Posted on April 19th, 2008 by Aviram
Filed under: Commentary, Privacy, Law, Culture | 10 Comments »
Anyone who has ever done serious security research has reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.
I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injection that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.
But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences - while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux-based basic communication device used by one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.
If you think the previous paragraph is a paranoid conspiracy theory, let’s talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police are trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested on kiddie porn charges, that you are not a dangerous paedophile but had no idea the link you clicked led to a kiddie porn site?
There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by GoDaddy. In the Dmitry Sklyarov case it was Adobe who got the court order.
I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) - I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?
Posted on December 20th, 2007 by Juha-Matti
Filed under: Web, Commentary, Privacy, Law, Corporate Security, Encryption | 8 Comments »
A frequent source ‘A’ sending updated NSA-Affiliated IP resources to Cryptome’s Web site has reported the following new information:
Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.
Reportedly the following services are controlled:
Hushmail - based in Canada, Guardster - based in USA, and SAFe-mail.net - based in Israel.
Link here: NSA Controls SSL Email Hosting Services
Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:
We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….
Response from Safe-mail.net Team (24th Dec) is the following:
1. We never had any contacts, direct or indirect, with the NSA or any other government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….
Update 30th Dec: Hushmail Team has posted its response yesterday to Cryptome’s Web site:
Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.
Additionally, ‘More info on industry Windows security software’ has been released:
Zone Alarm, Symantec, McAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; i.e. will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.
The post released on Cryptome.org on 1st Nov announced future updates with details related to this issue; this is the first piece of that information.
To the new readers: Cryptome: NSA has access to Windows Mobile smartphones
Posted on November 12th, 2007 by noam
Filed under: Commentary, Law | 2 Comments »
I came across this blog entry, which tries to help German citizens - and other people who are under similar circumstances - confuse the authorities that might be monitoring traffic originating from a single IP address in order to deter him (the citizen) from doing illegal things (government-stated illegal - in the German case, security research).
The project named Hayneedle tries to baffle agencies monitoring Internet traffic by generating a multitude of apparently random traffic in order to help you better hide what you are actually looking for - in layman’s terms, generate enough “noise” so that the “signal” is hidden.
In my opinion, the idea is pretty nice, but I would think that in this case a TOR-like solution would be better: the government seeks here to monitor your IP address’s access to sites, and TOR’s goal is to eliminate that ability. In any case I wish the Hayneedle project the best of luck, and hope it will make the government understand how foolish they are - no big hopes on this part.
Posted on October 28th, 2007 by Aviram
Filed under: Commentary, Privacy, Law, Culture | No Comments »
You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer whose hand is a bit quicker than the eye.
These web site traps are successful because web sites are so easy to remember that people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html. Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up – you will type McDonalds.com and expect to see the latest dollar meal menu.
But the same is true for the other popular form of communication – email. If I know the person’s name and company (or free email system) I will generally just type it up rather than look it up on my address book.
Of course, back in the hotmail days when John was john_sm1th253@hotmail.com I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on gmail, yahoo or some other free mail system, and certainly on your corporate email system.
So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address, and while it’s merely funny if a guy named Roo Taylor gets the email root@aol.com, it could actually be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can watch it from his home machine too.
I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to aviram@gmail.com (piece of cake. All you need is to have a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin who works for google. Then they sign you up for a new experimental beta google product called “google mail” and you get not only to pick your first name as login, but to send invites to a bunch of envious friends). As gmail becomes more popular I’m receiving invitations to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and, last week, a bunch of emails with the list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name was more common. I’m also pretty sure it’s still possible to register gmail accounts with common misspellings and dig out some of the emails that come out.
At the very least, this would give the bad guys a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures from an Internet cafe about his Africa safari trip. A simple typo sends the email to our bad guy, who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.
Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…
Posted on September 9th, 2007 by noam
Filed under: Commentary, Law | No Comments »
The IMF (IT-Incident Management & IT-Forensics conference) is going to be boring this year, and I am not saying this because I wasn’t invited (hint); it’s because Germany has recently passed a law that forbids:
German citizens to research, discuss or disclose security problems.
Making it illegal for German citizens to participate in the conference and possibly making the guys organizing this conference act in an illegal manner.
The only ray of light here is the fact that RUS-CERT are the guys behind it, and they might be linked high enough to avoid prosecution - hopefully.
Posted on August 25th, 2007 by gadi
Filed under: Web, Commentary, Full Disclosure, Spam, Law, Virus, Phishing, Corporate Security, Insider Threat, DDoS, Botnets, Networking, Rootkits | 1 Comment »
Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.
This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try and look at long-term solutions), rather than just us security researchers and operators (who respond, contain and mitigate incidents).
I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.
If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.
Some reporters are somewhat annoyed that entrance is barred to them, but I hope they’ll understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.
The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:
Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/
It’s going to be an interesting next week here at the swamp. Attendees better show up with their two forms of ID.
Gadi Evron,
ge@linuxbox.org.
Posted on August 13th, 2007 by Juha-Matti
Filed under: Web, Commentary, Full Disclosure, Law, Culture, Corporate Security, Encryption | 1 Comment »
Mr. Stefan Esser of the Hardened-PHP Project has announced that the exploit code from the Month of PHP Bugs is no longer available on his Web site.
The reason for this is a new law in Germany that came into force today. This new law makes it illegal to create or distribute software that could be used by someone to break into a computer system, or to prepare such a break-in.
According to Mr. Esser, this includes PoC exploits too.
But we know that the Internet remembers many things.
Posted on June 1st, 2007 by gadi
Filed under: Commentary, Spam, Law | No Comments »
Posted on May 30th, 2007 by gadi
Filed under: Commentary, Spam, Law, Culture | No Comments »
A big victory against spam. From the nwsource.com article:
A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.
Links from a friend:
Indictment & USDOJ press announcement here:
http://www.mortgagespam.com/soloway/
Early press accounts:
http://www.kndo.com/Global/story.asp?S=6587991
http://seattletimes.nwsource.com/html/nationworld/2003727576_webspam30m.html
http://seattlepi.nwsource.com/local/317795_soloway31.html?source=mypi
Update post and more documents:
http://blogs.securiteam.com/index.php/archives/919
Posted on May 10th, 2007 by Juha-Matti
Filed under: Commentary, Privacy, Law, Physical Security, Corporate Security | No Comments »
From USA Today article:
“If that information is out there, it’s very easy to find out who they are,” said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.
This is really serious now.
The subject could be “I’m a Federal Air Marshal and I bought my identity from TSA’s HD” as well.
Posted on April 17th, 2007 by Sid
Filed under: Commentary, Privacy, Full Disclosure, Law, Culture, Corporate Security | 6 Comments »
It’s been roughly two months since Accidental backdoor by ISP. Dan Goodin has written this whole thing nicely for everyone to read.
ISP ejects whistle-blowing student
Don’t forget to digg it :p
Posted on March 31st, 2007 by Aviram
Filed under: Commentary, Full Disclosure, Law | 4 Comments »
I checked with Sid why he hasn’t been answering my emails and learned that his ISP beThere disconnected him after he warned them about a trivial-to-exploit backdoor on all their customers’ routers.
The disturbing thing about this incident is that beThere were very quick to contact us asking that we take down (or modify) the article, and apparently they were fairly quick in disconnecting Sid, but when it comes to their customers’ security they are not as diligent - the problem is obviously still there.
I thought Sid was too nice when he removed the exploit details from his post (the ‘bad’ guys can get those themselves anyway) and I think I was very correct there. On the other hand I gave beThere a compliment about how fast they reacted to this incident and I was very wrong there - it seems their concern was solely about the bad PR.
Let me change my previous comment to this: If I were a beThere customer I’d be concerned about the fact there’s a gaping backdoor on my router and all my ISP is doing is to threaten and disconnect a CS student for making this fact public.
Posted on March 29th, 2007 by p1
Filed under: Commentary, Law, Culture | 2 Comments »
If you don’t know about the Julie Amero case, you probably should. The case says all kinds of disturbing things about authorities who don’t take responsibility for the technology under their control, prosecution on the basis of public outrage, total failures of forensic procedures, and media witch hunts. The case has been written about all over the place. Here’s a recent sample:
http://www.internetnews.com/bus-news/article.php/3668451
> All she appears to be guilty of is being utterly clueless about computers.
This seems to be an all-too-common theme. While I think we can all appreciate the support, in terms of outrage over the conviction itself, I wish people wouldn’t keep sounding the “clueless” drum.
(If you don’t have any background on the case, then you’re ignorant of it, correct? You might want to do a search on “Julie Amero.” I’ll wait.)
I recall, way back when I was first getting involved with info tech, an editorial in “The Computing Teacher” (as it happened). It stated that, even if you didn’t have a computer, the simple fact that you subscribed to the magazine meant you were more tech savvy than 95% of your colleagues. (It was undoubtedly correct.)
Most people only *think* they know about computers. OK, so these smart-alecs know that turning off a monitor means you don’t turn off the computer. Good for them. (I can recall working on machines where, if you did turn off the monitor, you lost the session. Guess who’d be laughing at the smart-alecs in that case …)
I work in some fairly esoteric areas of technology. Any of the bloggers, and even tech rag columnists, that have made comments about cluelessness (on the part of Julie, the school, or even our good friend Mark) would be similarly woefully ignorant of things I take for granted. Everybody is ignorant, only on different topics (to quote another Mark).
I’d say that one of the important points to be made about this whole situation is that society at large is clueless about the technology that is increasingly important in all of our lives. And that includes those of us who supposedly know about it …
Posted on March 13th, 2007 by gadi
Filed under: Commentary, Spam, Law, Culture | No Comments »
If you remember, e360 filed against Spamhaus. Now they filed against the NANAS Usenet newsgroup maintainer.
This is what happens when you open the door.
http://www.taugh.com/e360-complaint.pdf (Thanks to John L).
Gadi Evron,
ge@linuxbox.org.
Posted on March 9th, 2007 by Aviram
Filed under: Commentary, Spam, Law | No Comments »
The SEC is doing the right thing by fighting stock spam. The best way to fight the ‘pump and dump’ schemes is through the body that is responsible for controlling stock trading.
However, this is a slippery slope - is it the company’s fault that someone is running a scam on their stock? Quite the contrary - the company’s stock usually takes a dive, and unless the company’s owners are in on the scheme they have the most to lose from this fraud. Some would say the SEC is doing a favor to those companies by suspending trade, but remember how anonymous email is and how easy it is to spam millions of people - if I run a fake pump-and-dump on MSFT or GOOG (in order for it to work I would need a less high-profile stock, but you get the point) should that result in a trading suspension?
Posted on January 26th, 2007 by Juha-Matti
Filed under: Web, Commentary, Privacy, Law | No Comments »
This Wired news article reports that
A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.
The countries participating in this Xenon project are Austria, Canada, Denmark, The Netherlands and United Kingdom. They are in co-operation with Amsterdam-based data mining company Sentient Machine Research.
A very interesting detail is that the search process is deliberately very “slow”, so that it does not stand out in server logs!
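Pacing requests to stay out of the logs only defeats detection that looks at one minute at a time. The following added example (not part of the Wired report or this post) runs two views over the same constructed web-server log: a per-minute rate-limit view, which the slow crawler never trips, and a whole-log view that keys on how many distinct pages each client touched over how many hours. The log lines, IP addresses and thresholds are all constructed for illustration.

```python
# Added example (constructed data, not from the post): why a paced crawler is
# invisible to per-minute rate limits but visible to whole-log aggregation.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_log():
    """Constructed sample in Apache combined-log format: one crawler that
    fetches a new listing every 47 minutes, and one ordinary visitor who
    opens five pages in under two minutes. IPs are documentation ranges."""
    t0 = datetime(2007, 1, 20, 6, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for i in range(12):
        ts = (t0 + timedelta(minutes=47 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path=f"/shop/item{i}"))
    for i in range(5):
        ts = (t0 + timedelta(hours=3, seconds=25 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.5", ts=ts, path=f"/shop/item{i % 2}"))
    return lines


def parse(lines):
    """Yield (ip, timestamp, path) for each well-formed log line; skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)


def burst_alerts(lines, per_minute=10):
    """Rate-limit view: IPs with more than `per_minute` hits in one clock minute."""
    counts = defaultdict(int)
    for ip, ts, _ in parse(lines):
        counts[(ip, ts.replace(second=0))] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > per_minute})


def slow_crawler_alerts(lines, min_pages=10, min_span_hours=6.0):
    """Whole-log view: IPs that touched many distinct pages over a long span,
    regardless of how low their request rate was.
    Returns {ip: (distinct_pages, span_hours, hits_per_hour)}."""
    per_ip = defaultdict(list)
    for ip, ts, path in parse(lines):
        per_ip[ip].append((ts, path))
    alerts = {}
    for ip, hits in per_ip.items():
        times = sorted(ts for ts, _ in hits)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        pages = {path for _, path in hits}
        if len(pages) >= min_pages and span_h >= min_span_hours:
            alerts[ip] = (len(pages), round(span_h, 2), round(len(hits) / span_h, 2))
    return alerts
```

On the sample log `burst_alerts` returns nothing, while `slow_crawler_alerts` flags only the paced crawler (12 pages over about 8.6 hours at well under two requests per hour).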