eventually found http://www.columbia.edu/~em36/wpdos/v5macroanyprinter.html.  I mean, how particular do you need to get?  Not only is it specifically for WordPerfect version 5.1, it even has a Ghostscript printer driver, and the macros to make it all happen with one keystroke.  Beauty job, guys.

I should also mention the Ghostscript and Ghostgum people.  I’ve actually been aware of those programs for some time.   I used to use them for reading PDFs, since it was generally quicker and more useful to use them than the Adobe reader products.  (I haven’t been able to turn WordPerfect docs into PDFs just yet: something odd with the GSviewer macro, but at least I know it’s possible.)

There’s always more than one way to skin a computerized cat …


Linus: Full Disclosure? Sure. Partially.

The Linux kernel group would be the last group of people I would expect to support obscuring helpful messages in an attempt to improve security.
Brad Spengler says it well. You should read his entire message, but the punch line is this section:

They seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security. As it should be clear to anyone actually involved in the security community, or anyone who has ever written an exploit (particularly for the myriad silently fixed vulnerabilities in Linux), this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they’re helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.

I can’t say it better than Brad, so instead I’ll say it shorter: In Security, the more information becomes public, the more secure everyone is. There are very few exceptions to this rule.


Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? M