A question of trust: the hacking of Root CAs (Certificate Authorities)
Back in March, a root certificate authority named Comodo was hacked, and used by a self-proclaimed Iranian hacker to issue legitimate SSL certificates for a number of sites, including Google, Skype, Mozilla, Live.com and Yahoo. SSL certificates confirm that a secure site really is what it says it is; your browser has a list built into it of certificate authorities that it trusts, so when you visit an SSL site it checks the certificate against the issuer. If the issuer isn't on the list, you get a warning.
If a hacker creates a "fake" certificate from the real authority, then any site is, as far as your computer or phone knows, legitimate if it presents that certificate. The implications for shopping or other interaction are huge: you become vulnerable to a man-in-the-middle (MITM) attack, where someone operates a site using the "fake" certificate between you and the real site. From your end, it's a legitimate SSL site. For the person running it, they can see everything passing between you and the real site. Comodo's dodgy certificates were revoked, but it depended on whether people accepted a browser update as to whether or not they would be protected.
Then in July, the Dutch SSL certificate authority Diginotar (which provided the SSL certificates for thousands of sites including the Dutch government) was hacked, and a number of certificates, including one for Google, issued. These certificates were used for a MITM attack on Iranian users of Google Mail – another indication that web security really does have human consequences.
Many experts now believe that the current SSL CA system is broken. One expert in this area, Moxie Marlinspike, proposes that all of the current problems with the CA system can be reduced to a single missing property, called "Trust Agility", and he has proposed a secure replacement for the existing the SSL CA system called "Convergence".
This story is perhaps the most important thing to have happened to InfoSec in 2011 – and how it is dealt with in 2012 may be crucial.
Full story: here
Anonymous gets busy
The loose collective of hackers known as Anonymous were quite busy in 2011. The group first gained widespread attention back in 2008 with their "Project Chanology" raids on the Church of Scientology. One of their symbols, the Guy Fawkes mask (first popularized by the comic book and film "V for Vendetta) has now become instantly recognisable, as well as becoming associated with the Occupy Wall Street movement. Their self description in the form of an aphorism is: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."
Here are some of their more memorable activities of the year ...
* Operations in support of the Arab Spring Democracy movements in Egypt, Tunisia and Libya - Anonymous performed DDoS attacks on eight Tunisian government websites which may have led to an upsurge of internet activism among Tunisians against their government. Anonymous also attacked the websites of the incumbent governments in Egypt and Libya along with the internet censorship methods being used in these countries.
* In February came the attack on HBGary Federal - in retaliation for the CEO's (Aaron Barr) claims of having infiltrated Anonymous, members of Anonymous hacked the website of HBGary Federal, took control of the company's e-mail, dumped 68,000 e-mails from the system into the public domain, erased files, and took down their phone system.
* Next came the attack Sony websites (Operation Sony) in response to Sony's lawsuit against George Hotz and, specifically due to Sony's gaining access to the IP addresses of all the people who visited George Hotz's blog as part of the libel action, terming it an 'offensive against free speech and internet freedom'. Although Anonymous admitted responsibility to subsequent attacks on the Sony websites, Anonymous branch AnonOps denied that they were the cause behind a major outage of the Playstation Network and Qriocity services in April 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.
* In August 2011, Operation BART was launched in response to San Francisco Bay Area Rapid Transit's shutdown of cell phone service in an attempt to disconnect protesters from assembling violently in response to a police shooting, Anonymous sent out a mass email/fax bomb to BART personnel and organized multiple mass physical protests at the network's Civic Center station.
* Several contingents of Anonymous have given vocal support to the Occupy Wall Street movement, with vast numbers of members attending local protests and several blogs run by members covering the movement extensively.
* In early August, Anonymous launched Operation Syria and hacked the Syrian Defense Ministry website. In September, a group tied to Anonymous appeared on Twitter, calling themselves RevoluSec (Revolution Security). They defaced Syrian websites, including the Syrian Central Bank and other pro-regime sites. Telecomix worked with Anonymous to show Syrians how to bypass the internet censorship put in place by the regime.
* Operation Mayhem: on November 18, Anonymous released a video claiming to have released the "Guy Fawkes Virus" on Facebook and that they will release it on Twitter soon. The first reason claimed for its release was to protest the violence of the police force against Occupy Wall Street protestors, the second was to protest the Stop Online Piracy Act and the third reason was to counter anyone who claims to be against Anonymous.
* Ending off the year, on December 24th, Anonymous gained access to thousands of e-mail addresses and credit card information from security firm Stratfor and made it public. Anonymous commented that they did it because the data was unencrypted - to let the public know about their vulnerability.
Full story: here
Hacking the power plant
At Black Hat USA, SCADA security researcher Dillon Beresford gave one of the most alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens industrial control systems let him get inside, capture passwords and reprogram PLC logic such that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Remember that the same Siemens industrial control systems were targeted successfully by the Stuxnet worm in 2010, which infected several Iranian nuclear facilities with devastating effect by making use of custom a PLC rootkit along with several zero-day vulnerabilities and fake SLL certificates from two compromised CAs.
Full story: here
Hacking insulin pumps
SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.
An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said. It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.
Full story: here
'Warflying': hacking in midair
For around US$6,000, security researchers Mike Tassey and Richard Perkins built a radio-controlled model airplane with an onboard computer running linux with 4G connectivity that could be used as a hacking "drone" to wage aerial attacks on targets that are unreachable on land. They brought their Wireless Aerial Surveillance Platform (WASP) to Las Vegas for Defcon to demonstrate the potential threat of "warflying."
Full story: here
Hacking MacBook laptop batteries
Security researcher Charlie Miller demonstrated this year that the embedded controllers on laptop batteries are hackable. Miller found that Apple's laptop battery has two hardcoded passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are a way for Apple to update the firmware, but they also leave it wide open for abuse. Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.
Full story: here
The return of Google-fu
Australian security consultant Daniel Grzelak made an unexpected discovery as he searched for publicly accessible databases containing e-mail address and password pairs. The entire user database of Groupon's Indian subsidiary Sosasta.com including cleartext usernames and passwords was accidentally published to the Internet and indexed by Google.
Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". "A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."
As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised. Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.
Full story: here
Pension fund shoots itself in the foot
Australian information security professional Patrick Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via a "direct object reference" bug - one which is included in OWASP's infamous top ten list of Web Application security bugs. Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. The details revealed on the statement were a fraudster's dream, including full names, addresses, email addresses, membership number, age, insurance information, pension amount, fund allocations, beneficiaries and employer information.
First State’s response to being quietly tipped off by Webster with his valuable information was extremely stupid, which is why it attracted a large amount of media attention ... they got police and lawyers involved to threaten Webster with arrest and also issued him a bill for the amount it would cost to fix the bug, then demanded access to his computer equipment.
After the storm of controversy following their heavy handed approach, they backed down from their stance but are now facing an investigation by the Australian Federal Privacy Commissioner as to why the security vulnerability was out there, undiscovered, for a period of 18 months or more. The fund's contracts with Australian government departments, such as ASIO (Australia's CIA), were also looking a little bit shaky.
Full story: here
Remotely starting a car via text message
There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: He showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.
Full story: here
Mini-hacker time-travels
A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. "CyFi" said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick to switch the time on her device to make it more challenging. What she didn't realize at first was that she had actually discovered a whole, new class of zero-day bugs across multiple tablet and smartphone operating systems. "I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said. It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.
Full story: here
+ - - - - - - - - - - - - - - - - - - - - - - - +
| Harris Walker Real Estate, Perth, WA, AUS |
| Specialists in residential housing sales and |
| property management in Perth, Australia. |
+ - - - - - - - - - - - - - - - - - - - - - - - +
Friday, December 30, 2011
Sunday, October 2, 2011
12 Effective Ways To Improve Your Programming
1. Never Stop Learning and Reading
Read books, not just websites.
Read for self-improvement, not just for the latest project.
Read about improving your trade, not just about the latest technology.
Some of the books listed here would be a good start: The most influential programming books of all time
2. Work With People Smarter Than Yourself
Working with smarter and/or more experienced developers will teach you a great deal.
3. Become a Polymath (or 'Jack-of-all-Trades')
Decide to be a 'Jack-of-all-Trades', allowing you to avoid becoming 'pigeon-holed' into one specialty, which can stagnate your programming skills, as well as hurt your future employment prospects.
4. Read and Document Other People's Code
Writing code is significantly easier than reading someone else's code and figuring out what it does.
5. Get Programming Experience on a Real Project
There is nothing like getting in and coding, especially under pressure - work on a real project, with real fickle customers, with real, ever-changing requirements and with real engineering problems.
6. Teach Others About Programming
This will force you to understand something at a completely different level, since you have to explain it to someone else.
7. Learn One New Programming Language Every Year
One year gives you enough time to get past the basics - it pushes you towards understanding what's beneficial in that language, and to be able to program in a style native to that language.
8. Complete One New Pet Project Every Year
Start a "pet" project and follow it to completion and delivery; a good pet project will push your boundaries and keep you interested.
9. Learn Assembly Language
Learning a low level language like assembly gives you insight into the way computers 'think' without any high-level abstractions; the elegance at this level is surprising.
10. See Your Application From the End User's Perspective
Interact with the end-user to see, through their eyes, how they use the software; end users are typically not technical, and they often see software as a magical piece of work, while you see software as a logical set of steps.
11. Start a Physical Exercise Program
You work a whole lot better when you're in good physical shape - problems become easier and less overwhelming, wasting time is much less of a temptation, you can think clearer, and working through things step by step doesn't seem an arduous task.
12. Learn Touch Typing
Learning to touch type is a quick and effective way to give your productivity a boost as a programmer.
Cross posted from: Dodgy Coder - How To Become a Better Programmer
Follow @dodgy_coder
Subscribe to posts via RSS
Read books, not just websites.
Read for self-improvement, not just for the latest project.
Read about improving your trade, not just about the latest technology.
Some of the books listed here would be a good start: The most influential programming books of all time
2. Work With People Smarter Than Yourself
Working with smarter and/or more experienced developers will teach you a great deal.
3. Become a Polymath (or 'Jack-of-all-Trades')
Decide to be a 'Jack-of-all-Trades', allowing you to avoid becoming 'pigeon-holed' into one specialty, which can stagnate your programming skills, as well as hurt your future employment prospects.
4. Read and Document Other People's Code
Writing code is significantly easier than reading someone else's code and figuring out what it does.
5. Get Programming Experience on a Real Project
There is nothing like getting in and coding, especially under pressure - work on a real project, with real fickle customers, with real, ever-changing requirements and with real engineering problems.
6. Teach Others About Programming
This will force you to understand something at a completely different level, since you have to explain it to someone else.
7. Learn One New Programming Language Every Year
One year gives you enough time to get past the basics - it pushes you towards understanding what's beneficial in that language, and to be able to program in a style native to that language.
8. Complete One New Pet Project Every Year
Start a "pet" project and follow it to completion and delivery; a good pet project will push your boundaries and keep you interested.
9. Learn Assembly Language
Learning a low level language like assembly gives you insight into the way computers 'think' without any high-level abstractions; the elegance at this level is surprising.
10. See Your Application From the End User's Perspective
Interact with the end-user to see, through their eyes, how they use the software; end users are typically not technical, and they often see software as a magical piece of work, while you see software as a logical set of steps.
11. Start a Physical Exercise Program
You work a whole lot better when you're in good physical shape - problems become easier and less overwhelming, wasting time is much less of a temptation, you can think clearer, and working through things step by step doesn't seem an arduous task.
12. Learn Touch Typing
Learning to touch type is a quick and effective way to give your productivity a boost as a programmer.
Cross posted from: Dodgy Coder - How To Become a Better Programmer
Follow @dodgy_coder
Subscribe to posts via RSS
Sunday, September 25, 2011
Forgotten Windows 2008 Server Password
HOW TO: Gain access to a Windows Server 2008 running RAID when the local administrator password is forgotten
The original problem
The IT team was diagnosing an issue with all inbound connections being rejected to a Windows 2008 server machine (a dual quad-core Dell Poweredge running 4 disk RAID PERC 6/i). It turned out the problem was that Windows Firewall was setup as using the "public" profile for its firewall rules.
Since the server should have been assigned to the "domain" profile for the firewall rules, and it seemed like the machine was not on the domain, the IT team decided it would be a good idea to "bump" the server onto the domain, that is, take it off the domain and then re-add it to the domain. Unfortunately the server ran the accounting software (including payroll) for the company. Also, the domain controller was administered in a country half way around the world, such that any access to higher up IT support would have had to wait another 12 hours or so.
The new problem
The IT team didn't have the local administrator password for the server. And since they had now taken the server off the domain, it could no longer be accessed using the domain user and password combination that they had always used in the past. But nobody in the company knew the local administrator password for the machine. In 14 hours time the company's payroll would need to be processed and there was no way to access the application server running the accounting software. If there's anything that motivates people to work hard its the possibility of not being payed their wages due to a technical issue.
The admin password, it now seemed, was just lost forever. About this point I came upon the following Q&A post on the excellent ServerFault.com ...
http://serverfault.com/questions/428/what-is-the-best-way-to-gain-access-when-the-password-is-unknown
There is two main types of free linux-based "boot crackers" which crack windows machines by booting a custom version of linux with a limited user interface ...
Type 1: Rainbow Table Cracker
A boot cracker that brute forces passwords using lookup tables (rainbow tables). This type does not need to actually change the file system of the machine, but just reads the encrypted Windows SAM (Security Accounts Manager) password file from the machine and cracks it using lookup tables to gain access to the administrator password. Various comments on forums generally say that in most cases this will succeed, and will take no more than a few minutes.
Type 2: Password Reset Cracker
A boot cracker that resets the local administrator password on the machine. This type just clears the password and in doing so has to write to the file system. For this reason it is considered a little more risky. Also that fact that if the EFS (Encrypted File System) is being used, then it can result in the password not being cleared but actually being scrambled, and furthermore, irretrievable.
Using the cracker
I initially decided to try ophcrack since it was type 1, and didn't write back to the file system. This seemed initially to work like a charm, booting first time into its linux GUI, but when we tried to mount the file system (which was 4 disk RAID) we realised that the PERC 6/i RAID controller wasn't recognised by the cracker's linux distro. The linux command "fdisk -l" only listed one drive - that of the DVD-ROM drive which the cracker booted with - so it didn't have access to the RAID file system.
Success!
So onto the next option; using a type 2 cracker called "NTPASSWD" - we burnt the files to a CD-ROM and booted. This one has a command line only interface, but it worked like a charm - booted first time and had access to the RAID file system. It listed all the local users on the system. So we selected which one to clear the password for (Administrator) and this was all that was needed. Hey presto, restarted the machine and no login was needed - it had worked!
If this one hadn't worked, there was one final cracker that I probably would have tried, a commercial cracker, here, that boots in a "Pre-installation" version of Windows and claims to support all major RAID controllers and hard disk hardware around. The cost was something like $199 but this would have been well worth it if the other free crackers hadn't worked.
Follow @dodgy_coder
Subscribe to posts via RSS
The original problem
The IT team was diagnosing an issue with all inbound connections being rejected to a Windows 2008 server machine (a dual quad-core Dell Poweredge running 4 disk RAID PERC 6/i). It turned out the problem was that Windows Firewall was setup as using the "public" profile for its firewall rules.
Since the server should have been assigned to the "domain" profile for the firewall rules, and it seemed like the machine was not on the domain, the IT team decided it would be a good idea to "bump" the server onto the domain, that is, take it off the domain and then re-add it to the domain. Unfortunately the server ran the accounting software (including payroll) for the company. Also, the domain controller was administered in a country half way around the world, such that any access to higher up IT support would have had to wait another 12 hours or so.
The new problem
The IT team didn't have the local administrator password for the server. And since they had now taken the server off the domain, it could no longer be accessed using the domain user and password combination that they had always used in the past. But nobody in the company knew the local administrator password for the machine. In 14 hours time the company's payroll would need to be processed and there was no way to access the application server running the accounting software. If there's anything that motivates people to work hard its the possibility of not being payed their wages due to a technical issue.
The admin password, it now seemed, was just lost forever. About this point I came upon the following Q&A post on the excellent ServerFault.com ...
http://serverfault.com/questions/428/what-is-the-best-way-to-gain-access-when-the-password-is-unknown
There is two main types of free linux-based "boot crackers" which crack windows machines by booting a custom version of linux with a limited user interface ...
Type 1: Rainbow Table Cracker
A boot cracker that brute forces passwords using lookup tables (rainbow tables). This type does not need to actually change the file system of the machine, but just reads the encrypted Windows SAM (Security Accounts Manager) password file from the machine and cracks it using lookup tables to gain access to the administrator password. Various comments on forums generally say that in most cases this will succeed, and will take no more than a few minutes.
Type 2: Password Reset Cracker
A boot cracker that resets the local administrator password on the machine. This type just clears the password and in doing so has to write to the file system. For this reason it is considered a little more risky. Also that fact that if the EFS (Encrypted File System) is being used, then it can result in the password not being cleared but actually being scrambled, and furthermore, irretrievable.
Using the cracker
I initially decided to try ophcrack since it was type 1, and didn't write back to the file system. This seemed initially to work like a charm, booting first time into its linux GUI, but when we tried to mount the file system (which was 4 disk RAID) we realised that the PERC 6/i RAID controller wasn't recognised by the cracker's linux distro. The linux command "fdisk -l" only listed one drive - that of the DVD-ROM drive which the cracker booted with - so it didn't have access to the RAID file system.
Success!
So onto the next option; using a type 2 cracker called "NTPASSWD" - we burnt the files to a CD-ROM and booted. This one has a command line only interface, but it worked like a charm - booted first time and had access to the RAID file system. It listed all the local users on the system. So we selected which one to clear the password for (Administrator) and this was all that was needed. Hey presto, restarted the machine and no login was needed - it had worked!
If this one hadn't worked, there was one final cracker that I probably would have tried, a commercial cracker, here, that boots in a "Pre-installation" version of Windows and claims to support all major RAID controllers and hard disk hardware around. The cost was something like $199 but this would have been well worth it if the other free crackers hadn't worked.
Follow @dodgy_coder
Subscribe to posts via RSS
Sunday, September 18, 2011
Top Ten Books about Hackers
Here is my list of what I believe are ten of the best books about hackers in real life. All of these include descriptions of actual events, and the personalities involved in hacking. Feel free to post your alternative suggestions in the comments section below. For a brief description of each one please check this page out here. Enjoy!
Follow @dodgy_coder
Subscribe to posts via RSS
- Ghost in the Wires: My Adventures as the World's Most Wanted Hacker [2011]
By Kevin Mitnick, Steve Wozniak and William L. Simon
- Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground [2011]
By Kevin Poulsen
- The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage [1985]
By Cliff Stoll
- The Fugitive Game: Online with Kevin Mitnick [1997]
By Jonathan Littman
- Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet [2010]
By Joseph Menn
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers [2005]
By Kevin Mitnick and William L. Simon
- The Hacker Crackdown: Law And Disorder On The Electronic Frontier [1993]
By Bruce Sterling
- The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen [1997]
By Jonathan Littman
- Masters of Deception: The Gang That Ruled Cyberspace [1995]
By Michele Slatalla
- Unmasked [2011]
By Peter Bright, Nate Anderson, Jacqui Cheng, Eric Bangeman and Aurich Lawson (of ArsTechnica)
Follow @dodgy_coder
Subscribe to posts via RSS
Sunday, September 4, 2011
Top Ten Most Influential Programming Books of All Time
As voted on by several thousand members of StackOverflow in this article here.
The original question was:
"If you could go back in time and tell yourself to read a specific book at the beginning of your career as a developer, which book would it be."
Since it was first posed back in 2008, this question has become the second most popular question of all time on StackOverflow.
Here are the results:
The original question was:
"If you could go back in time and tell yourself to read a specific book at the beginning of your career as a developer, which book would it be."
Since it was first posed back in 2008, this question has become the second most popular question of all time on StackOverflow.
Here are the results:
- Code Complete (2nd Edition)
By Steve McConnell
Published: July 7, 2004
Publisher: Microsoft Press
Amazon Link: here
Widely considered one of the best practical guides to programming, this book has been helping developers write better software for more than a decade. The second edition was updated with leading-edge practices and hundreds of new code samples, illustrating the art and science of software construction. Capturing the body of knowledge available from research, academia, and everyday commercial practice, McConnell synthesizes the most effective techniques and must-know principles into clear, pragmatic guidance. No matter what your experience level, development environment, or project size, this book will inform and stimulate your thinking, and help you build the highest quality code.
- The Pragmatic Programmer: From Journeyman to Master
By Andrew Hunt and David Thomas
Published: October 30, 1999
Publisher: Addison-Wesley Professional
Amazon Link: here
Like any other craft, computer programming has spawned a body of wisdom, most of which isn't taught at universities or in certification classes. Most programmers arrive at the so-called tricks of the trade over time, through independent experimentation. In The Pragmatic Programmer, Andrew Hunt and David Thomas codify many of the truths they've discovered during their respective careers as designers of software and writers of code. The cool thing about this book is that it's great for keeping the programming process fresh. The book helps you to continue to grow and clearly comes from people who have been there.
- Structure and Interpretation of Computer Programs, Second Edition
By Harold Abelson, Gerald J Sussman and Julie Sussman
Published: August 1, 1996
Publisher: McGraw-Hill Science/Engineering/Math
Amazon Link: here
Teaches readers how to program by employing the tools of abstraction and modularity. The authors' central philosophy is that programming is the task of breaking large problems into small ones. You will learn a thing or two about functional programming, lazy evaluation, metaprogramming (well, metalinguistic abstraction), virtual machines, interpreters, and compilers. The book was originally written for the famous 6.001, the introductory programming course at MIT. It may require an intellectual effort to read, but the reward is well worth the price.
- The C Programming Language (2nd Edition)
By Brian W Kernighan and Dennis M Ritchie
Published: April 1, 1988
Publisher: Prentice Hall
Amazon Link: here
Concise and easy to read, it will teach you three things: the C programming language, how to think like a programmer, and the C abstract machine model (what's going on "under the hood"). Co-written by Dennis Ritchie, the inventor of the C programming language.
- Introduction to Algorithms
By Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest and Clifford Stein
Published: July 31, 2009
Publisher: The MIT Press
Amazon Link: here
Introduction to Algorithms, the 'bible' of the field, is a comprehensive textbook covering the full spectrum of modern algorithms: from the fastest algorithms and data structures to polynomial-time algorithms for seemingly intractable problems, from classical algorithms in graph theory to special algorithms for string matching, computational geometry, and number theory. The revised third edition notably adds a chapter on van Emde Boas trees, one of the most useful data structures, and on multithreaded algorithms, a topic of increasing importance.
- Refactoring: Improving the Design of Existing Code
By Martin Fowler, Kent Beck, John Brant and William Opdyke
Published: July 8, 1999
Publisher: Addison-Wesley Professional
Amazon Link: here
Refactoring is about improving the design of existing code. It is the process of changing a software system in such a way that it does not alter the external behavior of the code, yet improves its internal structure. With refactoring you can even take a bad design and rework it into a good one. This book offers a thorough discussion of the principles of refactoring, including where to spot opportunities for refactoring, and how to set up the required tests. There is also a catalog of more than 40 proven refactorings with details as to when and why to use the refactoring, step by step instructions for implementing it, and an example illustrating how it works The book is written using Java as its principle language, but the ideas are applicable to any OO language.
- Design Patterns: Elements of Reusable Object-Oriented Software
By Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides (Also known as "The Gang of Four")
Published: November 10, 1994
Publisher: Addison-Wesley Professional
Amazon Link: here
Design Patterns is a modern classic in the literature of object-oriented development, offering timeless and elegant solutions to common problems in software design. It describes patterns for managing object creation, composing objects into larger structures, and coordinating control flow between objects. The book provides numerous examples where using composition rather than inheritance can improve the reusability and flexibility of code. Note, though, that it's not a tutorial but a catalog that you can use to find an object-oriented design pattern that's appropriate for the needs of your particular application--a selection for virtuoso programmers who appreciate (or require) consistent, well-engineered object-oriented designs.
- The Mythical Man-Month: Essays on Software Engineering
By Frederick P. Brooks
Published: August 12, 1995
Publisher: Addison-Wesley Professional
Amazon Link: here
Few books on software project management have been as influential and timeless as The Mythical Man-Month. With a blend of software engineering facts and thought-provoking opinions, Fred Brooks offers insight for anyone managing complex projects. These essays draw from his experience as project manager for the IBM System/360 computer family and then for OS/360, its massive software system. Now, 20 years after the initial publication of his book, Brooks has revisited his original ideas and added new thoughts and advice, both for readers already familiar with his work and for readers discovering it for the first time.
- Art of Computer Programming, Volume 1: Fundamental Algorithms (3rd Edition)
By Donald E. Knuth
Published: July 17, 1997
Publisher: Addison-Wesley Professional
Amazon Link: here
The bible of all fundamental algorithms and the work that taught many of today's software developers most of what they know about computer programming. One of the book's greatest strengths is the wonderful collection of problems that accompany each chapter. The author has chosen problems carefully and indexed them according to difficulty. Solving a substantial number of these problems will help you gain a solid understanding of the issues surrounding the given topic. Furthermore, the exercises feature a variety of classic problems.
- Compilers: Principles, Techniques, and Tools (2nd Edition)
By Alfred V. Aho, Monica S. Lam, Ravi Sethi and Jeffrey D. Ullman
Published: September 10, 2006
Publisher: Prentice Hall
Amazon Link: here
Known to professors, students, and developers worldwide as the "Dragon Book," the latest edition has been revised to reflect developments in software engineering, programming languages, and computer architecture that have occurred since 1986, when the last edition published. The authors, recognizing that few readers will ever go on to construct a compiler, retain their focus on the broader set of problems faced in software design and software development.
Follow @dodgy_coder
UPDATE: There was just too many great books that finished outside of the top 10 to ignore... below I've added the programming books which finished placed 11th through to 30th in the survey... enjoy!
- Head First Design Patterns
By Elisabeth Freeman, Eric Freeman, Bert Bates and Kathy Sierra
Published: November 1, 2004
Publisher: O'Reilly Media
Amazon Link: here
- Gödel, Escher, Bach: An Eternal Golden Braid (20th Anniversary Edition)
By Douglas Hofstadter
Published: February 5, 1999
Publisher: Basic Books
Amazon Link: here
- Effective C++: 55 Specific Ways to Improve Your Programs and Designs (3rd Edition)
By Scott Meyers
Published: May 22, 2005
Publisher: Addison-Wesley Professional
Amazon Link: here
- Clean Code: A Handbook of Agile Software Craftsmanship
By Robert C Martin
Published: August 11, 2008
Publisher: Prentice Hall
Amazon Link: here
- Programming Pearls (2nd edition)
By Jon Bentley
Published: October 7, 1999
Publisher: Addison-Wesley Professional
Amazon Link: here
- Working Effectively with Legacy Code
By Michael Feathers
Published: October 2, 2004
Publisher: Prentice Hall
Amazon Link: here
- CODE: The Hidden Language of Computer Hardware and Software
By Charles Petzold
Published: November 11, 2000
Publisher: Microsoft Press
Amazon Link: here
- Peopleware: Productive Projects and Teams (2nd Edition)
By Tom DeMarco and Timothy Lister
Published: February 1, 1999
Publisher: Dorset House
Amazon Link: here
- Coders at Work: Reflections on the Craft of Programming
By Peter Seibel
Published: September 16, 2009
Publisher: Apress
Amazon Link: here
- Effective Java (2nd Edition)
By Joshua Bloch
Published: May 28, 2008
Publisher: Prentice Hall
Amazon Link: here
- Patterns of Enterprise Application Architecture
By Martin Fowler
Published: November 15, 2002
Publisher: Addison-Wesley Professional
Amazon Link: here
- The Little Schemer (4th Edition)
By Daniel P. Friedman, Matthias Felleisen, Duane Bibby
Published: December 21, 1995
Publisher: The MIT Press
Amazon Link: here
- The Inmates Are Running The Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
By Alan Cooper
Published: March 5, 2004
Publisher: Sams - Pearson Education
Amazon Link: here
- The Art of UNIX Programming
By Eric S Raymond
Published: October 3, 2003
Publisher: Addison-Wesley Professional
Amazon Link: here
- Practices of an Agile Developer
By Venkat Subramaniam and Andy Hunt
Published: July 1, 2005
Publisher: Pragmatic Bookshelf
Amazon Link: here
- The Elements of Style: 50th Anniversary Edition
By William Strunk and E. B. White
Published: October 25, 2008
Publisher: Longman
Amazon Link: here
- Test-Driven Development: By Example
By Kent Beck
Published: November 18, 2002
Publisher: Addison-Wesley Professional
Amazon Link: here
- Don't Make Me Think: A Common Sense Approach to Web Usability
By Steve Krug
Published: August 28, 2005
Publisher: New Riders Press
Amazon Link: here
- Domain Driven Design: Tackling Complexity in the Heart of Software
By Eric Evans
Published: August 30, 2003
Publisher: Addison-Wesley Professional
Amazon Link: here
- Modern C++ Design: Generic Programming and Design Patterns Applied
By Andrei Alexandrescu
Published: February 23, 2001
Publisher: Addison-Wesley Professional
Amazon Link: here
Follow @dodgy_coder
Sunday, August 28, 2011
Meet Ice IX, Son Of ZeuS
Earlier this year the online banking malware ZeuS trojan's source code was leaked. One of the predictions made by security researchers at the time was that the leaked code would be used by independent malware developers, who would explore it and develop their own hybridized versions of ZeuS, adding custom features and advancements to it.
A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer who wrote the new trojan, and named it "Ice IX", openly declared that he developed his new trojan based on the ZeuS v2 source code, and in doing so allegedly perfecting flaws and bugs he believed needed fixing to improve the product's value to its cybercriminal customers.
What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.
Tracker Evasion
The new feature considered most valuable by Ice IX's developer is the implementation of a defense mechanism designed to evade Tracker sites, which he managed to implement in version 1.0.5 of the Ice IX trojan. Repeatedly stressed by Ice IX's developer, his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals - ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker" are operated by a Swiss-based organization which monitors and reports malicious C&C (Command and Control) servers to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so called "bulletproof" servers which are expensive and typically operate specifically to service cybercrime-based customers.
A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site while the user is actually using the site in order to alter the function of the page. Typically ZeuS has had problems when injecting into javascript and also had difficulty maintaining original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.
Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:
Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.
Main Functions
² Bot conversion rate is the ratio of the number of bots which actually communicate with the C&C server divided by the total number of bots infected.
Licensing and Prices for Version 1.0.5
Ice IX is offered at a lower price than what one would have paid for a comparative ZeuS kit or a SpyEye kit (SpyEye is still being sold for an approximate $4,000 USD today). According to earlier posts about Ice IX an open license to the first version v1.0.0 was sold for $1,500.
Upcoming Enhancements
In an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:
After the posting of Ice IX, another vendor selling HTML injections offered his stamp of approval of the Ice IX trojan. The new Ice IX buyer had some opinions on the injection mechanism of Ice IX:
Conclusion
So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.
Follow @dodgy_coder
Subscribe to posts via RSS
A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer who wrote the new trojan, and named it "Ice IX", openly declared that he developed his new trojan based on the ZeuS v2 source code, and in doing so allegedly perfecting flaws and bugs he believed needed fixing to improve the product's value to its cybercriminal customers.
What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.
- Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through power sources which are not protected; possibly erasing data from every computer on Earth.
- Ice 9 is an album by Russian rock band Smyslovye Gallyutsinatsii, two songs from which won the Russian Golden Gramophone award twice. The band is also known under a much shorter name "Glyuki", a slang term, which means basically the same as the long name: glitches in your brain. More: http://en.wikipedia.org/wiki/Smyslovye_Gallyutsinatsii
- ICE is a well known cyberpunk reference to "Intrusion Countermeasures Electronics" - software which works to prevent intruders/hackers/cyberpunks getting access to sensitive data. It is "visible" in cyberspace as actual walls of ice, stone, or metal. Black ICE refers to ICE that are capable of killing the intruder if deemed necessary or appropriate; some forms of black ICE may be artificially-intelligent. More: http://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
- In cryptography, ICE (Information Concealment Engine) is a block cipher published by Kwan in 1997. The ICE algorithm is not subject to patents, and the source code is in the public domain. More: http://en.wikipedia.org/wiki/ICE_(cipher)
- The term ICE, referencing the cyberpunk usage, has been adopted by some real-world security software manufacturers: BlackICE, security software made by IBM Internet Security Systems. Black Ice Defender, security software made by Network ICE. Network ICE, a security software company.
- On April 28, 2009, the Information and Communications Enhancement Act, or ICE Act for short, was introduced to the United States Senate by Senator Tom Carper to make changes to the handling of information security by the federal government, including the establishment of the National Office for Cyberspace. More: http://www.opencongress.org/bill/111-s921/show
- Ice IX is a form of solid water stable at temperatures below 140 K and pressures between 200 and 400 MPa. It has a tetragonal crystal lattice and a density of 1.16 g/cm³, 26% higher than ordinary ice. It is formed by cooling ice III from 208 K to 165 K (rapidly—to avoid forming ice II). Its structure is identical to ice III other than being proton-ordered. More: http://en.wikipedia.org/wiki/Ice_IX
- Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; existing, for example, as a stable solid at room temperature and regular atmospheric pressure. More: http://en.wikipedia.org/wiki/Ice-nine
- Ice 9 is a song by Joe Satriani from his album Surfing with the Alien.
- Ice Nine is a first-person shooter game for the Game Boy Advance console. More: http://en.wikipedia.org/wiki/Ice_Nine_(game)
- A substance called Ice 9 is referred to in the Nintendo DS game "999: Nine Hours, Nine Persons, Nine Doors". It seems to be a reference to Vonnegut's ice-nine substance, and not to the real thing. More: http://en.wikipedia.org/wiki/999:_Nine_Hours,_Nine_Persons,_Nine_Doors
- Ice Nine is the name of a new screenplay which is currently in development by New York production company Whiskey Outpost. More: http://whiskeyoutpost.com/ice.html
Tracker Evasion
The new feature considered most valuable by Ice IX's developer is the implementation of a defense mechanism designed to evade Tracker sites, which he managed to implement in version 1.0.5 of the Ice IX trojan. Repeatedly stressed by Ice IX's developer, his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals - ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker" are operated by a Swiss-based organization which monitors and reports malicious C&C (Command and Control) servers to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so called "bulletproof" servers which are expensive and typically operate specifically to service cybercrime-based customers.
A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site while the user is actually using the site in order to alter the function of the page. Typically ZeuS has had problems when injecting into javascript and also had difficulty maintaining original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.
Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:
Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.
Main Functions
- Keylogging
- HTTP and HTTPS Form Grabbing, injecting its own code into IE and into IE-based browsers (Maxton, AOL, etc..), as well as Mozilla FireFox.
- .sol Cookie Grabbing and scraping info from saved forms
- FTP client credentials grabbing: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1, 2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
- Windows Mail, Live Mail, Outlook grabbing
- Socks with backconnect possibility
- Real-Time screenshots, plus the option to automate taking screenshots while the bot browses to preset URLs
- Grabs certificates from MY storage space and clears storage (certificates marked as “Non-Exportable” cannot be exported correctly). Once cleared, all new certificates will be sent to the bot master's C&C server.
- Upload specific files from the infected machine or perform searches on local disks enabling wildcards.
- TCP protocol traffic sniffer
- Elaborate set of commands to control the infected PCs
- Protected from trackers¹
- Host your botnet with conventional hosting, not needing bulletproof servers, which will save you loads of money.
- Better bot conversion rate², frequent version upgrades and tech support.
- Developing more modules and features may be negotiated per the client’s request.
² Bot conversion rate is the ratio of the number of bots which actually communicate with the C&C server divided by the total number of bots infected.
Licensing and Prices for Version 1.0.5
- BASIC LICENSE: Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.
- COMPLETE LICENSE: Open Trojan with unlimited Builder license: $1,800
Ice IX is offered at a lower price than what one would have paid for a comparative ZeuS kit or a SpyEye kit (SpyEye is still being sold for an approximate $4,000 USD today). According to earlier posts about Ice IX an open license to the first version v1.0.0 was sold for $1,500.
Upcoming Enhancements
In an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:
- HTML & JavaScript injections that will work on the Firefox browser.
- A function that will block the SpyEye trojan on Ice IX-infected PCs (this sounds exactly like the 'Kill ZeuS' feature of SpyEye).
- As with ZeuS, Ice IX will encrypt communication with the C&C server, using a different encryption algorithm to ZeuS.
After the posting of Ice IX, another vendor selling HTML injections offered his stamp of approval of the Ice IX trojan. The new Ice IX buyer had some opinions on the injection mechanism of Ice IX:
- JavaScript files are easily injected, and you can’t say that about ZeuS
- CSS files are successfully injected; it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website's look and feel. This improvement steps-up the appearance of injected content and web page replicas.
- The order of data_before, data_after, data_inject blocks plays no role. The trojan understands them in any block order. When referring to data_before / data_after blocks, the fraudster is speaking of the delimitations that must be specified to a web injection. For example:
- Data_before: When a login set requires username, password and secret question, the data_before is all three sets
- Data_inject: The additional data that the fraudster would like to inject into the page
- Data_after: The lower limit field of the data the trojan looks for
Conclusion
So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.
Follow @dodgy_coder
Subscribe to posts via RSS
Monday, August 22, 2011
Classifying Hacking in 4D: Impact, Illegality, Evilness and Complexity
This chart is an attempt to classify hacking events and methods with something more than the simple black, white and grey hat hacking classification. After looking through a number of different possible attributes, the ones I came up with were the following, each rated on a scale of 0 to 10.
- IMPACT
what sort of damage has been done to systems or to finances. a score of 0 means an improvement was made to the system due to the hack.
- ILLEGALITY
where on the legal scale does the event lie in the range of 100% legal to 100% illegal, or it might be a bit of a "grey area"?
- EVILNESS
yes, a bit subjective I know, but can we generalize that the motivation of the attacker is good, evil or maybe something in between?
- COMPLEXITY
how complex was the attack, is it a simple DDOS or an advanced threat like an online banking password stealing botnet?
Any comments would be most appreciated.
Follow @dodgy_coder
Subscribe to posts via RSS
Thursday, August 18, 2011
Online Banking Safety
Specialist eBanking Malware
The ZeuS malware package has been around long enough to earn the title "crimeware toolkit" from Symantec. The relatively newer SpyEye, first seen in 2010, includes a component called KillZeus that destroys its "competitor", ZeuS, on any machine they share. In addition to eliminating a competing botnet operator on an infected machine, being able to delete the older ZeuS Trojan gives the newer SpyEye operator a pre-configured bot which has already proven that its owner isn't going to discover the infection immediately. In both ZeuS and SpyEye, the malware developers have tried to build anti-kill functions into their own malware, so ZeuS can now defend itself against SpyEye's KillZeus module. It seems that in the world of botnet development, as with legitimate product sales, existing victims (read customers) are a lot more stable and valuable than new, unproven ones.
Attack Prevention and Mitigation Methods
July, 2011 Total scammed: $217,000
Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center in Omaha, Nebraska was targeted by unspecified malware infecting one computer via an email attachment. Details here.
July, 2011 Total scammed: $28,000
The Town of Eliot, Maine - the PC belonging to the town controller was infected with unspecified banking trojan malware. Details here.
February, 2011 Total scammed: $150,000
Port Austin, Michigan based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller had been infected with the ZeuS trojan. Details here.
January, 2011 Total scammed: $378,000
The town of Poughkeepsie, New York was hit by unspecified cyber criminals from Ukraine who took over control of their online bank account. Details here.
November, 2010 Total scammed: $63,000
Green Ford Sales of Abilene, Kansas was infected with the ZeuS trojan malware. Details here.
October, 2010 Total scammed: $600,000
The city of Brigantine, New Jersey had their online banking credentials compromised by unspecified malware. Details here.
March, 2010 Total scammed: $465,000
California-based real estate escrow company, Village View Escrow infected by the ZeuS trojan. Details here.
November, 2009 Total scammed: $200,000
Plano, Texas based Hillary Machinery Inc. was hit by cyber criminals from Romania and Italy who transferred $801,495 out of their account in 48 hours. In this case the bank, PlainsCapital, managed to retrieve roughly $600,000 of the money. Details here.
- Specialized trojan malware infecting PCs used for internet banking are becoming prevalent.
- For example the ZeuS Trojan or SpyEye Trojan are both designed to infect a Windows-based PC and enlist it into a botnet of controlled PCs, from which can be harvested online banking usernames, passwords and credit card credentials.
What Happens During An Attack
- The trojan malware only becomes active when a user on the infected computer connects to a bank website, during which the trojan starts to record account details, passwords and other confidential information.
- The trojan malware will typically add one or more new employees or payee accounts in the name of "money mules".
- A transfer between $1,000 and $10,000 will be made to a "money mule" account - a legitimate bank account held by a real customer.
- Owners of these "money mule" accounts have agreed to transfer sums they receive to someone else, after taking a cut. They are often unaware of being involved in a crime, and are typically targeted by "work at home" type scams offering easy money, or given some other legitimate reason why they are required to transfer the money.
- By the time the police have investigated the attack, the recipient of the money will usually have collected the transferred money, and is usually residing outside of the country of both the victim, and the money mule.
The Source of the Problem
- The source code for the ZeuS Trojan was originally offered for sale for approx $10000 to enable criminal gangs to control their own botnet or customise it for their particular market's needs.
- The source code of the ZeuS trojan has now been leaked and is available for free (or at a nominal cost) on hacker forums.
- The leak of the ZeuS source on May 7, 2011 is described here.
- The SpyEye 'builder' crack was leaked on August 11, 2011, as described here.
- French security researcher Xyliton, part of the Reverse Engineers Dream (RED) Crew reverse engineered the 'builder' (the tool that generates the SpyEye malware) and was able to crack its hardware identification (HWID) layer which locked the SpyEye builder to a particular physical device.
- The cracked SpyEye builder enables new trojan developers to avoid the attribution that was previously associated with the high-priced toolkit and launch their own, untraceable versions of SpyEye. Where previous trojans built using the kit could be traced back to the original buyer of the toolkit, this will make it more difficult to track SpyEye botnets back to the source, since they have no attribution.
The ZeuS malware package has been around long enough to earn the title "crimeware toolkit" from Symantec. The relatively newer SpyEye, first seen in 2010, includes a component called KillZeus that destroys its "competitor", ZeuS, on any machine they share. In addition to eliminating a competing botnet operator on an infected machine, being able to delete the older ZeuS Trojan gives the newer SpyEye operator a pre-configured bot which has already proven that its owner isn't going to discover the infection immediately. In both ZeuS and SpyEye, the malware developers have tried to build anti-kill functions into their own malware, so ZeuS can now defend itself against SpyEye's KillZeus module. It seems that in the world of botnet development, as with legitimate product sales, existing victims (read customers) are a lot more stable and valuable than new, unproven ones.
Attack Prevention and Mitigation Methods
- Ensure an up to date browser and operating system.
- Avoid Microsoft Internet Explorer if possible; Mozilla Firefox and Google Chrome are generally safer.
- Ensure an up to date and effective commercial anti-virus software is installed.
- If possible use a dedicated PC specifically for commercial internet banking only. This means it will see no general-purpose internet usage, and is therefore less likely to get infected.
- Change online banking passwords regularly, at least once per month for commercial internet banking.
- Implement two-factor authentication for banking/payroll transfers.
- Ask your bank to remove or restrict the capability to add new employees and/or new payee accounts from your online account. Replace this operation with a secure method, requiring at least two factor authentication and/or phone support.
July, 2011 Total scammed: $217,000
Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center in Omaha, Nebraska was targeted by unspecified malware infecting one computer via an email attachment. Details here.
July, 2011 Total scammed: $28,000
The Town of Eliot, Maine - the PC belonging to the town controller was infected with unspecified banking trojan malware. Details here.
February, 2011 Total scammed: $150,000
Port Austin, Michigan based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller had been infected with the ZeuS trojan. Details here.
January, 2011 Total scammed: $378,000
The town of Poughkeepsie, New York was hit by unspecified cyber criminals from Ukraine who took over control of their online bank account. Details here.
November, 2010 Total scammed: $63,000
Green Ford Sales of Abilene, Kansas was infected with the ZeuS trojan malware. Details here.
October, 2010 Total scammed: $600,000
The city of Brigantine, New Jersey had their online banking credentials compromised by unspecified malware. Details here.
March, 2010 Total scammed: $465,000
California-based real estate escrow company, Village View Escrow infected by the ZeuS trojan. Details here.
November, 2009 Total scammed: $200,000
Plano, Texas based Hillary Machinery Inc. was hit by cyber criminals from Romania and Italy who transferred $801,495 out of their account in 48 hours. In this case the bank, PlainsCapital, managed to retrieve roughly $600,000 of the money. Details here.
Monday, August 8, 2011
Sunday, August 7, 2011
AntiSec Hacks US Law Enforcement: 10GB of Emails and Data Made Public
The home page of the website where AntiSec have dumped the leaked data |
In retaliation for recent arrests, the AntiSec hacking group say they've released their "largest cache yet" of data stolen from law enforcement agencies in the US, and have dubbed it "Shooting Sheriffs Saturday".
The Leaked Data Contains:
- Over 300 email accounts from 56 law enforcement domains, totaling more than 200,000 messages.
- 7000+ home addresses, usernames, passwords, phone numbers, credit card numbers, and SSNs (Social Security Numbers) from the Missouri Sheriff account dump (mosheriffs.com).
- Online Police Training Academy files (PDFs, videos, HTML files).
- List of "Report a Crime" informants (60+ entries).
- Plesk (Website administration tool) server passwords giving access to FTP, SSH, Email, CPanel and .HTACCESS Protected directories.
Recent Arrests
Law enforcement around the globe have arrested several suspected Anonymous members in recent days, including the UK's Jake Davis who is suspected to be LulzSec spokesman Topiary. Before this came the arrests of 16 people in the US, four in the Netherlands, and a 16-year-old in London (suspected to be LulzSec member Tflow) as part of a global investigation into denial-of-service attacks on PayPal late last year in support of WikiLeaks, and other attacks. The AntiSec release says this attack was made "in solidarity with Topiary and the Anonymous PayPal LOIC defendants as well as all other political prisoners who are facing the gun of the crooked court system".
DHS Bulletin
One of the motives for AntiSec seems to be a recent DHS (US Department of Homeland Security) bulletin.
From AntiSec: "A recent DHS bulletin has called us "script kiddies" that lack "any capability to inflict damage to critical infrastructure" yet we continue to get in and out of any system we please, destroying and dropping dox on the mightiest of government systems that are supposed to be protecting their sick nightmare of "law and order". GIVE UP. You are losing the cyberwar, and the attacks against the governments, militaries, and corporations of the world will continue to escalate."
Here are the two relevant passages from the DHS bulletin which seem in particular to have irked AntiSec:
- "The actors who make up the hacker group “Anonymous” and several likely related offshoots like “LulzSec”, continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures (TTPs) commonly associated with less skilled hackers referred to as “Script Kiddies”. [Script Kiddie: Unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites.] Members of Anonymous routinely claim to have an overt political agenda and have justified at least a portion of their exploits as retaliation for perceived ‘social injustices’ and ‘freedom of speech’ issues. Attacks by associated groups such as LulzSec have essentially been executed entirely for their and their associates’ personal amusement, or in their own hacker jargon “for the lulz”.
- "So far, Anonymous has not demonstrated any capability to inflict damage to critical infrastructure, instead choosing to harass and embarrass its targets."
The initial compromise to the sheriff websites was done about two weeks ago on Arkansas-based web designers Brooks-Jeffrey Marketing (BJM), which hosts sheriff association websites. The hackers say they were easily able to get back into the compromised servers after they were taken offline to have their security beefed up by the law enforcement agencies. "We were surprised and delighted to see that not only did they relaunch a few sites less than a week later, but that their 'bigger, faster server that offers more security' carried over our backdoors from their original box. This time we were not going to hesitate to pull the trigger: in less than an hour we rooted their new server and defaced all 70+ domains while their root user was still logged in and active."
An internet security expert claims AntiSec may have gone after the sheriffs' offices because their hosting company was an easy target. Dick Mackey, vice-president of consulting at SystemExperts of Sudbury, Massachusetts, said many organizations did not see themselves as potential targets for international hackers, causing indifference that could leave them vulnerable. "It seems to me to be low-hanging fruit," he said. "If you want to go after someone and make a point and want to have their defences be low, go after someone who doesn't consider themselves a target."
In a further embarrassment, AntiSec used the stolen credit card details to make donations to the American Civil Liberties Union, the Electronic Frontier Foundation, and the Bradley Manning Support Network, according to the statement. They are strong supporters of whistle-blower site WikiLeaks and Manning, the Army soldier arrested last year for leaking classified data to the site.
Links
AntiSec's original media release: http://pastebin.com/iKsuRkUj
The AntiSec statement signs off with some poetry/rap:
I take a left at the light, turn off the headlights and ride real slow
Now holla at me when you see the 5-0
Alright Dirty, yall boys ready?
Bout to turn drive-bys revolutionary
*POW POW POW POW POW* YEAH MUTHAFUCKA YEAH!
*POW POW POW POW POW* YEAH MUTHAFUCKA YEAH!
Look at 'em run, too scared to pull they guns
Outta shape from them coffees and them cinnamon buns
This shit is fun, how I feel when the tables is turned
Hollow tips hit yah flesh through yo vests and it burn
That's a lesson you learn, comin straight from the slums
And it don't stop till we get full freedom
Friday, August 5, 2011
McAfee Operation Shady RAT: A Media Storm is Unleashed
On Thursday morning August 4, I switched on the radio on the way to work to listen to the news headlines by the local radio station and was gobsmacked to be hearing them talking about the "biggest cyber attack" ever having been found by McAfee, dubbed Operation Shady RAT. For the first time I can every remember, an infosec story had made it on the news headlines of my local radio station, and in the process gained some valuable PR and credibility for McAfee...
How it played out
The storm of media interest was sparked at 9.14pm, Tuesday night US time, August 2, when the original blog post and research report was released by McAfee researcher Dmitri Alperovitch. The first media article appeared on Vanity Fair which was given the web exclusive story first.
Many thousands of other media outlets then ran with the story on the following day (Wednesday), typically
summarising the research report, with many claiming it to be the biggest cyber attack in history. Many also pointed the finger of blame squarely at China, without any real evidence. Jim Lewis, a cyber expert with the Center for Strategic and International Studies who was briefed on the hacking discovery by McAfee, said it was very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing. "Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.
The facts of the case, as presented by McAfee's report
As Graham Cluley of Sophos' Naked Security Blog stated "What the report doesn't make clear is precisely what information was stolen from the targeted organisations, and how many computers at each business were affected." Cluley decried the way the media has rushed to blame China for the attacks. "I don't think we should be naive. I'm sure China does use the internet to spy on other countries. But I'm equally sure that just about *every* country around the world is using the internet to spy. Why wouldn't they? It's not very hard, and it's certainly cost effective compared to other types of espionage." he wrote.
Hon Lau from Symantec has poured cold water on the "biggest cyber attack" headlines surrounding the case - "While this attack is indeed significant, it is one of many similar attacks taking place daily." He also outlines the way the attackers used spear phishing to target individuals, typically through email attachments including Word documents, Excel documents, PDF files or PowerPoints. "These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised." he wrote.
One thing is for sure, it may not have been the biggest cyber attack in history, but it is certainly one of the most successful infosec media releases ever made, and for that McAfee must be congratulated: at least it has again focused some much needed attention in the media for such an important topic.
Follow @dodgy_coder
Subscribe to posts via RSS
How it played out
The storm of media interest was sparked at 9.14pm, Tuesday night US time, August 2, when the original blog post and research report was released by McAfee researcher Dmitri Alperovitch. The first media article appeared on Vanity Fair which was given the web exclusive story first.
Many thousands of other media outlets then ran with the story on the following day (Wednesday), typically
summarising the research report, with many claiming it to be the biggest cyber attack in history. Many also pointed the finger of blame squarely at China, without any real evidence. Jim Lewis, a cyber expert with the Center for Strategic and International Studies who was briefed on the hacking discovery by McAfee, said it was very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing. "Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.
The facts of the case, as presented by McAfee's report
- Botnet-like malware communicating with a single C&C (Command and Control) server was found on the 72 infected computers.
- A variety of different exploits were used to gain access to the victims computers, largely through spear phishing type attacks.
- 72 organisations were identified across a swathe of areas including government, industrial, technology, defense, sporting, corporate and non-profit NGOs.
- 49 of the victims were from the USA.
- There was no evidence presented of any specific or important data being lost.
- There was no mention of the total number of unique IP addresses that were found to be infected.
As Graham Cluley of Sophos' Naked Security Blog stated "What the report doesn't make clear is precisely what information was stolen from the targeted organisations, and how many computers at each business were affected." Cluley decried the way the media has rushed to blame China for the attacks. "I don't think we should be naive. I'm sure China does use the internet to spy on other countries. But I'm equally sure that just about *every* country around the world is using the internet to spy. Why wouldn't they? It's not very hard, and it's certainly cost effective compared to other types of espionage." he wrote.
Hon Lau from Symantec has poured cold water on the "biggest cyber attack" headlines surrounding the case - "While this attack is indeed significant, it is one of many similar attacks taking place daily." He also outlines the way the attackers used spear phishing to target individuals, typically through email attachments including Word documents, Excel documents, PDF files or PowerPoints. "These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised." he wrote.
One thing is for sure, it may not have been the biggest cyber attack in history, but it is certainly one of the most successful infosec media releases ever made, and for that McAfee must be congratulated: at least it has again focused some much needed attention in the media for such an important topic.
Follow @dodgy_coder
Subscribe to posts via RSS
Subscribe to:
Posts (Atom)