The Internet May Harm your computer!

I have just Googled up some SecuriTeam pages. Can you imagine my shock when I saw the Google alert saying SecuriTeam can harm my computer?

Active Network Scanning Hacked

Isn’t that great?

Just before pushing the panic button, I Googled one more term.

This is what I got:
Site Google Hacked

When I saw this one, I relaxed.

On regular days, when you see the message saying “This site may harm your computer” it means that Google believes the site may install malicious software on your computer.
Today Google’s Safe Browsing feature probably freaked out for some reason.

In any case, according to Google, the whole Internet can harm your computer right now, so be careful!

Update: Marissa Mayer wrote in the Google blog that the problem happened because the URL ‘/’ was mistakenly added to the ‘bad sites’ file, and ‘/’ expands to all URLs. She also wrote that the problem started at 6:27 a.m. and ended at 7:25 a.m. PST.
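To see why a single ‘/’ entry flags the whole web, here is a small added example (not Google’s code or data) of a prefix-style bad-sites list: each entry is a hypothetical ‘host/path-prefix’ string, an empty host means “any host”, and the path prefix ‘/’ matches every path. The canary check at the end is the kind of pre-publish sanity test that would have caught such an entry.

```python
from urllib.parse import urlsplit

# Known-good canary URLs (constructed). A list entry that matches any of them is
# too broad to publish, whatever its intent.
CANARY_URLS = [
    "http://known-good.example/",
    "http://another-good.example/index.html",
]


def entry_matches(entry, url):
    """Return True if a 'host/path-prefix' entry covers the given URL.

    An empty host means 'any host'; the path prefix '/' means 'every path'.
    Consequently the bare entry '/' matches every URL on the web.
    """
    host, _, path = entry.partition("/")
    path = "/" + path
    parts = urlsplit(url)
    if host and (parts.hostname or "").lower() != host.lower():
        return False
    return (parts.path or "/").startswith(path)


def is_flagged(url, entries):
    """Safe-Browsing-style lookup: flagged if any entry matches."""
    return any(entry_matches(e, url) for e in entries)


def split_entries(entries, canaries=CANARY_URLS):
    """Separate publishable entries from ones that also hit a known-good URL.

    Returns (accepted, rejected). Rejected entries would flag sites that are
    known to be clean, so they must not reach the live list.
    """
    accepted, rejected = [], []
    for entry in entries:
        if any(entry_matches(entry, c) for c in canaries):
            rejected.append(entry)
        else:
            accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed list: one legitimate host entry, one path entry, and the
    # catastrophic bare '/'.
    raw = ["badhost.example/", "malware.example/payload", "/"]
    print(is_flagged("http://known-good.example/", raw))        # True: '/' hits everything
    live, dropped = split_entries(raw)
    print(live, dropped)                                         # '/' is dropped
    print(is_flagged("http://known-good.example/", live))       # False
```

With the unchecked list every lookup returns True, exactly the symptom described above; after `split_entries` only the host-scoped entries remain live.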



Not all Twitter clients are nice

Richard Stiennon has a nice writeup on TweetTornado. It started with a previous post where Stiennon detailed how TweetTornado may be damaging for Twitter. Judging by this last post it seems the TweetTornado guy is quite the asshole, which may indicate that those features in TweetTornado were not really accidental.

I think one of the largest weaknesses of Twitter is that the open API and easy interconnectivity between all users make it easier for spammers to write clients that ‘cheat’ the system, while its reliance on a single infrastructure will make it easy for someone to take it down or make it practically unusable for everyone. Look at Orkut, for example.


h4×0r SPAM

from alsaher99@hotmail.com

to me
date Wed, Jan 21, 2009 at 4:09 PM
subject Vacation reply
mailed-by col0-omc1-s1.col0.hotmail.com

i’m out of service
plz don’t send any mail again
or i will hack your system

You can’t make this stuff up... ha. Well, you can, but I didn’t. Really.


Common sense and separation of systems

Somebody recently asked, on the CISSPforum, for some kind of reference supporting the concept that it was a good idea not to do development or testing on production systems.

I think Mim Britt said it best:

“Separation of test and production environments is one of those things that is such basic common sense that it wouldn’t occur to me to have to point to something that says to do it. The first time you test something on your production network and it breaks something else which breaks something else, etc etc etc is the LAST time they will ask you why it has to be done on a separate network.”

Somebody said we should make that into a sigquote, or blog it. Mim said she’d be flattered if anyone did. I think it’s a great idea.


Famous Hackers List


I came across an interesting list of famous hackers with information and photos today and I thought I would share them with everyone.

Wozniak, Ritchie, and Mitnick all made the cut :P


Vonage phish

This is interesting:

Dear Vonage Member,

Your Vonage Account will expire in: January, 20 2009

This might have happened due to the following reasons:
- You did not accessed your account for more than a month.
- You have dynamic IP address and due to that our system might have interpretated it as a hacking attempt.
- You entered a wrong password 3 times when you tried to connect to your Vonage Account.

To avoid an account suspension, please click link below:

http://www.adsmirchi.com/vonage/login.htm

*We will check your IP address, time zone, and confront it with our database logs.

We are very sorry if this affects you in any way but our client’s security is a top priority for Vonage Inc.

Regards,

Vonage Security Team.

The link points to a phishing site hosted in India that collects your Vonage username and password. Go one directory up to see the complete kit.

This is a cute attack: you may be thinking, what can they possibly gain by logging into a Vonage account? Well, Vonage has a useful feature of redirecting your calls to another number. If that other number is a paid service (or an international number, say, in India) you will pay extra and Vonage will pay that service provider (or telecom company). At that point, they just need to call your number and hold the line while counting the revenue coming in - very old school.


spam comment template

I was about to delete this spam comment when I realized it’s very relevant - it shows how comment spam works and gives some insight into the programming behind comments that try to disguise themselves as legitimate.

Thanks anonymous spammer!


NATO Website Hacked

The NATO Parliamentary Website –> www.nato-pa.int was defaced by a Turkish hacker recently.

According to www.nato-pa.int:

“Bringing together members of parliaments throughout the Atlantic Alliance, the NATO Parliamentary Assembly has provided for half a century an essential link between NATO and the parliaments of the NATO nations, helping to build parliamentary and public consensus in support of Alliance policies.”

The server looks like it’s running Windows 2003 and IIS 6. My guess: SQL injection, a WebDAV exploit, or some other web bug. But something else to think about would be the rumors of an IIS 6 0day floating around a while back…


Everything new is old again - VDI

Argh! YASMA! (Yet Another Stupid Marketing Acronym.) VDI pops up in my email. And when I search for it (using two kettles worth of carbon emissions), what do I find? “Virtual desktop infrastructure.” In other words, thin client, or cloud computing, or just plain virtualization.

It is to weep.


Police hacking

Recent news that the UK government is approving police hacking into suspects’ home computers has caused a bubble in the info-sec world. They can hack into private computers either by sending an e-mail containing a virus to the suspect’s computer, by breaking into a residence to install a keystroke logger onto a machine, or simply by placing a surveillance van in the vicinity of a wireless network to intercept the traffic. Computers of users who are suspected of terrorism, pedophilia, or identity or credit card theft will be targeted.

They have even asked the security product/service providers to stop detecting/blocking their keyloggers and other spyware tools. However, a few security vendors have raised an issue and expressed their inability to cooperate with the authorities. As per ZDNet, security vendors Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for the police hack. Symantec has not commented on this. However, in the past Symantec has said that its antivirus software will not scan for the FBI’s Magic Lantern keylogging software. This is a spyware program the Feds can plant on your machine to log and report all keystrokes back to them.

I personally find this very scary and “privacy intruded”, and since conceptually there’s no difference between malicious code and the code used by the government, there are BIG chances that an AV can miss it!!!

This means punching a BIG hole in the security device, which in turn is surely a big boom for malware authors. If cops drop a trojan on a suspect’s system whose antivirus software white-lists police hacking tools, and this suspect turns out to be a prestigious member of the underground malware writers, then he can reverse engineer the cop-hack-tool to write his own code and compromise more such systems.

I personally feel Kaspersky Labs and Sophos are really doing a good job by taking their stand on not creating a backdoor for malware writers.


Madoff, insiders, internal controls, and fraud

The Madoff story is extremely interesting, for a number of reasons. However, primarily, the tales now coming to light of ongoing suspicions and investigations (such as this Wall Street Journal piece) point out the weaknesses and limitations of audit and internal controls in controlling insider attacks and fraud.


First CVE of 2009

I’d like to welcome the first CVE vulnerability in 2009, which is CVE-2008-2381. The first CVE-2009 to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).

By all indications we have a year with many vulnerabilities ahead of us - it already started with a major Twitter account hack followed by widespread phishing via DM, and we’re not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam’s stats page.


Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send a certain exe to his email. Not thinking much about it, I composed an email in my Gmail, attached the exe, hit send, and then saw an error which basically told me Google doesn’t allow exes to be sent through Gmail.

Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.

!@#$%

I also tried gzipping the archive and sending it.. didn’t work either.

I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.

Where were Google’s attachment filters then!? *grin*
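The gap described above (zip and gzip inspected, bz2 waved through) is what you get from an extension-driven filter that only knows a fixed set of containers. As an added example, not Gmail’s code and only an assumption about how its filter behaved, here is a toy filter with that shape beside a hardened version that identifies containers by magic bytes, unwraps zip, gzip and bz2 recursively, and blocks on executable content rather than on the file name. The sample executable and archives are constructed in memory.

```python
import bz2
import gzip
import io
import zipfile

MZ_MAGIC = b"MZ"          # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"
BZ2_MAGIC = b"BZh"
MAX_DEPTH = 5             # refuse absurdly nested archives instead of guessing


def naive_filter(filename, data):
    """Extension-driven filter (assumed shape of the filter in the post).

    Knows .exe, .zip and .gz; anything else, including .bz2, is allowed.
    """
    lname = filename.lower()
    if lname.endswith(".exe"):
        return "block"
    if lname.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(n.lower().endswith(".exe") for n in zf.namelist()):
                return "block"
        return "allow"
    if lname.endswith(".gz"):
        # Peel one layer and re-check the inner name (e.g. tool.zip.gz -> tool.zip)
        return naive_filter(lname[:-3], gzip.decompress(data))
    return "allow"


def hardened_filter(filename, data, depth=0):
    """Content-driven filter: unwrap by magic bytes, block executables anywhere.

    Unreadable containers (encrypted zips, corrupt streams, too deep) are
    blocked, since a filter that cannot look inside cannot vouch for a file.
    """
    if depth > MAX_DEPTH:
        return "block"
    head = data[:4]
    if head[:2] == MZ_MAGIC:
        return "block"
    try:
        if head == ZIP_MAGIC:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)   # raises RuntimeError if encrypted
                    if hardened_filter(info.filename, inner, depth + 1) == "block":
                        return "block"
            return "allow"
        if head[:2] == GZIP_MAGIC:
            return hardened_filter(filename, gzip.decompress(data), depth + 1)
        if head[:3] == BZ2_MAGIC:
            return hardened_filter(filename, bz2.decompress(data), depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError, ValueError):
        return "block"
    return "allow"


# Constructed samples: a fake executable and the same zip wrapped three ways.
SAMPLE_EXE = MZ_MAGIC + b"\x90" * 62

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("tool.exe", SAMPLE_EXE)
SAMPLE_ZIP = _buf.getvalue()
SAMPLE_GZ = gzip.compress(SAMPLE_ZIP)
SAMPLE_BZ2 = bz2.compress(SAMPLE_ZIP)

if __name__ == "__main__":
    for name, blob in [("tool.exe", SAMPLE_EXE), ("tool.zip", SAMPLE_ZIP),
                       ("tool.zip.gz", SAMPLE_GZ), ("tool.zip.bz2", SAMPLE_BZ2)]:
        print(f"{name:14} naive={naive_filter(name, blob):5} "
              f"hardened={hardened_filter(name, blob)}")
```

The naive filter reproduces the post’s experience exactly: exe, zip and gz are blocked, bz2 is allowed. The hardened one blocks all four because it never trusts the outer name, and it also blocks what it cannot open.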


Exploits of the Week #4

- Megacubo 5.0.7 Download & Execute Remote Exploit (JJunior)
- PHP GD Library Information Leak Exploit (Hamid Ebadi)
- Destiny Media Player 1.61 “lst file” Local Buffer Overflow Exploit (Encryt3d.M!nd)
- VMware Remote DoS Exploit (Laurent Gaffie)
- Konqueror 4.1 XSS & Crash Exploits (staker)


Snow and security

I live in Vancouver. Despite the fact that this is in Canada, we do not live in igloos, nor do we have to get around by dogsled. Most of the time. At the moment, we are having an unusual spell of snowy weather. It’s here, for one thing. It’s been here for more than two weeks, for another. It’s also much deeper than usual: more than 30 cm (a foot, US) is on level areas in many places, and the piles where the snow has been shovelled are getting pretty high.

That’s not unusual in many places, but in Vancouver it is practically unheard of.

The weather in Vancouver is very similar to the weather in Seattle, so Seattle is snowed in, too. And I was discussing this with a much younger friend in that area. I was complaining that nobody around here was shovelling their sidewalks. He was complaining that people in his area were.

Those of you who live in the deep snow areas will probably not understand his complaint. You see, in this region, when we do get snow, the temperatures tend to hover around the freezing point. So, some days the snow will start to melt. And at nights, or on other days, it freezes again. So if you don’t shovel the sidewalk properly, you create a bit of a skating rink.

The key is to shovel properly. There are a few factors involved in this, but the primary one is to shovel right to the edge of the sidewalk. If you can see even one blade of grass at the edge, then, when the snow starts to melt, the meltwater goes into the ground. Leave even a centimetre of snow on the edge of the walk, and the meltwater runs all over the sidewalk, and, when it freezes, you’ve got the slickest, most treacherous footing imaginable.

Which brings me to security. For a number of years, many of us in the field have been faced with the extreme frustration of preparing security architectures, designs, and plans to fit the particular business and environment in which we find ourselves. Finely tuned, appropriate to the assets and risks involved, and complete. Only to have some bean-counter come along and say that this is great, but a bit too expensive: couldn’t we get half the security for half the cost?

The answer, as we know, is no. Security is not something you buy by the kilogram. Security is not like a blanket, where the more you have, the warmer you are: it’s like a roof or tent, where you’ve either got one up or not. Security is not like a road, where, no matter how long it is, it is of some use: it’s like a bridge, where, if it’s even a little bit too short, it is no use at all.

So, here’s another illustration for you. Security is like clearing the snow in Vancouver. Do it right, out to the very edge, and you’re golden. Do it quick and dirty and cheap, with one shovel width down the middle, and you’re creating a problem for yourself. And others.


Joe-jobing in the real world

This is a few weeks old, but I think it’s very cool. First, because it implements in real life an attack that is constantly done on the Internet - life imitating art, so to speak. Second, because it reminds me of the “Panther Moderns” terrorist attack in Neuromancer, and remembering Neuromancer is a great way to start the year.

The only problem, of course, is that it’s easy to catch who did it - for one, there’s a picture of their real car.


Vulnerability Scanner