|------------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 9 01 October 2004 -|
|- http://www.astalavista.com -|
|- security@astalavista.net -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
 - Image virus spreads via chat
 - U.N warns of nuclear cyber attack risk
 - Sasser Netsky virus coder lands job with security firm
 - Feds invite comment on Internet wiretaps
 - Phishing tab to reach $500 million
[03] Astalavista Recommends
 - Tx - The Smallest VC++ Coded Universal Windows Backdoor
 - Fwknop - Firewall Knock Operator
 - Strike Out
 - Network Wiretapping and the Government's Role
 - Mail Non-delivery Notice Attacks
[04] Site of the month
 - Thawte Crypto Challenge
[05] Tool of the month
 - Spybot - Search&Destroy
[06] Paper of the month
 - The Phishing Guide
[07] Free Security Consultation
 - Our university has recently discovered that..
 - I have recently purchased "vendor's software" to protect against spyware..
 - Like almost everyone, I'm a Windows user, how come..
[08] Enterprise Security Issues
 - Overview of Web Filtering
[09] Home Users Security Issues
 - Getting the best search results
[10] Meet the Security Scene
 - Interview with Candid Wuest - a security researcher
[11] Security Sites Review
 - Knowngoods.org
 - GoogleDorks
 - OpenWall
 - WorldWideWardrive.org
 - PerlMonks.org
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal
[14] Astalavista Feedback Contest - 2004
[15] Final Words

01. Introduction
------------

Dear Subscribers,

Issue 9 of Astalavista's Security Newsletter is out! In this issue you're going to read a small overview of Web Filtering, learn more about how to use Google's advanced searching options, and you will be able to enjoy an interview with a security researcher. You will also have the chance to participate in Astalavista's Feedback Contest and win an Astalavista.net membership.

Enjoy your time!
Astalavista's Security Newsletter is mirrored at:
http://packetstormsecurity.org/groups/astalavista/

If you want to know more about Astalavista.com, visit the following URL:
http://astalavista.com/index.php?page=55

Previous Issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net

-------
Thawte Crypto Challenge - Crypto Vl - Be the first to crack the code and win!
http://ad.doubleclick.net/clk;10740215;10262135;j
-------

02. Security News
-------------

The Security World is a complex one. Every day a new vulnerability is found, new tools are released, new measures are made up and implemented etc. In such a sophisticated Scene we have decided to provide you with the most striking and up-to-date Security News during the month, a centralized section that contains our personal comments on the issue discussed. Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ IMAGE VIRUS SPREADS VIA CHAT ]

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over America Online's instant-messaging program.

More information can be found at:
http://news.zdnet.com/2100-1009_22-5390463.html
http://www.techworld.com/opsys/news/index.cfm?NewsID=2236
http://www.webpronews.com/it/security/wpn-23-20040930WindowsJPEGVulnerabilityProtection.html
http://www.us-cert.gov/cas/techalerts/TA04-260A.html
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=48800179
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Astalavista's comments:

In a time when users are still unaware of the current worms' spreading techniques, the worst-case malware scenario, namely a real JPEG vulnerability, is in the wild, which again opens the gap between Microsoft providing updates and end users' lack of awareness on the topic.
[ U.N WARNS OF NUCLEAR CYBER ATTACK RISK ]

The United Nations' nuclear watchdog agency warned Friday of growing concern about cyber attacks against nuclear facilities.

More information can be found at:
http://securityfocus.com/news/9592

Astalavista's comment:

We have previously seen such attempts, and such a scenario should be well taken care of, considering the obvious interest:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=nuclear%2Bhacker%2Bsecurity

[ SASSER AUTHOR GETS IT SECURITY JOB ]

Sven Jaschan, a self-confessed creator of the destructive NetSky and Sasser worms, has been hired by the German security company Securepoint. He's been offered work as a trainee software developer working on security products, such as firewalls, even though he may go to prison for creating one of the most destructive computer viruses to date. Jaschan was charged this month with computer sabotage. No trial date has been set.

More information can be found at:
http://www.theregister.co.uk/2004/09/20/sasser_kiddo_offered_job/

Astalavista's comment:

Unbelievable. On one hand we see Microsoft and the law enforcement agencies trying to scare those authors with huge rewards and prosecutions, while on the other hand we see local companies "admiring" the "know-how" of malware creators with the idea of building better products. Who else sees the big picture here?

[ FEDS INVITE COMMENTS ON INTERNET WIRETAPS ]

The Federal Communications Commission (FCC) on Thursday launched a public comment period on its plan to compel Internet broadband and VoIP providers to open their networks up to easy surveillance by law enforcement agencies.

More information can be found at:
http://securityfocus.com/news/9582

Astalavista's comment:

It's time to see if an E-nation is as privacy-conscious as it should be.
http://gullfoss2.fcc.gov/cgi-bin/websql/prod/ecfs/upload_v2.hts?ws_mode=proc_name&proc_id=04-295

[ PHISHING TAB TO REACH $500 MILLION ]

A new study weighs in with estimates as to how much online fraud, or phishing, is costing consumers. Seventy-six percent of consumers are experiencing an increase in spoofing and phishing incidents, researchers found, and 35 percent said they receive fake e-mails at least once a week.

More information can be found at:
http://www.cio-today.com/story.xhtml?story_title=Phishing_Tab_To_Reach______Million&story_id=27279

Astalavista's comment:

Recently, we've seen enormous activity on the phishing scene, given the fact that a large number of companies had the chance to build trust-based relations with their online customers, not secured ones.

03. Astalavista Recommends
----------------------

This section is unique with its idea and the information included within. Its purpose is to provide you with direct links to various white papers covering many aspects of Information Security. These white papers are defined as a "must read" for everyone interested in deepening his/her knowledge in the Security field. The section will keep on growing with every new issue. Your comments and suggestions about the section are welcome at security@astalavista.net

" TX - THE SMALLEST VC++ CODED UNIVERSAL WINDOWS BACKDOOR "

The Smallest VC++ Coded Universal Windows Backdoor for all versions of Windows NT/2K/XP/2003 with any service pack. But not for Windows 98/ME! Since Microsoft stopped the support for them, I can't code for an unsupported operating system. A Tini, Small, Petite app that listens on a fixed port and creates a command shell when it receives a connection.
Default port of listening is: 8080

http://www.astalavista.com/?section=dir&cmd=file&id=2872

" FWKNOP - FIREWALL KNOCK OPERATOR "

fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist: it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon.

http://www.astalavista.com/?section=dir&cmd=file&id=2879

" STRIKE OUT "

A beta version of the tool to automatically detect and index change tracking information in a collection of Word documents published on a website (or stored on a disk, mounted via SMB/NFS, etc.) is now available. This tool, written and used by Michal Zalewski, allowed him to recover very interesting information off the Word file given out by Microsoft, as can be seen at:
http://lcamtuf.coredump.cx/strikeout/

http://www.astalavista.com/?section=dir&cmd=file&id=2836

" NETWORK WIRETAPPING AND THE GOVERNMENT'S ROLE "

The Internet is becoming a commonplace technology that everyone relies upon. Consequently, we must also look at the policy concerns that the new medium thrusts upon us. This document addresses the legal issues surrounding digital wiretaps. It is targeted at a computer-literate audience. I briefly explain the technical issues involved and explore their ramifications, focusing on the role the government has played.

http://www.astalavista.com/?section=dir&cmd=file&id=2830

" MAIL NON-DELIVERY NOTICE ATTACKS "

Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail servers has revealed a common implementation fault that could form the basis of a new range of DoS attacks. Our research in the field of email delivery revealed that mail servers may respond to mail delivery failure with as many non-delivery reports as there are undeliverable Cc: and Bcc: addresses contained in the original e-mail.
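To make the fault above concrete, here is an added illustration written for this newsletter (not code from the recommended paper): a toy bounce handler that emits one non-delivery report per undeliverable address, next to a consolidated variant that emits a single report per message. The local domain, the mailbox table and the sample message are constructed for the demo.

```python
"""Toy bounce handler for one undeliverable message: the faulty behaviour the
paper describes (one NDR per undeliverable recipient) next to a consolidated
variant that emits a single report per message.

Added example, not code from the recommended paper. The local domain, the
mailbox table and the sample message are constructed for the demo.
"""
from dataclasses import dataclass

LOCAL_DOMAIN = "example.test"          # constructed: the domain this server accepts mail for
KNOWN_MAILBOXES = {"alice", "bob"}     # constructed: the only mailboxes that exist


@dataclass
class Message:
    envelope_sender: str   # Return-Path: NDRs are sent here, and it is chosen by the sender
    recipients: list       # all recipients after To:/Cc:/Bcc: expansion
    body: str = "constructed test body"


def classify(recipients):
    """Split local recipients into (deliverable, undeliverable); foreign domains are ignored."""
    ok, bad = [], []
    for addr in recipients:
        local, _, domain = addr.partition("@")
        if domain != LOCAL_DOMAIN:
            continue
        (ok if local in KNOWN_MAILBOXES else bad).append(addr)
    return ok, bad


def faulty_bounce(msg):
    """The implementation fault: one NDR per undeliverable address, each quoting the body.

    A message with N bad Cc:/Bcc: addresses yields N reports to whatever
    Return-Path the sender supplied, which is why the paper treats it as a DoS vector.
    """
    _, bad = classify(msg.recipients)
    return [(msg.envelope_sender, f"Undeliverable: {addr}\n\n{msg.body}") for addr in bad]


def consolidated_bounce(msg, max_listed=50):
    """Hardened variant: at most one NDR per message, listing failed addresses, body not echoed."""
    _, bad = classify(msg.recipients)
    if not bad:
        return []
    listed = "\n".join(bad[:max_listed])
    extra = f"\n... and {len(bad) - max_listed} more" if len(bad) > max_listed else ""
    return [(msg.envelope_sender, f"Undeliverable recipients:\n{listed}{extra}")]


def report_counts(msg):
    """Number of NDRs each handler generates for the same message: (faulty, consolidated)."""
    return len(faulty_bounce(msg)), len(consolidated_bounce(msg))


if __name__ == "__main__":
    # Constructed sample: one real recipient plus 200 nonexistent Bcc: addresses.
    sample = Message(
        envelope_sender="victim@other.test",
        recipients=["alice@example.test"] + [f"ghost{i}@example.test" for i in range(200)],
    )
    faulty, fixed = report_counts(sample)
    print(f"faulty handler: {faulty} NDRs, consolidated handler: {fixed} NDR")
```

The difference between the two counts is the amplification factor a mail administrator should look for when reviewing how their own server's bounce handling behaves.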
http://www.astalavista.com/?section=dir&cmd=file&id=2884

04. Site of the month
------------------

Thawte Crypto Challenge - Crypto Vl - Be the first to crack the code and win!
http://ad.doubleclick.net/clk;10740215;10262135;j

05. Tool of the month
------------------

Spybot - Search&Destroy

Spybot - Search&Destroy is a freeware anti-spyware/anti-adware application that has a large database of malicious programs, hijackers etc. You're strongly recommended to use it, as it will definitely give you excellent results.

http://www.astalavista.com/?section=dir&act=dnd&id=2548

06. Paper of the month
-------------------

The Phishing Guide - Understanding and Preventing Phishing Attacks

A document discussing and giving a detailed overview of various phishing attacks, intended both for corporate and home readers.

http://www.astalavista.com/?section=dir&act=dnd&id=2886

07. Free Security Consultation
--------------------------

Have you ever had a Security related question but you weren't sure where to direct it to? This is what the "Free Security Consultation" section was created for. Due to the high number of Security-related e-mails we keep getting on a daily basis, we have decided to initiate a service, free of charge. Whenever you have a Security related question, you are advised to direct it to us, and within 48 hours you will receive a qualified response from one of our Security experts. The questions we consider most interesting and useful will be published in the section. Neither your e-mail, nor your name will be present anywhere.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service, we are doing our best to respond as soon as possible and provide you with an accurate answer to your questions.

---------

Question: Hi there, thanks for the service! Our university has recently discovered that a large number of our desktop computers are infected with spyware.
Since we don't have a centralized methodology to deal with the issue, we require users to run Ad Aware and various other applications; also we try to block certain sites at the server level. Any recommendations on how to deal with the issue will be appreciated.

---------

Answer: Users are not to be trusted when it comes to regularly updating software. What you should have in place is more filtering at the server level in terms of hosts known to be affiliated with spyware vendors, as well as general protection practices for their browsers, which, I'm almost 100% sure, are Internet Explorer, which pretty much makes all other efforts pointless. If I were you, I would undertake an initiative to educate users on how insecure IE is when it comes to spyware, and even debate enforcing the use of another, more secure browser, anything else besides IE.

---------

Question: I have recently purchased "vendor's software" to protect against spyware; it's considered to be one of the best among what I've read on major security sites. In the end I got infected with something that bypasses my firewall and my anti-spyware software. Can I rely on anything at all?

---------

Answer: No software can guarantee you 100% protection. Just think for a while about how you might be getting infected, so that you won't do it again. The majority of visitors get infected through visiting untrusted, cracks- or porn-related web sites, or even by following "hot" links offering "hot and free" stuff for their visitors. If it weren't for the software you're using now, you would probably be infected with many more pests.

---------

Question: Like almost everyone I'm a Windows user. How come Windows is so insecure, its software buggy, and the whole world is still using it? Yes, it's dominating, but I really don't like the thought of having to learn how to work with Linux to stay secure.
---------

Answer: Each OS has its advantages and disadvantages, so Linux wouldn't save you from getting hacked - things don't work on the basis of the OS alone, although the OS itself is an important issue when building with security in mind. Microsoft are put under pressure from the whole world to provide vulnerability-free software, but they are also under pressure to provide improvements and new software. Anyway, things will change, and if they don't establish a certain social responsibility for the insecurity of their software, an alternative OS or solution will take some of their market share, but don't forget that we still live in a Microsoft-dominated world.

08. Enterprise Security Issues
--------------------------

In today's world of high speed communications, of companies completely relying on the Internet for conducting business and increasing profitability, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for - knowledge!

- Overview of Web Filtering -

What are the benefits of web filtering?

Web filtering will ensure that potentially malicious web sites will not be accessible by anyone in the organization, thus protecting the internal assets and the sensitive information contained within. Web filtering is useful when enforcing a company's security policy; namely that visiting online gambling or hacking related web sites is forbidden, for example. Web filters rely on IP blocking and keyword blocking. Although the second method is AI based, it doesn't yet provide perfect results; a combination of both, however, will give remarkable results.

What are the disadvantages of web filtering?

In the majority of cases users spend a lot of time trying to bypass the restrictions through using web proxies, online translators etc., thus wasting productivity in the process.
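To show how the two methods fit together, here is an added example (not from the newsletter or from any filtering product) of a small filter that consults a host/IP blocklist first and falls back to weighted keyword scoring with a threshold; the hostnames, address range, keyword lists and page bodies are all constructed, and the last two samples show why keyword matching alone needs a threshold and a minimum number of distinct hits.

```python
"""Minimal web filter that combines the two methods described above: a
host/IP blocklist checked first, then weighted keyword scoring of the page
body with a threshold and a minimum number of distinct keywords.

Added example, not code from the newsletter or from any product. Hostnames,
the address range, keyword lists and page bodies are all constructed.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed blocklist: exact hostnames plus a documentation address range.
BLOCKED_HOSTS = {"bets-example.test", "cracks-example.test"}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed keyword lists per policy category; the value is the weight per hit.
CATEGORY_KEYWORDS = {
    "gambling": {"casino": 3, "roulette": 3, "jackpot": 2, "bet": 1},
    "hacking": {"exploit": 2, "keylogger": 3, "cracked": 3, "warez": 3},
}
BLOCK_THRESHOLD = 6       # category score at or above this blocks the page
MIN_DISTINCT_HITS = 2     # one word repeated many times must not block on its own

WORD_RE = re.compile(r"[a-z]+")


def host_is_blocked(url):
    """True when the URL's host is on the blocklist, by name or by address."""
    host = urlsplit(url).hostname or ""
    if host in BLOCKED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not a literal address
        return False
    return any(addr in net for net in BLOCKED_NETS)


def score_body(body):
    """Score the page text per category; returns {category: (score, distinct_keywords_hit)}."""
    words = Counter(WORD_RE.findall(body.lower()))
    result = {}
    for category, keywords in CATEGORY_KEYWORDS.items():
        hits = {w: words[w] for w in keywords if words[w]}
        result[category] = (sum(keywords[w] * n for w, n in hits.items()), len(hits))
    return result


def decide(url, body):
    """Blocklist first, keyword scoring second. Returns (verdict, reason)."""
    if host_is_blocked(url):
        return "block", "host on blocklist"
    for category, (score, distinct) in score_body(body).items():
        if score >= BLOCK_THRESHOLD and distinct >= MIN_DISTINCT_HITS:
            return "block", f"keyword score {score} in category {category!r}"
    return "allow", "no rule matched"


# Constructed sample requests (URL, fetched page text).
SAMPLES = [
    ("http://bets-example.test/", "Welcome to our homepage."),
    ("http://198.51.100.7/login", "Welcome."),
    ("http://unknown-site.test/lucky", "Spin the roulette, win the jackpot, casino bonus today!"),
    ("http://news.test/story", "The casino in town closed after a bet on the weather."),
    ("http://advisory.test/", "Patch now: this exploit, exploit, exploit is public."),
]


def run_samples():
    """Evaluate every sample; returns [(url, verdict, reason), ...]."""
    return [(url,) + decide(url, body) for url, body in SAMPLES]


if __name__ == "__main__":
    for url, verdict, reason in run_samples():
        print(f"{verdict:5} {url:35} {reason}")
```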
The ones creating the filtering rules should also be aware that blocking popular and heavily visited sites will result in your employees' anger. Make sure you have clear rules and a logical understanding of why a certain site is considered forbidden.

What is the solution?

Educating the end users on the various threats posed by their Internet usage at work, or establishing a "you're monitored" policy with the idea of restricting their (defined by you) forbidden activities at work. Mainly emphasize how expensive it is for you to keep the company's current level of security, compared to their insecure behaviour while using the company's systems.

09. Home Users' Security Issues
--------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to provide them with their very own special section, discussing various aspects of Information Security in an easily understandable way, while, on the other hand, improving their current level of knowledge. If you have questions or recommendations for the section, direct them to security@astalavista.net

- Getting the best search results -

Many of you are probably frustrated when you use a search engine and the majority of results you get are commercial ones. But why do commercial pages appear whenever you're searching? Just because these sites have positioned themselves so that the simple search techniques which represent the majority of searches today will attract a larger audience. Let's assume that you use Google, probably because it's still the best and most popular search engine out there.
We have decided to provide you with various resources that will help you get the best results ever:

Google's Advanced Search Tips - http://www.google.com/help/refinesearch.html
Advanced Search Tips - http://www.seorank.com/google-advanced-search-tips.htm
Tips for using Google - http://www.searchforancestors.com/archives/google.html
Google Tips and Tricks - http://astalavista.com/index.php?section=dir&cmd=file&id=2546

10. Meet the Security Scene
-----------------------

In this section you are going to meet famous people, security experts and all personalities who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a great deal of useful information through this section. In this issue we have interviewed Candid Wuest, an active participant in the security industry.

Your comments are welcome at security@astalavista.net

------------------------------------------------

Interview with Candid Wuest

Astalavista: Candid, would you, please, introduce yourself to our readers and tell us more about your background in the security industry?

Candid: Well, my name is Candid and I have been working in the computer security field for several years now, performing different duties for different companies. For example, IBM Security Research and Symantec to name the most known ones. I got a master's degree in computer science but, in my opinion, in this business curiosity is the main thing that matters.

Astalavista: What do you think has had a major impact on the popularity of malware in recent years? Is it the easiness of coding a worm/trojan or the fact that the authors don't get caught?

Candid: Why do people code worms? Because they can? The first point I would like to mention here is the growth of the Internet as a whole in the last years. More people getting a system and more people getting broadband access means more people are exposed to the risks.
You may say the fish tank has grown over the years; therefore it is clear that there is now also more space for sharks in it. I think the few people who were caught have scared some and stopped them from doing the same, but the media hype they have caused has for sure attracted new ones to get started with the whole idea. So this might balance out even, and these were mostly smaller fishes, which didn’t take enough precautions.

Another point to mention is that it is really easy to download a source code and create your own malware, and it is getting easier every day. There are many bulletin boards out there with fast growing communities helping each other in developing new methods for malware or simply sharing their newest creations.

When recalling the last hundreds of worms we saw in the wild for the last time, most of them were similar and much alike. Nearly no direct destructive payload and not much innovation in regards to the used methods. Just a mass mailer here or an IRC bot there. That’s why I think the motivation is a mixture of the easiness of doing so and the mental kick suggested by the media, which pushes the bad underground hacker image. (Even though the media seldom uses the term hacker correctly in its original meaning.) This seems to motivate many to code malware: just because they can. In the future money might become a new motivation for malware writers, when industrial parties get involved in it.

Astalavista: Where's the gap between worms in the wild and the large number of infected computers? Who has more responsibility, the system administrators capable of stopping the threat at the server level, or the large number of people who don't know how to protect themselves properly?

Candid: As we all should know, 100% security will never be reached, regardless of what the sysadmin and the end user do. A good example of this is the recent issue with the JPEG and TIFF malware, which sneaked through many filters.
In my opinion the sysadmins have the easier task, as they can enforce their restrictions; often it’s just a question of having the time to do it properly. Don’t get me wrong here. I know the whole patching issue may be quite a pain sometimes. Of course, they have all the users and the management complaining if the restrictions are (too) tight, but that’s how it works, right :-)

Therefore I think often it is the end user who has not enough protection or simply does not care enough about it. Many users still think that no one will aim at them, as they are not an interesting target, but DDoS attacks for example do exactly target such a user. Of course, many end users don’t have the possibilities of a sysadmin. In general, it comes down to an AntiVirus and a personal firewall application, which still leaves enough space for intruders to slip through. So, as always, it should be a combination of an ISP, a sysadmin and an end user working together to protect themselves.

Astalavista: We've recently seen a DDoS mafia, something that is happening even now. What is the most appropriate solution to fight these? Do you think this concept is going to evolve in time?

Candid: DDoS attacks are quite hard to counter if they are performed in a clever way. I have seen concepts for which I haven’t seen a working solution yet. Some can be countered by load balancing and traffic shaping or by simply changing the IP address if it was hard coded. More promising would be if you could prevent the DDoS nets from being created, but this goes back to question number three.

Astalavista: Have you seen malware used for e-spionage, and do you think it's the next trend in the field?

Candid: This is nothing new; malware has been used for industrial e-spionage for years. Usually, it just isn't that well known, as those attacks might never get noticed or admitted in public. I have seen plenty of such attacks over the last years.
This for sure will increase in time as more business relevant data gets stored in vulnerable environments. In some sort you could even call phishing an art of espionage. But I think the next big increase will be in the adware & spyware field, where malware authors will start getting hired to write those applications, as it already happens today. Or are you sure that your favourite application is not sending an encoded DNS request back somewhere?

11. Security Sites Review
---------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

http://knowngoods.org/
The web interface is fairly straightforward: point your favorite web browser here, choose an OS and enter an application name, or the full path to the file.

http://johnny.ihackstuff.com/index.php?module=prodreviews
An inept or foolish person as revealed by Google. A recommended page.

http://openwall.com/
Open-source information security software.

http://worldwidewardrive.org/
The WorldWide WarDrive is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points.

http://perlmonks.org/
For all the Perl geeks out there, one of the best community sites.

12. Astalavista needs YOU!
---------------------

We are looking for authors that would be interested in writing security related articles for our newsletter, for people's ideas that we will turn into reality with their help, and for anyone who thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might concern you.

- Write for Astalavista -

What topics can I write about?
You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day, our Newsletter has more than 22,000 subscribers, so you can imagine what the exposure of your article and you will be. Impressive, isn't it! We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista; we are not interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributed article?

http://www.astalavista.com/media/files/malware.txt

Where and how should I send my article?

Direct your articles to dancho@astalavista.net and include a link to your article. Once we take a look at it and decide whether it is qualified enough to be published, we will contact you within several days, so please be patient.

Thanks a lot all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion
-------------------------------------------------

Astalavista.net is a world known and highly respected Security Portal offering an enormous database of very well-sorted and categorized Information Security resources, files, tools, white papers, e-books and many more. At your disposal are also thousands of working proxies, wargames servers where all the members try their skills and, most importantly, the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working links.
- Access to thousands of anonymous proxies from all over the world, daily updates
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received no matter the question asked.
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages, and a growing archive of white papers containing info on previous hacks of these servers is available as well.

http://www.astalavista.net/ The Advanced Security Member Portal

-------
Thawte Crypto Challenge - Crypto Vl - Be the first to crack the code and win!
http://ad.doubleclick.net/clk;10740215;10262135;j
-------

14. Astalavista Feedback Contest - 2004
-----------------------------------

Don't have an Astalavista.net membership? Are you a fan of Astalavista.com?

topic - "Astalavista.com - The beginning, the future and me in between"

description - write your own story: how you first knew about Astalavista.com, how long you have been visiting the site, how it helped you improve your security, or your organization's security, what makes you visit the site over and over again, when we evolved and what has changed. Share a funny or a serious situation related somehow to Astalavista.com - remember what it was when you first visited it and what it turned into. What do we have to improve, how do you see the page 5 years from now, what are our strong and weak points, but most of all, share a story that's worth telling!

minimum - 5 pages
maximum - up to you; the more comprehensive and original the feedback, the higher the chance to win the contest
deadline - 1st of November, 2004
prize - the most original and inspiring stories will be rewarded with a lifetime Astalavista.net - Advanced Security Member Portal membership

More information is available at:
http://www.astalavista.com/index.php?page=106

15. Final Words
-----------

Dear Subscribers,

Astalavista's Feedback Contest is now live at the site; we'll be expecting your comments and impressions about the site. Hope you have enjoyed Issue 9, watch out for Issue 10 with a lot of new content.
Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net