Interesting paper addressing the failure of NAC, released 2 weeks ago.
Key findings
- NAC will not succeed as a niche market.
- NAC will be a feature set, not a product.
- Much of the confusion about NAC stems from ambiguous terminology, a result of NAC's evolution from other products.
- The hindrances to NAC adoption are due to technical challenges.
Key recommendations
- Vendors should focus on interoperability standards in order to succeed.
- NAC solutions should be renamed, based on the feature components they offer.
- Consumers of NAC technology must demand standards and roadmaps from vendors.
Wednesday, September 30, 2009
Monday, September 28, 2009
Mariposa, the new botnet
50 of the world's Fortune 100 companies are actively participating in this new botnet, named Mariposa, which was discovered by Defense Intelligence in May 2009.
- 70 variants
- Seems to be driven by the Butterfly bot kit
- The Butterfly bot kit uses 3 methods for propagation: MSN, USB and P2P
- Features: password stealing, email harvesting, DDoS, browser password harvesting, etc.
- Detection: check your DNS query logs for queries to "butterfly.sinip.es" or for domains containing "butterfly"
Update:
- Several anti-virus vendors claim that this malware is not new and that they are already detecting it.
- Wireshark plugin for obfuscated Mariposa traffic.
- STATS
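The detection hint in the post (look through DNS query logs for the "butterfly.sinip.es" indicator or for names containing "butterfly") is the kind of check that is easy to script. The following is an added example written for this post, not code from the original article or from Defense Intelligence; the log lines are constructed in a BIND-style query-log layout, the client addresses are made up, and the only real indicator in it is the domain named in the post. It distinguishes an exact match on the known C&C domain (and its subdomains) from the broader substring rule, which is a triage aid and will produce false positives.

```python
import re

# Constructed sample lines in BIND-style query-log format (not captured traffic).
# One line carries the Mariposa indicator from the post, one a look-alike name
# that merely contains "butterfly", and one repeats the indicator in upper case
# with a trailing dot, to show the normalisation step.
SAMPLE_DNS_LOG = """\
28-Sep-2009 10:02:11.120 client 10.0.0.15#51234: query: www.example.com IN A +
28-Sep-2009 10:02:12.004 client 10.0.0.23#51612: query: butterfly.sinip.es IN A +
28-Sep-2009 10:02:12.377 client 10.0.0.23#51613: query: mail.example.org IN MX +
28-Sep-2009 10:02:14.901 client 10.0.0.42#52001: query: cdn.butterfly-updates.example IN A +
28-Sep-2009 10:02:15.220 client 10.0.0.15#51240: query: BUTTERFLY.SINIP.ES. IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Exact indicator named in the post; matched on the host name and any subdomain of it.
KNOWN_C2_DOMAINS = {"butterfly.sinip.es"}
# Broad triage rule from the post ("domains containing butterfly"); expect false positives.
SUSPICIOUS_SUBSTRINGS = ("butterfly",)


def classify_qname(qname):
    """Return 'known-c2', 'suspicious' or None for one queried name."""
    name = qname.rstrip(".").lower()          # strip trailing dot, ignore case
    for c2 in KNOWN_C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return "known-c2"
    if any(s in name for s in SUSPICIOUS_SUBSTRINGS):
        return "suspicious"
    return None


def scan_dns_log(lines):
    """Return one dict per matching query: client IP, queried name, type and verdict."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue                           # not a query line; skip it
        verdict = classify_qname(m.group("qname"))
        if verdict is not None:
            hits.append({
                "client": m.group("client"),
                "qname": m.group("qname").rstrip(".").lower(),
                "qtype": m.group("qtype"),
                "verdict": verdict,
            })
    return hits


def affected_clients(hits, verdict="known-c2"):
    """Distinct client IPs with at least one hit of the given verdict, sorted."""
    return sorted({h["client"] for h in hits if h["verdict"] == verdict})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h['verdict']:9s} {h['client']:12s} {h['qname']}")
    print("clients to isolate:", affected_clients(found))
```

Clients returned by `affected_clients(found)` with the default "known-c2" verdict are the ones worth isolating straight away; "suspicious" hits only say that a name containing "butterfly" was looked up and need a human look before any action.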
Sunday, September 27, 2009
Saturday, September 26, 2009
Detecting Malicious Tweets, VB2009
Detecting malicious tweets, slides from the VB2009 conference. The concept is simple and effective; I should utilize something similar.
Wednesday, September 23, 2009
Torpig Takeover, presentation
Do you remember the Torpig botnet takeover? A presentation with more details revealed is now available online.
Monday, September 21, 2009
Anti-Virus Comparison
The August report from av-comparatives is online now; summary in the graphs.
False Positive: (graph not included)
Missed Samples: (graph not included)
Sunday, September 20, 2009
Websense Security Report, H1, 2009
The Websense Security Report for H1 2009 was released a few days ago; here is a summary of the findings:
- 233% growth in malicious web sites in 6 months
- 77% of web sites hosting malicious code are legitimate, compromised web sites
- 61% of the top 100 sites (mostly social networking and search) lead to malicious content
- 95% of user-generated comments on blogs and chat rooms are spam or malicious
- 57% of data-stealing attacks are conducted over the web
- 69% of all web pages with objectionable content (e.g. Sex, Adult Content, Gambling, Drugs) are serving malicious content
- Websense detected more than 900,000 instances of 623 unique pieces of malware
Friday, September 18, 2009
Turn off AutoPlay functionality in Windows
Microsoft is now providing an update to turn off USB AutoPlay functionality for all Windows versions. Do it now!
Thursday, September 17, 2009
IETF Draft, Remediation of Bots in ISP Networks
The IETF released a new draft for ISPs on the detection, notification and remediation of bots on their networks. It is time for ISPs to take action and take responsibility for cleaning the pipes. Only enforcement at the country level will make this happen; otherwise it is up to each ISP to decide (many will not bother!)
Detection techniques:
- Netflow and anomaly detection
- Data sharing with 3rd parties, like block-listing services and data clearing houses
- DNS-based techniques
- Sinkholing or honeynets
- Scanning users' hosts for vulnerabilities (questionable!)
- User complaints
Notification methods:
- email
- postal mail (bad suggestion)
- phone call (another bad suggestion)
- Quarantine the user
- Instant message notification (one more bad idea)
- SMS
- Web browser notification, with no quarantine
Remediation techniques:
- Provide tools and education to users so they can perform the remediation themselves (good examples are given)
Update:
Dutch ISPs have agreed to launch a botnet eradication agreement to fight botnets, check the details.
Comcast in USA is implementing a pop-up notification system, to notify users of infected machines.
Wednesday, September 16, 2009
Enterprise Secure DNS Service, OpenDNS
The OpenDNS guys are going to extend their free service and provide a paid secure DNS service for enterprises. I am a big fan of what they are doing and will be waiting for the general availability of the service.
Tuesday, September 15, 2009
SANS Top Cyber Security Risks
SANS Top Cyber Security Risks report highlighted two major issues:
- Unpatched client-side software
- Vulnerable web sites
No surprises in the report. Here are some points to summarize:
- Client-side vulnerabilities are the primary initial infection vector
- Major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities
- 60% of attacks observed are targeting web applications.
- 80% of web applications attacks are SQL injection and XSS
Saturday, September 12, 2009
Botnets using Google Groups
The recent discovery of a Trojan that uses Google Groups as a C&C channel is a technique similar to the one that uses Twitter as a C&C channel.
Both techniques have a drawback for the attacker, all commands, updates and communication can be easily traced and analyzed.
Friday, September 11, 2009
How much is your identity worth in the underground market?
Symantec has an online risk calculator: answer a few questions about your behaviour on the internet and you get the value that cyber criminals would sell your identity information for.
My digital life is worth $10, not bad .... :)
Tuesday, September 8, 2009
Free Personal Security Tools
This is my preferred list of free security tools.
Must-have:
- Install 2 different types of Anti-Virus, example: Avira+Threatfire or MS Essentials + Threatfire
- Install a Spyware Removal, Spybot-Search-and-Destroy
- Make sure that all your software, tools, plugins, add-ons are up-to-date, Secunia PSI will help a lot
- Use a secure DNS service, OpenDNS
Optional:
- Encrypt hard drive, TrueCrypt
- Wipe your confidential data, FileShredder
- Rescue CD, Trinity Live-CD
- Private browsing, Comodo Dragon Internet Browser
- Protect your privacy from google, Googlesharing firefox addon
Monday, September 7, 2009
IBM H1 2009 report, by graphs
A picture is worth a thousand words. This is a summary of the IBM ISS mid-year security trend report for H1 2009, just the graphs.
Friday, September 4, 2009
Malware online databases and analysis sites
This is my list of free online malware analysis services, scanners and databases.
Malware Scanner and Database:
http://www.virustotal.com
http://mwdb.my-honeynet.org/
http://www.csrrt.org/maldb/index.pl
http://www.honeynet.cz
http://www.nothink.org/binaries/malware-archive.html
http://www.offensivecomputing.net/
http://scanner.virus.org/advanced
http://www.team-cymru.org/Services/MHR/
Malware Analysis:
http://www.threatexpert.com/submit.aspx
http://anubis.iseclab.org
http://www.sunbeltsecurity.com/sandbox/
http://wepawet.cs.ucsb.edu/
https://aerie.cs.berkeley.edu/
http://eureka.cyber-ta.org/
http://www.joebox.org/submit.php
Stand-alone:
Ether (using Hardware Virtualization extensions)
Thursday, September 3, 2009
Koobface botnet, Reports and Articles
I just got interested in the Koobface worm. The name is derived from Facebook, and it uses social engineering attacks and Search Engine Optimization techniques for propagation.
Analysis:
Trendmicro detailed report
Koobface infrastructure
Koobface wrecks search results
Automatic user account creation on facebook, twitter, blogspot and others
Koobface on twitter
Koobface tweets
Business model
Distribution techniques