This month’s Patch Tuesday release from Microsoft is particularly light this month, and includes two bulletins that are rated important with an aggregate Exploitability Index rating of “1” which should be addressed as soon as possible. From an impact perspective, both bulletins may require a restart, and may have an impact on operations: one in Microsoft Office and one in Microsoft Windows. To view a full description of the Microsoft bulletin as well as other vendor patches, click here.
Moving Again (Visible Risk)
So I think this is the last time I’ll ask you to move with me…. I hope it is anyway….
As of last week I’ve started a new venture. My company is named “Visible Risk”. Visible Risk other than being a great name for a company, is my effort to help push information security forward over the next few years. I’ll be working with certain organizations on integrating intelligence and security operations, and a huge area of focus for me will be providing “live” use-case based content for security products (like SIEM).
Additionally, I’m starting a new podcast and video/webcast under the Visible Risk brand over the next few weeks so please be on the look out for that as I’d love to involve you in it!
Visible Risk Blog RSS Feed: http://www.visiblerisk.com/blog/rss.xml
Thank you again to everyone who has helped me over the years to better understand my strengths and weaknesses and for always pushing me forward!
If you’re not already following my new blog here are links to some of my recent postings:
1. A primer on starting a new company: http://www.visiblerisk.com/blog/2010/3/10/so-you-want-to-work-for-yourself.html or http://bit.ly/aX7WWB
2. RSA Recap - Round 1: http://www.visiblerisk.com/blog/2010/3/10/rsa-conference-2010-recap-round-1.html or http://bit.ly/aPA63z
Thank You,
Rocky
Posted in Security.
HM Revenue & Customs Refund Portal - Ten Phish in One
This morning I was reading a report from Kenneth Paschal, a member of the UAB Phishing Operations research team, that contained an interesting group of new phishing sites. The campaign advertises an “HM Revenue & Customs” page called the “Tax Refund Portal”, which looks like this:
Each of the icons takes the visitor to a very professional looking phishing site to have the credentials for that bank stolen. The banks currently making up the pool including:
Barclays
Lloyds TSB
Halifax
Abbey
HSBC
Cahoot
Royal Bank of Scotland
Egg Bank
NatWest
Alliance & Leicester
In most cases the URL advertised in the phishing email actually is a forwarder to another location. For instance, the most recent phish from today forwarded to this site to show the actual content:
hxxp://daegups.com/bbs/data/bbs2/folder/folder/New Folder/United2/Folder/Folder/Folder/Folder/Folder/Folder/Folder/empty/empty/empty/United2/United/United/United/index.htm
We had previously seen seventeen such phishing sites, in July and August of 2009, but the front has been quiet until March 1st. A quick peek into the UAB PhishURLs database shows that we’re seeing an escalated number of these sites being created.
2010-03-01 | http://www.tvlinko.com/refundportal.htm
2010-03-02 | http://www.tvlinko.com/hmrc/refundportal.htm
2010-03-03 | http://romeningh.dz/img/glyph/hmrc/refundportal.htm
2010-03-03 | http://www.michaelmucklow.com/wp-content/hmrc/refundportal.htm
2010-03-04 | http://www.urbanecology.org/szjtd/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/me/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/ms/hmrc/hmrc/refundportal.htm
2010-03-04 | http://www.ardeola.org/lib/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/hmrc/hmrc/refundportal.htm
2010-03-04 | http://kaptan-electricite.dz/images/all/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.bloomingdaledc.org/joomla/cache/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/images/file/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/images/image/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/upimg/pro/hmrc/hmrc/refundportal.htm
2010-03-05 | http://www.demo.wecandesign.com.tw/gojahn/upimg/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.planet-promo.de/roxx/cache/hmrc/hmrc/refundportal.htm
2010-03-06 | http://mojwlasnydom.com/gallery/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.peterkinitsolutions.com/demos/lingerie/images/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.peterkinitsolutions.com/demos/Jewellery/images/hmrc/hmrc/refundportal.htm
2010-03-06 | http://planet-promo.de/cache/hmrc/hmrc/refundportal.htm
2010-03-06 | http://planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm
2010-03-06 | http://www.examsheets.net/images/hmrc/hmrc/refundportal.htm
2010-03-07 | http://bogatypolak.com/hmrc/hmrc/refundportal.htm
2010-03-07 | http://www.cz.etechsol.pk/cp/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/uk/hmrc/hmrc/refundportal.htm
2010-03-07 | http://artemoda.uol.com.br/fotos/hmrc/hmrc/refundportal.htm
2010-03-07 | http://bogatypolak.com/uk/hmrc/hmrc/refundportal.htm
2010-03-07 | http://www.ingatlanok.erdelyitelkek.ro/re_images/UK/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/images/hmrc/hmrc/refundportal.htm
2010-03-07 | http://artemoda.uol.com.br/downloads/hmrc/hmrc/refundportal.htm
2010-03-07 | http://mojwlasnydom.com/libs/hmrc/hmrc/refundportal.htm
2010-03-08 | http://www.ingatlanok.erdelyitelkek.ro/re_images/UK/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/templates/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/myimages/hmrc/refundportal.htm
2010-03-08 | http://www.cotogarden.com/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/_private/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/images/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/_vti_bin/hmrc/refundportal.htm
2010-03-09 | http://www.cotogarden.com/banners/hmrc/refundportal.htm
2010-03-10 | http://www.restoretherepublic.com/images/hmrc/refundportal.htm
2010-03-10 | http://www.eab-gmbh.de/images/hmrc/refundportal.htm
2010-03-10 | http://www.eab-gmbh.de/cgi-bin/hmrc/refundportal.htm
The UAB Spam Data Mine had samples in our March 6th spam at 12:30 AM, 1:30 AM, 4:30 AM and 5:45 AM spam collections for “planet-promo.de/roxx/logs/hmrc/hmrc/refundportal.htm”. After that site was terminated, the bad guys relaunched in our 12:15 PM spam collection with “www.examsheets.net/images/hmrc/hmrc/refundportal.htm”.
Just looking at a few of those emails as an example, here is what the spam body looks like:
After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 988.50 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.Click Here to submit your tax refund request
Note : A refund can be delayed a variety of reasons, for example submitting invalid records or applying after deadline.
Best Regards
HM Revenue & Customs
We’ll continue to watch for emerging patterns like this one, and share with you what we find. For now, be wary of this “Tax Refund Portal”!
Posted in Security.
Log review Checklist for Security Incidents
Anton Chuvakin, a well-known security expert and consultant in the field of log management and PCI DSS compliance and author of many books, and Lenny Zeltser, leader of the security consulting team at Savvis and senior faculty member at SANS, have created a “Critical Log Review Checklist for Security Incidents”.
“The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review,” says Chuvakin on his popular blog, where the checklist can be downloaded in HTML, PDF or DOC format.
Posted in Security.
Monoprice.com Shuttered After Fraud Complaints
Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information.
Check out the article – [KrebsonSecurity]
Posted in Security.
SDL的故事: IE8和Office 2007
Microsoft今天发了两个文章, 以IE8和Office2007的实例讲述SDL的故事:
Internet Explorer 8 and the Security Development Lifecycle (SDL)
Posted in Security.
NoVA Hackers Dinner Wrap-Up
Last night I attended the NoVA Hackers Association monthly dinner meetup. Instead of having one or two longer talks, this meeting had four shortened 15 minute presentations … often called fireside talks Firetalks. The talks were great and there was plenty of time to catch up with some of the local infosec pros. Approximately 15 people attended the event hosted at ICS International’s corporate headquarters in Fairfax, VA.
After a bit of networking, @elwing started off giving an overview of CACert. This is an open source-styled certificate authority (CA) where your assurance is vouched for through points given by assuruers who check identification documents. There is a basic level certificate you can get with no points similar to the old Thawte-style certificates. Each assurer can give up to 35 points and with 150 points you can also apply to become an assurer. CACert’s root certificate is already present by default in several Linux OSs and the group is working on Firefox and Safari. Getting its root certificate into IE may be a bit harder due to the processing costs of approximately $150,000. They are also looking for volunteers to help out in different roles, e.g., policy writing, developing website workflows, and obtaining placement by default in browsers. Contact @elwing if you’re interested in helping out or what to be assured.
Next, Rob “@mubix” Fuller presented on his frustrations of completeness in doing pen tests and offered some interesting solutions via DNS foo in his talk titled “IP Contra.” Unfortunately, I (or anyone else at the meeting) can’t talk about the details as we had to sign a NDA before he presented. 
But what I can say is that DNS is not geographic!
We all have done a lot of NMAP scans at some point and have been overwhelmed in trying to make sense of all the data you collect over time. Enter Chris “@carnal0wnage” Gates and his talk “Nmap XML Ruby Stuff.” The general idea was a way to push the XML scan results into a database that can be searched. Back in January he started piecing things together and posted some of his initial ideas and code. Since then he’s experimented with several frameworks but ended up just writing his own Ruby implementation. The end result was a fairly complete database for NMAP results with command line searching. Chris continues to evolve his implementation and is looking for help. He’s especially looking for anyone with GUI development experience to write a frontend. Contact @carnal0wnage if you’d like to help or want to try his updated implementation.
Finally, Terrence “@kingtuna” Gareau pulled in a little late but presented and demoed a USB attack on a fully patched Windows computer. He created a Metaspoit module that returns a shell to an attacker by simply inserting a USB drive into a victim computer. Although this is not new, the demo was against a fully patched Windows box. The trick was to add the attack code on the USB drive so it looks like a CD. By default, Windows still autoplays CDs! Enterprises can help protect against this attack by configuring their policy to not autoplay ANY media.
Anyway, that was it for the official talks. There were plenty of great side conversations or “round table talks” (RTTs) as well. NovaHackers may even incorporate this RTT idea into future meetings. Thanks to Lucus and Jonathan of ICS International for setting the facility up, providing refreshments, and organizing dinner. And for future events, check out the NoVA Hackers Association blog. Also, we setup up the @novahackers Twitter account that pushes out tweets whenever Rob and Chris put out new blog posts. This is another great way to keep up with what’s going on with this group.
///
There are a lot of other infosec events going on around DC. If you are the sponsoring group or attended one of these meetups or conferences and would like to submit a summary to be posted on this site, please send us a message from our Contact Us page or mention @grecs on Twitter. See ya!
Posted in Security.
Cryptanalysis of the Sasfis Registry Key
Recently I’ve been working on an analysis of Sasfis botnet communications. During the tests I noticed that when the bot installs itself, it adds a registry key named “idid”, with some random looking data in it. The data was added under the name “url0″, so it seemed like it must be an encrypted URL. Here is an example from one of the bot variants:
Key Name: HKEY_CLASSES_ROOT\idid
Name: url0
00000000 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17
00000010 1a 80 78 cc d6 bb c4 55 73 b5 07 77 a4 81 3a 71
00000020 a4 98 ba d8 2c 85 17 ad ce c0 b1 a5 9f c8 07 0b
But what URL could this be, if it is one? Most of these bytes are not in the normal text range, so it would have to be encrypted. Even when there was no network connection, the url0 data was added, so I knew it must be hard coded into the bot. From the tests I had been doing, I also knew that the bot contained a hard coded URL for its Command and Control server. So it seemed possible that the C&C URL was encrypted here, but of course I would have to prove that.
The first 16 bytes of the url0 values, from six bot tests, with their test identifiers (T3, M2 etc.), are listed below. The list is sorted by the opening bytes. They fall into two groups where the first seven bytes are identical. The T2 data is slightly different from the ones below it, but the one different byte (f1) could be the result of an encryption error.
T3 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17
M2 1e 9b 6d d8 89 e6 c4 5f 60 ff 12 7b bd ea f3 4c
T2 f1 9b 20 62 fc 48 d0 3e 27 fc 1d f7 94 5a ff 3f
T1 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
M1 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
M5 f8 9b 20 62 fc 48 d0 2b 2a fd 17 e2 87 46 ea 7e
Looking at this, it seems fairly likely that each group was encrypted with the same key. And if these are URLs, the seven common bytes at the beginning of each line could be “http://”, if we are on the right track.
The obvious move at this point is to test this theory. We can start with the first row of hex data from the T3 and M2 tests, recover the key for T3 using the hard coded URL for that variant, then find out if the key is correct by decrypting M2 with it. The worksheet below shows the hard coded URL and the url0 registry data for T3 in the first two lines. At the bottom is the URL in text format and in the plain line are the equivalent hex bytes.
T3 http://gnfdt.cn/loader/bb.php
00000000 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17 (encrypted in registry)
key
plain 68 74 74 70 3a 2f 2f 67 6e 66 64 74 2e 63 6e 2f (url in hex format)
text h t t p : / / g n f d t . c n / (known hard coded URL)
We will assume that the key was XORed with the plaintext to produce this encryption. That is the most likely case, but if we are wrong it will be necessary to try some other methods. From this basis we will now XOR the encrypted and plain bytes to recover the key.
T3 http://gnfdt.cn/loader/bb.php
00000000 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17 (encrypted in registry)
key 76 ef 19 a8 b3 c9 eb 37 11 9b 77 1f d4 81 9a 38 (recovered key)
plain 68 74 74 70 3a 2f 2f 67 6e 66 64 74 2e 63 6e 2f (url in hex format)
text h t t p : / / g n f d t . c n / (known hard coded URL)
Now we have some key bytes, but there is no proof that they are real. To prove that, we can use the key bytes to decrypt M2. The result is below. Part of the URL that is hard coded into the M2 bot has been revealed.
M2 http://hqdedikit.com/mld/bb.php
00000000 1e 9b 6d d8 89 e6 c4 5f 60 ff 12 7b bd ea f3 4c (encrypted in registry)
key 76 ef 19 a8 b3 c9 eb 37 11 9b 77 1f d4 81 9a 38 (recovered key)
plain 68 74 74 70 3a 2f 2f 68 71 64 65 64 69 6b 69 74 (decrypted hex)
text h t t p : / / h q d e d i k i t (decrypted text)
So our case is proved, the hard coded URL is the one hidden in the registry key. We can easily extend this through the rest of the encrypted data to show the whole URL, and remove any lingering doubt.
But what would we do if each bot variant had its own key? The method above would not work, but there are other ways to approach this problem. One way is to check whether this is a repeating key encryption system. They are very common, and if it is we can make comparisons within one URL, instead of using two as we did above.
Let’s try this method with T3. The simple way is to use the whole URL to find as many key bytes as possible, then look for repetitions.
T3 http://gnfdt.cn/loader/bb.php
00000000 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17
key 76 ef 19 a8 b3 c9 eb 37 11 9b 77 1f d4 81 9a 38
plain 68 74 74 70 3a 2f 2f 67 6e 66 64 74 2e 63 6e 2f
text h t t p : / / g n f d t . c n /
00000010 1a 80 78 cc d6 bb c4 55 73 b5 07 77 a4 81 3a 71
key 76 ef 19 a8 b3 c9 eb 37 11 9b 77 1f d4
plain 6c 6f 61 64 65 72 2f 62 62 2e 70 68 70
text l o a d e r / b b . p h p
Here we can see that the key starts to repeat at the start of the second row. So the key length is 16 bytes, and again we have proved that the key holds the hard coded URL. Decrypting the next byte at the end provides a little bonus, 0×81 XOR 0×81 = 0×00, the null terminator for the string. Decryption from this point onward exposes bytes that appear to be random.
But now consider another scenario, what would we do if we had no idea what the encrypted URLs were? If we have bots with different URLs using the same key, the problem is not beyond solution. To demonstrate I will use the data from T1 and M1, from the other key group. It turns out, in the end, that only the first two lines of hex are needed for this, so the example below will not show the third line.
First we need to locate the key repetition. We can try “http://” at the start to find the first seven key bytes. With these key bytes we can decrypt at different locations until some URL-like text appears. The bot code probably processed this as DWORDs, so we will take a shortcut by checking at four byte intervals, and use only four key bytes for each decryption. If this fails we will have to try decrypting at different intervals, possibly even at every byte. The “?” marks below indicate decrypted bytes outside the normal text range, which we would not expect in a URL.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 90 ef 54 12 90 ef 54 12
plain 68 74 74 70 3a 2f 2f ac 13 43 e3 01 be be 2d
text h t t p : / / ? ? C ? ? ? ? -
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 90 ef 54 12 90 ef 54 12 90 ef 54 12
plain 63 6e 2f 6d 3a ec 84 2f b7 51 5c ea 15 d8 10 95
text c n / m : ? ? / ? Q \ ? ? ? ? ?
The true decryption appears to be “cn/m”, at the start of the second row. None of the others is even close. So it looks like we have found the key repetition and the key length. With this information we can set up our work sheet, with the known key bytes and decryptions they give us filled in. It can be seen below, where the decrypted parts confirm our work so far.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff
plain 68 74 74 70 3a 2f 2f
text h t t p : / /
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff
plain 63 6e 2f 6d 6c 64 2f
text c n / m l d /
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff
plain 68 74 74 70 3a 2f 2f
text h t t p : / /
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff
plain 74 2f 6c 6f 61 64 65
text t / l o a d e
Now we need to extend the URL text parts to uncover more key bytes. In other words we need to make some good guesses, but because the structure of URLs is well known to us, this should not be too difficult.
Notice that the second text line under T1 starts with “cn/mld/”. This looks like a “.cn” top level domain, so let’s fill in the “.” and apply the key byte we get.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 11
plain 68 74 74 70 3a 2f 2f 2e
text h t t p : / / .
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff 11
plain 63 6e 2f 6d 6c 64 2f 96
text c n / m l d / ?
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff 11
plain 68 74 74 70 3a 2f 2f 65
text h t t p : / / e
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff 11
plain 74 2f 6c 6f 61 64 65 00
text t / l o a d e \0
Now we have some more decrypted bytes. There is a null at the end of M1, this must be the URL string terminator, and a non-text byte (0×96), but let’s ignore that one for now. It may be junk from beyond the end of the URL string, and we will know soon enough if this was a bad guess. At the end of the first M1 line the text character is an “e”, so that we now have “et/loade”. This looks like it must be “.net/loader”, so next we will fill this in and decrypt some more.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 5f 34 98 11
plain 68 74 74 70 3a 2f 2f 6d 65 72 2e
text h t t p : / / m e r .
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff 5f 34 98 11
plain 63 6e 2f 6d 6c 64 2f 62 00 dc 96
text c n / m l d / b \0 ? ?
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff 5f 34 98 11
plain 68 74 74 70 3a 2f 2f 75 2e 6e 65
text h t t p : / / u . n e
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff 5f 34 98 11
plain 74 2f 6c 6f 61 64 65 72 68 70 00
text t / l o a d e r h p \0
There is nothing very obvious here, but at the end of the second row of M1 we have “hp\0″. This looks like it could be “.php”, so let’s try that next.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 5f 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 6d 61 64 65 72 2e
text h t t p : / / m a d e r .
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff 5f 90 f5 34 98 11
plain 63 6e 2f 6d 6c 64 2f 62 68 70 00 dc 96
text c n / m l d / b h p \0 ? ?
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff 5f 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 75 69 74 2e 6e 65
text h t t p : / / u i t . n e
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff 5f 90 f5 34 98 11
plain 74 2f 6c 6f 61 64 65 72 2e 70 68 70 00
text t / l o a d e r . p h p \0
This looks good, and now we have some good hints. In T1, in the first line, it looks like we have “//m?loader.” and in the second line another “.php” is developing. We can put these in.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 5f 90 78 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 6d 6c 6f 61 64 65 72 2e
text h t t p : / / m l o a d e r .
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff 5f 90 78 90 f5 34 98 11
plain 63 6e 2f 6d 6c 64 2f 62 2e 70 68 70 00 dc 96
text c n / m l d / b . p h p \0 ? ?
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff 5f 90 78 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 75 6c 69 69 74 2e 6e 65
text h t t p : / / u l i i t . n e
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff 5f 90 78 90 f5 34 98 11
plain 74 2f 6c 6f 61 64 65 72 62 62 2e 70 68 70 00
text t / l o a d e r b b . p h p \0
Now, in the second line of M1, we have “bb.php”, and it looks like this also appears in “mld/b?.php” at second line of T1. With this we can fill in the last missing byte.
T1 00000000 f8 9b 20 62 fc 48 d0 32 3c fc 17 f1 91 51 ea 3f
key 90 ef 54 12 c6 67 ff 5f 45 90 78 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 6d 79 6c 6f 61 64 65 72 2e
text h t t p : / / m y l o a d e r .
00000010 f3 81 7b 7f aa 03 d0 3d 27 be 08 f8 85 34 44 87
key 90 ef 54 12 c6 67 ff 5f 45 90 78 90 f5 34 98 11
plain 63 6e 2f 6d 6c 64 2f 62 62 2e 70 68 70 00 dc 96
text c n / m l d / b b . p h p \0 ? ?
M1 00000000 f8 9b 20 62 fc 48 d0 2a 2e fc 11 f9 81 1a f6 74
key 90 ef 54 12 c6 67 ff 5f 45 90 78 90 f5 34 98 11
plain 68 74 74 70 3a 2f 2f 75 6b 6c 69 69 74 2e 6e 65
text h t t p : / / u k l i i t . n e
00000010 e4 c0 38 7d a7 03 9a 2d 6a f2 1a be 85 5c e8 11
key 90 ef 54 12 c6 67 ff 5f 45 90 78 90 f5 34 98 11
plain 74 2f 6c 6f 61 64 65 72 2f 62 62 2e 70 68 70 00
text t / l o a d e r / b b . p h p \0
So even if the URLs are unknown, we can still decrypt them if bots with different URLs use the same key. In fact all of the pairs from this group {T1-M1, M1-M5, and T1-M5} can be solved without any really difficult guessing, and using all three makes it much easier. Even when it is not clear what text to fill in next, we can always try different guesses until we find the right one.
Of course the weaknesses in this encryption could have been avoided, or at least reduced. For example, not re-using keys would have helped. What we may be seeing here is evidence that, like many computer users, bot herders don’t take security as seriously as they should.
Posted in Security.
The converse of the Nagell-Lutz theorem
The Nagell-Lutz tells us that rational points of finite order have integer coordinates, but it doesn’t tell us that points with integer coordinates have finite order. As a reminder, here’s the statement of the Nagell-Lutz theorem.
Let y2 = x3 + ax + b be an elliptic curve with integer coefficients and let D = 4 a3 + 27 b2. Then if P = (xP,yP) is a rational point of finite order then P has integer coordinates and either yP = 0 or yP2|D.
Here are some examples of points with integer coordinates that don’t have finite order.
The point P = (1,2) is on the elliptic curve
y2 = x3 + 3
but (1,2) isn’t a point of finite order. We have that
2P = (-23/16,-11/64)
for example. Since 2P doesn’t have integer coordinates, it’s not a point of finite order, so P isn’t either.
For another example, consider the elliptic curve
y2 = x3 + 17
There are 16 points with integer coordinates on this curve. These are the following
(-2,±3)
(-1,±4)
(2,±5)
(4,±9)
(8,±23)
(43,±282)
(52,±375)
(5234,±378661)
Although we can find a few cases where adding these points gives another point with integer coordinates, like
(-2,3) + (-1,4) = (4,9)
most cases don’t. We have that
(-1,4) + (-1,4) = (137/64, -2651/512)
for example.
Even worse, we have that
(5234,378661) + (5234,378661) = (187618163896928/143384152921, -1/4)
None of these points actually have finite order although they have integer coordinates. So points of finite order have to have integer coordinates, but not all points with integer coordinates have finite order.
Posted in Security.
Is your social media message in-tune?
After attending the talk given by Mike Murray at RSA Conference in San Francisco last week on “Tweeting for Dollars: UsingSocial Media to Enhance your Career in Security” I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points that Mike made during his talk was that not only do organizations need to have a social media strategy, but each person who is engaging in social media should think about theirs as well. Regardless of any intent, each person in social media has a brand. It is our responsibility to ensure that this brand is reflective of what we desire it to be. Some brands are easier to spot then others, but what is your brand saying about you?
The best question that someone asked in the presentation was that of a gentleman ‘screwing up’ his twitter account. By his definition of screwing up, it meant that he wasn’t focused on tweeting about his career only, he was tweeting about everything and talking to people. This wasn’t a screw up at all, this gentleman was having a conversation, he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds on a daily basis to keep up on those news articles. They don’t need Twitter or Facebook to keep up on that, Social Media let’s us all know that every celebrity, industry pundit, and random people you met at a convention all have something else going on outside of their career, or hobby that they are known for.
As an organization, it is also very important to decide on how the corporate brand is going to be reflected by the employees. Compose a social media policy stating if employees are allowed to share corporate information, or if that is going to be left only to be executed by the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible to educate the employees of these policies to ensure a clear, unified message.
So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read whatyour followers are doing, and engage them. Sure, throw out important information that is self-serving as well (ie. Blog Post announcement, PR release links, etc.), but also retweet and share other contributors information. Know who you audience is, and get to know them!
Sharing is caring!
Posted in Security.
Is your social media message in-tune?
After attending the talk given by Mike Murray at RSA Conference in San Francisco last week on “Tweeting for Dollars: UsingSocial Media to Enhance your Career in Security” I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points that Mike made during his talk was that not only do organizations need to have a social media strategy, but each person who is engaging in social media should think about theirs as well. Regardless of any intent, each person in social media has a brand. It is our responsibility to ensure that this brand is reflective of what we desire it to be. Some brands are easier to spot then others, but what is your brand saying about you?
The best question that someone asked in the presentation was that of a gentleman ‘screwing up’ his twitter account. By his definition of screwing up, it meant that he wasn’t focused on tweeting about his career only, he was tweeting about everything and talking to people. This wasn’t a screw up at all, this gentleman was having a conversation, he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds on a daily basis to keep up on those news articles. They don’t need Twitter or Facebook to keep up on that, Social Media let’s us all know that every celebrity, industry pundit, and random people you met at a convention all have something else going on outside of their career, or hobby that they are known for.
As an organization, it is also very important to decide on how the corporate brand is going to be reflected by the employees. Compose a social media policy stating if employees are allowed to share corporate information, or if that is going to be left only to be executed by the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible to educate the employees of these policies to ensure a clear, unified message.
So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read whatyour followers are doing, and engage them. Sure, throw out important information that is self-serving as well (ie. Blog Post announcement, PR release links, etc.), but also retweet and share other contributors information. Know who you audience is, and get to know them!
Sharing is caring!
Posted in Security.
Daily Anti-Spam Test Results Published by ICSA Labs for Feb 2010
In the market for an anti-spam solution? Already deploying an anti-spam device but wondering how well it protects you compared to other similar products? ICSA Labs tests anti-spam devices every day of the year. Following each month we post succinct and free 1-page reports that depict how effective and accurate ICSA Labs certified anti-spam products are. To see the February reports for the ICSA Labs certified anti-spam products, click on each hyperlink:
Of course, you can view and bookmark the ICSA Labs anti-spam certified product list. Please contact the ICSA Labs anti-spam program manager if you have any questions, comments, or suggestions.
Posted in Security.
Top 8 Ways To Protect Your Home
Ever stay awake at night wondering if your home, family members and valuables are protected enough? FBI data reports that a place of residence is burglarized every 15 seconds, but the latest security technology can make your home safer than ever before. Sleep easy knowing you and your family is safe by having these top 8 security products that protect you from danger.
Posted in Security.
Katana: portable multi-boot security suite [Wouter Veugelen]
Katana is a portable multi-boot security suite designed for many of your computer security needs. The idea behind this tool is to bring together all of the best security distributions to run from one USB drive. Katana includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, Malware Removal and more.
Distro’s that are currently included in Katana:
- Backtrack 4
- the Ultimate Boot CD
- Ultimate Boot CD for Windows
- Ophcrack Live
- Puppy Linux
- Kaspersky Live
- Trinity Rescue Kit
- Clonezilla
- Derik’s Boot and Nuke
http://www.hackfromacave.com/katana.html
Posted in Security.
Network OPML