Nmap 4.75 recognizes iPhones and visualizes networks

September 11th, 2008

Linux Magazine has the details on Nmap 4.75, and there is some cool new stuff in this release.

“If we are going to call Nmap the ‘Network Mapper’, it should at least be able to draw you a map of the network!” writes developer Fyodor in announcing the newest version, 4.75, of the Nmap security scanner.

It’s a nice addition to the product. From the article, “Developers have integrated a network topology visualization tool in Nmap’s Zenmap graphical user interface by using RadialNet. And the network scanner now also recognizes iPhones and Wii consoles.”

Check out the full article here.

Kevin Blanchard

This Valentine’s Day make sure to use protection

February 12th, 2008

Protection from computer viruses that is ;-)

With Valentine’s Day just a couple of days away it is important to be aware that malicious viruses and worms do not take holidays off. The Storm Worm is the most likely candidate to ruin this Hallmark romantic holiday. Not even two months ago the Storm Worm took advantage of the Christmas holiday using various means to infect users. With Valentine’s Day approaching we could see similar tactics used to try to infect users again.

The FBI posted a warning yesterday on their Cyber Investigation E-scam site about possible Storm Worm attacks as we approach Valentine’s Day.

“02/11/08—With the Valentine’s Day holiday approaching, be on the lookout for spam e-mails spreading the Storm Worm malicious software (malware). The e-mail directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm Worm botnet. A botnet is a network of compromised machines under the control of a single user. Botnets are typically set up to facilitate criminal activity such as spam e-mail, identity theft, denial of service attacks, and spreading malware to other machines on the Internet.

The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail. Valentine’s Day has been identified as the next target.

Be wary of any e-mail received from an unknown sender. Do not open any unsolicited e-mail and do not click on any links provided.

If you have received this, or a similar e-mail, please file a complaint at www.ic3.gov.”

Kevin Blanchard

A new dwarf crime ring in Sweden?

February 7th, 2008

The Register has a story about Swedish police investigating a new outbreak of crimes involving the robbing of cargo holds of coaches. The kicker? Swedish police are investigating “people of limited stature” with criminal records because the police believe the crimes are possibly being committed by dwarves being smuggled on board in baggage. Sounds like something out of a movie.

Full Story: Dwarves hidden in sports bags target Swedish coaches

Kevin Blanchard

The Top 5 VoIP Security Threats of 2008

January 25th, 2008

VoIP News is running a story right now about what they list as the top 5 VoIP Security Threats of 2008.

If you want the 30 second quick version of the article, they list the top 5 VoIP threats as:

  1. DoS (denial of service) Attacks on VoIP Networks
  2. VoIP Eavesdropping
  3. Microsoft Office Communications Server
  4. Vishing by VoIP
  5. VoIP Attacks Against Service Providers

The full article goes into a fair amount of detail about these attacks and ways to combat them. The article can be found here.

The article also links to a white paper titled “A Proactive Approach to VoIP Security”. This white paper may be of interest to some of my readers. You can download the white paper from here (registration required).

Kevin Blanchard

I saw your mom naked on the internet!

January 23rd, 2008

These are no longer just words yelled by boys at one another on a school playground; it may actually be true if your mom has a MySpace account.

A bug discovered over the past few months and finally fixed last week exploited a backdoor in the design of MySpace that allowed anyone to see your photos, even in private profiles. Third-party websites started popping up when the bug was first discovered, making it even easier to exploit the bug and view photos. To no surprise, many of the sites sold themselves as “voyeur” and pedophile-type sites focusing on viewing photos in the private profiles of MySpace members under 18. By default, a profile owned by a user under 16 is set to private. According to MySpace, this should allow only the MySpace friends you have approved to view your profile information and photos.

The exploit was mainly targeted at MySpace users who have their profiles set to “private”. Clicking on the photo link of a private profile should normally give non-friends this message: “This profile is set to private. This user must add you as a friend to see his/her profile.” But using this exploit, anyone, with or without a MySpace account, could access the photos by replacing the friend ID in the URL with the friend ID of the user whose profile they were trying to view.

The only users safe from this exploit were those who specifically set their MySpace photo galleries to private in addition to their profile security settings. This comes at a bad time for MySpace. Though this exploit didn’t just target underage users, MySpace had already been under a microscope for other pedophile-related investigations. MySpace reached agreements with 49 state attorneys general this week that were meant to help MySpace make its site safer for underage users.

This exploit has been around for over 3 months now. MySpace shouldn’t have been in the dark on this issue. I can understand a company not being aware of a zero-day exploit or maybe even a first-week exploit, but 3+ months? Not only has it been circulating around message boards this entire time, but (ad-driven) third-party websites have been profiting off this exploit and making it easier to view private photos and profiles. You would think that with all of this going on SOMEONE at MySpace would have jumped on this and fixed it. This shows MySpace still has a long way to go before users, parents and government agencies can trust MySpace to do a proper job of ensuring the safety and privacy of its users.
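The flaw described above is a textbook missing authorization check: the profile page enforced the privacy setting, but the photo route trusted whatever friend ID appeared in the URL. The fact that only users who had separately marked their galleries private were safe is the symptom of that check living in one place instead of on every route that serves profile-owned data. The following is an added example written for this post, not MySpace’s code; the `Profile` class, the in-memory `PROFILES` store and the user IDs are constructed stand-ins. It shows the flawed pattern beside the hardened one.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    private: bool
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)


# Constructed sample data standing in for the site's user store.
PROFILES = {
    1001: Profile(1001, private=True, friends={2002}, photos=["beach.jpg", "party.jpg"]),
    2002: Profile(2002, private=False, photos=["dog.jpg"]),
}

PRIVATE_MSG = ("This profile is set to private. "
               "This user must add you as a friend to see his/her profile.")


def photos_vulnerable(friend_id, viewer_id=None):
    """Flawed pattern: the gallery endpoint trusts the friendID taken from the
    URL and never asks whether the viewer may see that profile at all.
    Returns (status, photos)."""
    profile = PROFILES.get(friend_id)
    if profile is None:
        return ("not_found", [])
    return ("ok", list(profile.photos))


def can_view(profile, viewer_id):
    """Privacy decision: public profiles are visible to anyone; private
    profiles only to the owner and to accepted friends. Anonymous requests
    (viewer_id is None) never pass the private check."""
    if not profile.private:
        return True
    if viewer_id is None:
        return False
    return viewer_id == profile.user_id or viewer_id in profile.friends


def photos_fixed(friend_id, viewer_id=None):
    """Hardened pattern: the same privacy decision the profile page makes is
    applied on every route that returns profile-owned data, so a guessed or
    substituted ID yields a denial rather than the photos."""
    profile = PROFILES.get(friend_id)
    if profile is None:
        return ("not_found", [])
    if not can_view(profile, viewer_id):
        return ("denied", [])
    return ("ok", list(profile.photos))


if __name__ == "__main__":
    # Anonymous request against a private profile, through each handler.
    print("vulnerable:", photos_vulnerable(1001))
    status, photos = photos_fixed(1001)
    print("fixed:", status, photos or PRIVATE_MSG)
    print("fixed, as an approved friend:", photos_fixed(1001, viewer_id=2002))
```

The design point is that `can_view` is a single function called from every route that hands out profile data, so a second privacy setting on the gallery is not needed to keep the gallery consistent with the profile.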

Kevin Blanchard

Storm Worm takes advantage of Christmas bliss

December 27th, 2007

It’s been a while since I have updated. This time of year is always crazy. But at least I return with a good one. This time of year is stressful enough for many, without having to worry about things like this while trying to spread holiday cheer.

‘Tis the season and there’s a storm a brew’n. The Storm Worm that is… and it’s back. < / awful puns >

We saw the Storm Worm back at the beginning of the year (2007). It was a huge headache for home users and system admins alike. According to Wikipedia, “The Storm Worm began infecting thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, ‘230 dead as storm batters Europe’. During the weekend there were six subsequent waves of the attack. As of Monday, January 22, 2007 the Storm Worm accounted for 8% of all infections globally.”

If you thought parents elbowing and kicking each other for the last Tickle Me Elmo doll this time of year was bad, the creators of the Storm Worm had a surprise for you, just in time for Christmas. A new version of the Storm Worm has surfaced, taking advantage of users during this holiday season.

Ars Technica is reporting that “Storm-infected systems are kicking out spam mail directing recipients to the Merry Christmasdude.com website (space inserted for security purposes). Once there, visitors are bounced to a few shell sites, shown various “holiday-themed” images and offered a (fake) video codec download. Download and install it, and the worm promptly connects to various P2P sites and begins spamming. Russ McRee at HolisticInfoSec.org has a writeup on the worm’s specific activities and system modifications for those curious about how Storm does what it does. This new iteration of Storm appears to duplicate most, if not all, of its predecessor’s approach to infecting and configuring the target PC.”

If you are concerned about infection, check the website of the company that makes your anti-virus program; a little Google-fu should also tell you whether you are currently protected.

Some of the observed e-mail subjects from the Storm Worm include (but are not limited to):

  • The Twelve Girls Of Christmas
  • Time for a little Christmas Cheer
  • Merry Christmas To All
  • Christmas Email
  • Warm Up this Christmas
  • The Perfect Christmas
  • Santa Said, HO HO HO
  • I love this Carol!
  • Find Some Christmas Tail
  • Mrs. Clause Is Out Tonight!
  • Cold Winter Nights
  • Jingle Bells, Jingle Bells

Sadly I was on vacation and unable to post about this sooner. Most of the damage will have been done on Christmas, two days ago. Hopefully this post will at least minimize any aftershocks or allow users who may have been infected and not realize it to be aware of this worm and do something about it.

Kevin Blanchard

More on P2P. Know the value of a blocklist.

October 11th, 2007

Let me start by saying I am not endorsing the use of P2P for illegal uses. The goal of my blog is to raise security awareness as a whole. Now, that said…

Ars Technica is running a story right now about a team of California researchers who looked at the impact of using a blocklist when connecting to P2P networks and how it affected how likely you were to be tracked. Their findings?

“The old cliché “You’re not paranoid if they really are out to get you” turns out to apply quite nicely to the world of P2P file-sharing. A trio of intrepid researchers from the University of California-Riverside decided to see just how often a P2P user might be tracked by content owners. Their startling conclusion: “naive” users will exchange data with such “fake users” 100 percent of the time.”

I will highlight the conclusions for those who do not wish to read the whole article.

  1. If you don’t use a blocklist, you will be tracked. Every one of the researchers’ test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.
  2. Trackers aren’t that hard to avoid. While “naive” clients may all connect to blocklisted users, it wasn’t that hard to stay away from the vast majority of such “fake users.” Researchers found that “avoiding just the top 5 blocklisted IPs reduces the chance of being tracked to about 1 percent.”
  3. Content owners hide their tracks. Much of this tracking work is farmed out from content owners to companies like SafeNet and BayTSP, and these companies in turn take care to hide their tracks. When the researchers ran reverse DNS lookups on the blocklisted ranges, they found that only 0.5 percent of those addresses resolved back to media companies in an obvious way.
  4. Meet the BOGONS. One of the strategies for remaining anonymous is to operate from BOGON IP ranges. These ranges are unallocated blocks of addresses that should ordinarily not be used on the public Internet. Of the top fifteen blocklist entities that were discovered during testing, 12 were in BOGON ranges. The researchers note that “these sources deliberately wish to conceal their identities while serving files on P2P networks,” and reverse DNS queries on these addresses produce little useful information.

If you are using a P2P network, know the value of a blocklist. Using a blocklist isn’t a silver bullet by any means. Whether it be someone gathering information for a future lawsuit or a malicious user or group doing information reconnaissance, it will at least give you an additional layer of security.

The original article isn’t very long (one page). If you wish to read the full article you can find it here: P2P researchers: use a blocklist or you will be tracked… 100% of the time

If you wish to read the results of the study, they are outlined in a recent paper here: “P2P: Is Big Brother Watching You?” (PDF)
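To make the conclusions above concrete, here is an added example, written for this post and not taken from the paper or from any blocklist tool. It assumes a blocklist keyed by the entity operating each CIDR range and a list of peer addresses observed in a swarm; both are constructed here from RFC 5737 documentation ranges and the reserved 240.0.0.0/4 block (the latter standing in for a bogon range). The functions compute the share of peers that fall in blocklisted ranges, rank the entities hit most often, and estimate the residual exposure of a client that avoided only the top-n entities, which is the shape of the paper’s “avoiding the top 5 blocklisted IPs” result.

```python
import ipaddress
from collections import Counter

# Constructed blocklist, keyed by the entity that operates each range.
BLOCKLIST = {
    "tracker-a": ["198.51.100.0/24"],
    "tracker-b": ["203.0.113.0/25"],
    "bogon-sample": ["240.0.0.0/4"],  # reserved space that should never appear as a peer
}

# Constructed peer addresses a client might see in a swarm.
PEERS = [
    "192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.200",
    "203.0.113.5", "203.0.113.200", "240.1.2.3", "192.0.2.12",
]


def compile_blocklist(blocklist):
    """Parse the CIDR strings once; returns a list of (network, entity) pairs."""
    return [(ipaddress.ip_network(cidr, strict=False), entity)
            for entity, cidrs in blocklist.items() for cidr in cidrs]


def lookup(ip, compiled):
    """Return the blocklisted entity whose range contains ip, or None.
    First matching range wins; ranges in this sample do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, entity in compiled:
        if addr in net:
            return entity
    return None


def split_peers(peers, compiled):
    """Return (peers outside every listed range, Counter of entities hit)."""
    allowed, hits = [], Counter()
    for ip in peers:
        entity = lookup(ip, compiled)
        if entity is None:
            allowed.append(ip)
        else:
            hits[entity] += 1
    return allowed, hits


def blocked_fraction(peers, blocklist):
    """Share of observed peers that fall inside blocklisted ranges."""
    if not peers:
        return 0.0
    _, hits = split_peers(peers, compile_blocklist(blocklist))
    return sum(hits.values()) / len(peers)


def top_entities(peers, blocklist, n):
    """The n entities encountered most often, as (entity, count) pairs."""
    _, hits = split_peers(peers, compile_blocklist(blocklist))
    return hits.most_common(n)


def residual_exposure(peers, blocklist, n):
    """Fraction of peers still in listed ranges if a client avoided only the
    top-n entities, i.e. how much of the benefit a partial list already gives."""
    top = {entity for entity, _ in top_entities(peers, blocklist, n)}
    remaining = {e: cidrs for e, cidrs in blocklist.items() if e not in top}
    return blocked_fraction(peers, remaining)


if __name__ == "__main__":
    compiled = compile_blocklist(BLOCKLIST)
    allowed, hits = split_peers(PEERS, compiled)
    print("peers kept:", allowed)
    print("entities hit:", hits.most_common())
    print("blocked fraction:", blocked_fraction(PEERS, BLOCKLIST))
    print("exposure after avoiding top 1:", residual_exposure(PEERS, BLOCKLIST, 1))
```

Note that a blocklist only answers “is this address in a range someone has already catalogued”; the reverse-DNS finding in the article (0.5 percent of listed addresses resolving to media companies) is exactly why a list cannot be built from names alone, and why ranges that should not be routable at all, the bogons, deserve their own entry.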

Kevin Blanchard

The beginning of the end for DRM?

September 25th, 2007

DRM has never been a popular way to distribute music. It has been common, but not popular. Traditional DRM has been criticized for good reason. It’s a technology that supports a business model that treats every customer like a criminal. In the case of music, the assumption is, “well, some people may share their purchased music with friends or online, so we are going to cripple what you can do with it from the get-go”. Again, DRM, in the case of music, assumes everyone is a criminal. I am not saying that there aren’t people bending the law, or flat out breaking it, when it comes to the distribution of music files, but that doesn’t mean that every user should be forced to purchase crippled music files. If piracy really is a problem, then a suitable technology should be developed that will thwart piracy (if such a solution could even exist) without restricting or removing fair use for Joe User.

Apple’s online media store, the iTunes Store, has been one of the top retailers of online music over the past couple of years. On February 6, 2007 Steve Jobs wrote an open letter to the music industry voicing his dislike of DRM. Steve Jobs was not the first to publicly criticize DRM, but he was one of the first to openly criticize it while being the head of a company in the business of selling online music. So as not to be hypocritical, Apple followed up two months later by offering non-DRM music on the iTunes Store for a slightly higher price. Now, in a move that will surely shake up the online music market, Amazon has just launched their music catalog DRM FREE.

Is this the beginning of the end for DRM? Users of (legally) downloaded music have always complained about the restrictive nature of DRM’ed music. They have felt betrayed, being treated like a criminal with music they legally paid for yet have had little to no control over: what player they use, what format it is in, or sometimes even how long they have “permission” to play the song before it becomes unplayable. With major players like Apple and now Amazon jumping on board, this may signal a new shift away from DRM in the online music industry, not only offering consumers what they want but also sending a loud message to the music industry: “DRM is NOT the way to do it”.

Kevin Blanchard

MediaDefender: Victim of hackers or just a victim of karma?

September 20th, 2007

Unless you have been living under an internet rock this past week, you have heard all the news surrounding the company MediaDefender. From MediaDefender’s website, “MediaDefender, Inc. is the leading provider of anti-piracy solutions in the emerging Internet-Piracy-Prevention (IPP) industry. We provide services that stop the spread of illegally traded copyrighted material over the Internet and Peer-to-Peer networks.”

In February 2007, MediaDefender launched a video sharing site called Miivi.com. Back on July 4th it was discovered that the video download site MiiVi was really a “honey pot” (fake site) put up to track individuals downloading videos illegally. In an interview with Ars Technica, chief executive Randy Saaf stated that “MediaDefender was working on an internal project that involved video and didn’t realize that people would be trying to go to it and so we didn’t password-protect the site”. MiiVi was shut down that same day, July 4th, 2007.

This past week, six months’ (700 MB) worth of e-mails were leaked and spread all over the internet. The e-mails contain information about the various tactics and technical solutions for tracking P2P users and disrupting P2P services. Following the leak, TorrentFreak alleged that MediaDefender’s statement about MiiVi being an “internal project” (see quote above) was a deliberate falsehood. The e-mails revealed that the site was closed when this fact became public knowledge, and was scheduled to be re-launched as www.viide.com. Viide.com has not yet been opened up to the public.

Quoted from an article on Ars Technica:
“MediaDefender’s damage control program went into full swing shortly after that. When Douglas pointed out that information about MiiVi had been added to the MediaDefender Wikipedia page, Saaf decided that he wanted it taken down. “Can you please do what you can to eliminate the entry? Let me know if you have any success,” Saaf wrote. “I will attempt to get all references to miivi removed from wiki,” developer Ben Ebert replied. “We’ll see if I can get rid of it.”

After a statement Saaf sent to Digital Daily was included in a blog entry, Saaf sent an e-mail to a handful of MediaDefender employees asking if it would be a good idea to post it to the Digg.com news site. He also suggested possibly having MediaDefender employees post comments. Referring to the Digg community, MediaDefender co-founder Octavio Herrera replied, ‘They aren’t going to believe you.’”

In an additional blow (and I am sure not the last), the group known as the “MediaDefender-Defenders”, who are responsible for distributing the leaked emails initially, have today leaked the source code MediaDefender used “for the ‘trapping’ and decoy software that MediaDefender uses to spread fake files on P2P networks.”

As security professionals we all understand that hacking, in and of itself, is not evil or wrong. Hackers are no more “terrorists” than locksmiths are cat burglars. In fact, hacking is merely the discovery of information, whether it be in software or hardware. It’s the choices you make and how you use said knowledge that really start to define the “white” versus “black” hats in this realm. That said, I’d like to state I don’t endorse or condone pirating movies or music, nor hacking with malicious intent. Now that I have gotten all the disclaimers out of the way, I would also like to state that I also don’t endorse or condone MediaDefender’s tactics in “preventing piracy”. These unethical and in some cases illegal business techniques are really the root cause of why they are in such hot water now. Two Wrongs Do Not Make a Right. Some might say what the hackers did falls under this mantra too, but in this case, they didn’t hack with malicious intent per se. It was an exposé. They revealed the unethical techniques used by this corporation, no differently than any undercover journalist would. Just because the technology has changed doesn’t make it any different than a 20/20 hidden camera or “To Catch a Predator” style journalism. These hackers are the modern-day “Deep Throat” (the informer, not the movie). I don’t want to glorify their actions too much, but at the same time it had to be said to squash any “double standard” remarks. Infecting P2P networks is not the way to handle this issue. MediaDefender is no different than the bored 13-year-old kid in China who writes the next big worm or virus. I could go on and on about the techniques they used, but with a little help from Google you can read the leaked e-mails and see for yourself.
Regardless of how you feel about illegal downloading or swapping of music and movies, I think you should read over them and ask yourself whether you feel the actions of this corporation were ethical as a business, and whether their techniques are any better than those of the “criminals” they were out to prevent.

I really do think in this case MediaDefender is really only a victim of one thing, karma.

Kevin Blanchard

New RSS feed location

September 8th, 2007

For those of you who read this blog through LiveJournal syndication, this change should be transparent. For others, I am working with my host to make the change in feed transparent for you as well, but if you would like to switch manually in the meantime, it might not be a bad idea. The current Atom feed has moved to FeedBurner. If you read this blog through a reader, please point your reader to http://feeds.feedburner.com/SecureTomorrow instead of the atom.xml file that had been used previously.

Kevin Blanchard