Thursday, January 21, 2010

Is APT After You?

Jeremiah Grossman made the following request via Twitter today:

@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions

Tough but great questions. I had better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first.

As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies different codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't mention it here.

Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting ties the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intrusion sets," but they are not related to the current threat.

As far as other names for APT, they exist but are not shared with the public. Just as you might keep code names for different intrusion sets or campaigns within your CIRT, different agencies track the same activity using their own terms. This can cause some confusion when different CIRTs try to compare notes, since none of us speak of the private names unless in an appropriate facility. The Air Force invented "APT" as an unclassified term that could be used to quickly get different parties on the same page when speaking with industry partners.

Regarding who may be an APT target, I liked Steven Adair's Shadowserver post. The way most organizations learn that they have a problem is by receiving an outside notification. The FBI and certain military units have been fairly active in this respect for the past three years. This marks quite a change in the relationship between the US government and the private sector, and it's not limited to American companies. A little searching will reveal reports of other governments warning their companies of similar problems.

If your organization has not been contacted by an outside agency, you might want to look at the possible objectives that I posted in What is APT and What Does It Want? Does your organization possess information that falls into one of the political, economic, technical, or military categories that could interest this sort of threat? Overall, my assessment of APT progress can be summarized this way:
  • Phase 1, Late 1990s: mainly .mil
  • Phase 2, 2000-2004: .gov added to target list
  • Phase 3, 2005-2009: cleared defense contractors, research institutes, political and infrastructure targets added to target list (significant expansion)
  • Phase 4, 2010- ? : expansion only limited by resources?
Probably the next best way to learn if you are a target is to join whatever industry groups you can find and network with your peers. Develop relationships such that your peers feel comfortable sharing threat information with you. Do the same with government actors, especially the FBI. Many times these agencies are just sitting on information trying to figure out the right contacts.

I would beware of organizations that claim whatever product they sell will "stop APT" or "manage APT" or act as another silver bullet. We're already seeing some vendors jump on the counter-APT bandwagon with little clue what is happening. There are a couple of consultancies with deep knowledge on this topic. I'm not going to name them here, but if you check the Incident Detection Summit 2009 list you can find them. The degree of counter-APT experience on the speaker list varies considerably, but you can try using that list to verify whether Company X has any relationship whatsoever to this problem. That doesn't mean companies or organizations not listed as speakers are "clueless;" a lot of counter-APT activity is simply "good IT." However, you shouldn't expect a random consultant to be able to sit down and explain the specifics of this problem to your CIO or CEO. Incidentally this is NOT an advertisement for my company; I run an internal CIRT that only protects our assets.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Wednesday, January 20, 2010

Review of Inside Cyber Warfare Posted

Amazon.com just posted my three star review of Jeff Carr's Inside Cyber Warfare. From the review:

Jeff Carr is a great digital security intelligence analyst and I've been fortunate to hear him speak several times. We've also separately discussed the issues he covers in Inside Cyber Warfare (ICW). While I find Jeff's insights very interesting and valuable, I think his first book could have been more coherent and therefore more readable. I think Jeff should write a second edition that is more focused and perhaps more inclusive.

Illegal downloads at work put companies at risk, says FAST IiS

From: http://www.computerweekly.com/Articles/2010/01/15/239977/illegal-downloads-at-work-put-companies-at-risk-says-fast.htm

Company directors who allow staff to download software illegally are putting themselves and the company at risk of legal liability, software piracy watchdog FAST IiS has warned.

Internet data gathered by security firm ScanSafe across 100 countries revealed a 55% increase in illegal software and music downloads on corporate networks from October to December 2009.

"The company and directors could face a criminal prosecution with the possibility of a sentence and fine under the Copyright, Designs and Patents Act 1988," said John Lovelock, chief executive of FAST IiS.

In addition to the risk of legal liability, there is the probability of malware being a silent add-on to software downloaded from the peer-to-peer filesharing networks commonly used to distribute pirated software, he said.

FAST IiS recommends that all businesses have an IT policy as part of the conditions of employment and ensure that all employees are aware of the consequences of using corporate computers for illegal software downloads.

"It really is cheaper to keep control of your IT estate and software licensing rather than try to cut corners," said Lovelock.

Guidance for businesses is available on the FAST IiS website, he said.

Tuesday, January 19, 2010

Bejtlich Teaching at Black Hat EU 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. After Black Hat DC comes Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration.
  • Super early ends 1 Feb
  • Early ends 1 Mar
  • Regular ends 1 Apr
  • Late ends 11 Apr
  • Onsite starts at the conference
Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset through hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at different levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I recently described differences between my class and SANS if that is a concern.

I will also be teaching in another city and in Las Vegas, but I will announce those dates later.

I look forward to seeing you. Thank you.

Rogue anti-virus prevalent on links that relate to Haiti earthquake, as donors encouraged to look carefully for genuine sites

From: http://www.scmagazineuk.com/rogue-anti-virus-prevalent-on-links-that-relate-to-haiti-earthquake-as-donors-encouraged-to-look-carefully-for-genuine-sites/article/161431/

The earthquake that hit Haiti's capital Port-Au-Prince earlier this week has led to a huge rise in related malicious URLs.

Zscaler Research reported that only an hour after the 7.0 earthquake hit on Tuesday afternoon, there was a 1,578 per cent increase in URLs visited, with a corresponding 5,407 per cent increase in bandwidth usage for 'Haiti' URLs.

On the malware front, it reported seeing an increase in search engine optimisation (SEO) taking advantage of Haiti earthquake search terms to direct visitors to rogue anti-virus download sites.

This was also echoed by security vendors. Websense Security Labs ThreatSeeker Network discovered that searches on terms related to the earthquake returned results that led to a specific rogue anti-virus program via maliciously engineered search results.

Three samples of malware were discovered, with one having 20 per cent anti-virus coverage and another having eight per cent.

Also, F-Secure reported that a link named 'Haiti earthquake donate' leads to a website that installs a rogue into the system that it claims is supported by F-Secure.

Mathew Nisbet, malware data analyst at Symantec Hosted Services, noted an upturn in email and poisoned search results designed to exploit individuals' generosity.

He said: "The humanitarian crisis caused by the Haiti earthquake has captured the world's sympathies and people are flocking to donate online. Sadly these are exactly the conditions that a cynical scammer would be looking to exploit, as the desire to help can often cloud a person's good judgement.

"They count on the public's good nature, anxiety and desire to help, and hope that they won't see through the scam email which they are reading."

David Harley, director of malware intelligence at ESET, said: "It would be naive to claim that the security industry is all altruistic when it points to potential problems: we make our living from making people safer, or trying to. However, I'm not about to apologise for that any more than I expect my doctor to apologise for making his living out of accidents and diseases.

"You can be as cynical as you like about how successful we are, but most of the people I know in the industry aren't in it purely for the money. And the warnings I have been seeing about SEO poisoning, scams, malware, rogue AV and so on may increase sales directly or indirectly, but if they do encourage people to help themselves by whatever means, surely that's a good thing?

"However, I've noticed several people in the industry or somehow connected to it taking what you might consider a more constructive approach to evading some of these issues, by pointing to legitimate assistance resources. As with other kinds of phishing, scamming and so on, you'll be much safer going to known legitimate resources than responding to unsolicited requests for help from unverified sources."

Sunday, January 17, 2010

What Is APT and What Does It Want?

This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that. I think some of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't know. There are some exceptions worth noting!

One company that occupies a unique position with respect to this problem is Mandiant. Keep an eye on the APT tag of their M-unition blog. Mandiant's role as a consulting firm to some APT victims helps them talk about what they see without naming any particular victim. I also recommend following Mike Cloppert's posts. He is a deep thinker with respect to counter-APT operations. Incidentally I agree with Mike that the US Air Force invented the term "advanced persistent threat" around 2006, not Mandiant.

Reviewing my previous blogging, a few old posts stand out. 4 1/2 years ago I wrote Real Threat Reporting, describing the story of Shawn Carpenter as reported by Time magazine. Back then the threat was called "Titan Rain" by Time. (This reflects the use of a so-called "intrusion set" to describe an incident.) Almost a year later Air Force Maj Gen Lord noted "China has downloaded 10 to 20 terabytes of data from the NIPRNet. They're looking for your identity, so they can get into the network as you."

Now we hear of other companies beyond Google involved in this latest incident, including Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, Juniper Networks, and "human rights groups as well as Washington-based think tanks." (Sources 1 and 2.)

Let me put on the hat of a formally trained Air Force intelligence officer and try to briefly explain my understanding of APT in a few bullets.
  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:
  • Political objectives that include continuing to suppress its own population in the name of "stability."
  • Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.
  • Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.
Notice "stealing money" is not listed here. Although threats exist that target cash, those groups are not considered "APT".

Footnote: my Google search for advanced persistent threat that omits a few organization names (including this blog) now yields 169 non-duplicative hits as of this writing, up from 34 in July 2009.

Why Google v China is Different

I've been reading various comments on the Google v China issue. One caught my eye:

Security experts say Google cyber-attack was routine

"This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure.

"Most companies just never go public," he added.

In some ways this comment is true, and in other ways I think it can mislead some readers. I think it is true in the sense that many organizations are dealing with advanced persistent threats. However, I think this comment leads some readers to focus incorrectly on two rather trivial aspects of the Google incident: vulnerabilities and malware.

On the vulnerability front, we have a zero-day in Internet Explorer. I agree that this is completely routine, in a very unfortunate way. On the malware front, we have code submitted to Wepawet. I agree that this is also not especially interesting, though I would like to know how it ended up being posted there!

Five issues make Google v China different for me.
  • The victim made a public statement about the intrusion. I hear that this was a difficult decision to make and it took strong leadership to see it through: Google Inc.'s startling threat to withdraw from China was an intensely personal decision, drawing its celebrated founders and other top executives into a debate over the right way to confront the issues of counterintelligence and cyber security. Google's very public response to what it called a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" was crafted over a period of weeks, with heavy involvement from Google's co-founders, Larry Page and Sergey Brin.
  • The victim is not alone. Google isn't alone in the sense that firms suffering from Conficker last month weren't alone, i.e., this isn't a case of widespread malware. Instead, we're hearing that multiple companies are affected.
  • The victim is not a national government. Don't forget all the China incidents involving national governments that I followed from summer 2007 through 2008.
  • The victim named the perpetrator. This amazes me. We need more of this to happen. By doing so a private company influenced a powerful policy maker to issue a statement of a diplomatic nature.
  • The victim could suffer further damage as a result of this statement and decision. Every CIO, CTO, CSO, and CISO magazine in the world talks about "aligning with business," blah blah. Business is supposed to rule. Instead, we have a situation where the self-reported "theft of intellectual property from Google" plus "accessing the Gmail accounts of Chinese human rights activists" resulted in a business decision to change and potentially cease operations. That astounds me. You can claim Baidu is fighting Google, but I don't buy it as the real reason Google is acting like this.
  • Bravo Google.

Baidu Taken Down by DNS Hack

From: http://www.bluecoat.com/blog/baidu-taken-down-dns-hack

So Baidu got hacked yesterday. That is really big news. For China, that's like saying "Google got hacked." It's the leading search engine there, and one I've spent time using during work on our Chinese capability for DRTR.

The initial report I saw pointed not to an attack on Baidu's servers, but on the DNS entries that let the websurfers of the world get to the right site. In other words, if you can change the "official" DNS entry for a site, you change its Internet address. Just like that, you've tricked the entire Internet into thinking that the location for baidu.com is now on a server somewhere else, and that's where everyone will go. (The huge potential payoff for a phisherman or other Bad Guy who can pull off a DNS hack is why the "Kaminsky bug" was such a huge deal in the security press back in 2008.)

However, my initial guess (and it's only a guess, since I haven't seen any real details in any of the sites I checked) is that one of the engineers who has access to baidu.com's domain name registration account unknowingly used a malware-infected machine to access the registrar, and thereby had his password stolen. (Alternatively, someone could have "social engineered" their way past the domain registrar's safeguards -- i.e., do some fast talking and persuade them that you're Baidu's authorized staff and you need to change some settings -- but I consider that a lot less likely.)

One of my "key stories" for 2009 would be Gumblar (and other malware families) specifically targeting website passwords, either FTP credentials in order to gain access to the files that make up a site, or the domain registrar account name and password in order to do a DNS-redirection attack like this one. In either case, a Bad Guy with your account name and passwords is essentially you, at least as far as your web infrastructure is concerned, and can simply walk in the front door and make whatever changes he wants.

So, if you're in a corporate IT position that involves responsibility for your Web domain and/or site, this would be a good time to review the processes you follow when you make Registration (rarely) or Site changes (every day). Do you use any old computer, at home or work? Or do you make a conscious effort to only log in from a maximum-security (maybe even a dedicated?) computer? At minimum, you should be sure that the computer(s) you use for these tasks are fully patched, and protected by both antivirus and web filtering.

I'll be curious to see if any additional details emerge about how the hack was pulled off.
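Besides hardening the machines used for registrar logins, a domain owner can detect the kind of change described above from the outside: keep a baseline of the nameservers and addresses the domain is supposed to have, and compare every fresh lookup against it. The following is an added example written for this post, not code from Blue Coat, Baidu or the blog author. The domain, nameserver names, netblocks and the two "lookups" are constructed (RFC 5737 documentation addresses and reserved example names); in production the observed records would come from a resolver query, which is left out so the example runs offline.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsBaseline:
    """What the domain owner expects the public DNS to say about the domain."""
    domain: str
    nameservers: frozenset      # expected NS hostnames (lowercase, no trailing dot)
    address_ranges: tuple       # CIDR blocks that may legitimately hold the A records


def _normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def detect_dns_drift(baseline, observed_ns, observed_a):
    """Compare a fresh lookup against the baseline.

    Returns a list of findings (strings); an empty list means the public
    records still match what the owner registered.
    """
    findings = []
    seen_ns = {_normalize(n) for n in observed_ns}

    # A registrar-account takeover typically shows up first as a change of
    # delegation: the NS set moves to servers the owner never configured.
    for added in sorted(seen_ns - baseline.nameservers):
        findings.append(f"{baseline.domain}: unexpected nameserver {added}")
    for removed in sorted(baseline.nameservers - seen_ns):
        findings.append(f"{baseline.domain}: expected nameserver {removed} missing")

    # Even with the delegation intact, an A record pointing outside the
    # owner's netblocks means visitors are being sent to someone else's host.
    approved = [ipaddress.ip_network(cidr) for cidr in baseline.address_ranges]
    for addr in observed_a:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in approved):
            findings.append(f"{baseline.domain}: A record {addr} outside approved ranges")
    return findings


# Constructed baseline: example names and RFC 5737 documentation netblocks.
EXAMPLE_BASELINE = DnsBaseline(
    domain="example.com",
    nameservers=frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    address_ranges=("192.0.2.0/24", "198.51.100.0/24"),
)

# Constructed observations: one healthy lookup (mixed case, trailing dots),
# and one that looks like a hijacked registrar account.
HEALTHY_LOOKUP = (["ns1.example-dns.net.", "NS2.example-dns.net."],
                  ["192.0.2.10", "198.51.100.10"])
HIJACKED_LOOKUP = (["ns1.rogue-hoster.example."], ["203.0.113.7"])


def run_demo():
    """Run both constructed lookups through the detector; returns (healthy, hijacked) findings."""
    healthy = detect_dns_drift(EXAMPLE_BASELINE, *HEALTHY_LOOKUP)
    hijacked = detect_dns_drift(EXAMPLE_BASELINE, *HIJACKED_LOOKUP)
    return healthy, hijacked


if __name__ == "__main__":
    healthy, hijacked = run_demo()
    print("healthy lookup findings:", healthy)
    for line in hijacked:
        print("ALERT", line)
```

The healthy lookup produces no findings despite the case and trailing-dot differences, because names are normalized before comparison; the hijacked lookup produces four (one foreign nameserver, two expected nameservers missing, one address outside the approved netblocks). Running such a comparison from outside your own network, on a schedule, catches a delegation change whether it came from a stolen registrar password or from a social-engineered registrar.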

Saturday, January 16, 2010

Another Cross-over Point from WAN Optimization into the Proxy Space

From Network World:

Exinda Networks' latest software upgrade tackles some of the WAN optimization implications of a thorny IT management issue: the use of third-party anonymous browsing services that route DNS queries through a proxy server. Anonymous proxies allow end users to reach Web sites blocked by their companies, surf the Web anonymously, or hide their tracks while Web browsing. The new version of Exinda's WAN optimization software, EXOS 5.3, can detect the use of anonymous proxies and subject Web traffic to the rules and restrictions organizations have set up. With the new software, Exinda can expose, report and apply QoS policies to traffic using anonymous proxies. Its application classification engine categorizes network traffic and responds based on a company's defined policies -- by blocking the traffic or limiting its bandwidth usage, for instance. It can also identify end users who are not conforming to network usage policies. If someone were to try to access an Internet radio site during business hours, for instance, Exinda would correctly classify the traffic and apply the defined rules and policies, says Ed Ryan, vice president of products at Exinda. "If you're using anonymous proxies to create traffic that's normally shaped, we'll still know what it is and correctly classify it. All the normal policies and rules that would have applied to that traffic if you'd accessed it directly still apply." To stay on top of new anonymous proxy sites, the software maintains a list of URLs and sites to limit or block access to. "Version 5.3 allows you to see the real, genuine traffic. We provide continuous detection of anonymous proxy sites through regular updates. New ones are coming on every day," Ryan says. It's all about visibility, he says. "Visibility comes first. You can't make intelligent decisions about how to shape and prioritize and monitor the traffic unless you know what the traffic is. You can't make good decisions to accelerate and optimize traffic unless you know what it is." Also new in the version 5.3 software upgrade are a number of user interface and design tweaks designed to make life easier for administrators. Exinda redesigned its support screens, for instance, simplified its logon pages and redesigned some of its wizards. In addition, Exinda extended scalability features -- including multithreading and multi-queuing enhancements -- it developed late last year for its high-end 8760 product to the rest of its appliances that use multicore processors. EXOS 5.3 works on all existing Exinda appliances and is free to Exinda customers with maintenance subscriptions.

Friday, January 15, 2010

Friday is Last Day to Register for Black Hat DC at Reduced Rate

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 Jan and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left.
  • Regular ends 15 Jan
  • Late ends 30 Jan
  • Onsite starts at the conference
Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset through hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at different levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I will also be teaching in another city and in Las Vegas, but I will announce those dates later.

I strongly recommend attending the Briefings on 2-3 Feb. Maybe it's just my interests, but I find the scheduled speaker list to be very compelling.

I look forward to seeing you. Thank you.

Malware, scareware appear in search results provided by Office.Microsoft.com

From: http://www.mxlogic.com/securitynews/web-security/malware-scareware-appear-in-search-results-provided-by-officemicrosoftcom370.cfm

Security researchers say that black-hat SEO has created an opportunity for scareware purveyors to distribute their phony software to trusting users via one of Microsoft's own websites.

Malware experts at Websense last week released a blog post detailing the presence of malicious websites redirecting to a rogue anti-virus page in search results from Office.Microsoft.com. Websense says that the problem is made more serious by the fact that Microsoft adds a redirect from its own page, so the malicious URLs appear to be hosted by Microsoft, not the malware pushers.

The researchers said that the phony anti-virus program is "very real-looking" and that most anti-virus products do not recognize the executable as being malicious. PC Magazine reports that Microsoft has issued a statement, saying that the malicious redirects were introduced via a vulnerability in a third-party tutorial on the Office website.

Scareware pages pushing fake anti-virus software have been one of the fastest-growing types of online criminal activity over the past year, experts say. Generally run by well-organized criminal gangs in Eastern Europe, the scam has taken in millions in profits.

Thursday, January 14, 2010

Malware Threat Reports Fail to Add Up

From: http://www.infosecurity-us.com/view/6314/malware-threat-reports-fail-to-add-up/

The December malware threat reports are trickling in from vendors -- and they all appear to be different. Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will necessarily be confused by the results.

For example, in its malware report for last month, Fortinet said that W32/PackBredolab.C!tr topped the charts of malware variants detected in December, accounting for two-thirds of malware activity in December. It was a new entry to the malware table, the company said.

Kaspersky highlighted three versions of the Kido worm, known more popularly as Conficker, in the top three slots of its own malware threat report for December. Sunbelt listed Trojan.Win32.Generic!BT in the top malware slot as part of its own report, with nearly 20% of the activity for December. A quick scan of the other top 10 malware entries for each company reveals few if any matches.

"Comparing the monthly statistics from different anti-virus companies is truly comparing apples and oranges," said Tom Kelchner, Sunbelt Research Center manager. "What one company detects and identifies as a specific, named example of malcode, another may detect generically."

He argued that antivirus companies have tried to use common names for malware that they find, but that the complex nature of antivirus analysis, combined with the pace of the process, has made it nearly impossible to work together.

"Naming convention is one thing. But I think the main problem these days is the way in which detection techniques have shifted," said Roel Schouwenberg, senior antivirus researcher, Kaspersky Lab. "The shift in detection techniques makes naming harder and grouping of malware completely different."

Axelle Apvrille, senior mobile AV analyst and researcher in the Fortinet EMEA threat response team, said that the time window for detections is another reason for the disparity in results. "Even if, globally, Sunbelt, Kaspersky and us report the same threats, this may not be true when we consider short time frames (such as a month)," he said.

"It's hard for users, not being able to look up information on something under one name," noted Joe Stewart, director of malware research at managed security company SecureWorks. Because anti-malware vendors are also competitors, they have little incentive to work together on normalizing names and detection techniques, he pointed out. "I don't think that there's any solution in sight, because there are so many factors that play into it. Because of the way that the industry works, you can't work around them too well."

In short: is there a problem with user confusion over threat tables like these? Most definitely. Can we solve it? Apparently not.

    Wednesday, January 13, 2010

    Why Would APT Exploit Adobe?

    After reading this statement from Adobe, they seem to be using the same language that described the Google v China incident:

    Adobe became aware on Jan 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident.

    Let's assume, due to language and news timing, that it's also APT. Why would APT exploit Adobe? Am I giving Adobe too much credit if I hypothesize that APT wanted to learn more about Adobe's product security plans, in order to keep exploiting Adobe's products?

    If that is the case, who else might APT infiltrate? Should we keep looking for similar announcements from other software vendors?

    Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

    Mechagodzilla v Godzilla

    After posting Google v China I realized this is a showdown like no other. In my experience, no one "ejects" the advanced persistent threat. If you think they are gone, it's either 1) because they decided to leave or 2) you can't find them. Now we hear Google is the latest victim. Google is supposed to be a place where IT is so awesome and employees so smart that servers essentially run themselves, and Google's HR has to leave some of the other smart people "in place" to help the rest of us cope with life. Could Google be the first company to remove APT despite APT's desire to stay persistent? Google v China could be Mechagodzilla v Godzilla. No one without inside knowledge will know how this fight concludes, and it probably will not conclude until one of the combatants is gone.

    2010: Is it all hype?

    When the year turned to 2000, there was all this worry that computers would crash, and our infrastructure would have problems from the date rollover. Nothing significant happened. But we surprised ourselves as the year 2010 came around, and there were actually news reports of computers having problems with the date change.

    Some of the reported problems included:

    Symantec's "Endpoint Protection" enterprise anti-virus solution started the new year by labelling signatures dated 01/01/2010 or newer as "out of date" even though the signatures are current. Symantec is reportedly working to fix the flaw. Until an update has become available, the vendor will date any further new signatures December 31, 2009 and only increase the revision number. Affected products include Symantec Endpoint Protection v11.x and Symantec Endpoint Protection Small Business Edition v12.x.

    The Internet Storm Center reports that Cisco's Content Switching Module (CSM) has problems with its load balancing feature. The default cookie expiration in the load balancer is reportedly set to 01/01/2010 and has, therefore, expired. As a result, connections to programs such as web applications are reportedly being continuously "rebalanced".

    I guess it's never too late to check to make sure your code is date compliant.

    Illegal downloads at work skyrocket

    From: http://www.computerweekly.com/Articles/2010/01/12/239924/Illegal-downloads-at-work-skyrocket-says-ScanSafe.htm

    Illegal software and music downloads on corporate networks have increased 55% in the past three months, according to web security firm ScanSafe. The increase was revealed in data gathered across more than 100 countries and millions of employees.

    Employees tend to assume they can use the internet at work in just the same way as they use it at home, said Spencer Parker, product management director at ScanSafe. "Inappropriate internet use in the workplace can put the employer at risk for legal liabilities," he said.

    Downloading illegal content is a "double whammy" for employers as it puts them at risk legally and puts the company network at risk, said Parker. "Free illegal downloading websites are often riddled with malware, which could infect corporate networks," he said.

    Organisations should implement a broad web security system to block employees from accessing illegal websites, said Parker.

    Security consultants have identified employee behaviour as a top priority for businesses in 2010. Businesses should also ensure internet usage policies are up to date and that employees are aware of what they are not allowed to do at work.

    Increased use of consumer devices such as iPhones is another key reason businesses should keep their IT policies and standards up to date, said William Beer, information security director at PricewaterhouseCoopers. "Employees need to be aware of how their actions can impact on the organisation they work for, but not many businesses have a broad set of policies and an education programme in place," he said.

    Monday, January 11, 2010

    Facebook Beats Google on Xmas

    From: http://www.thebigmoney.com/blogs/feeling-lucky/2009/12/31/facebook-beats-google-xmas

    Could Facebook succeed Google (GOOG) as the most-visited Web site in the country in 2010? That question's been on everyone's lips ever since an official at the research firm Hitwise tweeted that on Christmas Day, more people used Facebook than Google or any of its related products.

    Search Engine Journal contributor Arnold Zafra thinks that the Christmas triumph may be something of an outlier; Christmas, after all, is a time when people reconnect with their friends and family, and Facebook is uniquely positioned to help them do just that. Nevertheless, Zafra adds, it may indicate that Facebook may have outpaced e-mail as a communication medium. "Email is a thing of the past during these days, as Facebook and perhaps other social sites like Twitter are the more preferred ways of communicating online especially during special occasions," he writes.

    And in another sign of Facebook's ubiquity, the security firm McAfee warned that hackers and malware distributors are increasingly focused on poisoning the site with spam. "Malware authors love following the social networking buzz and hot spots of activity; that will continue in 2010," the company warned. Apparently, popularity has its price.

    Autorun virus - Microsoft patch KB971029

    AutoRun is a Windows feature that allows files or programs to run automatically as soon as a removable media device, such as a USB drive or CD-ROM, is connected to a computer. The AutoRun feature could allow malicious code to spread. One of the vectors by which the Conficker, or Downadup, worm propagates is through pen drives and other removable storage media.

    Microsoft has fixed a problem that prevents users from selectively disabling AutoRun features in an attempt to stop the Conficker worm from spreading.

    Microsoft said it recommends all customers install the update, which affects all supported Windows versions.

    Read: Manually remove autorun.inf from your drive

    Download links

    The following files are available for download from the Microsoft Download Center:
    • Update for Windows Server 2008 (KB971029): Windows6.0-KB971029-x86.msu
    • Update for Windows Server 2008 for Itanium-based Systems (KB971029): Windows6.0-KB971029-ia64.msu
    • Update for Windows Server 2008 x64 Edition (KB971029): Windows6.0-KB971029-x64.msu
    • Update for Windows Vista (KB971029): Windows6.0-KB971029-x86.msu
    • Update for Windows Vista for x64-based Systems (KB971029): Windows6.0-KB971029-x64.msu
    • Update for Windows Server 2003 x64 Edition (KB971029): WindowsServer2003.WindowsXP-KB971029-x64-ENU.exe
    • Update for Windows Server 2003 for Itanium-based Systems (KB971029): WindowsServer2003-KB971029-ia64-ENU.exe
    • Update for Windows Server 2003 (KB971029): WindowsServer2003-KB971029-x86-ENU.exe
    • Update for Windows XP (KB971029): WindowsXP-KB971029-x86-ENU.exe

    See also: list of free online anti-virus scanners
    Prevent virus infections through removable media: KB971029

    Ref: http://support.microsoft.com/kb/971029
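    As an added example (not from the post above or from Microsoft), here is a small Python checker for autorun.inf files of the kind found on removable media: it parses the file tolerantly and flags entries that would launch a program on insertion. The two sample files are constructed for illustration, and the folder-disguise and hidden-directory heuristics are my own assumptions about what is worth flagging.

```python
# Added example: tolerant autorun.inf parser plus defender-side heuristics.
# The sample files are constructed for illustration, not real worm samples.

LAUNCH_KEYS = ("open", "shellexecute")                    # run a program directly
HIDDEN_DIRS = ("recycler", "system volume information")   # assumed hiding spots

# Constructed: a harmless autorun.inf that only sets a label and an icon.
ICON_ONLY_AUTORUN = r"""
[autorun]
icon=drive.ico
label=Backup Drive
"""

# Constructed: junk-padded file that launches an executable from a hidden
# folder while posing as "Open folder to view files" (an assumed disguise).
SUSPICIOUS_AUTORUN = r"""
;padding
[AutoRun]
xkq2mz9
Action=Open folder to view files
Icon=%SystemRoot%\system32\SHELL32.dll,4
Open=RECYCLER\hidden\update.exe
shell\open\command=RECYCLER\hidden\update.exe
"""

def parse_autorun(text):
    """Return {section: {key: value}} with section names and keys lower-cased.

    Lines without '=' are skipped rather than rejected: Windows ignores such
    padding, so a strict INI parser would miss exactly the files worth seeing.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def assess_autorun(text):
    """Flag [autorun] entries that run code, plus a folder-icon disguise."""
    autorun = parse_autorun(text).get("autorun", {})
    launch = [(k, v) for k, v in autorun.items()
              if k in LAUNCH_KEYS
              or (k.startswith("shell\\") and k.endswith("\\command"))]
    action = autorun.get("action", "").lower()
    icon = autorun.get("icon", "").lower()
    disguise = bool(launch) and ("open folder" in action or "shell32.dll" in icon)
    hidden = any(d in v.lower() for _, v in launch for d in HIDDEN_DIRS)
    return {"launch_entries": launch, "folder_disguise": disguise,
            "suspicious": bool(launch) and (disguise or hidden)}

if __name__ == "__main__":
    for name, sample in (("icon-only", ICON_ONLY_AUTORUN), ("padded", SUSPICIOUS_AUTORUN)):
        print(name, assess_autorun(sample))
```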


    Friday, January 8, 2010

    Happy 7th Birthday TaoSecurity Blog

    Today, 8 Jan 2010, is the 7th birthday of TaoSecurity Blog. I wrote my first post on 8 Jan 2003 while working as an incident response consultant for Foundstone. 2542 posts (averaging 363 per year) later, I am still blogging. I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these 7 years -- I hope to have a ten year post in 2013!

    Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide. The image shows Elvis training with Ed Parker, founder of American Kenpo. As I like to tell my students, Elvis' stance is so wide it would take him a week to respond to an attack. Then again, he's Elvis. I studied Kenpo in San Antonio, TX and would like to return to practicing, along with ice hockey, if my shoulders cooperate!

    Monday, January 4, 2010

    Excerpts from Randy George's "Dark Side of DLP"

    Randy George wrote a good article for InformationWeek titled The Dark Side of Data Loss Prevention. I thought he made several good points that are worth repeating and expanding.

    [T]here's an ugly truth that DLP vendors don't like to talk about: Managing DLP on a large scale can bog your staff down up to their ankles.

    This is important, and Randy explains why in the rest of the article.

    Before you fire off your first scan to see just how much sensitive data is floating around the network, you'll need to create the policies that define appropriate use of corporate information.

    This is a huge issue. Who is to say just what activity is "authorized" or "not authorized" (i.e., "business activity" vs "information security incident")? I have seen a wide variety of activities that scream "intrusion!" only to hear, "well, we have a business partner in East Slobovistan who can only accept data sent via netcat in the clear." Notice I also stressed "who." It's not enough just to detect badness; someone has to be able to classify badness, with authority.

    Once your policies are in order, the next step is data discovery, because to properly protect your data, you must first know where it is.

    Good luck with this one. When you solve it at scale, let me know. This is actually the one area where I think "DLP" can really be rebranded as an asset discovery system, where the asset is data. I'd love to have a DLP deployment just to find out what is where and where it goes, under normal conditions, as perceived by the DLP product. That's a start at least, and better than "I think we have a server in East Slobovistan with our data..."

    Then there's the issue of accuracy... Be prepared to test the data identification capabilities you've enabled. The last thing you want is to wade through a boatload of false-positive alerts every morning because of a paranoid signature set. You also want to make sure that critical information isn't flying right past your DLP scanners because of a lax signature set.

    False positives? Signature sets? What is this, dead technology? That's right. Let's say your DLP product runs passively in alert-only mode. How do you know if you can trust it? That might require access to the original data or activity to evaluate how and why the DLP product came to the alert-worthy conclusion that it did. Paradoxically, if the DLP product is in active blocking mode, your analysts have an easier time separating true problems from false problems. If active DLP blocks something important, the user is likely to complain to the help desk. At least you can figure out what the user did that triggered both DLP and the denied user.

    However, as with intrusion-detection systems, not all actions can be automated, and network-based DLP will generate events that must be investigated and adjudicated by humans. The more aggressively you set your protection parameters, the more time administrators will spend reviewing events to decide which communications can proceed and which should be blocked.

    Ah, we see the dead technology -- IDS -- mentioned explicitly. Let's face it -- running any passive alerting technology, and making good sense of the output, requires giving the analyst enough data to make a decision. This is the core of NSM philosophy, and why NSM advocates collecting a wide variety of data to support analysis.

    For earlier DLP comments, please see Data Leakage Protection Thoughts from last year.

    Friday, January 1, 2010

    Best Book Bejtlich Read in 2009

    It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2009! Although I've been reading and reviewing digital security books seriously since 2000, this is only the fourth time I've formally announced a winner; see 2008, 2007, and 2006.

    2009 was a slow year, due to a general lack of long-haul air travel (where I might read a whole book on one leg) and the general bleed-over from my day job into my outside-work time.

    My ratings for 2009 can be summarized as follows:
    • 5 stars: 6 books
    • 4 stars: 5 books
    • 3 stars: 4 books
    • 2 stars: 0 books
    • 1 star: 0 books
    Here's my overall ranking of the five star reviews; this means all of the following are excellent books.
    • 6. Vi(1) Tips by Jacek Artymiak; devGuide.net. Every Unix admin should know how to use vi(1), and Jacek's book provides the right balance of commands and examples.
    • 5. Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast by Paco Hope; O'Reilly. Even though I am not a Web developer, I found this book to be very clear and helpful for security analysts trying to understand Web traffic.
    • 4. IPv6 Security by Scott Hogg; Cisco Press. When it comes to IPv6 security books, there is really no alternative, and thankfully this book delivers.
    • 3. Windows Forensic Analysis DVD Toolkit, Second Edition by Harlan A. Carvey; Syngress. Harlan's update to the first edition of his book is another winner; you must read this book.
    • 2. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Marcus Pinto; Wiley. This is an excellent book. I read several books on Web application security recently, and this is my favorite.
    And, the winner of the Best Book Bejtlich Read in 2009 award is...

    1. SQL Injection Attacks and Defense by Justin Clarke, et al; Syngress. This was a really tough call. Any of the top 4 books could easily have been the best book I read in 2009. Congratulations to Syngress for publishing another winner. SQL injection is probably the number one problem for any server-side application, and this book is unequaled in its coverage.

    Looking at the publisher count, top honors in 2009 go to Syngress for 2 titles, followed by Wiley, Cisco Press, O'Reilly, and devGuide.net, each with one. Thank you to all publishers who sent me books in 2009. I have plenty more to read in 2010.

    Congratulations to all the authors who wrote great books in 2009, and who are publishing titles in 2010!