Phishing just got a little less tedious

I know I shouldn’t merely reference others’ blog posts, but this is just too good. Kuza55 has written up how a phisher can very easily get around the phishing filters implemented in IE7, Firefox and Opera.


London Car Bombs and Internet Forums

Richard M. Smith wrote on funsec:

Subject: Tracking down the London bombers via an IP address

Was London bomb plot heralded on web?

Internet forum comment from night before: “London shall be bombed”

Hours before London explosives technicians dismantled a large car bomb in the heart of the British capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist Internet forums, saying: “Today I say: rejoice, by Allah, London shall be bombed.”

CBS News found the posting, which went on for nearly 300 words, on the “al Hesbah” chat room. It was left by a person who goes by the name Abu Osama al-Hazeen, who appears regularly on the forum. The comment was posted on the forum, according to the time stamp, at 08:09 a.m. British time on June 28 — about 17 hours before the bomb was found early on June 29.

Al Hesbah is frequently used by international Sunni militant groups, including al Qaeda and the Taliban, to post propaganda videos and messages in their fight against the West.

There was no way for CBS News to independently confirm any connection between the posting made Thursday night and the car bomb found Friday.

Al-Hazeen’s message begins: “In the name of God, the most compassionate, the most merciful. Is Britain longing for al Qaeda’s bombings?”

Al-Hazeen decries the recent knighthood of controversial author Salman Rushdie as a blow felt by all British Muslims. “This ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the crusaders’ attacks on all Muslim lands,” he said, in an apparent reference to the British role in Iraq.

This is, of course, scary and interesting, but I’d like to concentrate on the subject line of Richard’s message:
Tracking down the London bombers via an IP address

The more important thing to note here is the fact that these cyber-terrorism forums have a real connection to real terrorism, rather than how they may be used to try and track the bad guys down (although that is, of course, interesting).

It may be stating the obvious, and these forums are likely already tracked. I am unsure whether this article will hurt plausible current surveillance efforts, but I am sure that stating the obvious about this connection between the real and virtual worlds, when it comes to terrorism, is important.

Gadi Evron,


IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems (Not to mention other
automotive products)

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the

Which I didn’t read.

Then, this thread happened:

> – — “Suresh Ramasubramanian” wrote:
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I had been drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
Hmm — I was going to say 127.1 miles apart, but that’s not a v6
address… 1918 miles apart?


PDF spam

Lately I have been getting more and more PDF-based spam; the PDF itself appears to be just a cover for the usual image spam. The idea, I believe, is that most spam filters do not inspect PDF attachments, so a PDF is not treated as a “score giver” (i.e. something that makes the email look more spam-like than others).

BTW: At first glance I thought it was malware or an exploit that uses the PDF as its carrying bag, but after a day’s work of investigating and probing the file with various (non-standard) PDF readers, I concluded that it had nothing to do with malware or an exploit :) Kudos to me :P
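As an added example (my own code, not something from the post above), here is a small Python heuristic that does the one thing the post says most filters skip: it opens the PDF attachment and asks whether it is image-only, which is the signature of a cover PDF wrapping image spam. The two sample PDFs are constructed inline for the example; the parser is deliberately minimal (flat dictionaries, uncompressed or FlateDecode streams only), enough for such spam but not a general PDF parser.

```python
"""Image-only PDF heuristic for a spam filter (added example, not from the post)."""
import re
import zlib

# Image XObjects declare /Subtype /Image in their dictionary.
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")
# A stream object: its dictionary, then the raw bytes between stream/endstream.
# Assumes flat (non-nested) dictionaries, which is what cover PDFs use.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# Text-showing operators in a content stream: (string) Tj or [array] TJ.
TEXT_OP_RE = re.compile(rb"\)\s*Tj|\]\s*TJ")


def _decode(stream_dict, data):
    """Undo FlateDecode if the stream declares it; pass other data through."""
    if b"/FlateDecode" in stream_dict:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return b""  # corrupt stream: treat as containing no text
    return data


def pdf_features(pdf):
    """Return (image_count, text_operator_count) for a PDF's bytes."""
    images = len(IMAGE_RE.findall(pdf))
    text_ops = 0
    for stream_dict, data in STREAM_RE.findall(pdf):
        if IMAGE_RE.search(stream_dict):
            continue  # pixel data, not a page content stream
        text_ops += len(TEXT_OP_RE.findall(_decode(stream_dict, data)))
    return images, text_ops


def spam_score(pdf):
    """Score contribution for the attachment: images with no text at all is
    the classic image-spam signature; a little text is still suspicious."""
    images, text_ops = pdf_features(pdf)
    if images and text_ops == 0:
        return 3.0
    if images and text_ops < 5:
        return 1.5
    return 0.0


# --- constructed sample input (not real spam) ----------------------------
def _stream(entries, data):
    """Build one stream object body with a correct /Length."""
    return (b"<< " + entries + b" /Length " + str(len(data)).encode()
            + b" >>\nstream\n" + data + b"\nendstream")

# Spam-style cover PDF: one 1x1 RGB image, a page that only draws it, no text.
IMAGE_ONLY_PDF = (
    b"%PDF-1.4\n1 0 obj\n"
    + _stream(b"/Type /XObject /Subtype /Image /Width 1 /Height 1"
              b" /ColorSpace /DeviceRGB /BitsPerComponent 8", b"\xff\x00\x00")
    + b"\nendobj\n2 0 obj\n"
    + _stream(b"", b"q 300 0 0 200 0 0 cm /Im1 Do Q")
    + b"\nendobj\n")

# Ordinary PDF: a FlateDecode content stream that shows text, no images.
_TEXT_CONTENT = b"BT /F1 12 Tf 72 700 Td (Quarterly report) Tj ET"
TEXT_PDF = (
    b"%PDF-1.4\n1 0 obj\n"
    + _stream(b"/Filter /FlateDecode", zlib.compress(_TEXT_CONTENT))
    + b"\nendobj\n")

if __name__ == "__main__":
    for name, pdf in (("image-only", IMAGE_ONLY_PDF), ("text", TEXT_PDF)):
        print(name, pdf_features(pdf), spam_score(pdf))
```

The score is meant to be added to the filter's other rules, not used alone: a scanned invoice is also an image-only PDF, so the weight should stay below the filter's threshold and let the usual header and sender checks tip the balance.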


CPU vulnerabilities, the future is here?

On funsec, Richard M. Smith sent this in after spotting it on /.

Critical update for Intel Core CPUs is out
Have Intel processor? Download the fix right now
By Theo Valich: Tuesday 26 June 2007, 07:26

A COUPLE OF WEEKS ago, we heard that Dell was dealing with a certain situation considering Intel dual-core MCW and quad-core KC marchitecture, and that the company was releasing urgent BIOS and microcode versions for its line up.

We learned that the affected CPUs are the Core 2 Duo E4000/E6000, Core 2 Quad Q6600, Core 2 Xtreme QX6800, QX6700 and QX6800.

In the mobile world, people with the Core 2 Duo T5000 and T7000 need to visit Microsoft’s site, while the server guys will want to use motherboard BIOSes if they do not rely on Microsoft Windows operating systems.

A microcode reliability update is available that improves the reliability of systems that use Intel processors


Article on DDoS Tarpitting

I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.

The full article can be found at:


CFP: ISOI III (a DA workshop)

CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August, the 27th and 28th.

This time around the folks at US-CERT (Department of Homeland Security,
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

If you haven't RSVP'd yet, please do so soon. Although we have 240 seats, we are running out of space.

A web page for ISOI 3 can be found at:

27th and 28th August, 2007
Washington DC -
AED Conference Center:

Registration is mandatory; there is no cost to attend. Check our web page to see whether you qualify for a seat.


This is the official CFP for ISOI 3. Main subjects include: fast-flux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

Some of our current speakers, as you can see below, lecture on anything from Estonia's "war" to current Web 2.0 threats in the wild.

Please email as soon as possible to submit a proposal. I will gather them and give them to our committee (Jeff Moss) for review.

Current speakers (before committee decision)

Roger Thompson (Exploit Prevention Labs)
- Google AdWords... the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
- What you should be asking me as a routing vendor

John LaCour (MarkMonitor)
- Vulnerabilities used to hack sites for phishing
- Using XSS to track phishers

Dan Hubbard (Websense)
- MPack and HoneyJax (Web 2.0 honeypots)

April Lorenzen
- Fast-flux: operational update

William Salusky (AOL)
- The spammer evolves: migration to webmail

Hillar Aarelaid (Estonian CERT)
- Incident response during the recent attack

Sun Shine (Beyond Security)
- Strategic lessons from the Estonian "first Internet war"

Jose Nazario (Arbor)
- Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
- Phishing and the IRS: new methods

Danny McPherson (Arbor)
- TBA


Burp Proxy open for orders

I’m writing this purely to pass on a message. If you’ve ever used Burp Suite and have a comment about the software, now is the time to let the developers know. If you haven’t tried it yet, give it a go; you won’t regret it.

This is just to let you know that work is underway on the next release of Burp Suite, which should be available later this year. This will be a major upgrade with lots of new features in all of the tools.

At this point, it would be good to hear any other feature requests that you may have, however large or small. Please reply to me directly or join the discussion here:

and I’ll address as many as I can.

I’d be grateful if you would pass this email on to anyone else in your team who uses Burp Suite.


Plain-text FTP credentials and YouTube: a bad combination

The MOSEB campaign (Month of Search Engine Bugs) shared a good example this week of the dangers of Google dorks: FTP URLs with the username and password embedded in them (the user:password@host form), indexed for anyone to find.

Searching Google for the string “clicks from ftp @” gives 257 results.

Searching for

“clicks from ftp” with filter=0 (which switches off Google’s similar-results filtering), in turn, gives 508 results.
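As an added example (my own code, not part of the MOSEB write-up), here is a small Python scanner for the problem those search results expose: it finds every URL in a body of text whose authority part carries credentials, reports them, and redacts the password so the text can be shared or logged safely. Run it over your own pages, referrer logs or wiki dumps before Google does. The sample page is constructed for the example.

```python
"""Find and redact credentials embedded in URLs (added example, not MOSEB's)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... token; stops at whitespace or HTML/quote delimiters.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I)


def find_embedded_credentials(text):
    """Return (scheme, username, password, host) for every URL in text
    whose authority part carries a userinfo component (the '@' form)."""
    found = []
    for match in URL_RE.finditer(text):
        parts = urlsplit(match.group(0))
        if parts.username is None:
            continue  # plain host, nothing leaked
        found.append((parts.scheme.lower(), parts.username,
                      parts.password or "", parts.hostname or ""))
    return found


def redact_credentials(text):
    """Rewrite every credential-bearing URL in text so the password is
    replaced by '***'; the username and host are kept for triage."""
    def _strip(match):
        parts = urlsplit(match.group(0))
        if parts.username is None:
            return match.group(0)
        netloc = parts.hostname or ""
        if parts.port:
            netloc += ":%d" % parts.port
        userinfo = parts.username + (":***" if parts.password else "")
        return urlunsplit((parts.scheme, userinfo + "@" + netloc,
                           parts.path, parts.query, parts.fragment))
    return URL_RE.sub(_strip, text)


# Constructed sample: what a page indexed by such a Google dork might contain.
SAMPLE_PAGE = """clicks from ftp://webmaster:s3cret@ftp.example.com/pub/video.flv
a normal link: http://www.example.org/page.html
mirror: ftp://anonymous@ftp.example.net:2121/
"""

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_PAGE):
        print("leaked credential:", hit)
    print(redact_credentials(SAMPLE_PAGE))
```

Anonymous FTP logins (a username with no password) are reported but left untouched, since there is nothing secret in them; everything else gets its password masked before the text goes anywhere else.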


Microsoft really trusts IIS 7.0

The Redmond giant has switched to IIS 7.0 on its web site. Netcraft’s report shows:

IP address:
OS: Windows Server 2003
Web server: IIS/7.0
Last changed: 13-Jun-2007

They don’t care about reports like this:

Web Server Software and Malware


Safari 3.0.1 fixes three flaws – what about the others?

The recent Safari update, version 3.0.1, includes fixes for the following issues in the beta release:

Protocol Handler issue reported by Thor Larholm, CVE-2007-3186
DoS-type race condition issue reported by Aviv Raff, CVE-2007-3185
HTML handling issue reported by David Maynor, CVE-2007-2391

It took only a few days to release a fixed version, but there are many other vulnerabilities reported in Safari 3.0 Beta (for Windows and OS X) too.

But the download link for the Safari 3.0.1 Public Beta is


Next to come: Nigerian scam ads in the New York Times

Davis Freeberg wrote an excellent piece on penny-stock scammers putting advertisements in the top financial magazines. This is embarrassing enough; you’d expect Forbes to do a minimal background check on its advertisers, especially when the advertisement is stock related. But to make matters worse, Business Week and Smart Money ignored Davis’s email, while Investors Business Daily went as far as tagging this as “new and interesting investment opportunities”. Hey guys, I have a bridge to sell. Mind if I run the ad in your newspaper?

Davis also does an interesting analysis of the performance of those stocks, and sums it up well: You Can Get Better Odds In Vegas.

More here:


The Ballad of the Anonymous Explorer

Long, long ago on a planet, far, far away, a rag-tag group of explorers discovered valuable gems beneath the surface of the planet. The explorers could barely walk without stumbling over a protruding gem. “Stub a toe and find a gem”, they gleefully cried. The explorers were happy and spent much of their free time exploring the planet and enjoying the company of their fellow explorers. This was a time of love and general ‘hippiness’.

As time went on, the gems closer to the surface were exhausted and the explorers had to use their hands to scrabble into the hard soil in search of the gems. Those who had accumulated many gems retired to Alpha-9 (also known as the ‘playboy’ planet as 99.9% of the inhabitants of this planet were beautiful, 19-year-old virgins). Those who were frivolous with their gems (or greedy, some were just plain greedy) had to develop tools to help them get even deeper into the surface. These tools were, of course, of great value and the researchers separated into cabals which shared the same tools. The cabals hated each other but they at least understood that which drove them. This was the time of greed and vendettas.

As time went even further on, the tools which extracted the gems became free to all and many, many more explorers were seen taking the shuttle to this now-desolate planet. These new explorers were without cabal affiliation and were seen as immoral renegades. Some explorers paid a ransom and were taken under the wing of a particular cabal; most perished. This time was dubbed ‘the great explorer genocide’ or ‘The Civil War of our discontent’ (by the more romantic explorer-historians).

In the end times, a few new cabals decided to pay each explorer for the gems that they discovered. In this way, explorers no longer had to associate with a particular cabal. Gems were harvested at an incredible rate and the newer (smarter) cabals grew in power and influence. One of the older cabals, understandably perturbed, created a blog and whines about it daily.

This is the part of the story where a hero steps in, or Peace descends on the valley…or, some crap like that. Not in this story. This story ends with the explorers tearing each other to shreds, killing each other in droves, until a large governing body of Explorers steps in and banishes all the greedy explorers to Alpha-2 (also known as the ‘buggery’ planet…for all the obvious reasons).

The end.



Oh, did we forget to write “spam” in the subject line?

The Jerusalem Post just sent me an interesting apology today. Here is how I would summarize it:

“We sold the email you gave us to a third party so that they can send you advertisements. Unfortunately they forgot to mark it clearly as spam – no idea how that happened and we’ll ask future spammers to clearly say so when we sell them the list again”.

Of course they wrap it in niceties and sincere apologies; I would appreciate a proper explanation of why the email address I gave them when I asked to view an article online was later used to send me “alerts” and “updates”, not to mention handed to third parties I’m not going to vote for. BTW, this is not the first time I have gotten an advertisement from the JP, but they are usually better disguised as “informationals”.

The Jerusalem Post

Aviram Jenik (an email address reserved only for the Jerusalem Post)

Today 04:37:28 pm


In recent days, registered users of have received a paid email advertisement for Rudy Giuliani.

The bottom of this email advertisement stated that it was “Paid for by the Rudy Giuliani Presidential Committee, Inc.” However, correct practice is to mark such emails as advertising in the “Subject” box as well. Because of an internal error, this practice was not followed. We have taken steps to ensure that it will be in future.

We would like to stress again that the content of this advertisement has no connection to The Jerusalem Post newspaper or its online content, and does not reflect the editorial views of The Jerusalem Post in any way.

Commercial Department

The Jerusalem Post online


Cracking into Windows with System Recovery – and no warning from Redmond

There was an interesting press meeting here in Finland today. Mr. Kimmo Rousku presented the Command Prompt feature of Vista’s System Recovery, i.e. how to crack into a Vista/XP/2003 computer using only Vista installation media and the System Recovery option.

This is a short version of the summary on Mr. Rousku’s web page:

This problematic security feature exists because the Windows Vista Repair Computer / System Recovery program enables the use of a command prompt without any user authentication, with the highest possible (system-level) privileges.

Cracking Windows operating systems has been possible using cracking software found on various web pages. This is the first time that cracking Windows operating systems is really easy and needs no deeper technical knowledge.

The report shows in a very detailed way how it’s possible to use the Takeown and Icacls commands to take ownership of ACL-protected files or folders too.
Mr. Kimmo Bergius, Chief Security Advisor of Microsoft Finland, confirmed today in the press meeting that there is no update coming. Additionally, Mr. Bergius states that there is documentation advising the use of hard-disk encryption and a BIOS password, BUT this documentation doesn’t mention this security problem in any way.

Yes, this is not the first time this problem has been disclosed. But where are the missing KB document, the instructions on boot order, and the benefits of encryption when switching to Vista?

The most important part comes here.

* How to protect:

1. Change the BIOS boot order to disable booting from any media other than the hard disk
2. Then set a BIOS password to prevent the bad guys from changing this setting
3. Encrypt files with EFS
4. When using laptops, you have no reason not to use hard-disk encryption!

Mr. Rousku is a well-known non-fiction writer. He works as CIO of the Finnish National Research and Development Centre for Welfare and Health (aka Stakes).

Update: Pictures from the press meeting:

Mr. Rousku
Mr. Bergius
A screenshot of System Recovery / Command Prompt menu


RSS Spam

A friend just sent me this link. Take a look.

NewsGator Online. Indeed, it’s usually a smart strategy for keeping track of your company, products and identity in the blogosphere.

Except when nude Japanese nurses sneak into the picture.

Gadi Evron,