REVIEW – “The Florentine Deception”, Carey Nachenberg

BKFLODEC.RVW   20150609

“The Florentine Deception”, Carey Nachenberg, 2015, 978-1-5040-0924-9,
%A   Carey Nachenberg
%C   345 Hudson Street, New York, NY   10014
%D   2015
%G   978-1-5040-0924-9 150400924X
%I   Open Road Distribution
%O   U$13.49/C$18.91
%O   Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   321 p.
%T   “The Florentine Deception”

It gets depressing, after a while.  When you review a bunch of books on the basis of the quality of the technical information, books of fiction are disappointing.  No author seems interested in making sure that the technology is in any way realistic.  For every John Camp, who pays attention to the facts, there are a dozen Dan Browns who just make it up as they go along.  For every Toni Dwiggins, who knows what she is talking about, there are a hundred who don’t.

So, when someone like Carey Nachenberg, who actually works in malware research, decides to write a story using malicious software as a major plot device, you have to be interested.  (And besides, both Mikko Hypponen and Eugene Spafford, who know what they are talking about, say it is technically accurate.)

I will definitely grant that the overall “attack” is technically sound.  The forensics and anti-forensics makes sense.  I can even see young geeks with more dollars than sense continuing to play “Nancy Drew” in the face of mounting odds and attackers.  That a vulnerability can continue to go undetected for more than a decade would ordinarily raise a red flag, but Nachenberg’s premise is realistic (especially since I know of a vulnerability at that very company that went unfixed for seven years after they had been warned about it).  That a geek goes rock-climbing with a supermodel we can put down to poetic licence (although it may increase the licence rates).  I can’t find any flaws in the denouement.

But.  I *cannot* believe that, in this day and age, *anyone* with a background in malware research would knowingly stick a thumb/jump/flash/USB drive labelled “Florentine Controller” into his, her, or its computer.  (This really isn’t an objection: it would only take a couple of pages to have someone run up a test to make sure the thing was safe, but …)

Other than that, it’s a joy to read.  It’s a decent thriller, with some breaks to make it relaxing rather than exhausting (too much “one damn thing after another” gets tiring), good dialogue, and sympathetic characters.  The fact that you can trust the technology aids in the “willing suspension of disbelief.”

While it doesn’t make any difference to the quality of the book, I should mention that Carey is donating all author profits from sales of the book to charity:

copyright, Robert M. Slade   2015   BKFLODEC.RVW   20150609

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

AV is dead … again …

Antivirus software only catches 45% of malware attacks and is “dead”, according to a senior manager at Symantec.”

85.4% of statistic can be interpreted in the opposite way, and AV has been declared dead regularly since 1987.

Symantec “invented commercial antivirus software in the 1980s”?  That must come as news to the many companies, like Sophos, that I was reviewing long before Symantec bought out their first AV company.

“Dye told the Wall Street Journal that hackers increasingly use novel methods and bugs in the software of computers to perform attacks.”

There were “novel attacks” in 1986, and they got caught.  There have been novel attacks every year or so since, and they’ve been caught.  At the same time, lots of people get attacked and fail to detect it.  There’s never a horse that couldn’t be rode, and there’s never a rider that couldn’t be throwed.

“Malware has become increasingly complex in a post-Stuxnet world.”

So have computers.  Even before Stuxnet.  I think it was Grace Hopper who said that the reason it is difficult to secure complex systems is because they are complex systems.  (And she died a while back.)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CyberSec Tips: Malware – advice for the sysadmin

This is possibly a little out of line with what I’m trying to do with the series.  This advice is aimed a little higher than the home user, or small business operator with little computer experience.  Today I got these questions from someone with an advanced computer background, and solid security background, but no malware or antivirus experience.  I figured that this might apply to a number of people out there, so here was my advice:


> Question 1: What is the best way to obtain some good virus samples to
> experiment with in a clean-room environment?

Just look for anything large in your spam filters  :-)

> What I see doing is setting up a VM that is connected to an isolated
> network (with no connection to any other computer or the internet except
> for a computer running wireshark to monitor any traffic generated by the
> virus/malware).

VMs are handy when you are running a wholesale sample gathering and analysis operation, but for a small operation I tend not to trust them.  You might try running Windows under a Mac or Linux box, etc.  Even then, some of the stuff is getting pretty sneaky, and some specifically target VMs.  (I wonder how hard it would be to run Windows in a VM under iOS on ARM?)

> Also, any other particular recommendations as to how to set up the
> clean-room environment?

I’m particularly paranoid, especially if you haven’t had a lot of background in malware, so I’d tend to recommend a complete airgap, with floppies.  (You can still get USB 3 1/2″ floppy drives.)  CDs might be OK, but USB drives are just getting too complex to be sure.

> Question 2: What products are recommended for removing viruses and malware
> (i.e. is there a generic disinfector program that you recommend)?

I wouldn’t recommend a generic for disinfection.  For Windows, after the disaster of MSAV, MSE is surprisingly good, and careful–unlikely to create more problems than it solves.  I like Avast these days: even the free version gives you a lot of control, although it seems to be drifting into the “we know what’s best for you” camp.  And Sophos, of course, is solid stuff, and has been close to the top of the AV heap for over two decades.  F-Secure is good, although they may be distracted by the expansion they are doing of late.  Kaspersky is fine, though opinionated.  Eset has long had an advantage in scanning speed, but it does chew up machine cycles when operating.

Symantec/Norton, McAfee, and Trend have always had a far larger share of the market than was justified by their actual products.

As always, I recommend using multiple products for detection.

> I assume the preferred approach is to boot the suspect computer from USB
> and to run the analysis/disinfection software from the USB key (i.e. not to boot
> the infected computer until it has been disinfected).

A good plan.  Again, I might recommend CD/DVD over USB keys, but, as long as you are careful that the USB drive is clean …

> Question 3: How/when does one make the decision to wipe the hard drive and
> restore from backup rather than attempt to remove the malware?

If you have an up-to-date backup, that is always preferred when absolute security is the issue.  However, the most common malware is going to be cleanable fairly easily.  (Unless you run into some of the more nasty ransomware.)

Pushing backup, and multiple forms of backup, on all users and systems, is a great idea for all kinds of problems.  I’ve got a “set and forget” backup running to a USB drive that automatically updates any changes about every fifteen minutes.  And every couple of days I make a separate backup (and I have different USB drives I do it to) of all data files–which I then copy on to one of the laptops.  I just use an old batch file I created, which replaces any files with newer versions.  (Since it doesn’t delete anything I don’t change, it also means I have recovery possibilities if I make a mistake with deleting anything, and, by using multiple drives, I can rotate them for offsite storage, and even have possibilities of recovering old versions.)

> Question 4: Any recommended books or other guides to this subject matter?

Haven’t seen anything terrifically useful recently, unfortunately.  David Harley and I released “Viruses Revealed” as public domain a few years back, but it’s over ten years old.  (We released it about the time a vxer decided to upload it to  He probably thought he was hurting our sales, but we figured he was doing us a favour  :-)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CyberSec Tips: Email – Spam – Phishing – example 3 – credit checks

A lot of online security and anti-fraud checklists will tell you to check your credit rating with the credit rating reporting companies.  This is a good idea, and, under certain conditions, you can often get such reports free of charge from the ratings companies.

However, you should never get involved with the promises of credit reports that come via spam.

Oddly, these credit report spam messages have very little content, other than a URL, or possibly a URL and some extra text (which usually doesn’t display) meant only to confuse the matter and get by spam filters.  There are lots of these messages: today I got five in only one of my accounts.

I checked one out, very carefully.  The reason to be careful is that you have no idea what is at the end of that URL.  It could be a sales pitch.  It could be an attempt to defraud you.  It could be “drive-by” malware.  In the case I tested, it redirected through four different sites before finally displaying something.  Those four different sites could simply be there to make it harder to trace the spammers and fraudsters, but more likely they were each trying something: registering the fact that my email address was valid (and that there was a live “sucker” attached to it, worth attempting to defraud), installing malware, checking the software and services installed on my computer, and so forth.

It ended up at a site listing a number of financial services.  The domain was “”  One indication that this is fraudulent is that the ownership of this domain name is deeply buried.  It appears to be registered through GoDaddy, which makes it hard to check out with a normal “whois” request: you have to go to GoDaddy themselves to get any information.  Once there you find that it is registered through another company called Domains By Proxy, who exist solely to hide the ownership of domains.  Highly suspicious, and no reputable financial company would operate in such a fashion.

The credit rating link sent me to a domain called “”  The .ca would indicate that this was for credit reporting in Canada, which makes sense, as that is where I live.  (One of the redirection sites probably figured that out, and passed the information along.)  However, that domain is registered to someone in Chicago.  Therefore, it’s probably fraud: why would someone in Chicago have any insight on contacts for credit reporting for Canadians?

It’s probably fraudulent in any case.  What I landed on was an offer to set me up for a service which, for $17 per month, would generate credit ratings reports.  And, of course, it’s asking for lots of information about me, definitely enough to start identity theft.  There is no way I am signing up for this service.

Again, checking out your own credit rating is probably a good idea, although it has to be done regularly, and it only really detects fraud after the fact.  But going through offers via spam is an incredibly bad idea.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.


In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.


    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               “Microsoft HelpDesk” <>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  if they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than your is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it’s entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost it’s entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.


Lest you think I exaggerate any of this, you can read the actual report.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.