Friday, October 30, 2009

SANS, Cyber Security Awareness Month

The guys at SANS are publishing a daily article on 31 different ports, services, protocols and applications throughout October. The list is very good, and the readers' comments are also worth checking.


123 NTP
53 DNS
22 SSH
25 smtp
23 Telnet
514 syslog
5900 VNC
20,21 FTP
5060,5061 SIP
445 SMB over TCP
1433,1434 MS-SQL
67,68 bootp and DHCP
80,443 HTTP/HTTPS
995,465,993 Secure Mail
1521 Oracle TNS Listener
135 epmap/loc-srv
6667/8/9, 7000 IRC
161,162 SNMP
502 Modbus
179 BGP
RPCBind
3389 RDP
IPSEC Protocols
Active Directory ports
various questionable ports
small services
Proxies
Port 0
31337
ICMP

Tuesday, October 27, 2009

Awareness Material, FREE

This is a list of some useful awareness materials, including videos, posters, presentations, etc.

Enisa posters, cartoons and videos
OnGuard: tips, games, and videos.
Secure Bytes: posters and wallpapers


Sunday, October 25, 2009

Koobface, Arabic Localized Attack


A new localized wave, with SEO in Arabic making use of the Palestinian internal conflict, seems like a new direction; the link points to a blog on blogspot (hxxp://otkiwmxoakdklfbyc.blogspot.com/).

A redirection from the blog to the infected URLs results in the page below:

A Setup.exe file is downloaded to the machine; the anti-virus detection rate of that file is below 35%.


Friday, October 23, 2009

Koobface New Campaign - updated list of infected domains

Here is another list of infected domains used in the Koobface campaign.

http://armadasound.com/498/
http://phobos.de/619/
http://javanesemassage.com/361/
http://jean-jacques-goldman.hostzi.com/393/
http://www.redsparkmusic.com/757/index.php
http://geci-international.net16.net/568/
http://osenf.com/247/
http://suhaibalsheikh.com/376/
http://sereshgi.com/328/
http://seassociation.sg/232/
http://geci-international.net16.net/568/
http://volleyroncadelle.it/726/
http://nawrasjob.com/595/
http://likkewaan.co.za/562/
http://monprolo.com/160/
http://www.trumps.com.hk/351/
http://grand-corps-malade.comxa.com/261/
http://patrick-bruel.net16.net/828/
http://aplusphotography.com/122/index.php
http://www.bjsim.com/106/
http://seassociation.sg/232/
http://www.lionkitchen.com.sg/401/
http://www.fyigroup.com.sg/535/
http://trainerchristy.com/927/
http://genealogy.dk/996/
http://shzcollection.com/279/
http://www.bjsim.com/106/
http://goldcoastcontracting.com/220/
http://royal-directory.com/458/

Thursday, October 22, 2009

Koobface New Campaign

A friend of mine just got hit with what seems to be a new Koobface campaign; hundreds of posts from his account to his friends' walls with the following message samples:

You musst see tthis vvideo nnow! It'ss the bbest one!!
You mmust see tthis viideo now!! It'ss the bestt onne!
You mustt see thhis vvideo now!! It''s the bbest one!!


and

I ccan't falll assleep affter viiewing tthis videoo. I havven't seenn annything likee thiis
I can'tt falll asleepp afterr viewiing thiis videeo. I hhaven't sseen anythinng liike tthis
I ccan't faall aasleep aftter vviewing thhis videoo. I hhaven't seenn annything likee thiis



It is using a slightly different subject in every post.

The links in the posts point to compromised hosts; the list is below:


http://www.mdl-job.com/243
http://attheshorerealty.com/779/
http://t4lshotgun.com/278/
http://msstory.2us.co.il/889/
http://www.ctambulancebilling.com/311/
http://dev.top4life.com/880/
http://sereshgi.com/328/
http://www.hookedonthewharf.com/397/
http://HillCountryHeritage.com/592/
http://kul-alnas.com/848/
http://george-o-malley-grey-s-anatomy.comxa.com/192/
http://shamshotels.com/932/index.php
http://south-beach-bistro.com/289/
http://moltaqana.com/641/
http://marahebcars.com/709/
http://www.ctambulancebilling.com/311/
http://drive.dubaigatehost.com/594/
http://officeimmobilier.com/615/
http://rcsonline.com/681/
http://bchampion.com/577/
http://christine-paolilla.hostzi.com/583/
http://jalawicenter.com/567/
http://myms.wek.co.il/509/
http://saraenterprises.com/714/
http://tahanialkhaleej.com/526/
http://www.aliano.mobi/154/
http://gboahomes.com/406/
http://osenf.com/247/


The above sites are in different languages; some use PHP, or vBulletin.

The URLs from Dubai are all developed by a single company (www.dubaigateweb.com); seems like they are compromised somehow...

The above sites are used for redirection; sample redirections from the JS files are below:


http://66.199.114.246/go.js?0x3E8/view/console=yes/
http://98.200.147.100/go.js?0x3E8/view/console=yes/
http://68.205.233.173/go.js?0x3E8/view/console=yes/
http://173.35.77.135/go.js?0x3E8/view/console=yes/
http://88.203.98.96/go.js?0x3E8/view/console=yes/
http://24.2.19.73/go.js?0x3E8/view/console=yes/
http://99.135.196.172/go.js?0x3E8/view/console=yes/
http://98.194.129.106/go.js?0x3E8/view/console=yes/
http://76.168.177.248/go.js?0x3E8/view/console=yes/
http://98.235.12.107/go.js?0x3E8/view/console=yes/
http://93.173.18.52/go.js?0x3E8/view/console=yes/
http://99.164.38.181/go.js?0x3E8/view/console=yes/
http://82.226.229.170/go.js?0x3E8/view/console=yes/
http://24.152.164.90/go.js?0x3E8/view/console=yes/
http://96.28.170.78/go.js?0x3E8/view/console=yes/
http://72.224.239.216/go.js?0x3E8/view/console=yes/
http://68.146.79.57/go.js?0x3E8/view/console=yes/
http://123.202.3.107/go.js?0x3E8/view/console=yes/
http://75.85.89.242/go.js?0x3E8/view/console=yes/
http://66.72.174.146/go.js?0x3E8/view/console=yes/
http://85.102.4.145/go.js?0x3E8/view/console=yes/
http://66.108.68.36/go.js?0x3E8/view/console=yes/
http://77.125.245.113/go.js?0x3E8/view/console=yes/
http://98.212.38.39/go.js?0x3E8/view/console=yes/
http://84.110.234.54/go.js?0x3E8/view/console=yes/
http://82.158.208.29/go.js?0x3E8/view/console=yes/
http://71.61.33.205/go.js?0x3E8/view/console=yes/
http://83.251.150.59/go.js?0x3E8/view/console=yes/
http://84.229.215.70/go.js?0x3E8/view/console=yes/
http://81.233.153.135/go.js?0x3E8/view/console=yes/
http://70.22.209.112/go.js?0x3E8/view/console=yes/
http://24.52.159.40/go.js?0x3E8/view/console=yes/
http://76.16.155.218/go.js?0x3E8/view/console=yes/
http://99.237.44.207/go.js?0x3E8/view/console=yes/
http://64.150.245.105/go.js?0x3E8/view/console=yes/
http://67.242.155.202/go.js?0x3E8/view/console=yes/
http://77.127.152.181/go.js?0x3E8/view/console=yes/
http://208.126.179.18/go.js?0x3E8/view/console=yes/
http://85.64.40.13/go.js?0x3E8/view/console=yes/
http://99.148.29.132/go.js?0x3E8/view/console=yes/
http://89.139.59.144/go.js?0x3E8/view/console=yes/
http://85.64.23.98/go.js?0x3E8/view/console=yes/
http://71.255.229.171/go.js?0x3E8/view/console=yes/
http://75.66.127.60/go.js?0x3E8/view/console=yes/
http://74.77.103.98/go.js?0x3E8/view/console=yes/
http://93.172.189.248/go.js?0x3E8/view/console=yes/
http://70.121.232.23/go.js?0x3E8/view/console=yes/
http://74.220.9.223/go.js?0x3E8/view/console=yes/
http://24.167.144.143/go.js?0x3E8/view/console=yes/
http://123.203.13.156/go.js?0x3E8/view/console=yes/


I have the rest of the JS files; if anyone is interested, just drop me a line on Twitter: @okamalo
No further investigation for now, it is 3:30 AM, need to sleep....
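Two things in the campaign above are easy to turn into detection logic: every post in the wave carries the same lure with letters randomly doubled, and every redirect chain ends at a `go.js` fetched from a bare IP with the fixed query `0x3E8/view/console=yes/`. The script below is an added example, not code from the original post: it normalizes the doubled-letter lures so all variants collapse to one key, and it scans constructed Squid-style proxy log lines for the `go.js` redirector pattern. The log lines, the internal client addresses (10.0.0.x) and the `example.org` control line are constructed for the example; the two redirector IPs are taken from the list in the post.

```python
import re
from collections import Counter

# Redirector pattern seen in the campaign: go.js served from a bare IPv4
# address with the query "0x3E8/view/console=yes/".
KOOBFACE_GOJS = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/go\.js\?0x3E8/view/console=yes/?$"
)

# Constructed sample lines in Squid native access.log layout:
# timestamp elapsed client status/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1256256001.123 120 10.0.0.15 TCP_MISS/200 512 GET http://sereshgi.com/328/ - DIRECT/203.0.113.9 text/html
1256256002.456 80 10.0.0.15 TCP_MISS/200 2048 GET http://66.199.114.246/go.js?0x3E8/view/console=yes/ - DIRECT/66.199.114.246 application/javascript
1256256003.789 90 10.0.0.22 TCP_MISS/200 2048 GET http://98.200.147.100/go.js?0x3E8/view/console=yes/ - DIRECT/98.200.147.100 application/javascript
1256256004.012 100 10.0.0.15 TCP_MISS/200 700 GET http://example.org/go.js - DIRECT/198.51.100.4 application/javascript
1256256005.345 60 10.0.0.22 TCP_MISS/200 2048 GET http://66.199.114.246/go.js?0x3E8/view/console=yes/ - DIRECT/66.199.114.246 application/javascript
"""


def normalize_lure(text):
    """Collapse a doubled-letter lure to a canonical key.

    Lowercase, drop everything but letters and spaces, then squash any run of
    a repeated character to a single one. Genuine double letters are lost too
    ("see" -> "se"), which is fine: the goal is that every randomized variant
    of one lure maps to the same key, not to recover the original wording.
    """
    letters_only = re.sub(r"[^a-z\s]", "", text.lower())
    single_spaced = " ".join(letters_only.split())
    return re.sub(r"(.)\1+", r"\1", single_spaced)


def cluster_lures(messages):
    """Group wall-post texts by their normalized key; returns {key: [originals]}."""
    clusters = {}
    for msg in messages:
        clusters.setdefault(normalize_lure(msg), []).append(msg)
    return clusters


def parse_squid_line(line):
    """Pull timestamp, client and URL out of a Squid native log line (or None)."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": fields[0], "client": fields[2], "url": fields[6]}


def find_gojs_hits(log_text):
    """Return (client, redirector_ip) for every request matching the go.js pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        m = KOOBFACE_GOJS.match(rec["url"])
        if m:
            hits.append((rec["client"], m.group("ip")))
    return hits


def summarize_hits(hits):
    """Count requests per redirector IP and list the internal clients that reached one."""
    return {
        "redirectors": Counter(ip for _, ip in hits),
        "clients": sorted({client for client, _ in hits}),
    }


if __name__ == "__main__":
    lures = [
        "You musst see tthis vvideo nnow! It'ss the bbest one!!",
        "You mmust see tthis viideo now!! It'ss the bestt onne!",
        "I ccan't falll assleep affter viiewing tthis videoo. I havven't seenn annything likee thiis",
    ]
    for key, originals in cluster_lures(lures).items():
        print(f"{len(originals)} variant(s) of: {key}")
    summary = summarize_hits(find_gojs_hits(SAMPLE_LOG))
    print("redirector IPs:", dict(summary["redirectors"]))
    print("clients to investigate:", summary["clients"])
```

The regex anchors on the whole URL, so an ordinary `go.js` on some unrelated site does not fire; only the bare-IP host plus the fixed query does. Clients that appear in the summary are the machines whose browsers followed the redirect chain and are worth a closer look.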

Facebook Privacy and Security Guide


For Facebook users, this guide is a must read.

Wednesday, October 21, 2009

Reports, Web Application Security Statistics

The Web Application Security Consortium (WASC) has released statistics from its 2008 project; the goals are:

  1. Identify the prevalence and probability of different vulnerability classes.
  2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

They scanned over 12,000 web sites, resulting in 4 data sets:
  • Overall statistics by all kinds of activities;
  • Automatic scanning statistics;
  • Black box method security assessment statistics;
  • White box method security assessment statistics.

The report is available here.


Saturday, October 17, 2009

Building a Virtual Lab

A couple of recent blog posts by Andrew Waite (Infosanity) give details on implementing a fully virtualized lab, using VMware ESXi with Vyatta (virtual firewall and router), De-ICE PenTest LiveCDs, and BT4.

Wednesday, October 14, 2009

Keep your Firefox Plugins up to date!

Mozilla has just released a web page that checks your main plugins for updates; all you need to do is visit this page. Mozilla plans automatic updating of Firefox plugins, which is a major step in fighting malware propagation methods.

Wednesday, October 7, 2009

47 Egyptians Arrested in Phishing Attack


U.S. and Egyptian authorities have arrested dozens of people in an identity theft ring. The gang used phishing attacks and successfully obtained financial and personal information from thousands of victims. The expected loss is around 2 million US$.

The story is alarming for the Middle East, both for the number of people charged (47 in Egypt, 33 in the USA) and for the ease of the attacks.

The indictment is available here.

Egyptian coverage in Arabic: here and here.

Friday, October 2, 2009

Data Visualization

The Improving Data Visualization for the Public Sector project is an amazing source of visualization techniques, articles, tools, and samples.



Smashing Magazine also has an article on useful resources for visualization.

Not to mention SecVis, the most useful source for sharing visualization ideas.

Updated:

Gephi is a very good interactive visualization tool.

Event Data Visualization, based on AfterGlow.

Thursday, October 1, 2009