SecuriTeam Blogs - three years, 1000+ posts and towards the future

It was about three years ago - exactly on 25th July 2005 - that the First Post entry was posted to this Web site.

Today, the blog statistics show that there are currently 1,037 posts and 3,435 comments written.

Time to say a big Thank You to you, readers and all blogger colleagues!


Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

“United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.”

So far, aside from the rather ill-defined reference to a “PC super bug” I don’t have all that much of a problem. A trojan could be designed to “worm” into the system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use polymorphism because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.


msApache?

InformationWeek reports that Microsoft has just become an official Apache sponsor.
The article says that the sponsorship is at the “Platinum Sponsor” level, which means a donation of more than $100,000 per year.

My first reaction was “Oh no, please don’t touch this one, it is working so well.”

MS and Open Source in the same sentence simply doesn’t sound right. Especially when it comes to Apache. Something tells me this is not good news. I don’t know why. On the other hand, $100K for MS is peanuts. Maybe I’m just paranoid?…


Where there’s an old technology, there’s a way …

I’m a dinosaur.  I freely admit it.  I’ve been using computers for far too long.  I use programs for even longer.

My word processor of choice is WordPerfect.  Version 4.2.  It does what I need, since most of what I do in terms of writing has to do with actual writing.  In other words, words.  Text.  I don’t care much about graphics, desktop publishing (does anyone even know what that means anymore), or mindmaps.  I’ve been using WordPerfect since 1985, although I admit I’ve moved up from 4.1 to 4.2 in the early days.  My wife uses a much more advanced version: she uses 5.1, since she does more with actually printing stuff out.
Over the years I’ve had to learn a few tricks to get WordPerfect to run, and print, with various versions of MS Windows.  (I’ve actually got a copy of WordPerfect Office 8 for Windows around, but it really was kind of a step backwards, so we’ve never really used it.)  Recently the (very old) HP LaserJet 4L that we’ve been using (for quite some time) started printing messy pages.  It was the advice of people in the printer biz that it would be cheaper to buy a new printer than to have the old one cleaned.  Since a new HP LaserJet P1005 was slightly less than $60 (getting a USB cable for it cost almost half again as much, and getting a new cartridge for the thing is even more) this seemed to be the case.

So, my Scottish soul bemoaning the fact that I was sending an almost-perfectly-good printer to the recycling centre, I got a new printer, and installed it.  The print quality is fine (slightly better than the old machine) and it even prints faster.  Under Windows, it’s just fine.

As I said, I’ve had to learn a few tricks over the years to keep the old proggie printing, so I knew about “net use lpt1:.”  DOS programs want to use the old parallel and serial ports, and desktop printers don’t come with those ports anymore: they all use USB.  So you have to install the printer, and then fake DOS out by redirecting the LPT1: output to the installed printer.  Set it up, fired up WordPerfect for a test, and tried a page.  Nothing.

Opened up the print queue and watched.  Job went to the print queue all right, stayed for about a minute, disappeared without an error–and nothing came out of the printer.  “Net use” is obviously working, but the printer isn’t.
Asked for help from HP.  Got back a message saying to turn on Microsoft Loopback Adapter.  Even had detailed instructions on how to do it.

Trouble is, MLA is only useful if you haven’t got any kind of a network.  The “net use” stuff won’t work if you haven’t got a network, so using MLA kinda pretends you’ve got a network, so the redirection stuff works perfectly happily.  (Is it just me, or is there something wrong with a technology that requires you to hack your own system to use basic and normal functions?)  Since everybody who has a high speed connection to the Internet these days (and that is a pretty large majority) has a “local” network, MLA is pretty much unnecessary.  So I replied back to HP thanking them and explaining why their workaround didn’t help much.  Got back a snarky reply saying that they were just trying to help, and telling me to do it again.  No help from HP, then.

Turned to friends.  (Probably where I should have started in the first place, right?)  Got some suggestions to use PRN2FILE (old and free), DOS2PRN (newer and shareware), and Printfil (newer and very commercial).  All of these basically do the same thing as the “net use” command, so they didn’t help very much.

Another friend looked to the online documentation at HP.  (You don’t get any documentation with printers anymore.  Not even for the installation.  If I hadn’t installed an HP combo scanner a few years back I wouldn’t even have known that you have to install the software and start the setup running before you connect the printer.  HP doesn’t even include a sheet telling you that anymore.)  As far as he was concerned it should work, since the printer I had did support the HP PCL.  Unfortunately, the documentation isn’t very good on versioning.  You see, there is not only an HP LaserJet P1005, there is also an HP LaserJet 1005, as well as an HP LaserJet 1500 series.  The HP LaserJet P1005 doesn’t have PCL.  I’d bought a (*&^@#+”~ Winprinter.

OK, that’s it. right?  Game over.  You can’t make a Winprinter, which basically expects a bitmap from MS Windows, to print anything else.

Not quite.

Enter yet another friend with a pointer to http://www.columbia.edu/~em36/wpdos/winprint.html#usbprint.  Good old Columbia U.  (Good people at Columbia.  They brought us Kermit.  You’ve never heard of Kermit?  Kids these days …)  Starting there, I eventually found http://www.columbia.edu/~em36/wpdos/v5macroanyprinter.html.  I mean, how particular do you need to get?  Not only is it specifically for WordPerfect version 5.1, it even has a Ghostscript printer driver, and the macros to make it all happen with one keystroke.  Beauty job, guys.

I should also mention the Ghostscript and Ghostgum people.  I’ve actually been aware of those programs for some time.   I used to use them for reading PDFs, since it was generally quicker and more useful to use them than the Adobe reader products.  (I haven’t been able to turn WordPerfect docs into PDFs just yet: something odd with the GSviewer macro, but at least I know it’s possible.)

There’s always more than one way to skin a computerized cat …


Linus: Full Disclosure? Sure. Partially.

The Linux kernel group would be the last group of people I would expect to support obscuring helpful messages in an attempt to improve security.
Brad Spengler says it well. You should read his entire message, but the punch line is this section:

They seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security. As it should be clear to anyone actually involved in the security community, or anyone who has ever written an exploit (particularly for the myriad silently fixed vulnerabilities in Linux), this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they’re helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.

I can’t say it better than Brad, so instead I’ll say it shorter: In Security, the more information becomes public, the more secure everyone is. There are very few exceptions to this rule.


Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

How to do it:

- Go to the ‘share this calendar’ tab

- Enter the email address in the ‘person’ box

- Click ‘add person’ and ‘save’

- When you return to this screen you will see the first and last name along with the gmail address

Screenshots:

I always wondered who was behind admin@gmail.com

Tell google you want to share your calendar and put their gmail email address

Oh, I guess they figured people like me would be interested…

admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.


Boxers and pen-testers

If you play any sort of sport, you’ll be familiar with the means by which an athlete develops their skill.  I like to box, so I’ll use that as an analogy.  Before you ever get in the ring, you have to know how to balance your body, hold your hands, throw a punch, move your feet and head, etc.  Once you master the FORM, you can then move to SPEED and STRENGTH training.  You don’t start on the heavy bag.  Kids who start on the heavy bag learn how to push a heavy bag…not how to fight.  Kids who start with shadow-boxing, footwork, then move to double-end or speed work, and finally end up on the heavy bag, have the correct form to punch through an object and not push an object.  I digress…

There is a discussion on the dailydave mailing list regarding the benefits of being able to reliably write exploit code in order to do pen-testing.  Writing exploit code, reversing binary apps, and fuzzing are great skills.  I liken them to a knockout punch.  Not many people have these skills (relative to the total number of pen-testers).  The problem is that you don’t want to start learning how to knock people out until you have figured out how to get close enough to throw the punch.  How many times have you seen a pen-tester show up on site with his/her interpreter?  I don’t mean a literal interpreter, I mean the person tasked with harnessing the creative maelstrom that is the pen-tester.  These two (or more) often have their shtick all worked out and the Corporate folks grin along with the show.

Corporate folks: whatcha got on that leash there?

Interpreter: the whooly behemoth, recently returned from a heap-overflow bloodbath at Antigua

Corporate folks: AH!  EEH!  is it…is it like the others?

Interpreter: Unlike any other that has been seen in this part of the corporate world.  Terribly destructive.

Corporate folks: Do we treat it like the others and put it in a cube near the bathroom, feed it pizza and caffeine and never, ever look it in the eyes?

Interpreter: Yes.  Further, you have been blessed with the fact that I have been blessed with the ability of communicating with Bob…errr…the Behemoth.  [turns to behemoth] ukkle snarp miselthrape dominos pizza muhgarkle

Behemoth: muhgarkle?  jasi blem blam Papa Johns [and shuffles off to cube]

Interpreter: He’s on it now.  [winks at crowd]  I don’t know howwwwwww he does it [glances over shoulder at shuffling behemoth]…different breed, that’s for sure.

Corporate folks: [laughing].  Well, we sure are glad they sent You.  Some companies [wink wink] just leave their behemoths on site with no supervision.

Interpreter: Oh, no.  Yeah, we could never do that with this one…I could tell you some stories…oh my…leave him alone on site…horrible…hey, it’s almost 11:00.  Who’s up for lunch?

This is roughly akin to a boxer entering the ring on the shoulders of another guy.  The other guy lugs him around the ring, trying to position him to throw haymakers at the opponent.  How much better if the guy throwing the haymakers had mastered the form necessary to get close enough to land a punch.  With respect to corporate consultants, the form isn’t really that hard to come by.  A few things:

1) You should be and smell clean.  Often overlooked, a consultant should be well dressed, groomed, and not reek of the margarita shots that he/she was taking at the strip club 3 hours before the work day began.

2) You should be able to communicate with the business professionals that are paying for your consulting.  This includes both speaking AND writing in a clear and intelligible fashion.

3) You should be able to understand business drivers and how they might *possibly* apply to your consulting engagement. This is an important point - The company will tell you what needs to be accomplished.  Not the other way around.

!Dmitry


Disaster recovery not just for natural disasters

There is always a lot of talk about disaster recovery being important against flood, weather, power failures, etc., but very little talk about disaster recovery after security events.

When a security event happens, it is a disaster. It can mean downtime to your web site, or that your records were deleted or modified, and sometimes the biggest disaster is the bad PR day.

Typical disaster plans talk about a short failover time, but neglect to take into account what happens if one server was compromised. In this case, how will the short failover time affect it - will the corrupt or modified data propagate to the failover server causing two failed sites instead of one?

With recent break-ins reaching the news, with extremist groups hacking into any site they can gain access to, I too often see the web site show a banner, just after the break-in, saying that it will be back in a few days. I’m left wondering: when they’re back, will they still suffer from the same security hole (most likely an SQL injection) that let the attackers in in the first place? What about hidden malware - was the server reinstalled from scratch? And what backup was used to restore - the one with the attacker’s backdoor? I think we all know the answers…
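The two failure modes the post raises, restoring from a backup that already contains the attacker's changes and letting modified data flow to the failover server, both come down to never trusting a restore point on its timestamp alone. The following is an added illustration, not code from SecuriTeam or the post's author: it keeps a known-good manifest of file hashes recorded from the clean build, and picks the newest backup that (a) predates the point at which the compromise was known and (b) still matches the manifest. All file contents, paths and snapshot dates are constructed for the example.

```python
"""Choose a restore point that predates a compromise AND verifies against a
known-good manifest. Constructed example; not code from the original post."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good file set, as deployed from a clean build. In practice
# the manifest (path -> hash) is recorded at deploy time and stored off-box.
GOLDEN_FILES = {
    "/var/www/index.php": b"<?php echo 'constructed index'; ?>\n",
    "/var/www/lib/db.php": b"<?php /* constructed: parameterised queries */ ?>\n",
}
GOLDEN_MANIFEST = {path: sha256_hex(data) for path, data in GOLDEN_FILES.items()}

# Constructed nightly snapshots. The 24 July snapshot already carries a
# modified db.php; the 25 July snapshot carries a file that was never deployed.
BACKUPS = [
    {"taken": datetime(2008, 7, 20, 2, 0, tzinfo=timezone.utc),
     "files": dict(GOLDEN_FILES)},
    {"taken": datetime(2008, 7, 24, 2, 0, tzinfo=timezone.utc),
     "files": {**GOLDEN_FILES,
               "/var/www/lib/db.php": b"<?php /* constructed: unexpected modification */ ?>\n"}},
    {"taken": datetime(2008, 7, 25, 2, 0, tzinfo=timezone.utc),
     "files": {**GOLDEN_FILES,
               "/var/www/.cache.php": b"<?php /* constructed: file not in manifest */ ?>\n"}},
]

# When the break-in was noticed. This is an upper bound on the intrusion time,
# which is exactly why the timestamp check alone is not enough below.
COMPROMISE_DETECTED = datetime(2008, 7, 24, 12, 0, tzinfo=timezone.utc)


def verify_against_manifest(files, manifest):
    """Compare a snapshot's files to the manifest.

    Returns a sorted list of (path, reason) findings; an empty list means the
    snapshot matches the known-good state exactly. Extra files count as
    findings too, since a backdoor is often a new file rather than a change."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif sha256_hex(files[path]) != expected:
            findings.append((path, "modified"))
    for path in files:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return sorted(findings)


def choose_restore_point(backups, manifest, compromise_time,
                         dwell_margin=timedelta(0)):
    """Newest backup taken before (compromise_time - dwell_margin) that
    verifies clean against the manifest, or None if no such backup exists.

    dwell_margin lets the operator discount backups taken shortly before the
    detection time, on the assumption that the intruder was present earlier."""
    cutoff = compromise_time - dwell_margin
    for backup in sorted(backups, key=lambda b: b["taken"], reverse=True):
        if backup["taken"] >= cutoff:
            continue  # too recent: may already contain the attacker's changes
        if verify_against_manifest(backup["files"], manifest):
            continue  # predates detection but does not match the clean state
        return backup
    return None


if __name__ == "__main__":
    for backup in BACKUPS:
        print(backup["taken"].date(),
              verify_against_manifest(backup["files"], GOLDEN_MANIFEST) or "clean")
    chosen = choose_restore_point(BACKUPS, GOLDEN_MANIFEST, COMPROMISE_DETECTED)
    print("restore from:", chosen["taken"].date() if chosen else None)
```

Run as-is, the 24 July snapshot is rejected even though it predates detection, because its db.php no longer matches the manifest; the script falls back to 20 July. The same `verify_against_manifest` check belongs in front of any failover or replication step, so that a compromised primary cannot push its modified data onto the standby.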


Word Viewer - it can be your workaround in the latest Word 0-day case

In many of the Word 0-day vulnerabilities covered by SecuriTeam Blogs, the Word Viewer utility has been included among the affected products.

This week the situation is different, however.

Related to the most recent MS Word vulnerability Word Viewer 2003 and Word Viewer 2003 Service Pack 3 are not vulnerable (Microsoft’s advisory here). Word Viewer 2003 SP3 KB document here, in turn.
To readers not familiar with these cases: normally these vulnerabilities are reported in connection with targeted attacks via e-mail. References are listed here: CVE-2008-2244. This particular case is known as the so-called attachement.doc case. The trojan malware related to this case is from the MSWord.Agent.cq series.

There are connections to Beijing Olympics too - in the form of attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijin.doc files too.

A fix for this vulnerability is not expected before August’s Black Tuesday. The most important question is: how to implement the use of Word Viewer in your organization.


Office file specs released - new vulnerabilities to come?

As Microsoft released the Office file specs for the upcoming Office 2007, I can’t stop from thinking that even though these are specs for Office 2007 files, they must have similarities and are at least partly backward compatible with Office 200x.

This means they can be used by vulnerability researchers (good and bad) to more easily discover new vulnerabilities in Office as with the spec laid out, complete and systematic searching can be done.

Time will tell - let’s start counting how many Office-related vulnerabilities are released over the next few months - and see if we can find a correlation.


Vulnerability Scanner