

Posted Mar 1, 2005
Authored by astalavista | Site astalavista.com

Featured articles - Overview of web filtering ; Getting the best search results - Interview with Candid Wuest, Security Researcher

tags | web
SHA-256 | af1b51ccc5fbf61c395e43f07d297154cc701e532fa18271ded3d8829bd9316c


|- Astalavista Group Security Newsletter -|
|- Issue 9 01 October 2004 -|
|- http://www.astalavista.com -|
|- security@astalavista.net -|

- Table of contents -

[01] Introduction
[02] Security News
- Image virus spreads via chat
- U.N warns of nuclear cyber attack risk
- Sasser Netsky virus coder lands job with security firm
- Feds invite comment on Internet wiretaps
- Phishing tab to reach $500 million
[03] Astalavista Recommends
- Tx - The Smallest VC++ Coded Universal Windows Backdoor
- Fwknop - Firewall Knock Operator
- Strike Out
- Network Wiretapping and the Government's Role
- Mail Non-delivery Notice Attacks
[04] Site of the month - Thawte Crypto Challenge
[05] Tool of the month - Spybot - Search&Destroy
[06] Paper of the month - The Phishing Guide
[07] Free Security Consultation
- Our university has recently discovered that..
- I have recently purchased "vendor's software" to protect against spyware..
- Like almost everyone, I'm a Windows user, how come..
[08] Enterprise Security Issues
- Overview of Web Filtering
[09] Home Users Security Issues
- Getting the best search results
[10] Meet the Security Scene
- Interview with Candid Wuest - a security researcher
[11] Security Sites Review
- Knowngoods.org
- GoogleDorks
- OpenWall
- WorldWideWardrive.org
- PerlMonks.org
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal
[14] Astalavista Feedback Contest - 2004
[15] Final Words

01. Introduction

Dear Subscribers,

Issue 9 of Astalavista's Security Newsletter is out! In this issue you're going to
read a small overview of Web Filtering, learn more about how to use Google's advanced
searching options, and you will be able to enjoy an interview with a security
researcher. You will also have the chance to participate in Astalavista's Feedback
Contest and win an Astalavista.net membership.

Enjoy your time!

Astalavista's Security Newsletter is mirrored at:


If you want to know more about Astalavista.com, visit the following URL:


Previous Issues of Astalavista's Security Newsletter can be found at:


Editor - Dancho Danchev

Proofreader - Yordanka Ilieva

Thawte Crypto Challenge - Crypto Vl - Be the first to crack the code and win!


02. Security News

The Security World is a complex one. Every day a new vulnerability is found,
new tools are released, new countermeasures are devised and implemented, and so on.
In such a sophisticated scene we have decided to provide you with the most
striking and up-to-date security news of the month, in a centralized
section that also contains our personal comments on each issue discussed.
Your comments and suggestions about this section are welcome at


- Image virus spreads via chat -

A virus that exploits the recently discovered JPEG vulnerability has been discovered
spreading over America Online's instant-messaging program.

More information can be found at:


Astalavista's comments:

At a time when users are still unaware of how current worms spread,
the worst-case malware scenario, namely a real JPEG vulnerability, is in the wild,
which again widens the gap between Microsoft providing updates and end users'
lack of awareness on the topic.


- U.N. warns of nuclear cyber attack risk -

The United Nations' nuclear watchdog agency warned Friday of growing concern about
cyber attacks against nuclear facilities.

More information can be found at:


Astalavista's comment:

We have previously seen such attempts, and such a scenario should be well taken care
of, considering the obvious interest:



- Sasser/Netsky virus coder lands job with security firm -

Sven Jaschan, a self-confessed creator of the destructive NetSky and Sasser worms,
has been hired by the German security company Securepoint. He's been offered
work as a trainee software developer working on security products, such as firewalls,
even though he may go to prison for creating one of the most destructive computer
viruses to date. Jaschan was charged this month with computer sabotage. No trial
date has been set.

More information can be found at:


Astalavista's comment:

Unbelievable. On the one hand we see Microsoft and law enforcement agencies trying
to scare those authors with huge rewards and prosecutions, while on the other
hand we see local companies "admiring" the "know-how" of malware creators with the
idea of building better products. Who else sees the big picture here?


- Feds invite comment on Internet wiretaps -

The Federal Communications Commission (FCC) on Thursday launched a public comment
period on its plan to compel Internet broadband and VoIP providers to open
their networks up to easy surveillance by law enforcement agencies.

More information can be found at:


Astalavista's comment:

It's time to see if an E-nation is as privacy-conscious as it should be.



- Phishing tab to reach $500 million -

A new study weighs in with estimates as to how much online fraud, or phishing, is
costing consumers. Seventy-six percent of consumers are experiencing an increase in spoofing
and phishing incidents, researchers found, and 35 percent said they receive fake e-mails at least
once a week.

More information can be found at:


Astalavista's comment:

Recently we've seen enormous activity on the phishing scene, given that a large
number of companies have had the chance to build trust-based relations with their
online customers, but not secure ones.

03. Astalavista Recommends

This section is unique with its idea and the information included within. Its
purpose is to provide you with direct links to various white papers covering
many aspects of Information Security. These white papers are defined as a "must
read" for everyone interested in deepening his/her knowledge in the Security field.
The section will keep on growing with every new issue. Your comments and suggestions
about the section are welcome at security@astalavista.net


- Tx - The Smallest VC++ Coded Universal Windows Backdoor -

The Smallest VC++ Coded Universal Windows Backdoor for all versions of Windows
NT/2K/XP/2003 with any service pack. But not for Windows 98/ME! Since Microsoft stopped the support for
them, I can't code for an unsupported operating system. A Tini, Small, Petite app that listens on a
fixed port and creates a command shell when it receives a connection. Default listening port
is: 8080



- Fwknop - Firewall Knock Operator -

fwknop implements network access controls (via iptables) based on a flexible port
knocking mini-language, but with a twist; it combines port knocking and passive operating
system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to
connect to your SSH daemon.



- Strike Out -

A beta version of the tool to automatically detect and index change tracking
information in a collection of Word documents published on a website (or stored on a disk, mounted
via SMB/NFS, etc) is now available. This tool, written and used by Michal Zalewski, allowed him to
recover very interesting information off the Word file given out by Microsoft, as can be seen at:



- Network Wiretapping and the Government's Role -

The Internet is becoming a commonplace technology that everyone relies upon.
Consequently, we must also look at the policy concerns that the new medium thrusts upon us. This document
addresses the legal issues surrounding digital wiretaps. It is targeted at a computer-literate audience. I briefly
explain the technical issues involved and explore their ramifications, focusing on the role the government has played.



- Mail Non-delivery Notice Attacks -

Analysis of e-mail non-delivery receipt handling by live Internet bound e-mail
servers has revealed a common implementation fault that could form the basis of a new range of
DoS attacks. Our research in the field of email delivery revealed that mail servers may respond
to mail delivery failure with as many non-delivery reports as there are undeliverable Cc:
and Bcc: addresses contained in the original e-mail.


04. Site of the month

Thawte Crypto Challenge - Crypto Vl - Be the first to crack the code and win!


05. Tool of the month

Spybot - Search&Destroy

Spybot - Search&Destroy is a freeware anti-spyware/anti-adware application that has
a large database of malicious
programs, hijackers etc. You're strongly recommended to use it, as it will
definitely give you excellent results.


06. Paper of the month

The Phishing Guide - Understanding and Preventing Phishing Attacks

A document discussing and giving a detailed overview of various phishing attacks,
intended both for corporate and home readers.


07. Free Security Consultation

Have you ever had a Security related question but you weren't sure where to
direct it to? This is what the "Free Security Consultation" section was created for.
Due to the high number of Security-related e-mails we keep getting on a
daily basis, we have decided to initiate a service, free of charge. Whenever you
have a Security related question, you are advised to direct it to us, and within 48 hours
you will receive a qualified response from one of our Security experts.
The questions we consider most interesting and useful will be published in
the section. Neither your e-mail nor your name will be present anywhere.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service, we are doing our best
to respond as soon as possible and provide you with an accurate answer to your questions.

Question: Hi there, thanks for the service! Our university has recently discovered
that a large number of our desktop computers are infected with spyware. Since we
don't have a centralized methodology to deal with the issue, we require
users to run Ad Aware and various other applications; also we try to block certain
sites at the server level. Any recommendations on how to deal with the issue would be appreciated.

Answer: Users are not to be trusted when it comes to regularly updating software.
What you should have in place is more filtering at the server level in terms of
hosts known to be affiliated with spyware vendors, as well as applying general
protection practices for their browsers, which, I'm almost 100% sure, are Internet
Explorer ones, which pretty much makes all other efforts pointless. If I were you,
I would undertake an initiative to educate users on how insecure IE is when it comes to
spyware, and even debate enforcing the use of another, more secure browser,
anything else besides IE.

Question: I have recently purchased "vendor's software" to protect against spyware,
it's considered to be one of the best among what I've read on major security sites. In the
end I got infected with something that bypasses my firewall and my anti-spyware software,
can I rely on anything at all?

Answer: No software can guarantee you 100% protection. Just think for a while about how
you might be getting infected, so that you won't do it again. The majority of visitors
get infected through visiting untrusted, crack- or porn-related web sites, or even by following
"hot" links offering "hot and free" stuff for their visitors. If it weren't for the software you're
using now, you would probably be infected with many more pests.

Question: Like almost everyone I'm a Windows user. How come Windows is so insecure,
its software is buggy, and the whole world is still using it? Yes, it's dominating, but I
really don't like the thought of having to learn how to work with Linux to stay secure.

Answer: Each OS has its advantages and disadvantages, so Linux wouldn't save you
from getting hacked - things don't work on the basis of the OS alone, although the OS itself
is an important issue when building with security in mind. Microsoft are put under
pressure from the whole world to provide vulnerability-free software, but
also to provide improvements and new software. Anyway, things will change, and if
they don't establish a certain social responsibility for the insecurity of their
software, an alternative OS or solution will take some of their market share, but
don't forget that we still live in a Microsoft dominated world.

08. Enterprise Security Issues

In today's world of high speed communications, of companies completely
relying on the Internet for conducting business and increasing profitability, we have
decided that there should be a special section for corporate security, where
advanced and highly interesting topics will be discussed in order to provide
that audience with what they are looking for - knowledge!

- Overview of Web Filtering -

What are the benefits of web filtering?

Web filtering ensures that potentially malicious web sites are not accessible
by anyone in the organization, thus protecting the internal assets and the sensitive
information contained within. Web filtering is also useful when enforcing a company's security policy,
for example that visiting online gambling or hacking related web sites is forbidden.
Web filters rely on IP blocking and keyword blocking. Although the second method is
AI based, it doesn't yet provide perfect results; a combination of both, however, will give remarkable results.

What are the disadvantages of web filtering?

In the majority of cases users spend a lot of time trying to bypass the restrictions
through using web proxies, online translators etc. thus wasting productivity in the
process. The ones creating the filtering rules should also be aware that blocking popular
and heavily visited sites would result in your employees' anger. Make sure you have clear rules and logical
understanding of why a certain site is considered forbidden.

What is the solution?

Educating the end users on the various threats posed by their Internet usage at work,
or establishing a "you're monitored" policy with the idea of restricting their (as defined by you)
forbidden activities at work. Mainly emphasize how expensive it is
for you to maintain the company's current level of security, compared to
their insecure behaviour while using the company's systems.
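Added example (not from the newsletter): a two-stage filter in Python that combines the host/IP blocklist with weighted keyword scoring, and inspects proxy/translator URLs for an embedded blocked destination, the bypass route noted above. All hosts, addresses, keywords and weights are constructed placeholders.

```python
"""Two-stage web filter: a host/IP blocklist first, keyword scoring second.

Added example, not from the newsletter. All hosts, addresses, keywords and
weights below are constructed placeholders (RFC 5737 TEST-NET addresses).
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Stage 1 policy: known bad hosts and networks, tagged with a policy category.
BLOCKED_HOSTS = {"casino.example": "gambling", "exploits.example": "hacking"}
BLOCKED_NETS = [(ipaddress.ip_network("203.0.113.0/24"), "gambling")]
# Routes users take around the filter: open web proxies and online translators.
BYPASS_HOSTS = {"proxy.example": "web proxy", "translate.example": "online translator"}
# Stage 2 policy: weighted keywords; a page is blocked only above the threshold,
# because keyword matching alone is inexact and would otherwise over-block.
KEYWORDS = {"roulette": 3, "blackjack": 2, "poker": 2, "0day": 3, "warez": 3, "exploit": 2}
KEYWORD_THRESHOLD = 4


def host_category(host, resolved_ip=None):
    """Stage 1: exact host match, then the address it resolved to against blocked nets."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return BLOCKED_HOSTS[host]
    if resolved_ip is not None:
        ip = ipaddress.ip_address(resolved_ip)
        for net, category in BLOCKED_NETS:
            if ip in net:
                return category
    return None


def keyword_score(text):
    """Stage 2: sum the weights of whole-word keyword hits in the fetched page text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return sum(KEYWORDS.get(w, 0) for w in words)


def embedded_target(url):
    """Proxies and translators usually carry the real destination in the query
    string (e.g. ?u=http://...). Return that inner URL if one is present."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value
    return None


def check_request(url, page_text="", resolved_ip=None):
    """Decide allow/block for one request; the reason string is what gets logged."""
    host = (urlparse(url).hostname or "").lower()
    category = host_category(host, resolved_ip)
    if category:
        return {"action": "block", "reason": f"blocklist:{category}", "host": host}
    if host in BYPASS_HOSTS:
        inner = embedded_target(url)
        inner_category = host_category(urlparse(inner).hostname or "") if inner else None
        if inner_category:
            # The bypass route is blocked only when it is used to reach a blocked
            # category; a plain translation request falls through to stage 2 instead.
            return {"action": "block",
                    "reason": f"bypass:{BYPASS_HOSTS[host]}->{inner_category}", "host": host}
    score = keyword_score(page_text)
    action = "block" if score >= KEYWORD_THRESHOLD else "allow"
    return {"action": action, "reason": f"keywords:{score}", "host": host}


# Constructed sample traffic: (url, fetched page text, resolved IP or None).
SAMPLE_REQUESTS = [
    ("http://casino.example/lobby", "", None),
    ("http://203.0.113.9/", "", "203.0.113.9"),
    ("http://translate.example/?u=http://casino.example/lobby", "", None),
    ("http://news.example/sports", "poker night charity results", None),
    ("http://new-site.example/", "online roulette and blackjack, play poker now", None),
]


def run_policy(requests=SAMPLE_REQUESTS):
    """Evaluate each sample request and return the decisions in order."""
    return [check_request(url, text, ip) for url, text, ip in requests]


if __name__ == "__main__":
    for decision in run_policy():
        print(f"{decision['action']:5} {decision['host']:22} {decision['reason']}")
```

The threshold in stage 2 is the tuning knob the section warns about: set it too low and popular sites get blocked on a stray word, which is the employee-anger case described above.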

09. Home Users' Security Issues

Due to the high number of e-mails we keep getting from novice users, we have
decided that it would be a very good idea to provide them with their very
special section, discussing various aspects of Information Security in an
easily understandable way, while, on the other hand, improve their current level of

If you have questions or recommendations for the section, direct
them to security@astalavista.net

- Getting the best search results -

Many of you are probably frustrated when, using a search engine, the majority of results
you get are commercial ones. But why do commercial pages appear whenever you're searching?
Simply because these sites have positioned themselves so that the simple search techniques
which represent the majority of searches today will attract a larger audience.
Let's assume that you use Google, probably because it's still the best and most
popular search engine out there.

We have decided to provide you with various resources that will help you get the
best results ever:

Google's Advanced Search Tips - http://www.google.com/help/refinesearch.html
Advanced Search Tips - http://www.seorank.com/google-advanced-search-tips.htm
Tips for using Google - http://www.searchforancestors.com/archives/google.html
Google Tips and Tricks - http://astalavista.com/index.php?section=dir&cmd=file&id=2546

10. Meet the Security Scene

In this section you are going to meet famous people, security experts and
all personalities who in some way contribute to the growth of the community.
We hope that you will enjoy these interviews and that you will learn a great deal of
useful information through this section. In this issue we have interviewed Candid
Wuest, an active participant in the security industry.

Your comments are welcome at security@astalavista.net

Interview with Candid Wuest

Astalavista: Candid, would you, please, introduce yourself to our readers and tell us
more about your background in the security industry?

Candid: Well, my name is Candid and I have been working in the computer security
field for several years now, performing different duties for different
companies. For example, IBM Security Research and Symantec to name the
most known ones. I got a master's degree in computer science but, in my opinion, in this
business curiosity is the main thing that matters.

Astalavista: What do you think has had a major impact on the popularity of malware
in recent years? Is it the easiness of coding a worm/trojan or the fact that the authors don't get caught?

Candid: Why do people code worms? Because they can?

The first point I would like to mention here is the growth of the Internet as a whole
in the last years. More people getting a system and more people getting
broadband access means more people are exposed to the risks. You may say
the fish tank has grown over the years; therefore it is clear that there
is now also more space for sharks in it.

I think the few people who were caught have scared some and stopped
them from doing the same, but the media hype they have caused has for sure
attracted new ones to get started with the whole idea. So this might
balance out even and these were mostly smaller fishes, which didn’t take
enough precautions.

Another point to mention is that it is really easy to download a source
code and create your own malware and it is getting easier every day.
There are many bulletin boards out there with fast growing communities
helping each other in developing new methods for malware or simply
sharing their newest creations.

When recalling the last hundreds of worms we saw in the wild for the last
time, most of them were similar and much alike. Nearly no direct
destructive payload and not much innovation in regards to the used
methods. Just a mass mailer here or an IRC bot there.

That’s why I think the motivation is a mixture of the easiness of doing
so and the mental kick suggested from the media, which pushes the bad
underground hacker image. (Even though the media uses the term hacker
seldom correctly in its original meaning.)
This seems to motivate many to code malware: just because they can.

In the future money might become a new motivation for malware writers,
when industrial parties get involved in it.

Astalavista: Where's the gap between worms in the wild and the large number of
infected computers? Who has more responsibility, the system administrators
capable of stopping the threat at the server level, or the large number of
people who don't know how to protect themselves properly?

Candid: As we all should know 100% security will never be reached, regardless of
what the sysadmin and the end user do. A good example for this is the
recent issue with the JPEG and TIFF malware, which sneaked through many

In my opinion the sysadmins have the easier task, as they can enforce
their restriction; often it’s just a question of having the time to do it
properly. Don’t get me wrong here. I know the whole patching issue may be
quite a pain sometimes. Of course, they have all the users and the
management complaining if the restrictions are (too) tight but that’s
how it works, right :- )

Therefore I think often it is the end user who has not enough
protection or simply does not care enough about it. Many users still
think that no one will aim at them, as they are not an interesting
target, but DDoS attacks for example do exactly target such a user. Of
course, many end users don’t have the possibilities of a sysadmin. In
general, it comes down to an AntiVirus and a personal firewall
application, which still leaves enough space for intruders to slip through.

So, as always, it should be a combination of an ISP, a sysadmin and an end user
working together to protect themselves.

Astalavista: We've recently seen a DDoS mafia, something that is happening even now.
What is the most appropriate solution to fight these? Do you think this
concept is going to evolve in time?

Candid: DDoS attacks are quite hard to counter if they are performed in a clever
way. I have seen concepts for which I haven’t seen a working solution yet.
Some can be countered by load balancing and traffic shaping or by simply
changing the IP address if it was hard coded.
More promising would be if you could prevent the DDoS nets from being
created, but this goes back to question number three.

Astalavista: Have you seen malware used for e-spionage, and do you think it's the
next trend in the field?

Candid: This is nothing new; malware has been used for industrial e-spionage for
years. Usually, it just isn't that well known as those attacks might
never get noticed or admitted in public. I have seen plenty of
such attacks over the last years. This for sure will increase in time as
more business relevant data gets stored in vulnerable environments. In
some sort you could even call phishing an art of espionage. But I think
the next big increase will be in the adware & spyware field where
malware authors will start getting hired to write those applications as
it already happens today. Or are you sure that your favourite
application is not sending an encoded DNS request back somewhere?

11. Security Sites Review

The idea of this section is to provide you with reviews of various highly interesting
and useful security related web sites. Before we recommend a site, we make sure that
it provides its visitors with quality and a unique content.

- Knowngoods.org -

The web interface is fairly straightforward: point your favorite web browser here,
choose an OS and enter an application name, or the full path to the file.

- GoogleDorks -

An inept or foolish person as revealed by Google. A recommended page.

- OpenWall -

Open-source information security software.

- WorldWideWardrive.org -

The WorldWide WarDrive is an effort by security professionals and hobbyists to
generate awareness of the need by individual users and companies to secure their access points.

- PerlMonks.org -

For all the Perl geeks out there, one of the best community sites.

12. Astalavista needs YOU!

We are looking for authors that would be interested in writing security related
articles for our newsletter, for people's ideas that we will turn into reality with
their help and for anyone who thinks he/she could contribute to Astalavista
in any way. Below we have summarized various issues that might concern you.

- Write for Astalavista -

What topics can I write about?

You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day, our Newsletter has
more than 22,000 subscribers, so you can imagine what the exposure of your article and you
will be, impressive, isn't it!
We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista, we are not
interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?


Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article.
Once we take a look at it and decide whether it is qualified enough to be published,
we will contact you within several days; please be patient.

Thanks a lot all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion

Astalavista.net is a world known and highly respected Security Portal offering
an enormous database of very well-sorted and categorized Information Security
resources, files, tools, white papers, e-books and many more. At your disposal
are also thousands of working proxies, wargames servers where all the members
try their skills and most importantly - the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share
their knowledge and answer your questions; replies are always received regardless
of the question asked.
- Several WarGames servers waiting to be hacked, information between those
interested in this activity is shared through the forums or via personal
messages, a growing archive of white papers containing info on previous
hacks of these servers is available as well.

The Advanced Security Member Portal



14. Astalavista Feedback Contest - 2004
Don't have an Astalavista.net membership? Are you a fan of Astalavista.com?

topic - "Astalavista.com - The beginning, the future and me in between"
description - write your own story, how you first knew about Astalavista.com, how
long you have been visiting the site, how it helped you improve your security, or
your organization's security, what makes you visit the site over and over again,
when we evolved and what has changed. Share a funny or a serious situation related somehow
to Astalavista.com - remember what it was when you first visited it and what it
turned into. What do we have to improve, how do you see the page in 5 years from now on,
what are our strong and weak points, but most of all, share a story that's worth telling!

minimum - 5 pages

maximum - up to you, the more comprehensive and original the feedback, the higher
the chance to win the contest

deadline - 1st of November, 2004

prize - the most original and inspiring stories will be rewarded with a lifetime
Astalavista.net - Advanced Security Member Portal membership

More information is available at:


15. Final Words

Dear Subscribers,

Astalavista's Feedback Contest is now live at the site, we'll be expecting your
comments and impressions about the site.

Hope you have enjoyed Issue 9; watch out for Issue 10 with a lot of new content.

Editor - Dancho Danchev

Proofreader - Yordanka Ilieva