Archive for Experts Opinions

0day Vulnerabilities For Sale - the new market for weaponized exploits

The following article was posted by (Paul Goebbels) to a security mailing list
Source: http://seclists.org/fulldisclosure/2007/Dec/0028.html
From: Goebbels Amadeus
Date: Sun, 2 Dec 2007 06:12:54 +0100 (CET)

Despite the misleading subject of my e-mail, I want to bring to attention an important topic which hasn’t been discussed enough among the security industry: the exploit and vulnerability research market.

Since this might be a vastly secretive community, I will introduce some of the members of this dramatically disturbing tale:

A few years ago, a few companies emerged who offer rewards for exploit information and vulnerability research. In the beginning, only iDefense (US-based) openly disclosed its activities. In the last 3-7 years we have seen ZDI (TippingPoint, now 3Com and soon its Chinese major shareholder..), WSLabi (the failed attempt at creating an auction market model for these sales) and Netragard (the old DMCA publicity stunt SNOsoft).

Now I’ll start telling a tale of distrust, lies, middle men and other creatures of the infraworld…

Once upon a time, there was an increasingly powerful work force capable of crafting weapons which existed only in a digital world. This force didn’t have a name. They didn’t pursue certifications. They were anonymous. But some realized they also had the power of influencing people, controlling the flow of information from anywhere at any time. Humanity has seen for ages how the power of controlling information can take down whole nations. Nowadays, in an open and free market, the corporate world is nothing but a battlefield.

There’s no crimson tie. No blood escaping the bodies of its soldiers. The soldiers are John Does, fighting for a decent paycheck at any cost, selling out their spirits and time for the corporate machine. Selling out their comrades and dignity. Losing the values, principles and matter that make them human. Unknowingly, they are becoming mere tools of a few individuals who have a never-ending desire for fame and wealth.

Have you ever considered your future in their hands? You’ve been working for 50 years, your liver and kidneys start failing, creating visible symptoms, stains on your skin. You can’t handle life in the same way anymore. For what? What have you done in those 50 years but serve another man to become more wealthy and overpowered? The approaching day of your death and its mere vision strikes you like a burning iron blade.

In this New Age battlefield, you can make a difference. A talented youth started emerging and dedicated itself passionately to fulfilling its curiosity. Day after day, spending countless hours in front of a machine. Understanding its inner design and details, breaking it apart and reassembling it the way it wasn’t meant to be assembled.

Some others dedicated painful discipline to physical work and trained themselves to achieve perfection in both intellectual and physical matters. Others fell along the way and never made it to the final round.

After realizing they could not let the corporate world exhaust them, they tried another way. The emerging market of digital ammunition seemed to be a potential solution for their problems. But, unbeknownst to them, they were wrong. They didn’t think at first glance of the impossibly huge amounts of lies and fallacies they were about to experience. Because in a world where you can claim something while denying your obligation to prove it, the only power that is left is that of common sense and intuition. The ability to sense the deceitful and know the truthful.

One day, our John Doe decided to approach an independent digital weapons dealer, looking for better offers than those coming from more established business men. He knew that more than business men, they were only middle men. After numerous experiences with these little twerps, he realized they were also abusing their condition. John was also especially disappointed with the fact that in the world of digital ammunition, there’s no real way of providing the goods without turning them instantly useless and vulnerable to abuse.

John knew that these middle men were taking cuts far higher than their alleged 10 to 15 percent of the sale. How could John prove otherwise? There was no way of ensuring that their contacts were getting the very exact figure John demanded.

Despite this fact, John also realized that in this market of smoke, the seller is not supposed to set the price of the goods. These middle men, in their great mistake of thinking that wisdom and knowledge are the very same thing, wanted John to believe that they were the ones who set the price of the goods.

John’s disappointment was growing to incredibly high stakes: “As a child, whenever I tried to tell the candy shop clerk that the chocolate bars cost as much as the peanut butter ones, he simply tried to smack my head down. I wasn’t supposed to even swap the labels in a failed attempt to fool this man, who had been making candy bars for more time than I was actually able to barely say my name.”

John had been crafting digital weapons for so long, with such high talent and effectiveness, that he was much less dispensable than these middle men. His personal background, of an extremely tough childhood full of misery and hostility, also gave him the necessary wisdom and experience in this world for quickly spotting the weaknesses of these ego-crazed men. Their weakness lies in the fact that without John and his comrades, they have no business. They lack far more than just knowledge. They lack wisdom, passion and truly devoted dedication to whatever they do. Sooner or later they will make the same mistake as other weapon dealers: getting killed with their own goods.

Hypocrisy among these poorly educated middle-men was so high that they resorted to low tricks and ridiculous attempts to gain the trust of people like John. They went as far as insulting the intelligence of those who provided them with the goods they are unable to produce themselves. No matter how hard they tried, it never brought anything back but silence. The silence that can be clearly understood as a fully precise signal of genuine contempt.

The fundamental error behind their approach is that trust can’t be gained by cheering, boosting the ego, claiming great benefits and wealth. Trust is something sculpted in hard rock, taking years to become an admirable masterpiece. It doesn’t come attached to an email.

In the end, John and his comrades found out that wasting their time with these miserable beings was far less than fruitful. It was exhausting them as much as the corporate world did. They realized that any day above ground is a good day. Let the snakes change their skin and show their true colors. In the desert, being unable to match the environment has deadly consequences. It might take years, or decades, but time will set them all where they belong. Life does not forgive and everything has come to an end… because they lack patience, the end will approach their nefarious activities sooner than they ever thought and John and his comrades will be free again.

And this tale has to come to an end itself… the end of a story about middle-men and their madness.

Time’s striking force.

- Paul Amadeus Goebbels

very interesting, mr goebbels.


Independent expert hackers claim Web app bugs are less severe than other vulnerabilities

Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that Buffer Overflows are still the top threat to the safety of the Internet in these days of distributed social data networks and rich Web 2.0 application platforms.

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus.

“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.

Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ‘04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”

Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.

“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency,” claimed Richard Reiner at the time of the acquisition.

Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.

“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”

Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is unknown how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’ only motivation for releasing this questionable “research” is to generate PR and increase sales - possibly through fear and misinformation - while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Read the original article over at DarkReading.com - a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”


Alert: Hackers can take over unused IP Addresses in Highly Trusted domains - Finjan

Domain Name System Hijacked: Hackers Abuse Domain-Name Trust

InternetWorld’s Andy Patrizio and Finjan’s Yuval Ben-Itzhak discuss the fundamental weaknesses in Finjan’s blacklist-based URL filtering products

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the IP address resolved the misspelled domain name, the products would then compare the IP address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

“Web 2.0 sites are great fun but also a great platform for hackers to host malicious code.” - Ben-Itzhak from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo’s hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Finjan Web-filtering product into believing a person was going to a highly trusted Yahoo domain. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network. (In this case, Finjan’s Web-filtering product.)

“They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown,” Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

“You can upload anything you like, so you can upload malicious content, as well.” - Ben-Itzhak on design flaws within Finjan’s product.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that’s a flaw in social networks.

“In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well,” said Ben-Itzhak. “You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year.”

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan’s SecureBrowsing or SnakeOil’s HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it’s suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust
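The weakness the article describes is a trust decision keyed on where a name resolves rather than on the name itself: any host name pointed at an unused address inside a trusted owner’s netblock inherits that owner’s reputation. The Python below is an added illustration, not Finjan’s, Yahoo’s or InternetNews’ code; every host name, address and resolver answer in it is constructed (documentation and test ranges only), and the allow/inspect/block policy is a hypothetical model of the behaviour described, placed beside a check that does not trust the address alone.

```python
"""Address-only reputation vs. name-aware trust for a web filter.

Everything below is constructed for illustration: the netblock, the trusted
domain, the 'known bad' address and the resolver table are hypothetical
(RFC 5737 documentation ranges and .test names), not anyone's real data."""
import ipaddress
from typing import Dict, List

# Constructed: a netblock the filter treats as belonging to a "highly trusted"
# owner, and the registrable domain that owner actually serves from it.
TRUSTED_NETBLOCKS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_DOMAINS = {"trusted-portal.test"}

# Constructed: an address already seen hosting fraud.
KNOWN_BAD_IPS = {ipaddress.ip_address("198.51.100.7")}

# Constructed stand-in for live DNS resolution (hypothetical answers).
RESOLVER: Dict[str, str] = {
    "www.trusted-portal.test": "203.0.113.10",
    # Forged look-alike of an analytics host name, pointed at an *unused*
    # address inside the trusted netblock: the pattern the article describes.
    "google-analytics.example-lookalike.test": "203.0.113.250",
    "shop.example-bad.test": "198.51.100.7",
}


def resolve(host: str) -> ipaddress.IPv4Address:
    """Look the name up in the constructed resolver table."""
    return ipaddress.ip_address(RESOLVER[host])


def registrable_domain(host: str) -> str:
    """Toy approximation: last two labels. Real code would consult the
    Public Suffix List instead of assuming a two-label registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def ip_reputation_verdict(host: str) -> str:
    """Address-only policy: whatever the name, an address inside a trusted
    netblock is waved through without content inspection."""
    ip = resolve(host)
    if ip in KNOWN_BAD_IPS:
        return "block"
    if any(ip in net for net in TRUSTED_NETBLOCKS):
        return "allow"
    return "inspect"


def name_aware_verdict(host: str) -> str:
    """Hardened policy: trust requires the *name* to be one the owner serves
    and the address to sit where that owner serves it. An unknown name that
    merely resolves into a trusted netblock is inspected like any other site."""
    ip = resolve(host)
    if ip in KNOWN_BAD_IPS:
        return "block"
    name_ok = registrable_domain(host) in TRUSTED_DOMAINS
    addr_ok = any(ip in net for net in TRUSTED_NETBLOCKS)
    return "allow" if (name_ok and addr_ok) else "inspect"


if __name__ == "__main__":
    for h in RESOLVER:
        print(f"{h:42} ip-only={ip_reputation_verdict(h):8} name-aware={name_aware_verdict(h)}")
```

Run stand-alone, the table shows the forged analytics name getting `allow` from the address-only policy and `inspect` from the name-aware one; the hardened check still lets the genuine trusted host through, so the fix costs nothing for legitimate traffic. The remaining gap, which no filter policy closes, is that an address the owner has not assigned should never be reachable in the first place; that is an address-management and routing hygiene problem on the netblock owner’s side.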

“With Finjan’s web security there will be no need to worry about getting caught napping by the latest round of web-based threats” - SC Magazine

Giorgei Jorge [xssworm] writes:

After explaining that Finjan’s server-based web security filtering products fail to actually inspect web content or protect the user in any significant way .. beyond checking to see if the target domain name is ‘highly trusted’ such as Yahoo.com .. it’s patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks. It is also clear that Finjan’s server-based products are highly effective, technically advanced, provide enhanced security for your users and in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to “highly trusted domains” such as yahoo.com it is recommended that users install Finjan’s SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only highly trusted domains such as yahoo.com are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the user’s desktop. When used in conjunction with the Finjan total security suite of products, including Finjan’s server-based web-filtering product and Finjan’s server and desktop email malware badware and anti-virus filter scanning products and Finjan’s Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names. Security of the Web 2.0 is still somewhat dependent on whether hackers can take over unused IP Addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these new threats to your information assets.


DNS Fast Fluxing - Are you protected? CA Experts issue warning of new hacker attack

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures — dubbed “fast-flux” — that could make them more difficult to detect, researchers say.

DNS Fast Fluxing is also referred to simply as Fast Fluxing, although some advanced security researchers claim Fast Fluxing of services other than Domain Name Services (DNS) may be possible with future developments in attack-and-command botware and crimeware frameworks; in any case, the International Security Convention Consortium (ISCC) will have to convene to consider an appropriate protocol convention for these issues. In the interest of brevity and throughout this article I will generally only make references to “Fast Fluxing” rather than use the long-hand title of DNS Fast Fluxing, and I humbly deign to apologize in advance for any misunderstandings or confusion.

DNS Fast Fluxers, also known as DFFers (or in some circles, FFers) are classed amongst some of the most dangerous threats to your online assets. DFFers are notorious for defeating anti-phishing systems using flaws within Domain technology such as DNS Services, and for utilizing these flaws to avoid being detected. This makes the DFFer harder to track down completely, as his peer network command is decentralized through the tunnels provided by the popular Internet naming services.

WHAT IS DNS FAST FLUXING?

Fast flux is an advanced method being used by determined botnet operators to hide and preserve their malicious Websites and botnet infrastructures. The bad guys behind Warezov/Stration and Storm, for instance, have separately moved their infrastructures to fast-flux service networks, according to members of the Honeynet Project & Research Alliance, who monitor fast-flux behavior via their honeypots.

With Fast Flux, infected bot machines serve as proxies or hosts for malicious Websites and get rotated regularly, changing DNS records to evade discovery. IP blacklists are basically useless in finding fast flux-based botnets. The bad guys behind these networks can easily hide their fake online pharmacies, pornography, phishing sites, and other malicious content servers using this “round-robin” process.

  • Mark Wade

Mark Wade, 10-year veteran in information security and current manager of Research Content with Computer Associates’ Threat Research Team, and contributor to the Computer Associates Security Advisor Research Blog (CARBS), writes:

“I decided to take a deeper look and see what I could find out about a botnet operation that I stumbled across. This investigation begins from a spammed email message I received, that was selling jewelry.

Since it is common practice we can assume the email was sent or relayed from a compromised computer that may have been part of a botnet. There were two websites in the email message: http://ryih.mhhimto.com and rmfx.mhhimto.com.

Using nslookup, I entered rmfx.mhhimto.com to resolve its IP address. I was not surprised to see eight completely different IP addresses returned, all ranging from various IP netblocks. Since I have seen similar types of activity in the past, I ran nslookup again to see if the IP addresses changed. Sure enough, in just under 10 minutes the previously listed IP addresses changed to a completely new set of IP addresses. This seemed to happen about every ten minutes. I quickly identified the ever changing IP addresses as DNS fast fluxing.

Fast fluxing is a method of deception utilized by botnets to conceal the identity of the bot herder or parts of the criminal activity. Fast fluxing works by constantly rotating compromised IP addresses, which are usually acting as a proxy to the end system. This is extremely beneficial to criminals who are involved in phishing scams or using compromised web sites used to deliver malware.”

  • The Honeynet Project

The Honeynet Project & Research Alliance defines a fast-flux network as:

Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.

  • Adam O’Donnell of Cloudmark

“The purpose of this technique is to render the IP-based block list — a popular tool for identifying malicious systems — useless for preventing attacks,” says Adam O’Donnell, director of emerging technologies at security vendor Cloudmark.

“Fast flux is just the latest method of survival for the bad guys: There are more to come. Any technique that allows a malicious actor to keep his network online longer — and reduce the probability of his messages and attacks being blocked — will be used,” he says. “This is just the latest of those techniques.”

  • Ralph Logan, The Logan Group

“All of this research on fast-flux is new. No one had any definitive research on it. [..] We saw a rising trend in illegal, malicious criminal activity here.. [..] Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites,” Logan says. “This is to keep security professionals and ISPs from discovering and mitigating their illegal content.”

The bad guys like fast-flux — not only because it keeps them up and running, but also because it’s more efficient than traditional methods of infecting multiple machines, which were easily discovered.

“The ISP would shut down my 100 machines, and then I’d have to infect 100 more to serve my content and relay my spam,” Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the “mother ship,” which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

“Our honeypot can capture actual traffic between the mother ship and the end node,” Logan says. The Alliance is still studying the malicious code and behavior of the fast-flux network it has baited.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently — so the proxy machines get rotated regularly, too – some as often as every three minutes — to avoid detection. “It’s not a bunch of traffic to one node serving illegal code,” Logan says.

“I send you a phishing email, you click on www.homepharmacy.com — but it’s really taking you to Grandma’s PC on PacBell! .. Which wakes up and says ‘it’s my turn now!’” threatens Logan. “You’d have 100 different users coming to Grandma’s PC for the next few minutes, and then Auntie Flo’s PC gets command-and-controlled next!” he says, with a menacing tone.
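The signals Mark Wade read off his repeated nslookup runs (many addresses per answer, spread over unrelated netblocks, replaced by a new set every few minutes) and the Honeynet definition above can be turned into a simple detection check over a series of resolutions of one name. The Python below is an added example, not code from CA, the Honeynet Project, the Logan Group or DarkReading; its DNS snapshots are constructed to mimic the described behaviour against a stable control, and the thresholds in `is_fast_flux` are illustrative assumptions rather than any published scoring formula.

```python
"""Fast-flux indicators from repeated resolutions of a single host name.

The snapshots are constructed (private and documentation ranges only) to
mimic the article's description: eight addresses per answer from unrelated
netblocks, a disjoint set about every ten minutes, low TTL. The thresholds
below are illustrative assumptions, not a published scoring formula."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Snapshot:
    when: datetime              # time the query was made
    a_records: Tuple[str, ...]  # A records in the answer
    ttl: int                    # TTL (seconds) on the answer


BASE = datetime(2007, 11, 7, 9, 0)  # constructed query time


def _flux_snapshot(minute: int, seed: int) -> Snapshot:
    # Constructed: eight addresses, each in a different /16 of 10.0.0.0/8 so no
    # real host is named; a different seed yields a disjoint set of /16s.
    addrs = tuple(
        f"10.{seed * 8 + i}.{(i * 37) % 256}.{(seed * 11 + i * 5) % 256}" for i in range(8)
    )
    return Snapshot(BASE + timedelta(minutes=minute), addrs, ttl=300)


# Four queries ten minutes apart: the fluxing name vs. a stable control name.
SNAPSHOTS_FLUX: List[Snapshot] = [_flux_snapshot(m, s) for s, m in enumerate((0, 10, 20, 30))]
SNAPSHOTS_STABLE: List[Snapshot] = [
    Snapshot(BASE + timedelta(minutes=m), ("192.0.2.10", "192.0.2.11"), ttl=3600)
    for m in (0, 10, 20, 30)
]


def slash16(ip: str) -> str:
    """Coarse netblock key (first two octets); an ASN lookup is the real-world analogue."""
    return ".".join(ip.split(".")[:2])


def flux_indicators(snapshots: Sequence[Snapshot]) -> Dict[str, float]:
    """Summarise how many addresses and netblocks one name used over the window
    and how much of each answer was new relative to the previous one."""
    all_ips = set()
    for s in snapshots:
        all_ips.update(s.a_records)
    turnovers = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        new = set(cur.a_records) - set(prev.a_records)
        turnovers.append(len(new) / len(cur.a_records))
    return {
        "distinct_ips": len(all_ips),
        "distinct_slash16": len({slash16(ip) for ip in all_ips}),
        "mean_ttl": sum(s.ttl for s in snapshots) / len(snapshots),
        "mean_turnover": sum(turnovers) / len(turnovers) if turnovers else 0.0,
        "span_minutes": (snapshots[-1].when - snapshots[0].when).total_seconds() / 60,
    }


def is_fast_flux(snapshots: Sequence[Snapshot], min_ips: int = 8, min_prefixes: int = 4,
                 max_ttl: int = 600, min_turnover: float = 0.5) -> bool:
    """Illustrative rule: many addresses, across many netblocks, with a short
    TTL, and most of each answer replaced between queries."""
    ind = flux_indicators(snapshots)
    return (ind["distinct_ips"] >= min_ips
            and ind["distinct_slash16"] >= min_prefixes
            and ind["mean_ttl"] <= max_ttl
            and ind["mean_turnover"] >= min_turnover)


if __name__ == "__main__":
    for label, snaps in (("fluxing name", SNAPSHOTS_FLUX), ("stable name", SNAPSHOTS_STABLE)):
        print(label, flux_indicators(snaps), "fast-flux:", is_fast_flux(snaps))
```

A CDN also answers with many addresses and short TTLs, so address count alone is a poor discriminator; the number of distinct netblocks (in production, distinct ASNs rather than /16s) and the turnover between consecutive answers carry most of the signal, which is why both are required above. The queries should also go to the name’s authoritative servers, or at least bypass the local cache, since a caching resolver hides the churn until its cached answer expires.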

Sources:

http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx

http://www.darkreading.com/document.asp?doc_id=132720
