Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

“United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.”

So far, aside from the rather ill-defined reference to a “PC super bug” I don’t have all that much of a problem. A trojan could be designed to “worm” into the system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use polymorphism because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.


Where there’s an old technology, there’s a way …

I’m a dinosaur.  I freely admit it.  I use computers for far too long.  I use programs for even longer.

My word processor of choice is WordPerfect.  Version 4.2.  It does what I need, since most of what I do in terms of writing has to do with actual writing.  In other words, words.  Text.  I don’t care much about graphics, desktop publishing (does anyone even know what that means anymore), or mindmaps.  I’ve been using WordPerfect since 1985, although I admit I’ve moved up from 4.1 to 4.2 in the early days.  My wife uses a much more advanced version: she uses 5.1, since she does more with actually printing stuff out.
Over the years I’ve had to learn a few tricks to get WordPerfect to run, and print, with various versions of MS Windows.  (I’ve actually got a copy of WordPerfect Office 8 for Windows around, but it really was kind of a step backwards, so we’ve never really used it.)  Recently the (very old) HP LaserJet 4L that we’ve been using (for quite some time) started printing messy pages.  It was the advice of people in the printer biz that it would be cheaper to buy a new printer than to have the old one cleaned.  Since a new HP LaserJet P1005 was slightly less than $60 (getting a USB cable for it cost almost half again as much, and getting a new cartridge for the thing is even more) this seemed to be the case.

So, my Scottish soul bemoaning the fact that I was sending an almost-perfectly-good printer to the recycling centre, I got a new printer, and installed it.  The print quality is fine (slightly better than the old machine) and it even prints faster.  Under Windows, it’s just fine.

As I said, I’ve had to learn a few tricks over the years to keep the old proggie printing, so I knew about “net use lpt1:.”  DOS programs want to use the old parallel and serial ports, and desktop printers don’t come with those ports anymore: they all use USB.  So you have to install the printer, and then fake DOS out by redirecting the LPT1: output to the installed printer.  Set it up, fired up WordPerfect for a test, and tried a page.  Nothing.

Opened up the print queue and watched.  Job went to the print queue all right, stayed for about a minute, disappeared without an error–and nothing came out of the printer.  “Net use” is obviously working, but the printer isn’t.

Asked for help from HP.  Got back a message saying to turn on Microsoft Loopback Adapter.  Even had detailed instructions on how to do it.

Trouble is, MLA is only useful if you haven’t got any kind of a network.  The “net use” stuff won’t work if you haven’t got a network, so using MLA kinda pretends you’ve got a network, so the redirection stuff works perfectly happily.  (Is it just me, or is there something wrong with a technology that requires you to hack your own system to use basic and normal functions?)  Since everybody who has a high speed connection to the Internet these days (and that is a pretty large majority) has a “local” network, MLA is pretty much unnecessary.  So I replied back to HP thanking them and explaining why their workaround didn’t help much.  Got back a snarky reply saying that they were just trying to help, and telling me to do it again.  No help from HP, then.

Turned to friends.  (Probably where I should have started in the first place, right?)  Got some suggestions to use PRN2FILE (old and free), DOS2PRN (newer and shareware), and Printfil (newer and very commercial).  All of these basically do the same thing as the “net use” command, so they didn’t help very much.

Another friend looked to the online documentation at HP.  (You don’t get any documentation with printers anymore.  Not even for the installation.  If I hadn’t installed an HP combo scanner a few years back I wouldn’t even have known that you have to install the software and start the setup running before you connect the printer.  HP doesn’t even include a sheet telling you that anymore.)  As far as he was concerned it should work, since the printer I had did support the HP PCL.  Unfortunately, the documentation isn’t very good on versioning.  You see, there is not only an HP LaserJet P1005, there is also an HP LaserJet 1005, as well as an HP LaserJet 1500 series.  The HP LaserJet P1005 doesn’t have PCL.  I’d bought a (*&^@#+”~ Winprinter.

OK, that’s it, right?  Game over.  You can’t make a Winprinter, which basically expects a bitmap from MS Windows, to print anything else.

Not quite.

Enter yet another friend with a pointer to http://www.columbia.edu/~em36/wpdos/winprint.html#usbprint.  Good old Columbia U.  (Good people at Columbia.  They brought us Kermit.  You’ve never heard of Kermit?  Kids these days …)  Starting there, I eventually found http://www.columbia.edu/~em36/wpdos/v5macroanyprinter.html.  I mean, how particular do you need to get?  Not only is it specifically for WordPerfect version 5.1, it even has a Ghostscript printer driver, and the macros to make it all happen with one keystroke.  Beauty job, guys.

I should also mention the Ghostscript and Ghostgum people.  I’ve actually been aware of those programs for some time.   I used to use them for reading PDFs, since it was generally quicker and more useful to use them than the Adobe reader products.  (I haven’t been able to turn WordPerfect docs into PDFs just yet: something odd with the GSviewer macro, but at least I know it’s possible.)

There’s always more than one way to skin a computerized cat …


Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.


OSCP (Offensive Security Certified Professional) Training and Challenge

I’m writing this post, as I really feel that this course needs to get more publicity. Over the last few years I have done countless security courses, and exams from some of the top players in this market, and nothing has come close to the OSCP training.

I first signed up for the training in May, as I saw it advertised on the Offensive Security website and thought that it sounded fun. At a first glance, I really wasn’t too sure about the training materials, as you get a Flash based CBT and a PDF, I initially ran through the CBT side of things in a week, when I actually got around to doing the training, and thought that it needed a bit of work. I think that I wasn’t looking at the training from the right angle, and that’s why I misjudged it, it’s not designed to teach you everything in one sitting, it’s designed to give you enough information to go away and actually spend some time researching the different areas that they cover, and in which case, it’s the best training that I’ve ever taken!

There is no way that a training course could cover everything that they cover without expecting you to go away and do some research yourself, and well to me, doing the research on my own time really paid off, as I feel that I learnt more in the time that I spent either going through the training or researching bits of it, than I have in the last 2 years.

Now on to the actual challenge that you must pass to obtain the certification, this is a live hack of a number of predefined hosts, and you have 24 hours to get through them all. You can pretty much use any publicly available exploits or even write your own to compromise these hosts, and well let me tell you, this has to be the most insane 24 hours that I have ever had. It took me 23 hours and 55 minutes, and even then I didn’t manage to fully finish the last question, but I knew that 5 minutes wouldn’t have been enough for me to finish it. Throughout the whole 24 hour period, I had 2 hours sleep, and the rest of the time was spent trying to compromise the various hosts. It may not take other people as long as it took me, but “Challenge” is definitely the right choice of words for it. If you don’t know how to exploit systems to a level where you have root/Administrator access then in no way are you ready for the Challenge.

Thankfully I made it through, and if I hadn’t I would have sat it again, but it would have been a while before I did, as it really does take it out of you. From my side though, when I come across another OSCP, I will show them the respect they deserve, as honestly, if you can get through the Challenge, then you should have a pretty good idea about how to conduct a proper penetration test, and no other training that I’ve done has ever been as hands on or in depth.

To anyone thinking about taking the course, do yourself and your employer a favour and sign up for it, you won’t regret it.


A Jew in a German Camp

I just wrote an OT post to my personal blog about the CCC Camp, but I figured it was a security camp after all, so I will link to myself here:

http://gevron.livejournal.com/8859.html


6 In The Morning

About a month back it was SecuriTeam Blogs birthday, and I have been meaning to write something about this for a while now. As we all know though, when we actually get around to doing the things that we want to, is usually an entirely different story.

I was going to write about my favourite article over the last year, but to be honest, I can’t think of an article that I didn’t enjoy either reading or writing on here, so this post is going to be a little bit different.

I’ve seen the statistics of how many returning visitors we have coming to this site on a daily basis and how many new and unique visitors we got in the last year, and all that I can honestly say is WOW! The numbers were huge, so I guess between all the bloggers on here, we must be doing something right, whether that’s writing about the latest Virus that’s doing the rounds, hiring penetration testers, botnets or running IE7 on Linux.

I think that all the bloggers that write for SecuriTeam will agree with me on this one, we’re not going to stop writing these stories, as we enjoy writing them, probably as much as you enjoy reading them. Hopefully in time the quality of our stories will exceed the levels that they’re at now, and we’ll find even more interesting things to write about. I think that in this ever evolving world that we call security, that’s really not going to be too difficult to do, and all of us on here are probably writing way too many reports anyway, so that always helps to keep the writing interesting.

So to end this post, I’d like to say a big thank you to all our readers, as you’re the people that keep this site going, we just write the articles, if it wasn’t for you, this site probably wouldn’t exist. If there are any issues that you’d like covered in the future, let us know, and we’ll do our best to oblige.


Ansible: Langford and LeGuin, take note

This is a forwarded message from a mailing list I am on. I wrote on my fun blog, but figured it is cool enough to be sent here as OT:

From: Rick Moen

The ansible has been patented.

—– Forwarded message from Dan Fingerman —–

Date: Thu, 12 Jul 2007 18:04:18 -0700 (PDT)
From: Dan Fingerman
Subject: Patent for hyper-light-speed antenna

U.S. Patent No. 6,025,810 is titled “Hyper-Light-Speed Antenna”. It
claims an antenna that can send and receive information faster than
the speed of light.
The background of the invention is described:

All known radio transmissions use known models of time
and space dimensions for sending the RF signal.

The present invention has discovered the apparent existence
of a new dimension capable of acting as a medium for RF
signals. Initial benefits of penetrating this new dimension
include sending RF signals faster than the speed of light,
extending the effective distance of RF transmitters at the
same power radiated, penetrating known RF shielding devices,
and accelerating plant growth exposed to the by-product
energy of the RF transmissions.

The patent is available at:
http://www.google.com/patents?vid=USPAT6025810
http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6025810


Two years old!

It’s been a long two years, and blogs has under-gone many changes. Heck, we now have 15K unique readers a day (not including RSS) !!
The main point behind blogs is that although we aim to provide with high-quality content, our content-generation is done mostly by our fellow site visitors. Sometimes it’s busy, sometimes it’s better. It’s always done in the same spirit and open to peer criticism. More importantly, it’s fun. :)

Sometimes we speak of news, other times of concepts and then again on low-level assembly. It is what interests our visitors which they (us) write about.

One of my personal favorite posts of all time was the one by dmitry, speaking in a very funny tone about our industry. :)
How to get a job with pen-testing team.

Truly, a must read! The comments on that post are especially good.

Before I wish us all a happy birthday and an even more productive future which we can use all we learned so far to get better in… here’s what I learned first when I started blogging, and it isn’t about security or writing…

I like mailing lists, and I participate on some, depending on time and interest concerns. Before I started blogging with SecuriTeam, I used to be more active, and felt these different discussion forums were a home. I had a problem.
I’d start talking about something there and say to myself “hey, why not write about it in blogs?” and I would. Or the other way around, I’d blog something and say “hey, wouldn’t this interest community home #21?” :P

I went through several phases before settling down on what was best:
1. Email in that I wrote about something in my blog.
2. Email in just a bit or a summary, as I don’t want to write twice, and send a link to my blog.
3. Copy the entire blog post, and add a link (which was useful when updates to the text were made).
4. Include a link to your blog in your signature.
5. Email in a copy, and unless I have a specific reason, don’t mention the blog.

I keep seeing other people repeating the above process (more or less), with minor changes as to which step comes first, and what is considered acceptable. Some people call them spammers, others just smile or pout. One thing is for sure, it is something many new bloggers who were part of at least one community before their blogging days, go through.

My problem is that I am my own worst critic, and had to feel comfortable with posting. My solution ended up being #5 (although #4 is also okay, as critics of that one are just nit-picking flamers). More specifically, I decided:

“Stop worrying. Post what you want where you want, and try to avoid duplication. Do not mention the blog. Mention URL to the blog only when you have a reason to, such as *necessary* updates that will follow.”

So, even if I did like the idea of people hearing of my blog (obviously), marketing was far from my main intent. I didn’t like the fact it ended up appearing like spam, in their eyes or in mine.

I learned how to participate in these communities while having a topical blog, which for some reason was not as straight-forward for me originally.

I enjoyed these past two years on blogs, and invite you all to start blogging with us.

What was your favorite moment on blogs? :)

Happy birthday!

Gadi.


Happy birthday securiteam blogs

As other recent posts have mentioned, these blogs have just turned 2 years old. In order to celebrate the event I wanted to look back at the archives and find a post that stood out. This is hard when you’re talking about a blog of this high calibre. I started various popular posts, they were all very well written, technically and linguistically, so I had a hard time choosing. I decided to take an alternate route, I decided to read the posts that were made around the time I joined the site, the ones that convinced me as to the greatness of this blog.

I went back to January 2006 and one post in particular jumped right out at me; Interview: Ilfak Guilfanov. This was a great post addressing what at the time was a major issue and something that made me realise just what type of people make up this blog. I suggest you have a read of that post and other similar great posts, they make great reading for a Monday morning/early afternoon.
Happy birthday blogs, may your next 2 years be even greater.


London Car Bombs and Internet Forums

Richard M. Smith wrote on Funsec:

Subject: Tracking down the London bombers via an IP address

Was London Bomb Plot Heralded On Web?

Internet Forum Comment From Night Before: “London Shall Be Bombed”

Hours before London explosives technicians dismantled a large car bomb in the heart of the British capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist Internet forums, saying: “Today I say: Rejoice, by Allah, London shall be bombed.”

CBS News found the posting, which went on for nearly 300 words, on the “al Hesbah” chat room. It was left by a person who goes by the name abu Osama al-Hazeen, who appears regularly on the forum. The comment was posted on the forum, according to time stamp, at 08:09 a.m. British time on June 28 — about 17 hours before the bomb was found early on June 29.

Al Hesbah is frequently used by international Sunni militant groups, including al Qaeda and the Taliban, to post propaganda videos and messages in their fight against the West.

There was no way for CBS News to independently confirm any connection between the posting made Thursday night and the car bomb found Friday.

Al-Hazeen’s message begins: “In the name of God, the most compassionate, the most merciful. Is Britain Longing for al Qaeda’s bombings?”

Al-Hazeen decries the recent knighthood of controversial author Salman Rushdie as a blow felt by all British Muslims. “This ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the crusaders attacks on all Muslim lands,” he said, in an apparent reference to the British role in Iraq.

This is of course, scary and interesting, but I’d like to concentrate on the subject line of Richard’s message:
Tracking down the London bombers via an IP address

The more important thing to note here, is the fact these cyber terrorism forums have a real connection to real terrorism, rather than how they may be used to try and track the bad guys down (although that is of course, interesting).

It may be stating the obvious, and these forums are likely already tracked: I am unsure if this article will hurt plausible current surveillance efforts, but I am sure stating the obvious about this connection between the real and virtual worlds when it comes to terrorism, is important.

Gadi Evron,
ge@linuxbox.org.


IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems (Not to mention other
automotive products)

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around
2010.

http://www.ivhs.com/pdf/FactSheet_OTTO_FactSheet1_101105.pdf

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the
mind….

Which I didn’t read.

Then, this thread happened:

> - — “Suresh Ramasubramanian” wrote:
>
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
>
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I was drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
>
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
Hmm — I was going to say 127.1 miles apart, but that’s not a v6
address… 1918 miles apart?


In memory of Michael Lowery

It is not every day that a member of our community passes away, especially not in such a fashion.

I feel very badly, and hope the family gets through this without unnecessary difficulties on top of what they already have to face. :(

“I’m sorry” doesn’t really cut it and I feel uncomfortable saying it. I am honoured to quote this blog post by Randy Abrams of ESET, Michael’s co-worker and friend, instead:

Not Your Typical Security Blog

Sometimes you just have to take a step back and appreciate what really matters. Security is important. The problems we face are enormous and can cost a lot of money to deal with – even more if not dealt with correctly. But for all that, there is something much more valuable – our friends.

We at ESET mourn the loss of one of our friends who passed away on Memorial Day Weekend. Mike Lowery was our Training Manager. A highly talented and skilled individual, Mike possessed a smile and heart that warmed all - he was the consummate professional and friend.

The measure of our loss is equal to the blessings we received in knowing and working with Mike.

As we continue our work at ESET we will all endeavor to honor his memory by making ESET the best company we possibly can. Great work, great fun, and great kindness are the attributes to which we at ESET can best aspire in order to honor the memory of our dear friend.

Randy Abrams
Friend of Michael Lowery

Gadi Evron.


I love Spidey! I hate Spiderman III

I figured it is high time for an off-topic post, and it was so off-topic I ended up just moving it to my “fun blog” which I haven’t updated in over a year.

Here it is just for kicks:

A friend recently wrote to the SF-hackers mailing list that she loved Spiderman III. I couldn’t resist writing how much I disagree with her. (SF-hackers is a mailing list for hackers, security dorks, old NANOG and IETF folks, etc. who love science fiction, anime, comics, etc.).

Honestly? I’d suggest to people to skip it. I love Spiderman. His sarcasm rulez!!!111!!11111111

I didn’t like the movie.

Reasons vary from too much B/S (rambling, crying, crying, rambling, more crying) to comic abuse (as a friend said “did they really put these two girls together in one film? Might as well have brought in Lois Lane”).
Did I mention the crying yet?

They were very comic-faithful in other occasions, though, such as the Church bell scene, and there were many scenes only devoted fans probably understood (mostly with old men in them).

Also, what’s with having 3 bad guys in one movie?!

As to the friendly neighborhood Spiderman jumping on flags, I found it quite cool considering it’s Spiderman III. Everything after it made me realize just how disgusting Hollywood movies are these days with politics everywhere (even 300 - spit - had a “for freedom!!” element).
The movie could only be more ideological if it mentioned Iraq. As a good friend said: “that’s why they don’t make a Captain America movie!”

I had fun, but as I read in some SF forum: “you laughed when you were supposed to cry, and cried when you were supposed to laugh”. Another comment there was “I came ready for Auntie May’s lecture, but this movie was really just too much!”

All the foreplay, no game. In the same forum I mention above someone suggested just watching the action scenes would be great (about 10 minutes out of the very long movie). I got reminded of a British late-evening (get back from the pub) show not many Brits have actually watched - Coupling. Amazing show. Cult for me.

In Coupling, Jeff often watches movies in a very similar fashion (not exact quote):
“Yeah, the nudity in that movie was amazing!”
“Jeff, it was just one scene!”
“Depends how you watch it!”

I’d rather watch a Coupling re-run, than Spiderman III.

[Important note: not the failed US version of Coupling]

Yes, as bad as it was I did have fun. I contradict myself? That’s nothing new. I love supporting different view-points, even (or especially) if they are mine. :P
On that note, at defcon 14 (2006) someone spoke with me on how I liked defcon after a prolonged discussion between goons in the speaker room on what they thought, I said “I’m having fun” or something in that playground. Paul Vixie was not convinced and chimed in: “Don’t take Gadi’s viewpoint on these things, his country is currently in war being bombed, and people die over there.”. I am not sure if he was suggesting I am not in touch with reality or being overly optimistic, but I tend to believe both of these have some merit.
As usual, not an exact quote.

Gadi Evron.


Are you a science fiction geek? SF-hackers is for you

If you are into security, anti-spam, or perhaps you are a NANOG or IETF person of old, this mailing list is for you.

To subscribe:
http://whitestar.linuxbox.org/mailman/listinfo/sf-hackers

Keep it low-traffic, keep it fun. Books, TV shows, etc. all welcome.

Gadi Evron,
ge@linuxbox.org.


CCC: Monochrom, hackers and art

One of the greatest surprises for me at 23C3 was my personal introduction to Monochrom (Wikipedia page), a group of hacker artists from Austria. I know Jacob Appelbaum.. but I had no idea about the Austrian group, or how great they are.

In very simple terms they are artists, very contemporary and very very scene-connected. Life hacking, real hacking and any type of hacking, these guys are just l33t. We need to get them a stage one evening at defcon so they can play for us.
As a quick introduction to them, sing along with their RFID song (special for 23C3). I know I did… (although I couldn’t follow their German songs, Danke sounded like a lot of fun - yes, I saw you singing Fukami!)
http://youtube.com/watch?v=Ywg53D8_iVw

For their lecture at 23C3, which is very cool and presents a lot of very interesting art projects heavily relating to hacking (not work safe! Porn! Could be considered very offensive! PG18, etc.) download the wmv:

ftp://ftp.c3d2.de/congress/23c3/monochrom-t4s3.wmv

Some of the projects they discuss include porn, indeed, but others are more interesting. They created an entirely fictional artist (Georg Paul Thomann) and had him represent Austria in an International art show (and “save” Taiwan when China wanted them out of the show). They showed (both by using 50 real Euros and with a mathematical calculation) how many times it would take to blow the several trillion Euros in circulation by going to a bank and exchanging to USD and Euro again and again, etc.

Cool people! RFID!!
Gadi Evron,
ge@linuxbox.org.
