Michael Jackson Spam/Malware – RIP The King Of Pop

June 30th, 2009

For people of my age and generation and I’d guess for most readers of Darknet, Michael Jackson would have had a great influence on our lives.

The biggest news last week was most certainly his death, as usual the bad guys were extremely quick to capitalize on this and were sending out spam within hours of the announcement.

It was suspected malware would follow shortly after, and it did according to F-Secure.

Within hours of the death of pop star Michael Jackson, spam trading on his demise hit inboxes, a security firm said today as it warned that more was in the offing.

Just eight hours after news broke about Jackson, U.K.-based Sophos started tracking the first wave of Jackson spam, which used a subject head of “Confidential — Michael Jackson.” The spam wasn’t pitching a product or leading users to a phishing or malware Web site, but instead was trying to dupe users into replying to the message in order to collect e-mail addresses and verify them as legitimate.

“The body of the spam message does not contain any call-to-action link such as a URL, e-mail or phone number,” said Sophos in its company’s blog today. “But the spammer can harvest receivers’ e-mail addresses via a free live e-mail address if the spam message is replied to.”

The original versions were just plain old spam to harvest addresses, but later malware laden versions followed which dropped IRC bots and backdoors detected as “Trojan.Win32.Buzus.bjyo”.

It’s sad to see such things happening, but social engineering attacks to spread malware are always expected when some big news like this breaks.

Nothing is sacred to the dark side of the Internet.

The timing of that campaign was not coincidental: It followed Jackson’s acquittal on all charges of child sexual abuse. “The news of his suicide attempt was believable,” said Cluley, who noted that scammers and hackers often trade on tragedies to get people to click links. In that case, users were hit with a hacker toolkit that tried several exploits against Internet Explorer.

“I wouldn’t be surprised to see hackers claiming that they have top-secret footage from the hospital, perhaps [allegedly] taken by the ambulance people, that then asks you to install a video codec,” said Cluley, talking about a common malware ploy. Users who click on the supposed codec update link are, in fact, then infected with attack code, often a bot that hijacks their computer.

So do warn people, if someone e-mails them pictures or videos claiming to be secret or exclusive footage surrounding the death of Michael Jackson – it’s most likely an infection vector.

Common sense prevails, but is sadly not common.

RIP Michael.

Source: Network World

Kon-Boot – Reset Windows & Linux Passwords

June 30th, 2009

Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel (and now the Windows kernel also!!!) on the fly (while booting).

In the current compilation state it allows to log into a Linux system as ’root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

It was mainly created for Ubuntu; later the author made a few add-ons to cover some other Linux distributions.

Entire Kon-Boot was written in pure x86 assembly, using old grandpa-geezer TASM 4.0.

Latest Updates – Kon-Boot for Windows

Kon-Boot was moved to Windows platforms. So now it provides support for Microsoft Windows systems and also the Linux systems listed below. Kon-Boot for Windows enables logging in to any password protected machine profile without any knowledge of the password. This tool changes the contents of the Windows kernel while booting; everything is done virtually, without any interference with the physical system. So far the following systems were tested to work correctly with Kon-Boot:

  • Windows Server 2008 Standard SP2 (v.275)
  • Windows Vista Business SP0
  • Windows Vista Ultimate SP1
  • Windows Vista Ultimate SP0
  • Windows Server 2003 Enterprise
  • Windows XP
  • Windows XP SP1
  • Windows XP SP2
  • Windows XP SP3
  • Windows 7

No special usage instructions are required for Windows users: just boot from the Kon-Boot CD/Floppy, select your profile and put in any password you want. You lost your password? Now it doesn’t matter at all.

It has been tested with the following Linux distributions:

  • Gentoo 2.6.24-gentoo-r5 GRUB 0.97
  • Ubuntu 2.6.24.3-debug GRUB 0.97
  • Debian 2.6.18-6-6861 GRUB 0.97
  • Fedora 2.6.25.9-76.fc9.i6862 GRUB 0.97

You can download Kon-Boot here:

Floppy Image – FD0-konboot-v1.1-2in1.zip
CD ISO Image – CD-konboot-v1.1-2in1.zip

Or read more here.

Russian spam about spam looks like a ransom note

June 19th, 2009

Like anyone else who’s been on the net for twenty years or more, I’ve had a few email addresses in my time. One of them, which I barely ever use, is for a website I created more than 15 years ago and hardly ever update. And it receives an awful lot of Russian language spam. In fact it gets more Russian spam than spam in any other language.

I don’t particularly mind this, and have never bothered to put an anti-spam filter in place for it. After all, in my line of work it’s kind-of interesting to get to see spam. :)

Here’s an example of some Russian language spam I received last night in that email account:

[Image: Russian spam which looks like a ransom note]

As you can see, the spammers have created the electronic equivalent of a traditional ransom note. They may not have cut each letter of their ransom demand from a newspaper, but they’ve produced the electronic equivalent. And they are using an image rather than text in the email in an attempt to slip past the more rudimentary anti-spam filters.

I asked Dmitry in our labs to translate the message for me, and he tells me that this is spam about spam!

It reads:

“We have access to your potential clients. If you want to contact them, order bulk email services from us. Tel: ….”

A Russian language spam offering bulk-mailing services isn’t actually that unusual. We see many messages promoting Russian services to send spam, and clearly there is a feeling amongst some firms that this is an acceptable way for their products and services to be marketed.

Furthermore, unlike a lot of the spam we see worldwide, it’s not unusual for Russian-language spam to contain contact telephone numbers rather than a web address.

Presenting your service using the traditional methods of a kidnapper, however, makes me raise an eyebrow. I mean, what company would take an approach like this seriously? Would you really want to do some shady business with guys like this?
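Both the reply-harvesting spam described in the Michael Jackson post above and the image-based spam here leave a footprint that a simple filter can score. The following is an added example, not part of either original post: a small Python heuristic run over constructed messages that flags (a) a topical subject with no URL, e-mail address or phone number in the body, sent from a free webmail domain (the reply-harvesting pattern Sophos described), (b) an image attachment with almost no body text (the ransom-note pattern), and (c) a body whose only contact channel is a phone number. The freemail list, keyword list and length threshold are assumptions chosen for illustration, not values from either post.

```python
"""Heuristics for two spam patterns: reply-harvesting with no call to action,
and image-only bodies meant to slip past text-based filters (added example)."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

# A spammer harvesting replies needs a reply address that costs nothing to
# create; this short list of free webmail domains is an assumption.
FREEMAIL = {"hotmail.com", "live.com", "gmail.com", "yahoo.com", "mail.ru"}

# Subject fragments that ride a breaking-news story (constructed list).
TOPICAL = ("michael jackson", "confidential", "exclusive", "breaking")


@dataclass
class Message:
    sender: str
    subject: str
    body_text: str          # text extracted from the body (empty if image-only)
    image_attachments: int = 0


def call_to_action(text):
    """Return the set of contact channels the body offers ("url", "email", "phone")."""
    found = set()
    if URL_RE.search(text):
        found.add("url")
    if EMAIL_RE.search(text):
        found.add("email")
    if PHONE_RE.search(text):
        found.add("phone")
    return found


def spam_flags(msg):
    """Return the list of heuristic flags raised for one message."""
    flags = []
    cta = call_to_action(msg.body_text)
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    topical = any(k in msg.subject.lower() for k in TOPICAL)
    # (a) sensational subject, nothing to click or call, free webmail sender:
    #     the only action left to the reader is to reply.
    if topical and not cta and domain in FREEMAIL:
        flags.append("reply-harvest")
    # (b) the message body is carried in an image; text filters see nothing.
    if msg.image_attachments and len(msg.body_text.strip()) < 40:
        flags.append("image-only")
    # (c) phone number as the sole contact channel (weak signal on its own).
    if cta == {"phone"}:
        flags.append("phone-only")
    return flags


# Constructed sample messages, one per pattern plus a benign newsletter.
SAMPLES = [
    Message("someone@live.com", "Confidential - Michael Jackson",
            "Did you hear the news? Reply to me and I will send the pictures."),
    Message("ads@mail.ru", "Предложение", "", image_attachments=1),
    Message("ads@mail.ru", "Рассылка",
            "We have access to your potential clients. Tel: +7 495 123-45-67"),
    Message("news@example.org", "Weekly newsletter",
            "Read more at https://example.org/news"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r}: {spam_flags(m)}")
```

Each flag is a signal to score, not a verdict: a legitimate condolence note from a friend on Hotmail with no links would also trip the first rule, so in a real filter these feed a weighted score alongside sender reputation and volume.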

Source: Russian spam about spam looks like a ransom note

New Computer Snooping Tool

June 18th, 2009

From the press release:

Unlike existing computer forensics solutions, EnCase Portable runs on a USB drive, rather than a laptop, and enables the user to easily and rapidly boot a target computer to the USB drive, and run a pre-configured data search and collection job. The ease-of-use and ultra-portability of EnCase Portable creates exciting new possibilities in data acquisition. Even personnel untrained in computer forensics can forensically acquire documents, Internet history and artifacts, images, and other digital evidence, including entire hard drives, with a few simple keyboard clicks.

Source: New Computer Snooping Tool

Malware Steals ATM Data

June 11th, 2009

One of the risks of using a commercial OS for embedded systems like ATM machines: it’s easier to write malware against it:

The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system. The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.

Once the malicious lsass.exe program is installed, it collects users’ account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.

After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
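The infection described above works by replacing two files on disk, which is exactly what a file-integrity baseline catches. The following is an added example, not code from the report or from Schneier: a Python baseline checker that records SHA-256 digests of a list of critical files and later reports each as ok, modified or missing. The demo builds its own scenario in a temporary directory with stand-in files named after the two binaries in the report; the file names and contents are constructed for illustration and no real system files are touched.

```python
"""File-integrity baseline for a fixed list of critical files (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each monitored path to its digest at a known-good point in time."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Compare the current state of each monitored file against the baseline."""
    result = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_of(path) != digest:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Constructed scenario: two stand-in binaries are baselined, then one is
    overwritten and the other deleted, mirroring a file-replacement infection.
    Returns {basename: status}."""
    with tempfile.TemporaryDirectory() as d:
        lsass = os.path.join(d, "lsass.exe")       # stand-in, not a real binary
        isadmin = os.path.join(d, "isadmin.exe")   # stand-in, not a real binary
        for p in (lsass, isadmin):
            with open(p, "wb") as f:
                f.write(b"ORIGINAL CONTENT OF " + os.path.basename(p).encode())
        baseline = build_baseline([lsass, isadmin])
        with open(lsass, "wb") as f:          # simulate the replacement
            f.write(b"REPLACED CONTENT")
        os.remove(isadmin)                    # simulate a deleted loader
        return {os.path.basename(k): v for k, v in verify_baseline(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The baseline itself must live somewhere the monitored host cannot rewrite (signed, or held off-box), otherwise malware that replaces lsass.exe can just as easily refresh the digest to match.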

Source: Malware Steals ATM Data

I’m Selling My Laptop

June 10th, 2009

I’m selling my laptop on eBay. It’s basically new, although the box has been opened. I wanted to downgrade the OS, but learned that one of the key drivers — it controls the camera and the hibernate function — was only available for Vista.

So it’s up for sale, at a good price.

ETA: It’s been sold.

Source: I’m Selling My Laptop

Obama’s Cybersecurity Speech

June 1st, 2009

I am optimistic about President Obama’s new cybersecurity policy and the appointment of a new “cybersecurity coordinator,” though much depends on the details. What we do know is that the threats are real, from identity theft to Chinese hacking to cyberwar.

His principles were all welcome — securing government networks, coordinating responses, working to secure the infrastructure in private hands (the power grid, the communications networks, and so on), although I think he’s overly optimistic that legislation won’t be required. I was especially heartened to hear his commitment to funding research. Much of the technology we currently use to secure cyberspace was developed from university research, and the more of it we finance today the more secure we’ll be in a decade.

Education is also vital, although sometimes I think my parents need more cybersecurity education than my grandchildren do. I also appreciate the president’s commitment to transparency and privacy, both of which are vital for security.

But the details matter. Centralizing security responsibilities has the downside of making security more brittle by instituting a single approach and a uniformity of thinking. Unless the new coordinator distributes responsibility, cybersecurity won’t improve.

As the administration moves forward on the plan, two principles should apply. One, security decisions need to be made as close to the problem as possible. Protecting networks should be done by people who understand those networks, and threats needs to be assessed by people close to the threats. But distributed responsibility has more risk, so oversight is vital.

Two, security coordination needs to happen at the highest level possible, whether that’s evaluating information about different threats, responding to an Internet worm or establishing guidelines for protecting personal information. The whole picture is larger than any single agency.

This essay originally appeared on The New York Times website, along with several others commenting on Obama’s speech. All the essays are worth reading, although I want to specifically quote James Bamford making an important point I’ve repeatedly made:

The history of White House czars is not a glorious one as anyone who has followed the rise and fall of the drug czars can tell. There is a lot of hype, a White House speech, and then things go back to normal. Power, the ability to cause change, depends primarily on who controls the money and who is closest to the president’s ear.

Because the new cyber czar will have neither a checkbook nor direct access to President Obama, the role will be more analogous to a traffic cop than a czar.

Gus Hosein wrote a good essay on the need for privacy:

Of course raising barriers around computer systems is certainly a good start. But when these systems are breached, our personal information is left vulnerable. Yet governments and companies are collecting more and more of our information.

The presumption should be that all data collected is vulnerable to abuse or theft. We should therefore collect only what is absolutely required.

As I said, they’re all worth reading. And here are some more links.

I wrote something similar in 2002 about the creation of the Department of Homeland Security:

The human body defends itself through overlapping security systems. It has a complex immune system specifically to fight disease, but disease fighting is also distributed throughout every organ and every cell. The body has all sorts of security systems, ranging from your skin to keep harmful things out of your body, to your liver filtering harmful things from your bloodstream, to the defenses in your digestive system. These systems all do their own thing in their own way. They overlap each other, and to a certain extent one can compensate when another fails. It might seem redundant and inefficient, but it’s more robust, reliable, and secure. You’re alive and reading this because of it.

Source: Obama’s Cybersecurity Speech

Steganography Using TCP Retransmission

May 29th, 2009

Research:

Hiding Information in Retransmissions

Wojciech Mazurczyk, Milosz Smolarczyk, Krzysztof Szczypiorski

The paper presents a new steganographic method called RSTEG (Retransmission Steganography), which is intended for a broad class of protocols that utilises retransmission mechanisms. The main innovation of RSTEG is to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram instead of user data in the payload field. RSTEG is presented in the broad context of network steganography, and the utilisation of RSTEG for TCP (Transport Control Protocol) retransmission mechanisms is described in detail. Simulation results are also presented with the main aim to measure and compare the steganographic bandwidth of the proposed method for different TCP retransmission mechanisms as well as to determine the influence of RSTEG on the network retransmissions level.
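The defining trait of RSTEG, as the abstract states it, is that the retransmitted segment carries a different payload from the original. That gives a network monitor something concrete to look for. The following is an added example, not from the paper or its authors: a Python routine over a constructed, simplified capture (segments keyed by sequence number only, ignoring ports and flow direction) that reports retransmissions whose payload differs from the first transmission and computes the overall retransmission ratio, the second quantity the abstract says RSTEG influences. The sample segments and the ratio threshold are assumptions for illustration.

```python
"""Spot retransmitted TCP segments whose payload differs from the original
transmission, plus the retransmission ratio of a capture (added example)."""

# Constructed capture: (sequence number, payload) in arrival order.  A real
# tool would key on (src, dst, sport, dport, seq) and read from pcap.
CAPTURE = [
    (1000, b"GET /index.html"),
    (2000, b"Host: example"),
    (2000, b"Host: example"),          # ordinary retransmission, payload unchanged
    (3000, b"User-Agent: x"),
    (3000, b"\x00SECRET\x00\x00\x00"),  # retransmission carrying a different payload
    (4000, b"\r\n"),
]


def analyse(segments):
    """Return (diffs, stats).

    diffs: {seq: [payloads that differed from the first transmission]}
    stats: total segments, retransmission count and retransmission ratio.
    """
    first = {}
    diffs = {}
    retrans = 0
    for seq, payload in segments:
        if seq not in first:
            first[seq] = payload       # remember what was sent the first time
            continue
        retrans += 1
        if payload != first[seq]:      # a genuine retransmission repeats the data
            diffs.setdefault(seq, []).append(payload)
    total = len(segments)
    stats = {
        "total": total,
        "retransmissions": retrans,
        "ratio": retrans / total if total else 0.0,
    }
    return diffs, stats


def suspicious(diffs, stats, ratio_threshold=0.10):
    """Flag a capture if any retransmission changed its payload, or if the
    retransmission ratio exceeds an (assumed) baseline for the link."""
    return bool(diffs) or stats["ratio"] > ratio_threshold


if __name__ == "__main__":
    d, s = analyse(CAPTURE)
    print("payload-changing retransmissions:", d)
    print("stats:", s)
    print("suspicious:", suspicious(d, s))
```

A differing payload is the strong indicator; the ratio alone is noisy, since lossy links retransmit legitimately, so the threshold should come from a measured baseline of the monitored network rather than a fixed constant.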

I don’t think these sorts of things have any large-scale applications, but they are clever.

Source: Steganography Using TCP Retransmission

Fear of blackmail after RAF loses sensitive personal data

May 28th, 2009

Highly personal information about senior officers of the Royal Air Force (RAF) - including details of extra-marital affairs, debt, drug abuse, and the use of prostitutes - is alleged to be amongst the data lost from a base in Innsworth, Gloucestershire.

When I originally reported on the stolen USB drives last September, it was suggested that the information stolen had been names, service numbers, addresses and dates of birth.

Now it seems secrets of a much more sensitive nature were also lost.

Why does the RAF have such information? Because before staff are allowed access to highly sensitive information they are put through a gruelling vetting procedure - to see if they have any skeletons in their cupboards which others may use for blackmail purposes.

A former serving officer in the RAF, who uncovered the memo after reportedly worrying about his own data being lost, told the BBC, “They’d ask you questions such as: is there anything unusual about your sex life? Have you had affairs? Used prostitutes? That sort of thing. If the information got into the wrong hands then it could leave people wide open.”

An internal email from an unnamed wing commander, seen by the media, says that the lost data “provides excellent material for Foreign Intelligence Services, investigative journalists and blackmailers”.

The fact that the RAF did not reveal that vetting data had also been lost has led some to suggest a cover-up has occurred to save the force’s embarrassment. For its part, the RAF is keen to stress that there is no indication that the data has fallen into hostile hands.

Of course, this would probably hardly be a story if the RAF had taken the sensible step in the first place of ensuring that this information was properly and securely encrypted - thus making the lost drives as useful to potential blackmailers as handlebars on a surfboard.

Source: Fear of blackmail after RAF loses sensitive personal data

How to control a Blackberry Enterprise Server with just a PDF

May 27th, 2009

Sorry, I’m not actually going to tell you how to do that.

But Research In Motion (RIM), the company who make the BlackBerry smartphones beloved by corporate workers worldwide, has warned of a vulnerability in the way its devices handle PDF files which could allow hackers to remotely execute code.

According to a security advisory issued by the firm, hackers could send an email message with an attached PDF file that, when opened by a BlackBerry mobile user, could cause code to be launched on the computer that hosts the BlackBerry Attachment Service. Of course, this isn’t the first time that this kind of problem with RIM’s BlackBerry has bubbled up.

RIM is advising that companies disable PDF file processing on the BlackBerry server until the patches are rolled out.

As we’ve reported umpteen times before, hackers are increasingly exploiting the PDF file format to deliver malicious code to unsuspecting computer users.

As PDFs are so widely used and shared in business, most people wouldn’t think twice of clicking on them, making it imperative that corporations keep their security patches and anti-malware defences up-to-date.

Source: How to control a Blackberry Enterprise Server with just a PDF