
Tuesday, November 24, 2009

I’m the spam killa’


I’m happy to announce that I’m one of two “spam killers” on the Software Engineering Radio website. Spam was starting to run rampant on their site, so they asked for help and I responded. It is so simple to donate your time to a worthy cause. You too can do it; it takes just a couple of minutes per day!

PS: If you are interested in software development / design, this is definitely a podcast you should give a listen.

Picture taken from Manuel_Marin's photostream with permission.

Screenshot forensics


One of the interesting things I like to do when reading (security) blog posts is to try to deduce details about the machine setup used. You can find some very interesting tidbits of information, like Sunbelt using Symantec AV on some of their machines.

A couple of current examples:

If you want to avoid exposing such details, try the following:

  • Crop the screenshot as much as possible. This has other advantages as well (a smaller image size, which leads to quicker display, for example)
  • Remember that identification can be done in any number of ways:
    • prominent OS features (like the Mac OS X dock or the Windows start menu)
    • window “chrome” (title bar, frames, the buttons on them, their color, etc.)
    • colors and fonts
    • metadata in the image (if it was edited with Paint.NET for example, it very probably happened on a Windows machine)
  • Never use “blur” or similar effects to hide information, since they can be reversed (given that they are completely deterministic)

If you are really paranoid, you might want to consider taking the screenshot on an entirely different OS (Haiku for example :-).
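The metadata point is the one that is easiest to check mechanically before you publish. The following script is an added example (not code from the original post): it walks the chunks of a PNG, reports the standard text keywords that give away tooling or authorship (“Software”, “Author”, “Comment” and so on), and writes a copy with all text chunks removed. The PNG it inspects is constructed in memory, with a made-up “Software” tag, so the script runs offline.

```python
"""Inspect a PNG screenshot for text chunks that reveal the editing software,
then rebuild it without them.  Added example, not from the original post; the
PNG it inspects is constructed in memory below."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Standard PNG text keywords that most often leak tooling or authorship details.
LEAKY_KEYWORDS = {"Software", "Author", "Creation Time", "Source", "Comment"}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data: bytes):
    """Yield (chunk type, payload) for every chunk in a PNG byte string."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        yield ctype.decode("latin-1"), payload
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break


def text_metadata(data: bytes) -> dict:
    """Return {keyword: text} for tEXt and zTXt chunks."""
    found = {}
    for ctype, payload in png_chunks(data):
        if ctype == "tEXt":
            key, _, text = payload.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == "zTXt":
            key, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method; 0 (zlib) is the only defined one
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return found


def leaks(data: bytes) -> dict:
    """The subset of text metadata that tells a reader about your setup."""
    return {k: v for k, v in text_metadata(data).items() if k in LEAKY_KEYWORDS}


def strip_text_chunks(data: bytes) -> bytes:
    """Copy the PNG without tEXt/zTXt/iTXt chunks: the version to publish."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, payload in png_chunks(data):
        if ctype in ("tEXt", "zTXt", "iTXt"):
            continue
        out += _chunk(ctype.encode("latin-1"), payload)
    return bytes(out)


def constructed_png() -> bytes:
    """A 1x1 greyscale PNG carrying text metadata, built for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, grey
    scanline = b"\x00\x80"  # filter type 0 followed by one grey pixel
    comment = b"Comment\x00\x00" + zlib.compress(b"captured on my work laptop")
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Software\x00Paint.NET")  # constructed value
            + _chunk(b"zTXt", comment)                    # constructed value
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    png = constructed_png()
    print("leaky metadata:", leaks(png))
    print("after stripping:", leaks(strip_text_chunks(png)))
```

This only covers PNG text chunks; a JPEG screenshot carries the same kind of information in its EXIF segment, and an `eXIf` chunk can appear in newer PNGs too, so the crop-and-re-export advice above is still the simpler habit: most editors drop this metadata when you save a cropped copy in a fresh file.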

Got fun “screenshot archeology” findings? Share them in the comments!

Picture taken from DeusXFlorida's photostream with permission.

Monday, November 23, 2009

Plugging a good friend of mine (not in a sexual way! :-P)


A talented photographer with a lot of beautiful images. Check them out below or on his flickr stream. Go OPE!

Today’s fudbuster


We begin today’s FUD-buster with – applause please – cyberterrorism via an “article”: Cyberterrorism: A look into the future. The article talks about Estonia (which is the poster child for “cyber” incidents these days) and says the following (amongst other equally “high-quality” content) – emphasis added:

“The three-week cyberattack on Estonia threatened to black out the country's digital infrastructure, infiltrating the websites of the nation’s banks and political institutions”

The article cites as its source (hey, at least they cite sources) an equally “well researched” piece from the which says almost the same thing. Now I seem to remember that the Estonia incident was just a large-scale DDoS attack, so I looked around for more reliable sources, like this Dark Reading article, “Authoritatively, Who Was Behind The Estonian Attacks?” by Gadi Evron (or see this other article). This confirms what I was remembering: it was a large-scale DDoS attack with some minor defacements, but in no way were they “infiltrating the websites”.

The second (unrelated, other than the fact that it is an overstatement) quote comes from the Kaspersky blog, where we can read that:

“a vast amount of pirate software nowadays contains trojans, both for the PC and Mac”

This depends very much on your interpretation of “vast amount” (ask me how I know :-P). Of the actual pirated software shared in limited networks like college campuses, very little is infected. What are extremely likely to be malicious are the crack / keygen websites. Either they contain exploits directly or they bundle malware with the downloads. Another sneaky way, seen on P2P networks like Gnutella or eDonkey, is to run bots which respond to any search with an executable that contains the keywords in its name and is – of course – malicious. So, depending on your interpretation of “vast amount”, this doesn’t hold up.

The conclusion, as always: do your own research!

Picture taken from cooljinny's photostream with permission.

ActivTrak review


ActivTrak is an activity tracking and employee monitoring software. It currently supports the 32-bit versions of Windows 2000, XP and Vista, with 64-bit support “coming soon” (no word on support for Windows 7 as of yet). The features are the basic ones one would expect from such a product:

  • direct deployment from the management console (however this can become tedious for a large number of computers)
  • tracking active programs / windows and URLs (in case of browsers)
  • taking periodic screenshots
  • basic reporting about the data

One nice thing is the fact that it employs a “reverse connection” (i.e. the server opens up a port and the clients connect to it). This has the benefit of requiring less configuration on the clients and making them more secure (also, the server configuration part is done automatically during install). While trying it out, you can run both the viewer and the agent on the same machine (it will report it as “not running”, but the data will still be available). You can watch multiple workstations at once by tiling the screenshot windows and setting them to auto-refresh.

Two shortcomings of the program: the first is the fact that (from what I understand) the server needs to be running continuously for data collection (then again, it might be just a misunderstanding on my part, but this was the impression I got). The second shortcoming (maybe it’s not a shortcoming, but definitely something to be aware of) is the fact that you have very limited interaction with the surveyed computers: no controlling the mouse / keyboard, no file transfer. You can send messages and chat with the user. This means that the product can’t be used directly in a “support” type environment.

A final word of caution: consult a lawyer before deploying such a solution (it might be illegal depending on the circumstances!). Also, consider the impact on morale. If you have staff which needs this level of constant supervision, you might be better off looking for new employees.

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (i.e. only post positive facts).

Small Business VoIP review


I have posted reviews through ReviewMe for VoIP products before, but here is another one: Vocalocity is a provider specialized in small business VoIP. They’ve been in business since 2005 and all the reviews about them which I could find were glowing (one might suspect foul play given all the good reviews, but digging deeper, some of them mention problems and specify that the support was very good and helped them through the hiccups). Of course, if you had a negative experience with them, please share it in the comments.

Another positive aspect is that their pricing plan is prominently featured on their webpage, so you should have no problem finding it. They also pride themselves on not being resellers (“owning their own technology”) and have a nice office building:

[embedded map]

What else is there to say about them? If you are looking for a way to reduce the complexity of your phone network, take a look at them (of course, you have to consider other aspects of your business – like what level of guarantee you need that others won’t access the voicemail – the assurance you can provide in-house is always greater, at a higher cost of course).

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (i.e. only post positive facts).

Saturday, November 21, 2009

To my dear wife


If you are viewing this from the RSS feed: please visit the blog to see the embed. Many RSS readers filter out embed codes.

Tuesday, November 17, 2009

Calls to action


With the motto “better late than never” here are some calls to action:

  • Vote for your favorite podcast on the Podcast Awards website. Votes are open until November the 30th and you can vote once per day (after you vote, you get an email with a link, which you must click on to validate your vote – this is to reduce the number of “fake” votes). If you are unsure which podcast to vote for, here are some suggestions: in the “Best Video Podcast” category I would recommend Buzz Out Loud – it is a very good (informative and fun) daily tech-news podcast. In the “Business” category I would recommend Career Tools – it (together with its sister podcast Manager Tools) is a great resource. In the Technology category I would recommend FLOSS Weekly – it is a superb podcast for all people interested in free / libre / open-source software. And it would be a great gift for them for the 100th episode, which is quickly approaching. And besides – TWIT already won a couple of times :-). So go ahead my minions readers, fly like the wind and vote!
  • And here is a second poll related to Perl IDEs: What other technologies, languages, templating systems are you using besides Perl?

After you have done your deed :-D, you can relax with two fun Flash games: Little Wheel, a fun old-school point-and-click adventure game with very nice artwork (including an interesting soundtrack). Or play nine-ball. Let the lightning be with you!

Little Wheel
Billiard Blitz 3 - Nine Ball

Surprising numbers


I was reading the latest FudSec piece (Generating a False Sense of Insecurity) where I found the following statement (emphasis added):

Facebook now has 300 million users. Let’s assume that each user has at least one piece of user-generated content on their Facebook page cause, well, it’s a very user-content driven site. That means that of the 300 million home pages on Facebook that 95% (285 million) has either a malicious link or other insecure content. Conversely that means that 5% (15 million) are clean, uninfected, safe pages.

The average Facebook user has 120 friends or 281 friends, depending on which news article you might be reading. Let’s just assume for mathematical purposes that the number is somewhere in the middle, at about 200 friends per user. Let’s pretend, too, that you visit every friend’s page in a single day. Because it’s your day off, of course, you wouldn’t actually do that at work.

The mathematical likelihood that one of your 200 friends is one of the 95% that is infected is infinitesimal.

This statement seemed a little off. After all, we are selecting 200 pages out of 300 million where 275 million are infected. The chance of getting to an infected / malicious page can’t be that low, right? Wrong! The problem as stated is known in mathematics (probability theory, to be more precise) as “drawing without replacement”, and the scientific name is apparently the hypergeometric distribution. Long story short, Wikipedia pointed me to a calculator which says that – given the parameters quoted above – you have a 99.9999608980365% chance that all of your friends will be clean / non-malicious! Talk about counter-intuitive!

Conclusion? First of all, trust but verify. If you hear something which sounds “off”, try to verify the information from multiple sources. Then again, our brains don’t seem to be wired to evaluate probabilities “heuristically”, so one should always sit down and work out the exact math (there are a lot of free tools on the Internet which can help you) before making important decisions.
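Working out the exact math is easier than finding a calculator: the hypergeometric probability is just a ratio of binomial coefficients, and Python’s integers are big enough to evaluate it exactly for a population of 300 million. The script below is an added example (not from the post and not the calculator it links to); the numbers in its `main` block are the ones the quoted post states, taken here as assumptions, so you can run it and compare against the calculator’s figure yourself. It also shows the “with replacement” (binomial) shortcut next to the exact value, since for a sample that is tiny relative to the population the two agree closely.

```python
"""Exact probabilities for 'drawing without replacement' (the hypergeometric
distribution).  Added example, not from the post or the calculator it links;
the population numbers in the main block are the ones the quoted post states,
taken here as assumptions."""
from fractions import Fraction
from math import comb


def hypergeom_pmf(N: int, K: int, n: int, k: int) -> Fraction:
    """P(exactly k 'infected' pages among n visited) when n pages are drawn
    without replacement from N pages of which K are infected."""
    if not (0 <= K <= N and 0 <= n <= N):
        raise ValueError("need 0 <= K <= N and 0 <= n <= N")
    if k < 0 or k > n or k > K or n - k > N - K:
        return Fraction(0)  # impossible outcome
    # comb() works on arbitrarily large integers, so this is exact even for N = 3e8
    return Fraction(comb(K, k) * comb(N - K, n - k), comb(N, n))


def prob_all_clean(N: int, K: int, n: int) -> Fraction:
    """P(none of the n visited pages is infected)."""
    return hypergeom_pmf(N, K, n, 0)


def prob_at_least_one_infected(N: int, K: int, n: int) -> Fraction:
    """Complement of 'all clean'."""
    return 1 - prob_all_clean(N, K, n)


def with_replacement_all_clean(N: int, K: int, n: int) -> float:
    """Binomial shortcut (each visit treated as an independent draw).  For
    n << N it is close to the exact value and far cheaper to compute."""
    return (1 - K / N) ** n


if __name__ == "__main__":
    N, K, n = 300_000_000, 285_000_000, 200  # pages, infected pages, friends visited
    print("exact P(all 200 clean)     =", float(prob_all_clean(N, K, n)))
    print("exact P(>= 1 infected)     =", float(prob_at_least_one_infected(N, K, n)))
    print("binomial approximation     =", with_replacement_all_clean(N, K, n))
```

A handy sanity check when using any such calculator is to sum the probabilities of all outcomes (k from 0 to n) and confirm they add up to exactly 1; with `Fraction` that check is exact rather than “close enough”.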

Picture taken from EraPhernalia Vintage's photostream with permission.

Web Hosting Site Review Review :-p


WebHostingChoice pretends to be a hosting review site (it contains categories like “best uk web hosting”), however it only seems to be a placeholder for a couple of affiliate links to a limited number of hosts. Their WOT (Web of Trust) rating isn’t so great either. While WOT has its limits (mainly because of its “crowdsourced” nature), when it has several negative ratings, it can be a good indicator that there are problems with the given site.

So how do you find a good webhost? First of all, you should realize that (usually) you get what you pay for (i.e. “free” webhosts are rarely free). I would recommend going with a “big brand” company like GoDaddy or Rackspace. You can fairly easily find coupon codes for them (just listen to some technical podcasts) which can get you a considerable percentage (like 20%) off. Another company which seems very good is Firehost. While they are a little pricey (especially compared to the other two companies), they consider security an explicit priority, which is very important these days IMHO – if they are willing to take on people with large targets on their backs like Kevin Mitnick, they should be able to protect your business too.

Full disclosure: this is a paid review from ReviewMe. Under the terms of the understanding I was not obligated to skew my viewpoint in any way (i.e. only post positive facts).

Monday, November 09, 2009

The leaked Microsoft COFEE product


So, the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool was leaked. I took a quick look at it, and – as expected – there is nothing “magical”, “secret” or “backdoorish” about it (even though I love the picture which comes with the Gizmodo article, the text itself is complete and utter BS – COFEE isn’t a tool “that helps law enforcement grab data from password protected or encrypted sources” as the article claims).

So what is Microsoft COFEE?

  • it is a collection of information gathering tools which are either built into Windows (e.g. net, arp, ipconfig) or can be freely downloaded from the Microsoft website (e.g. pslist)
  • it contains a simple case-management software which helps users prepare a USB stick that needs to be inserted into the target computer, and manage the collected information
  • the software on the USB stick is executed either using the autorun mechanism or by manually launching it. There is no built-in functionality to bypass passwords or other protection mechanisms
  • it also contains a detailed analysis of the registry / filesystem fingerprint of each tool (this is important if the other party argues that running the tool caused modifications on the system which are pertinent to the case)

Conclusion: there is no magical pixie dust here, move along! (In fact, it is quite similar to the winenum Metasploit script.)
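The footprint analysis in the last bullet is the genuinely useful part for anyone doing live response, and it is easy to build the filesystem half of it yourself. The script below is an added example, not part of COFEE or any Microsoft tooling: it snapshots a directory tree (size and SHA-256 of every regular file), runs something, snapshots again, and reports what was added, removed or modified. The “tool” whose side effects it records is simulated with constructed writes into a temporary directory, so the example runs stand-alone.

```python
"""Snapshot a directory tree and diff two snapshots: the kind of filesystem
'fingerprint' a live-response tool should document before it is used in evidence.
Added example, not part of COFEE; it works on a temporary directory it creates."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map relative path -> (size, sha256) for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for block in iter(lambda: f.read(65536), b""):
                    h.update(block)
            state[str(p.relative_to(root))] = (p.stat().st_size, h.hexdigest())
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Paths that appeared, disappeared, or whose size/hash changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Simulate a collection tool that drops a log file and rewrites a config."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "config.ini").write_text("verbose=0\n")
        (Path(root) / "readme.txt").write_text("hello\n")
        before = snapshot(root)
        # constructed side effects of the 'tool' being fingerprinted
        (Path(root) / "collector.log").write_text("started\n")
        (Path(root) / "config.ini").write_text("verbose=1\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a real fingerprint has to cover and this sketch does not: file timestamps (access times change just by reading a file, which is why the snapshot itself should be taken from a read-only mount or a recorded baseline image), and the registry, which on Windows needs the same before/after comparison of hives. The point of documenting all of it is exactly the one the bullet above makes: being able to say precisely which changes the tool, rather than the suspect, caused.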

PS/Update: regarding the "defense" against these tools: first of all, they all seem to be user-mode tools. This means that they probably have limited capability of detecting kernel-mode rootkits. Also – from what I've seen – they are all public tools, so there is a good chance that there exists malware out there which "defends" itself against this software. Again, no magic.

Now before you conclude that this is utterly useless – if I were an IT forensicator :-p, I would prefer having this data to no data at all. It will give you some basic idea of the system (or the network, for that matter, if run on every PC) which may enable you to come back with a very precise target in mind.

Picture taken from raddaqii's photostream with permission.

What VirusTotal is not


Since its inception VirusTotal has been used by people to compare different AV products (just in case you don’t know: VirusTotal is a great free service which scans the uploaded file with – currently – 40 AV engines and reports back the results). The AV industry has objected to this practice for a couple of reasons, some more valid than others IMHO.

Today however I want to talk about the practice of saying “(only) X% of AV detect this” and then giving a VirusTotal link. Two recent examples: here and here (to be clear: I don’t have anything against the particular blogs / companies / authors – there are many more examples of this practice, these are just two recent ones which came to my attention).

Why is this percentage meaningless and serves only to perpetuate FUD?

  • As a first argument I could mention all the discussion about AV engine configuration (this is frequently raised in discussions about detection, so I won’t dissect it further). A very thoroughly discussed argument is also that VT results represent a “point in time” rather than “now” (i.e. detections might have changed since the scan).
  • The second argument would be: VirusTotal goes for quantity, not necessarily quality. I.e. the fact that a given engine is included in the list of engines used by VirusTotal isn’t a statement about the engine’s resource use, detection rate or false positive rate. Again, this doesn’t mean that the engines used are of low quality, it just means that VirusTotal isn’t in the AV engine testing business. It doesn’t say anything about the market share of the product either.
  • This means that the affirmation “X% of the engines detect a given file on VT” isn’t equivalent to the affirmation “X% of the users using AV are protected” or “AV software is X% effective”. However, these are the thoughts which appear (by association) in a reader’s mind when seeing the initial affirmation.
  • Furthermore, some engines appear in multiple products (for example GData integrates BitDefender – amongst others) while other engines appear “split” (for example the McAfee desktop product contains both the “classical” and “cloud” engine, however on VT they appear as two separate entries, “McAfee” and “McAfee+Artemis” respectively). If these relations are not considered (and I’m almost sure that they aren’t – given that these relations are not always publicly documented and they can change over time), the results come out skewed.

Conclusion: please never, ever take the VT result page and copy-paste the percentage from it! Do provide permalinks to the result pages, and you can even make some sensible general statements (like “most of the major AV vendors detect this threat” or “this threat is not well detected by the smaller, Asian AV companies, but given its reliance on the English language for social engineering, it might not be such a big threat”). However, giving a percentage reeks of FUD and smells of negative propaganda (do we really want to be at each other’s throats, analyzing which vendor doesn’t detect what? – there would be no winners in such a discussion). Let’s concentrate on giving sensible security advice to users instead.
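To make the “skewed results” argument concrete, here is an added example (not code from the post or from VirusTotal) that computes the naive “detecting entries divided by all entries” percentage next to one that first collapses related entries into engine families. The only two relations in its table are the ones named above (GData carrying BitDefender, McAfee+Artemis being McAfee’s cloud engine); the scan results themselves are constructed, and the unnamed engines are placeholders.

```python
"""Naive 'X% of engines' versus counting engine families.  Added example with
constructed scan results; the two engine relations in FAMILY are the ones the
post names, everything else is made up for illustration."""
from fractions import Fraction

# VT entry -> the engine family it actually represents.  Assumption: this table is
# illustrative only; as the post notes, such relations change and are not always documented.
FAMILY = {
    "GData": "BitDefender",       # GData integrates the BitDefender engine
    "McAfee+Artemis": "McAfee",   # McAfee's cloud engine, listed separately on VT
}


def naive_ratio(results: dict) -> Fraction:
    """What the 'X% detect it' posts compute: detecting entries / all entries."""
    return Fraction(sum(results.values()), len(results))


def family_ratio(results: dict) -> Fraction:
    """Collapse related entries; a family counts as detecting if any member does."""
    families = {}
    for engine, detected in results.items():
        fam = FAMILY.get(engine, engine)
        families[fam] = families.get(fam, False) or detected
    return Fraction(sum(families.values()), len(families))


# Constructed results for one sample (True = detected); not a real VT report.
SAMPLE_SHARED_HIT = {
    "BitDefender": True, "GData": True,
    "McAfee": True, "McAfee+Artemis": True,
    "EngineC": False, "EngineD": False,
}
# Second constructed sample: only the cloud entry of a split product detects it.
SAMPLE_CLOUD_ONLY = {
    "McAfee": False, "McAfee+Artemis": True,
    "EngineC": False, "EngineD": False,
}


if __name__ == "__main__":
    for name, sample in (("shared hit", SAMPLE_SHARED_HIT), ("cloud only", SAMPLE_CLOUD_ONLY)):
        print(f"{name}: naive {float(naive_ratio(sample)):.0%}, "
              f"by family {float(family_ratio(sample)):.0%}")
```

The two samples are chosen so that the naive figure is too high in one case and too low in the other: a shared engine counted twice inflates the percentage, while a product split into two entries deflates it. Neither figure says anything about how many users run those products, which is the post’s real point.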

Picture taken from Peter Kaminski's photostream with permission.

Monday, November 02, 2009

Grooveshark VIP member



I’ve written about Grooveshark in the past, however I want to mention them again for a couple of reasons:

First of all, they introduced a new user interface, which works great. More than that, you can now seek within the songs! This means that Grooveshark directly addresses three out of the five methods of music use which I enumerated in my original post. There are some small quirks (I don’t really like the popup-type controls, where you first have to hover over them for the useful part to appear), but those are just a matter of personal taste. They’ve also made it available as a desktop application via Adobe AIR (currently available only for VIP subscribers).

Which brings me nicely to my second point: I’ve subscribed to their VIP service. I thought that I’ve been using them for a month now and I’m satisfied, so I should give something back, aka “vote with my money”. So, as of today, I’m a Grooveshark subscriber. A couple of things I didn’t like about the subscription process: there is an additional tax of 15% on top of the advertised 3 USD monthly price. Also, the subscription payment is set as recurring by default. You can deactivate it later, but even so, it made me feel a little uneasy. Still, I decided to give them some of my money. Hopefully I won’t regret it.

As of now, I can only recommend Grooveshark to everybody! If something happens, I will update this blogpost.

PS. I’ve also removed the widget from my blog. Currently Grooveshark seems to be a much better deal than for approximately the same amount of money.

Disclaimer: I don’t receive anything from Grooveshark, I’m just a happy subscriber.