|-----------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 11              2 December 2004 -|
|- http://www.astalavista.com            -|
|- security@astalavista.net              -|
|-----------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
     - Online fraud tutorials... from the Secret Service?
     - Alleged DDoS kingpin joins most wanted list
     - Cisco firewall source code is for sale
     - Trojan horse targets mobile phones
     - New MyDoom attacks may signal 'Zero Day'
[03] Astalavista Recommends
     - PGP 101 - Getting, installing, and using PGP Freeware
     - Vtrace 0.1
     - Exploit Mitigation Techniques - presentation
     - Net Tools 3.1
     - AppRecon - applications identification
[04] Site of the month - FutureWar.net
[05] Tool of the month - Vodka-tonic - cryptography-steganography hybrid tool
[06] Paper of the month - Wireless devices vulnerability list
[07] Free Security Consultation
     - We have recently found out that sensitive documents were available..
     - A network attack was responsible for shutting down..
     - It's not that I don't trust the people that I employ, it's the..
[08] Enterprise Security Issues
     - Company's best practices on anti-spam prevention
[09] Home Users Security Issues
     - How to effectively fight spam - practical tips
[10] Meet the Security Scene
     - Interview with Dave Wreski, LinuxSecurity.com
[11] Security Sites Review
     - Shellcode Archive
     - Security-guide.de
     - ToolCrypt
     - Web-Hack.ru
     - TheHacktivist.com
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal
[14] Astalavista Banner Contest - 2004
[15] Final Words

01. Introduction
------------

Dear Subscribers,

Welcome to Issue 11 of Astalavista's Security Newsletter! In this edition we have covered the most significant security events during November; we featured two articles, concerning both corporate and home users, on how to effectively deal with spam; we also chatted with Dave Wreski from LinuxSecurity.com on various emerging security topics.
Astalavista Banner Contest - 2004 is now live; more information is available at:
http://www.astalavista.com/index.php?page=107

Enjoy your time, holidays are coming :)

Astalavista's Security Newsletter is mirrored at:
http://packetstormsecurity.org/groups/astalavista/

If you want to know more about Astalavista.com, visit the following URL:
http://astalavista.com/index.php?page=55

Previous Issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net

02. Security News
-------------

The Security World is a complex one. Every day a new vulnerability is found, new tools are released, new measures are made up and implemented, etc. In such a sophisticated Scene we have decided to provide you with the most striking and up-to-date Security News during the month, a centralized section that contains our personal comments on the issues discussed. Your comments and suggestions about this section are welcome at security@astalavista.net

-------------

[ ONLINE FRAUD TUTORIALS... FROM THE SECRET SERVICE? ]

As a jaunty flourish in its high-profile roundup of fraudsters and forgers last Thursday, the agency took over Shadowcrew.com, a New Jersey-based online crime bazaar that sits at the center of the government's "Operation Firewall" investigation. Officials locked out the user accounts and swapped in a new front page featuring a Secret Service banner, an image of a prison cell, and a list of federal charges against some site members.

More information can be found at:
http://securityfocus.com/news/9866
http://www.shadowcrew.com/

Astalavista's comments:

The Secret Service's "deface" of the group's site simply sends out a message to a very large and malicious audience, the group's other members, given the fact that the investigation itself must have taken a great deal of coordination and resources.
I wonder how many groups like this are still active, and how many are to come, having in mind the rise of phishing and ID thefts?

[ ALLEGED DDOS KINGPIN JOINS MOST WANTED LIST ]

The fugitive Massachusetts businessman charged in the first criminal case to arise from an alleged DDoS-for-hire scheme has appeared on an FBI most wanted list, while the five men accused of carrying out his will are headed for federal court.

More information can be found at:
http://securityfocus.com/news/9870
http://www.fbi.gov/mostwant/alert/echouafni.htm

Astalavista's comments:

Why is the government going after such a small fish with green bucks after all - probably because of the good publicity, but this is not the best way to send a message to potential DDoS-for-hire schemes, since the people behind these attacks are still out there, building zombie networks, underground economies, and DDoS and phishing services on demand.

[ CISCO FIREWALL SOURCE CODE IS FOR SALE ]

A group describing itself as the Source Code Club (SCC) has offered to sell source code for Cisco's PIX proprietary security firewall software to any taker for $24,000. In a note posted on a Usenet newsgroup, the group also said that it would make available other, unnamed source code to those who paid.

More information can be found at:
http://nwc.networkingpipeline.com/shared/article/showArticle.jhtml?articleId=51202557

Astalavista's comments:

Although Cisco has had quite a lot of source code leakages recently, I doubt whether this is a serious one; perhaps the folks behind it are desperately looking for cash. Cisco, as the world's most established networking company, should put more effort into safeguarding its source code. News reports like these make a mockery of the company's image.

[ TROJAN HORSE TARGETS MOBILE PHONES ]

A new Trojan horse that sends unauthorized spam to mobile phones via SMS has been detected by anti-virus authority Sophos, marking a new trend in the convergence of viruses and mass-mail attacks.
The Troj/Delf-HA Trojan horse infects a PC, then downloads instructions on which spam campaign to launch from a Russian telecom Web site, according to Gregg Mastoras, senior security analyst at Sophos. It can plague owners of cell phones by sending them unsolicited junk text messages over the carrier's network.

More information can be found at:
http://wireless.newsfactor.com/story.xhtml?story_title=Trojan-Horse-Targets-Mobile-Phones&story_id=28307

Astalavista's comments:

Welcome to the newborn world of mobile viruses and mobile spam; and with the number of banks doing banking over mobiles, mobile phishing attacks are soon to appear as well. A couple of interesting papers for you to read on the topic are available at:

http://www.sourceo2.com/NR/rdonlyres/ehunutobhlesv6szirdn2sd4ltxg7vkbhuh2ak4ziznoe4xgk3ezbsfdxlhi7i76zlsik5ujllbf4tetdzzw7vqajwb/CabirWormInfo.pdf
http://www.astalavista.com/index.php?section=dir&cmd=file&id=2315
http://www.astalavista.com/index.php?section=dir&cmd=file&id=1586

[ NEW MYDOOM ATTACKS MAY SIGNAL 'ZERO DAY' ]

The newest version of the MyDoom worm now circulating suggests to security experts that the much-anticipated "Zero Day attack" may have arrived. Zero Day refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This new MyDoom appeared only two days after a security flaw in Windows IE was made public, according to reports.

More information can be found at:
http://www.pcworld.com/news/article/0,aid,118580,00.asp

Astalavista's comments:

Slaves of the botnets?! Yes we are, the whole industry is. They fill every security gap, they make patching pointless, they update and fully load each other whenever a public or Zero Day exploit is found, thus creating yet another news story and a couple of thousand new zombies by the time administrators respond.
Further reading:
http://www.columbia.edu/~medina/docs/resnet/medina-resnet2004.pdf
http://www.sfbay-infragard.org/SUMMER2004/Botnets_Botherds-1.pdf

03. Astalavista Recommends
----------------------

This section is unique with its idea and the information included within. Its purpose is to provide you with direct links to various white papers covering many aspects of Information Security. These white papers are defined as a "must read" for everyone interested in deepening his/her knowledge in the Security field. The section will keep on growing with every new issue. Your comments and suggestions about the section are welcome at security@astalavista.net

" PGP 101 - GETTING, INSTALLING, AND USING PGP FREEWARE "

A tutorial on PGP for the complete beginner, screenshots included as well.
http://www.astalavista.com/?section=dir&act=dnd&id=3190

" VTRACE 0.1 "

Tool for visual tracert; shows the geographical location of a certain host.
http://www.astalavista.com/?section=dir&act=dnd&id=3187

" EXPLOIT MITIGATION TECHNIQUES - PRESENTATION "

Various exploit mitigation techniques revealed.
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3151

" NET TOOLS 3.1 "

An application bundling over 70 network/security tools, recommended!
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3163

" APPRECON - APPLICATIONS IDENTIFICATION "

AppRecon is a small Java tool that tries to identify applications by sending appropriate discovery broadcast packets.
http://www.astalavista.com/?section=dir&act=dnd&id=3214

04. Site of the month
------------------

http://www.futurewar.net/

FutureWar.net is a site dedicated to providing its visitors with quality and extensive information on various information warfare issues.

05. Tool of the month
------------------

Vodka-tonic - cryptography-steganography hybrid tool

Vodka-tonic is a cryptography-steganography hybrid tool. It is a three-level security system for paranoid people.
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3181

06. Paper of the month
-------------------

Wireless devices vulnerability list

Info on default settings and related vulnerabilities.
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3218

07. Free Security Consultation
--------------------------

Have you ever had a Security related question but you weren't sure where to direct it to? This is what the "Free Security Consultation" section was created for. Due to the high number of Security-related e-mails we keep getting on a daily basis, we have decided to initiate a service, free of charge. Whenever you have a Security related question, you are advised to direct it to us, and within 48 hours you will receive a qualified response from one of our Security experts. The questions we consider most interesting and useful will be published in the section. Neither your e-mail, nor your name will be present anywhere.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security service; we are doing our best to respond as soon as possible and provide you with an accurate answer to your questions.

---------

Question: Hello, Astalavista. I'm an IT manager for a small U.S.-based IT solutions company. We have recently found out that we have had sensitive information leaked out from our webserver to Google. By the time we removed it, there had been numerous downloads of the file. Although it's now gone from our server, Google still keeps a cache of it; any thoughts on this issue would be greatly appreciated from you, guys?

---------

Answer: Thanks for the email. The power of Google has created an entirely new group of malicious users - the Google hackers, namely individuals locating sensitive data and exploiting services and servers with the help of Google. It will take a while, up to a week and a half based on previous removal procedures I took care of; after that the file will be gone from Google's cache as well.
There are a couple of things you can do: keep the file, but with wrong information, so that you'll be able to misinform or detect competitors trying to locate sensitive data; most importantly, have a word with the person responsible for all web servers, and make him/her take advantage of robots.txt approaches, so that you can protect your entire web infrastructure and keep the sensitive files/directories out of Google.

More info is available at Google's site:
http://www.google.com/remove.html

---------

Question: A network attack of some kind was recently responsible for shutting down the connection between our branches in two different cities; we weren't able to detect a DDoS attack, nor was our ISP able to detect anything unusual. We have started an investigation - any ideas on what happened would be appreciated.

---------

Answer: Thanks for the extensive email and your request for advice on this issue. From what I've read it sounds like either an insider had knowledge of critical infrastructure and the physical insecurities around it, or an application level DoS attack simply shut down these vital servers. I would recommend you make sure that the servers aren't compromised by the use of integrity checkers, since you already have them in place, and pay attention to a possible insider threat. I'm sure if you look deeper, you will be able to clarify what happened.

A useful paper on Application level DoS attacks can be found at:
http://www.corsaire.com/white-papers/040405-application-level-dos-attacks.pdf

Another useful article on insiders can be found at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci906437,00.html

----------

Question: Hi, folks at Astalavista.com. Congratulations on the security resource you've been providing me with for the past several years. It helped me achieve a lot in my ITSec career. I wanted to request an additional opinion on an issue that has been bothering me for a very long time.
It's not that I don't trust the people that I employ, I do, since trust is vital, but how do I protect from insiders, so that the company does not turn into a commercial BigBrother :)

----------

Answer: Depends on what you're doing and how sensitive it is. You might need to turn your enterprise into a BigBrother to a certain extent. Staff monitoring is a hot and complicated topic given the different laws and regulations across the globe. Most of all, staff monitoring should act as an enforcement tool when implementing your company's security policy; otherwise the amount of information gathered could be abused to a great extent. Your employees aren't watched, they're just monitored - this is the feeling that your monitoring program should represent and enforce.

08. Enterprise Security Issues
--------------------------

In today's world of high speed communications, of companies completely relying on the Internet for conducting business and increasing profitability, we have decided that there should be a special section for corporate security, where advanced and highly interesting topics will be discussed in order to provide that audience with what they are looking for - knowledge!

- Company's best practices on anti-spam prevention -

Spam represents one of the biggest threats to our business and personal email communication. Every day millions of spam messages are sent, a couple of hundred people are lured into the ads, and several thousand think they've removed themselves from the senders' lists - a certain loss of productivity when employees are constantly bothered by spam. In this issue we have decided to provide company or IT managers with practical tips on how to deal with the problem.

The problems with mail server bandwidth

Given the different sizes of organizations and the publicity of their emails, the unnecessary flood of daily spam can cause additional, sometimes above average, bandwidth costs to an organization.
It can contribute to certain delays in processing emails as well.

The problems with loss of productivity

The flood of spam targeting your employees can result in a significant loss of productivity; everyone has to manually go through the spam and delete it. Employees tend to believe that the company has better anti-spam filters than the ones at their free web based or ISP mail accounts; this is why they often use their company emails on public forums etc.

Practices to safeguard the company's infrastructure

- the anti-email exposure policies

Your company has to develop and closely monitor the enforcement of an anti-email exposure policy, namely that the company's email accounts shouldn't be used at public www boards, mailing lists etc. If enforced successfully, this might significantly limit the amount of spam towards your mail servers.

- the use of web forms

The use of web forms instead of plain info@example.com emails is strongly recommended. Yes, it's very convenient for a customer to reach you, but the same goes for the spammer as well. Besides, users don't mind filling out web forms.

- the use of cost-effective open-source solutions

The SpamAssassin Project (http://spamassassin.apache.org/) is one of the most effective anti-spam approaches I have used so far, besides developing an effective white listing model. It works perfectly well even on a high bandwidth server processing thousands of mails daily.

09. Home Users' Security Issues
--------------------------

Due to the high number of e-mails we keep getting from novice users, we have decided that it would be a very good idea to provide them with their very special section, discussing various aspects of Information Security in an easily understandable way, while, on the other hand, improving their current level of knowledge.

- How to effectively fight spam - practical tips -

How many messages did you get today? I got 14 even though I thought there was spam protection in place.
The truth is that spammers are getting smart - they're now using our own computers, once breached, to distribute spam. Yes, this is right - you might actually be sending all that spam to yourself and your friends without even knowing it. This article will provide you with practical tips on how to deal with spam and avoid the most general mistakes.

How spammers harvest your emails

- from public web forums or places where your email is in plain text like you@yahoo.com
- from fake mailing lists and sites created with the idea to gather as many emails as possible

How to protect your email

- Have a couple of emails: one for personal reasons, another for business, and yet another one to give out for mailing lists and web site submissions, so that if there are unethical activities behind a site you'll be able to find that out very easily.
- Read your email offline. A large number of spammers no longer require you to reply or somehow interact with the message: once you open it, it sends back a confirmation, so your email is now known as an active one, meaning you'll get even more spam.
- Never reply to a spammer or try to manually remove yourself from the list, simply because this is just another way to confirm that your email is real and active.
- Whenever posting your email somewhere, make sure it is in the following form, thus protecting against spam harvesters: you@yahoo.com would be you AT yahoo DOT com or you [at] yahoo.com.

A recommended article that will give you more details on how to protect yourself can be downloaded at:
http://www.astalavista.com/?section=dir&act=dnd&id=3194

10. Meet the Security Scene
-----------------------

In this section you are going to meet famous people, security experts and all personalities who in some way contribute to the growth of the community. We hope that you will enjoy these interviews and that you will learn a great deal of useful information through this section.
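Before the interview, an added example (not part of the newsletter) illustrating the home users' spam tips in section 09 above: a small Python script that rewrites an address into the "you AT yahoo DOT com" form, checks text you are about to post for addresses a harvester would still pick up, and reports which of your purpose-specific addresses a spam message was delivered to, which is what points at the site that passed it on. All addresses and the sample message are constructed for the example.

```python
import email
import re

# Added example, not part of the newsletter. It demonstrates two of the tips
# above: posting an address in a form a harvester does not match, and handing
# out a separate address per purpose so that a leak can be traced to its source.
# All addresses and the sample message below are constructed for this example.

# The kind of pattern an address harvester uses to pull plain addresses out of
# a web page or a mailing-list archive.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate(address, style="words"):
    """Rewrite user@host.tld as 'user AT host DOT tld' or 'user [at] host.tld'."""
    user, _, domain = address.partition("@")
    if style == "words":
        return f"{user} AT {domain.replace('.', ' DOT ')}"
    if style == "brackets":
        return f"{user} [at] {domain}"
    raise ValueError(f"unknown style: {style}")


def harvestable(text):
    """Return the plain addresses a simple harvester would collect from text.

    Use it as a check on a forum post or web page before publishing it: an
    empty list means nothing is left in the plain user@host form.
    """
    return PLAIN_ADDRESS.findall(text)


# One address per purpose (constructed values). Only the "signups" address is
# ever typed into mailing lists and web forms, so spam reaching it points at
# one of the sites it was given to.
PURPOSE_ADDRESSES = {
    "personal": "you@example.net",
    "business": "you@company.example",
    "signups": "you-signups@example.net",
}


def delivered_to(raw_message):
    """Return the purpose (key of PURPOSE_ADDRESSES) that a message reached.

    Looks at the To and Cc headers only; returns None if the message was not
    addressed to any of our addresses (for instance if it arrived via Bcc).
    """
    msg = email.message_from_string(raw_message)
    recipients = set()
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            recipients.update(a.lower() for a in PLAIN_ADDRESS.findall(value))
    for purpose, address in PURPOSE_ADDRESSES.items():
        if address.lower() in recipients:
            return purpose
    return None


# A constructed spam message received at the signup-only address.
SAMPLE_SPAM = """From: deals@bulk-sender.example
To: Undisclosed <you-signups@example.net>
Subject: Cheap offers

You have been selected...
"""

if __name__ == "__main__":
    print(obfuscate("you@yahoo.com"))               # you AT yahoo DOT com
    print(harvestable(obfuscate("you@yahoo.com")))  # []
    print(delivered_to(SAMPLE_SPAM))                # signups
```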
In this issue we have interviewed Dave Wreski from LinuxSecurity.com

Your comments are welcome at security@astalavista.net

------------------------------------------------

Interview with Dave Wreski, http://www.linuxsecurity.com/

Astalavista: Dave, tell us something more about your background in the InfoSec industry and what is LinuxSecurity.com all about?

Dave: I have been a long-time Linux enthusiast, using it before version v1.0 on my 386DX40 home PC, which prompted me to dump Windows shortly thereafter and I've never looked back. In early 1993 I began to realize the tremendous value that Linux could bring to the security issues I was facing. I found the decisions I was making, with regard to managing computer systems, were more and more based on the impact security had on the data residing on those systems. It's certainly more challenging to keep the bad guys out than it is the other way round - the bad guys have to only be right once, while the good guys have to always make the right decisions. So I created a company to help ensure the good guys had the tools necessary to make the most effective choices to keep their networks secure. The void in comprehensive information on security in the Linux space was the primary reason I started LinuxSecurity.com in 1996. Since then, we have seen millions of visitors make it their primary information resource. In fact, we're completely revamping the site with new features, greater functionality and a whole new look - launching December 1st.

Astalavista: What was the most important trend in the open-source security scene during the last couple of years, in your opinion?

Dave: Actually, there have been so many that it's difficult to focus on any one in particular. Certainly, the adoption of open standards by many vendors and organizations makes it much easier to communicate between disparate systems securely.
The maturity of the OpenSSH/OpenSSL projects, IPsec, and even packet filtering has enabled companies, including Guardian Digital, to create solutions to Internet security issues equal to, or better than, their proprietary counterparts.

Astalavista: The monopoly of Microsoft, in terms of owning more than 95% of the desktops in the world, has resulted in a lot of debate on how insecure the whole Internet is because of their insecure software, whereas my personal opinion is that if Red Hat had 95% of the desktop market, the effect would be the same. Do you think their software is indeed insecure, or does it just happen to be the one most targeted by hackers?

Dave: I think the mass-market Linux vendors try to develop a product that's going to provide the largest number of features, while sacrificing security in the process. They have to appeal to the lowest common denominator, and if that means delivering a particular service that is requested by their customers, then much of the responsibility for security falls on the consumer, who may or may not be aware of the implications of not maintaining a secure system, and in all likelihood does not possess the ability to manage the security of their system.

Astalavista: The appearance of Gmail and Google Desktop had a great impact on the privacy concerns of everyone; however, these expansions by Google happened to be very successful. Do you think there's really a privacy concern about Google, their services and privacy policy, and, most importantly, the future of the company?

Dave: No, not really. I actually think that most of us gave up our privacy years ago, and any privacy that remains is only in perception. There's far more damage that could be done through things like the United States Patriot Act than there is through Google reading your general communications. Anyone who has half a brain and wants to make sure their communications are not intercepted is using cryptography for electronic issues.
Astalavista: We've recently seen an enormous increase in phishing attacks, some of which are very successful. What caused this, in your opinion? What is the way to limit these, from your point of view?

Dave: Reduce the human factor involvement somehow. Phishing is just the new "cyber" term for social engineering, which has existed forever. Through the efforts of Guardian Digital, and other companies concerned about the privacy and security of their customers' data, we are making great strides towards user education, and providing tools for administrators to filter communications.

Astalavista: Spyware is another major problem that has created an industry of companies fighting it, and while the government is slowly progressing on the issue, the majority of PCs online are infected by spyware. Would you, please, share your comments on the topic?

Dave: This issue is different from issues such as phishing because the end-user is not aware it is occurring. The responsibility here falls directly on the operating system vendor to produce an environment where security is maintained. In other words, by creating software that enables the end-user to better define what constitutes authorized access, users can develop a situation where this type of attack does not succeed. In the meantime, application-level security filters and strict corporate information policies thwart many of these types of attacks.

Astalavista: What do you think will happen in the near future with Linux vs. Microsoft? Shall we witness more Linux desktops, or will entire countries be renovating their infrastructure with Unix-based operating systems?

Dave: We are already seeing a growing trend on an international level in the migration from Windows operating systems to Linux.
Guardian Digital has implemented several Linux-based solutions for multi-national and international corporations who recognize the costs and security risks associated with a Windows system, and if our business is any indication of the growth potential, I'd say Microsoft is going to have a real fight on their hands. Although I'm not too involved in the desktop space itself, I am completely comfortable with my cobbled-together Linux desktop, much more than just a few years ago. I think that as more and more computing tasks become distributed - moved from the desktop to being powered by a central server - it will become easier to rely on Linux on the desktop and the growth will continue.

11. Security Sites Review
---------------------

The idea of this section is to provide you with reviews of various highly interesting and useful security related web sites. Before we recommend a site, we make sure that it provides its visitors with quality and unique content.

- Shellcode Archive -
http://www.shellcode.com.ar/
Large shellcode and papers archive.

- Security-guide.de -
http://www.security-guide.de/
A German security related web site, quality content.

- ToolCrypt -
http://www.toolcrypt.org/
Various crypto and security related tools, a must visit.

- Web-Hack.ru -
http://www.web-hack.ru/
A Russian security web site, useful content.

- TheHacktivist.com -
http://www.thehacktivist.com/
A resource discussing hacktivism and electronic civil disobedience.

12. Astalavista needs YOU!
---------------------

We are looking for authors that would be interested in writing security related articles for our newsletter, for people's ideas that we will turn into reality with their help, and for anyone who thinks he/she could contribute to Astalavista in any way. Below we have summarized various issues that might concern you.

- Write for Astalavista -

What topics can I write about?
You are encouraged to write on anything related to Security:

General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure Programming

What do I get?

Astalavista.com gets more than 200 000 unique visits every day, and our Newsletter has more than 22,000 subscribers, so you can imagine what the exposure of your article, and of you, will be. Impressive, isn't it! We will make your work and you popular among the community!

What are the rules?

Your article has to be UNIQUE and written especially for Astalavista; we are not interested in republishing articles that have already been distributed somewhere else.

Where can I see a sample of a contributing article?

http://www.astalavista.com/media/files/malware.txt

Where and how should I send my article?

Direct your articles to security@astalavista.net and include a link to your article. Once we take a look at it and decide whether it is qualified enough to be published, we will contact you within several days; please be patient.

Thanks a lot to all of you, our future contributors!

13. Astalavista.net Advanced Member Portal Promotion
-------------------------------------------------

Astalavista.net is a world known and highly respected Security Portal, offering an enormous database of very well-sorted and categorized Information Security resources - files, tools, white papers, e-books and many more. At your disposal are also thousands of working proxies, wargames servers where all the members try their skills and, most importantly, the daily updates of the portal.

- Over 3.5 GByte of Security Related data, daily updates and always working links.
- Access to thousands of anonymous proxies from all over the world, daily updates.
- Security Forums Community where thousands of individuals are ready to share their knowledge and answer your questions; replies are always received no matter what question is asked.
- Several WarGames servers waiting to be hacked; information between those interested in this activity is shared through the forums or via personal messages; a growing archive of white papers containing info on previous hacks of these servers is available as well.

http://www.astalavista.net/
The Advanced Security Member Portal

14. Astalavista Banner Contest - 2004
-----------------------------------

Are you good at designing creatives (banners, buttons, wallpapers etc.)? Would you like to contribute to Astalavista.com with your talent and creativity? And would you appreciate it if we provided the most talented of you with the brand new Astalavista DVD or a FREE Astalavista.net membership? All you have to do is simple - participate!

At Astalavista.com we have always valued designers and provided them with the opportunity to publish their work in our Gallery section, while rewarding the best creatives with Astalavista.net memberships. So far we have had several successful creative contests, mainly because we are well aware of the high number of designers visiting our site. Enjoy this year's creative contest!

We are looking for the following Astalavista.com and Astalavista.net related creatives:

- banners
Banners should be in the following size only (468 x 60)

- buttons
Buttons should be in the following size only (88 x 31)

- Prize
The brand new Astalavista DVD, or a free membership to Astalavista.net - Advanced Security Member Portal

More information is available at:
http://astalavista.com/index.php?page=107

15. Final Words
-----------

Dear Subscribers,

Thanks for your feedback and participation in our contests; we hope you've enjoyed issue 11. Thanks for your time, till the next Christmas issue of Astalavista Security Newsletter.

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net