tag:blogger.com,1999:blog-2497406606833863372011-11-23T14:07:41.216-08:00OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.comBlogger2331100tag:blogger.com,1999:blog-249740660683386337.post-6341691721159195212011-02-27T04:13:00.001-08:002011-04-19T05:47:45.411-07:00

This is a list of annual security reports by vendors, non-vendors and governments that I was able to collect in the last few weeks.Vendors list:Akamai, state of the internet report, (pdf)Arbor, Network Infrastructure Security Report 2010, (pdf)Blue Coat, 2011 Web Security Report, (pdf)Cisco 2010 Annual Security Report, (pdf)Damballa Top 10 Botnet threat Report, (pdf)GFI Labs, 2010 report on Fake

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-7374708095117335842011-01-05T21:23:00.000-08:002011-01-05T21:54:20.187-08:00

The recently ended 27C3 event in Berlin was a good closing of 2010, with some interesting GSM security related topics.1st presentation is about running your own GSM stack on your phone using OsmocomBB Open Source Baseband software on old Motorola phone, while it does not sound like a threat, but it opened the door into conducting lots of attacks, considering that you now have full access to what

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-59770406723196723162010-12-14T00:50:00.000-08:002010-12-14T01:00:43.035-08:00

Here is a very nice explanation on how a drive-by-download was done in the recent attack using Ad networks such as DoubleClick and MSN, the attack seems to be started with a social engineering on the Ad networks to allow adshuffle.com to post adds on their networks instead of the legitimate addshuffle.com.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-31701302245346765182010-11-22T22:37:00.000-08:002010-11-22T22:41:30.605-08:00

SecTor presentations and videos are now available online.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-15938163408590287602010-11-16T00:46:00.000-08:002010-11-16T00:49:37.628-08:00

Google Hacking Database (GHDB) is now actively maintained and updated here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-72375939537909416152010-10-24T23:59:00.000-07:002010-10-25T00:27:03.114-07:00

CA released their Threat Landscape report for 2010, here is a summary:- Notable movement from Windows executables to the web as an executable platform.- IE, Java, PDF, and Flash player vulnerabilities are the biggest Zero-day attacks vectors.- 84% of the total active exploited vulnerabilities are found in browser-based attacks.- The top most prevalent worms propagate through removable drives,

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-68431138661422851362010-10-21T01:02:00.000-07:002010-10-21T01:02:00.315-07:00

Virus bulletin conference slides are now available here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-64392034408256162402010-10-20T03:08:00.000-07:002010-10-20T03:14:35.370-07:00

NSSLabs released a public consumer report on the effectiveness of Anti-malware products. Here are some summary statistics:

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-73462731217679500332010-10-16T21:37:00.000-07:002010-10-16T22:35:10.904-07:00

HITB Malaysia is over, here are the slides.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-67703663850333256482010-10-12T23:32:00.000-07:002010-10-12T23:43:00.652-07:00

Huge number of patches released by Microsoft, and Oracle, Good luck....Microsoft16 updates covering 49 vulnerabilities Oracle85 Security fixJava29 Security fix

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-67265772231155015282010-10-12T23:02:00.000-07:002010-10-12T23:22:40.364-07:00

Cyveillance released their Cyber Intelligence report for 1st Half 2010, as usual, a picture worth a thousand words....

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-32495969733958492872010-09-28T23:53:00.000-07:002010-09-29T00:06:01.072-07:00

Check out the presentations of BruCON 2010, lots of interesting presentations.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-42317124630339882302010-09-19T01:11:00.000-07:002010-09-19T03:45:44.928-07:00

AV-Comparatives released their Mobile Security report, testing 4 different AV for smart phones, vendors tested are: ESET, F-Secure, Kaspersky, and Trend Micro.The test examine several features of those security software including:- Theft- Protection- Virus Protection- FirewallThe report is missing some important players in the mobile security area, such as Lookout which provide an additional

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-32622968386693507332010-08-19T01:01:00.000-07:002010-08-26T14:05:23.037-07:00

An interesting tool "Collage", will be released soon to allow people to exchange hidden messages through user-generated content, utilizing public websites such as Flicker, Youtube, Twitter, or other social media websites ....The tool require NO dedicated infrastructure. The sender use Collage to: - Encrypt and embed the message in UGC (User-Generated Content)- Upload the UGC with embedded message

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-48812758220389207252010-08-18T00:29:00.000-07:002010-08-26T14:06:30.400-07:00

Here is a torrent download for over 100 presentations from Defcon 18.And here is the official archive.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-89803651778667612512010-08-15T12:50:00.000-07:002010-08-15T13:10:14.239-07:00

Tons of slides and papers to go through, enjoy the summer here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-76169873688817700392010-08-09T03:09:00.000-07:002010-08-09T03:26:03.961-07:00

Barracuda Labs released their midyear 2010 security report. get it from here.The report is focusing on Twitter usage trends trying to identify illegitimate accounts, also the usage of search engine for finding malware.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-85657532802317666762010-08-08T02:13:00.000-07:002010-08-08T02:13:00.204-07:00

As usual Cyveillance are publishing their Anti-Virus detection rate for the leading AV vendors, results are stressing that the usual AV solutions can not adequately detect and protect against new and quickly changing malware threats. get the report from here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-59467572143658237762010-08-07T02:04:00.000-07:002010-08-07T02:10:43.726-07:00

I am back after a long vacation, Check out Cenzic Q1/Q2 2010 Security trends report.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-12120883647304207392010-07-24T00:28:00.000-07:002010-07-24T00:28:00.614-07:00

Cisco released its 2010 midyear security report, the report shows focus on social media. Get it from here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-12830709866722519832010-07-23T00:08:00.000-07:002010-07-23T00:15:27.401-07:00

Bitdefender released 2010 H1 threat report, get it from here.The report shows that cyber criminals are moving to Web 2.0, focusing on social media like Facebook and Twitter.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-62356250225613681882010-07-10T06:49:00.000-07:002010-07-10T07:07:49.329-07:00

Hack in the Box conference was held in Amsterdam, download the conference materials from here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-66041924136239354692010-06-29T00:02:00.000-07:002010-06-29T01:10:55.840-07:00

I just noticed that there are large number of spy software easily available for almost all kind of mobile phones, blackberry, iPhone, windows, Symbian, Android or even old non-smart phones , with price range of $50 to less than $500 per year, depends on vendor and features.Most of them offer different feature set for different flavors, so here is a summary of the common features I came across

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com2tag:blogger.com,1999:blog-249740660683386337.post-17617469310995267912010-06-20T00:10:00.000-07:002010-11-16T00:42:23.148-08:00

Guy Bruneau has created a DNS sinkhole ISO image, available for 32-bit and 64-bit. sinkhole is using 3 public lists for known bad domains (Malware Domain Blocklist, Zeus Tracker, and SRI malware list).A step-by-step guide is available here. I will be waiting for other lists to be added, such as Phishtank, GoogleSafeBrowsing, XSSED, and others.DNS can be used effectively to detect and prevent

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-91098973033482591222010-06-19T00:35:00.000-07:002010-06-19T00:55:49.623-07:00

Visualize web browsing history, web historian from Mandiant. Supports Firefox 2/3+, Chrome 3+, and Internet Explorer 5 through 8, collects web, cookie, download history, export data sets to XML, HTML or CSV, and many more features ...You may want to check this old comparison about different tools for browsers forensics tools, note the old version of some of these tools including Web Historian.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-54859513307910012282010-06-14T01:16:00.000-07:002010-06-14T03:23:16.052-07:00

Here is a list of free resources for analyzing web servers logs.Apache-scalpSplunkMicrosoft LogParser SNARE

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-61486409079515676252010-06-07T23:38:00.001-07:002010-06-07T23:53:51.341-07:00

If you need to download AusCERT 2010 materials, just email me and I will send you the password to their online materials.user name : presentationIf you need some coverage on the conference, check ZDNet.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-28126023148978156442010-05-29T11:40:00.000-07:002010-05-29T11:40:00.717-07:00

Nice representation of botnets on mozy infographics based on Messagelabs and M86 reports.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-48833486004378817152010-05-27T04:35:00.000-07:002010-05-27T11:23:06.831-07:00

Whisper Systems, announced the availability of it public beta Mobile Security Suite, with two applications for Encrypting SMS and VoIP calls on Android devices. The VoIP application uses a new method of establishing a call using SMS as a signaling protocol instead of the initial SIP signaling, to overcome the SIP constant connection requirements.The encryption is done using the well-known ZRTP

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-73903626775305710712010-05-19T01:04:00.000-07:002010-05-28T12:12:46.543-07:00

A recent paper from RSA highlighting the impact of malware infection in enterprise, by analyzing one month of Zeus malware data collected, looking for US Fortune 500 related data.- 88% of Fortune 500 were shown to have been accessed by computer infected with Zeus trojan- 60% of Fortune 500 have at least one email address compromised- Security managers have little visibility into employees online

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-13984502993019691022010-05-16T23:54:00.000-07:002010-05-17T00:38:35.421-07:00

Facebook recently added a new feature that will alert you if you or someone else logged in with your account from unusual computer or Mobile.Gmail also provided similar feature a while ago, but with no alerts, just an easy way of checking your login activities with time stamp and IP address.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-84985382308308487512010-05-09T04:31:00.000-07:002010-05-09T04:48:09.051-07:00

SOURCE Boston 2010 slides are now available online. They are still adding more slides, so check it every while.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-46006558407438966172010-05-03T04:38:00.000-07:002010-05-03T05:02:39.785-07:00

M86 just released a report looking in general at exploit toolkits in terms of prices, usage, simplicity, and features.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-10602938149388387822010-05-01T00:02:00.000-07:002010-05-01T00:22:19.009-07:00

LEET'10 workshop just ended few days ago, there are some interesting presentations and papers out there. Program details are here.Some of the interesting topics:A View of Botnet Management from InfiltrationWebCop: Locating Neighborhoods of Malware on the WebOn the Potential of Proactive Domain BlacklistingDetection of Spam Hosts and Spam Bots Using Network Flow Traffic ModelingHoneybot, Your Man

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-39442844610497821682010-04-27T01:06:00.000-07:002010-04-27T01:22:01.684-07:00

Microsoft released its 248 pages Security Intelligence Report volume 8, for 2nd Half 2009.Here are some regional statistics:

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-71458427508888753932010-04-22T01:29:00.000-07:002010-04-22T01:29:00.053-07:00

Released in April 2010, a must read report as usual from Symantec.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-30857823762405817752010-04-18T01:01:00.000-07:002010-04-18T01:01:00.376-07:00

Blackhat Europe just ended, check the media archive.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-77134460309843490732010-04-14T10:26:00.000-07:002010-04-14T22:55:40.747-07:00

The Russian crimeware toolkit Spy Eye, the Zeus killer is now offered for much lower prices than the famous Zeus crimekit.Jerome Segura has a couple of articles ( 1, 2 ) looking at Spy Eye. Zeus and Spy Eye are competing head-to-head in the underground market, as noted by Symantec and discussed by Brian Krebs.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-19193874807743914092010-04-06T01:02:00.000-07:002010-04-06T02:03:47.475-07:00

When it comes to log handling and analysis, perl is my preferred scripting language, with loads of ready-made libraries for all your needs, here are some useful resources:Text::CSV (handling csv files)Net::Whois::IP (retrieving whois information)IP::Country::Fast (retrieving country code information)Net::DNS::Resolver (resolve dns queries)XML::RSS::Parser::Lite (retrieving RSS feeds)Mail::

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-83795246309140258822010-04-01T01:52:00.000-07:002010-05-19T23:18:40.841-07:00

Intelligent Exploit Aggregation Network is a new website for aggregating exploits for specific platforms including Windows and some CMS. The exploits are aggregated from multiple sources like Exploit-db , VUPN, and SEBUG.net.Also check this old list.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-75116423173479801182010-03-31T01:21:00.000-07:002010-04-01T00:00:08.930-07:00

Microsoft released out-of-band updates targeting increased attacks using CVE-2010-0806, and other several vulnerabilities on IE8 as well. These updates does not address the recent vulnerability used in pwn2own contest @ CanSecWest.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-40878298316758034832010-03-31T01:07:00.000-07:002010-03-31T01:07:00.397-07:00

Last week, representatives from governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime” in Octopus Interface conference, here are the presentations.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-38788690091977509302010-03-29T10:26:00.000-07:002010-03-29T10:56:53.796-07:00

In CanSecWest Pwn2Own 2010, researchers were able to break in a fully patched IPhone using unknown Safari vulnerability, it took them 2 weeks to find the vulnerability and write the exploit and took them 20 seconds to hijack the entire SMS database and uploaded it to a server.The researchers claim that they can also hijack the emails and photos using the same vulnerability. Vulnerability details

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-8431429299290922722010-03-24T23:52:00.000-07:002010-03-24T23:58:24.870-07:00

Top 75 Open Source Security Tools, and 26 Open Source Tools with commercial support, both lists worth checking.check also:Must-have firefox add-ons and free personal security tools.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-65477060471702448502010-03-21T04:25:00.000-07:002010-03-21T23:55:27.058-07:00

This is an interesting way of checking your DNS cash for malicious domains, an easier method instead of examining the DNS server log. This might miss some domains with low TTL value, but still very handy.After some trials on a small ISP DNS server, the short TTL is dominating Zeus domain (1 min on average) , so checks should be on-going, with DNS overheads in mind.Another good idea is to add

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-25400962632526524822010-03-10T02:52:00.000-08:002010-03-10T10:45:15.682-08:00

After shutting down Mariposa, PandaLabs published some statistics on the infection rate per country, and it is really interesting that US and China are not on top, instead we are seeing several Arab countries in the top list, Egypt, Saudi Arabia, Morocco, and Emirates.I compared the data from PandaLabs with the internet usage in each country, and came up with the infection percentage with

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-816304742913056592010-03-08T01:42:00.000-08:002010-03-08T01:42:00.296-08:00

Flint is the name of the tool, it examines firewalls, and spots problems so you can:- Clean up configuration- Check if new rules will create problems- Discover overly rules

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-34655015871210483702010-03-04T03:38:00.000-08:002010-03-04T03:59:18.776-08:00

Here is a suggestion for building a botnet network behavior analysis lab based on netflow, DNS, Snort, proxy, and packet capture logs .Notes:- Vyatta vc6 alpha version supports netflow.- Net:DNS:Nameserver can be configured to be a fake DNS.- Malicious domains can be collected from some feeds in this list- Other sources of malicious domains could be spamtraps, twitter timeline, ....

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com2tag:blogger.com,1999:blog-249740660683386337.post-63959414854092781672010-03-01T22:31:00.001-08:002010-03-01T22:34:24.602-08:00

Here are the slides and videos of Shmoocon 2010. Do no forget to check also the Firetalks.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-91183970074380415802010-02-24T00:12:00.000-08:002010-05-25T01:15:56.570-07:00

Lots of researchers are working on the same hot topic, here is another paper presented few hours ago in HotMobile 2010, the researchers presented 3 proof-of-concept rootkits that can be used for various malicious use. I was surprised that Android has 20 million lines of code, adding the external interfaces of the mobile such as GPS, Camera, voice, mic, sms, etc.., things are really getting more

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-27763451201662964352010-02-18T10:32:00.000-08:002010-05-09T04:57:13.393-07:00

Another alarming presentation from Shmoocon 2010, discussing Blackberry spyware is now available online. The presentation gives an example of what happened in Etisalat Trojan in 2009, and raises lots of issues as written in the conclusion part:- Mobile spyware is trivial to write- Minimal methods of real time eradication or detection of spyware type activities- Security model of mobile platforms

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-17937464919879053132010-02-17T03:50:00.000-08:002010-06-28T23:04:42.191-07:00

In the Shmoocon 2010 conference, an interesting presentation on smartphone security is now available on line. Jail broken iPhones have lots of risks, with default root password and default services enabled, scanning the mobile network revealed lots of interesting services making them easily hacked. The presenter gives some sample applications that can be installed on the hacked device remotely

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-83998051719966747512010-02-15T22:57:00.000-08:002010-02-15T23:02:46.476-08:00

Here is the link for the streaming and downloadable media, Shmoocon 2010.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-20638444060541783032010-02-11T03:05:00.000-08:002010-02-11T03:16:03.461-08:00

EWNI 2010 was held in Hamburg, Germany, few weeks ago. This kind of focused events are worth attending, I was there in -15 degrees, anyway check the slides here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-37967191345442422212010-02-07T01:07:00.000-08:002010-02-07T01:07:00.072-08:00

Presentations, and papers are now available online on Black Hat archive.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-3993180313903113932010-02-06T23:51:00.000-08:002010-02-06T23:54:33.802-08:00

If you missed out SANS Forensics Summit few months ago, it is never too late to check out the presentations available online here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-56669349188197861062010-02-01T04:52:00.000-08:002010-02-01T05:02:42.573-08:00

Botnet detection using Network Anomaly Detection has some strengths and weaknesses, Damballa blog discussed some interesting points, and came up with a conclusion that NAD has a minor role to play in botnet detection and mitigation due to the new trends in botnets.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-78890839541446107922010-01-21T01:05:00.000-08:002010-01-21T03:35:18.370-08:00

Arbor Networks released their 2009 report based on their operational security survey.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-76668286322613583362010-01-18T04:45:00.000-08:002010-01-18T04:53:19.844-08:00

This seems to be a very good reading about the story. Some great technical details and background have been compiled by extraexploit.As it was mentioned by Andrew Jaquith , human remain the weak link, and I guess it will remain...

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-10217688173540225192010-01-13T01:01:00.000-08:002010-03-07T22:13:52.969-08:00

Here is a nice interesting list of online password crackers by Chris Gates, since the same blog is moving to a new host, check the comments on both the old and new host, as readers are posting more interesting links.Updated:And here is a list of password dictionaries.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-72994531248030500722010-01-11T01:07:00.000-08:002010-01-11T01:07:00.052-08:00

How easy is it to get some good collection of trojans and bots with different versions, types, and plugins??I wonder how many of them are not backdoored??

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-24541935429910809772010-01-10T09:16:00.000-08:002010-01-10T20:51:05.440-08:00

Guy Bruneau, posted an entry on SANS handler's diary on how to setup DNS sinkhole.The same technique was previously discussed with different DNS formats by malwaredomains.com.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-45146215212585138062010-01-07T05:10:00.000-08:002010-01-07T05:17:23.045-08:00

Here is the 2009 Annual Report from PandaLabs.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-5640686801018359312010-01-05T01:06:00.000-08:002010-01-05T01:06:00.665-08:00

Analysis of Waledac botnet propagation technique is available here. Waledac botnet size estimated to be 390,000 infected host.The researchers produced a cloned version from Waledac called Walowdac to analyze it.Trendmicro previously produced an analysis of the same botnet.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-9846850605152026392010-01-04T01:07:00.000-08:002010-01-04T20:06:26.214-08:00

Credit Cards companies are using their own honeypot too, here is what a fraud prevention agent recently disclosed:Credit Card details: 4485 0489 2408 7591, expires 9/2010, CCV 721Anyone using these numbers anywhere will have his IP tracked and added to a database. This card has a $0.01 limit; any transaction will be denied, except $0.01 orders of course.Another interesting and scary part in the

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-73587174758769033232009-12-31T01:34:00.000-08:002009-12-31T05:03:21.542-08:00

26th Chaos Communication Congress (26C3) was the lastconference on 2009, here is the mp4 video sessions ( torrent)

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-69025200641951028312009-12-30T00:08:00.000-08:002009-12-30T00:32:45.335-08:00

Few days ago, in 26th Chaos Communication Congress(26C3), researchers presented a live proof-of-concept for cracking GSM encryption protocol A5/1 that is used in many GSM networks worldwide nowadays.- Security agencies worldwide are cracking the A5/1 for years, now it is publicly available- It was previously cracked in 2008 by someone else, but the tables was never released- The crack is using

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-81274658187809362112009-12-28T01:34:00.000-08:002009-12-28T01:34:00.236-08:00

Here is a summary of my blog in 2009:Open Source Information Gathering:DIY Threat Monitoring System - Part 1DIY Threat Monitoring System - Part 2Enterprise Open Source Intelligence Gathering Monitoring Social mediaWardriving setupDNS BlackholingLists:Malware online databases and analysis sitesJavascript obfuscatorsMalicious FREE IPs and URLs DatabasesFree Personal Security ToolsLocal News:47

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-27535545139053691812009-12-24T01:02:00.000-08:002009-12-24T01:02:00.216-08:00

AV-Comparatives released the 2009 summary report commenting on various AV products and comparing the results of various tests. Best products of the year is Symantec, followed by Kaspersky, followed by ESETMicrosoft is doing a very good job, with their Security Essentials product, based on various reports and based on my own experience.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-31863579139059561732009-12-23T03:49:00.000-08:002009-12-23T04:28:34.581-08:00

Here is how to build your own wardriving setup:Here is my checklist:- Laptop :)- High power wireless card (200mw or higher)- High gain omni antenna 15dBi (choose the correct cables & connector to your wireless card)- USB GPS receiver- Fedora 12- Google Earth- Kismet New-CoreKismet New-Core comes with a new log format, so all the old tools used to convert kismet logs to Google Earth format is not

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com2tag:blogger.com,1999:blog-249740660683386337.post-61297033708707094972009-12-21T02:12:00.000-08:002009-12-21T02:30:43.684-08:00

The guys in Avira have compiled a list of the most phished brands in 2009.Facebook is on the list.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-87284418038697628432009-12-19T11:30:00.000-08:002009-12-19T11:46:54.287-08:00

CNNIC (China Internet Network Information Center) has changed the rules for registering new .cn domains, requiring business registration documents starting from 14th December.Here is how Sophos detected the behavior change in the spam tactics, where spammers are started using specific free web hosting services in their Canadian pharmacy spam.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-20781915271062422862009-12-18T19:54:00.000-08:002009-12-18T21:07:42.353-08:00

Analysis of iKee.B iphone botnet by SRI.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-37918682679540159682009-12-12T04:39:00.000-08:002009-12-12T04:52:17.241-08:00

WPA Cracker is a new paid service for cracking WPA or WPA2 Pres-Shared Key.- The service is running on cloud with 400 CPU- Uses dictionaries with 130 million word, tailored for wireless cracking- 2 pricing models 17$ (using CPU half capacity) and 34$ (using full capacity to shorten time)- Require pcap file with WPA handshake- Accept Amazon payments- Cracking the key is not guaranteed.So are you

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-6992921343483114972009-12-11T03:38:00.000-08:002009-12-23T03:47:37.373-08:00

SHODAN is an interesting search service, this is a banner grabbing search service that could reveal some useful information for interested people. SHODAN is scanning the internet on specific ports and provide the scan results in a searchable way.I did a simple search using SIP keywork, and easily got web access to lots of voip devices on the internet. The IP ranges I checked randomly are all

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-20843188746458506922009-12-10T04:07:00.000-08:002009-12-10T04:07:01.166-08:00

The MessageLabs Intelligence Annual Security Report for 2009 has been released.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-52275506669684124402009-12-09T01:33:00.000-08:002009-12-09T05:08:34.238-08:00

I am back after a long vacation, with Cisco 2009 Security report.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-13481678480863047402009-11-30T08:46:00.000-08:002009-11-30T08:46:00.772-08:00

I am a big fan of Splunk, I should spend more time playing with the new free version. Here is how Cisco CSIRT team is using it.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-50591691975940434752009-11-24T08:41:00.000-08:002009-11-24T08:41:00.093-08:00

This is an interesting discussion about obfuscating malicious IFrames.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-89639431654980936232009-11-16T10:15:00.002-08:002009-11-16T10:51:50.762-08:00

This is my Part 2 of DIY, Threat Monitoring System. Here is an example of several connectors to download some public lists and save them internally for further processing.The script will download the following lists:CBL, Phishtank, GoogleSafeBrowsing, Dshield, TOR Exit nodes, MalwareDomainList, MalwareURL.1- You will need to install some perl modules first:Net::Google::SafeBrowsing::

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-64770278937003219262009-11-12T04:30:00.000-08:002009-11-12T04:36:04.360-08:00

Building your own threat monitoring system can be done using the above architecture, you will need to write some connectors and parsers to filter data and check if your IPs or URLs appear in any of the free public databases I am using perl and shell scripts along with Mysql database. Visualization can be done using google charts API, which has nice easy-to-use charts.If you are a cloud fan, you

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-40427953023682919582009-11-11T02:28:00.000-08:002009-11-11T02:32:41.895-08:00

Anton Chuvakin in his blog is discussing SIEM must-have features, use cases, and different users.nice reading, in addition to SANS paper on benchmarking SIEM.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com2tag:blogger.com,1999:blog-249740660683386337.post-63133735522442132552009-11-05T01:05:00.000-08:002009-11-05T01:05:00.350-08:00

A series of blog entries ( 1, 2, 3) by Tom Eston, about Open Source information gathering has some useful techniques and tools that can be easily used in enterprises for monitoring social media. An overall presentation is available here.More tools can be found here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-76603447550816571422009-11-03T00:55:00.000-08:002011-06-06T22:44:49.627-07:00

Lenny Zeltser is always inspiring me, he recently published a list of blocklist.Here is my own list, the issue is how to use these IPs and URLs for your benefit? The answer is a project I am working on, stay tuned.CBL BlackList: (Spam ip, FREE) UCEProtect: (Spam ip, FREE)MS SNDS (ip, FREE)SpamHaus: (Spam, $$) There are lots of other SPAM databases, just google them..Malware Domain list: (domains,

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-40452451677896970332009-11-03T00:45:00.000-08:002009-11-03T00:51:56.991-08:00

Arbor is releasing statistics from their systems and spamtraps for tracking Fast-Flux networks.Q3, 2009 statistics:Q2, 2009 Statistics:

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-70149958505005003812009-11-01T00:16:00.000-07:002009-11-01T00:20:12.268-07:00

Louisville Infosec 2009 conference videos are available here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-8535508572132497472009-10-30T01:08:00.000-07:002009-10-30T01:08:00.271-07:00

The guys @ SANS are putting daily articles on 31 different ports/services/protocols/applications during October, the list is very good and the comments of the readers also worth checking.123 NTP53 DNS22 SSH25 smtp23 Telnet514 syslog5900 VNC20,21 FTP5060,5061 SIP445 SMB over TCP1433,1434 MS-SQL67,68 bootp and DHCP80,443 HTTP/HTTPS995,465,993 Secure Mail1521 Oracle TNS

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-13408587340569070292009-10-27T01:00:00.000-07:002009-10-28T03:21:01.389-07:00

This is a list of some useful awareness materials including videos, posters, presentations, ...etcEnisa posters, cartoons and videos GoogleMicrosoft brochures, videos, and presentationsOnGuard: tips, games, and videos.Secure Bytes: posters and wallpapers

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-12843830263721232632009-10-25T00:01:00.000-07:002009-10-25T00:01:01.437-07:00

A new localized wave with SEO in Arabic, making use of Palestinian internal conflict, seems like a new direction, the link points to a blog on blogspot. (hxxp://otkiwmxoakdklfbyc.blogspot.com/)A redirection from the blog to infected urls, will result in the the below page:Setup.exe file is downloaded to the machine, the anti-virus detection rate of that file is below 35%.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-56550299079381389172009-10-23T12:50:00.000-07:002009-10-23T12:56:45.697-07:00

Here is another list of infected domains used in Koobface campaign.http://armadasound.com/498/http://phobos.de/619/http://javanesemassage.com/361/http://jean-jacques-goldman.hostzi.com/393/http://www.redsparkmusic.com/757/index.phphttp://geci-international.net16.net/568/http://osenf.com/247/http://suhaibalsheikh.com/376/http://sereshgi.com/328/http://seassociation.sg/232/http://

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-34550385203795418632009-10-22T16:41:00.000-07:002009-10-22T17:22:19.439-07:00

A friend of mine just got hit with what it seems to be new koobface campaign; hundreds of posts from his account to his friend's walls with the following message samples:You musst see tthis vvideo nnow! It'ss the bbest one!!You mmust see tthis viideo now!! It'ss the bestt onne!You mustt see thhis vvideo now!! It''s the bbest one!!andI ccan't falll assleep affter viiewing tthis videoo. I havven't

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com2tag:blogger.com,1999:blog-249740660683386337.post-51108295199680002282009-10-22T09:51:00.000-07:002009-10-22T09:56:57.994-07:00

For Facebook users, this guide is a must read.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-83164632150181010122009-10-21T01:01:00.000-07:002009-10-21T03:24:01.509-07:00

Web Application Security Consortium (WASC) released statistics from 2008 project, the goals are:Identify the prevalence and probability of different vulnerability classes.Compare testing methodologies against what types of vulnerabilities they are likely to identify.They have scanned over 12,000 web site, resulting in 4 data sets:Overall statistics by all kinds of activities;Automatic scanning

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-2000618236122396652009-10-20T10:26:00.000-07:002009-10-20T10:47:11.102-07:00

Check the report here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-82092870006567860342009-10-17T05:05:00.000-07:002009-10-17T05:34:02.852-07:00

A couple of recent blog posts by Andrew Waite, Infosanity, has put some details on implementing a full visualized lab, using VMWare ESXi with Vyatta (virtual FW and router), De-ICE PenTest LiveCDs , and BT4.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com1tag:blogger.com,1999:blog-249740660683386337.post-46274375107069376802009-10-14T00:02:00.000-07:002009-10-14T00:09:08.098-07:00

Mozilla has just released a web page that will check your main plugins for updates, all what you need to do is visiting this page. Mozilla plan for automatic updating of Firefox plugins, that is a major step in fighting malware propagation methods.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-75207742208524052582009-10-12T01:00:00.000-07:002009-10-12T01:00:02.524-07:00

Slides are available here.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-67478297688803501802009-10-11T00:27:00.000-07:002010-03-23T10:38:46.565-07:00

Materials are available online for Hack in The Box 2009, Kuala Lumpur.Check the updated location for materials and videos.I like the Ed Skoudis keynote "The bad guys are winning", specially the part discussing the implication of current threats on enterprise security personnel, and the need to divert some enterprise security resources from prevention to detection and eradication.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-17855927567265870142009-10-10T01:06:00.000-07:002009-10-10T01:06:00.614-07:00

11 out of 26 Anti-virus products fail VB100 certification called RAP, Reactive and Proactive detection. G Data, Avira, and Trustport got the best scores.The results are close to what av-comparatives released in its August report.

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0tag:blogger.com,1999:blog-249740660683386337.post-20706408362597990292009-10-07T14:30:00.000-07:002009-10-08T23:14:03.523-07:00

U.S. and Egyptian authorities are arresting dozens of people in an identity theft ring. The gang used phishing attacks and successfully managed to get financial and personal information from thousands of victims. Expected loss is around 2 million US$.The story is alarming in the middle east, for the number of charged people (47 in Egypt, 33 in USA), and the ease of attacks.The indictment is

OkamalOhttp://www.blogger.com/profile/11332410613453519243noreply@blogger.com0