Sunbelt CWSandbox announced at InfoSec

Our new sandbox technology was officially announced this morning at the Infosec conference in New York.

Sunbelt Software today announced the availability of Sunbelt CWSandbox, a powerful tool for the automatic analysis of malware samples. The technology was originally developed by noted security expert Carsten Willems while at the University of Mannheim and is under exclusive license to Sunbelt Software.

CWSandbox provides technology providers and corporations the ability to rapidly analyze malware for a number of different purposes — security research, creation of new signatures, forensic/criminal analysis and improved threat protection. Malware samples submitted to the sandbox are executed in a controlled environment, with a comprehensive analysis provided of the malware’s execution in XML, HTML or text format.

How CWSandbox Works
Using a comprehensive automated system, CWSandbox uses unique technology to execute malware in a controlled environment for behavior analysis. The application provides fast analysis of large volumes of malware samples in a short period of time, capable of automatic collection of malware from different inputs including Nepenthes (a tool for automated collection of autonomous spreading malware), a web server/interface, or a directory.

The CWSandbox is an awesome tool for malware analysis.   Submit a piece of malware, and you’ll get a detailed report back as to what the malware is actually doing.  In addition, the sandbox will also run the malware through several different AV engines to give you a feel as to what the in-the-wild detection is.

Link here.

Try the sandbox out yourself — go to www.sunbeltsandbox.com and submit a malware sample.

Our business model for the sandbox is simple: Anyone can freely use our public sandbox for malware analysis. If commercial entities want to bring the power of the sandbox in-house, they can purchase a reasonably priced license. Entities involved in pure research (i.e. no commercial intent) can license the sandbox at no charge. More information can be had by contacting a specialist.

Alex Eckelberry

FutureSoft incorporates CounterSpy SDK

File under shameless self promotion.

FutureSoft®, Inc., the Houston-based Endpoint Security solution provider, today announced the release of their latest and most powerful version of DynaComm i:scan®. Version 6.5 of DynaComm i:scan addresses such critical endpoint security issues as distributed anti-spyware protection, USB security management, and application and desktop lockdown.

This new release builds on the centrally managed solution by incorporating new anti-spyware day-zero protection to secure critical operating systems resources that are typically targeted during the first hours of a new spyware infection. In addition to the enhanced day-zero protection, this newest release includes an anti-spyware scanning and cleaning engine licensed from award-winning security developer Sunbelt Software.

Link here.

Alex Eckelberry

New Messaging Security Practices Report

Aberdeen Group’s Information Security practice recently published a new research report “The 2006 Messaging Security Benchmark Report: Strategies for Securing Corporate Communications.” Sunbelt Software co-sponsored this research, which is now available to you at no cost.

Feel free to take a moment and download this report. It focuses on messaging security trends in today’s IT market, and finds that while 80% of companies are aware of the threat of loss of confidential data by insiders, only 43% have implemented messaging security solutions that will stop that outbound threat. Link here.

The hunt for n3td3v

n3td3v (leetspeak for “net-dev”) is a person or persons who has had a history of posting some fairly obnoxious stuff on Full Disclosure.

Dr. Neal Krawetz of Hacker Factor decided to figure out who this person (or persons) was, and has written an extensive analysis of his effort. It’s fun sleuthing, and the result is that he believes n3td3v is likely the same person(s) behind Gobbles Security, who had posted similarly obnoxious messages (along with some quite interesting exploits) on technical forums.

In three minutes, writing samples from n3td3v were collected. Two minutes later, it was determined that n3td3v was not a “he” but a “they”: at least three distinct individuals, two males (one European) and a female. Another researcher (Jim McCown) mentioned that the trolling reminded him of the postings made by Gobbles Security. Dr. Krawetz had met the primary members of Gobbles Security many years ago and knew that they consisted of three people: two males (one is Eastern European) and a female. This document shows techniques used to identify writing characteristics and concludes that the core people behind Gobbles Security are strong contenders for being the people behind n3td3v.

Link here.

Alex Eckelberry

Update: SecurityFocus has more on this here, which sheds some doubt on Krawetz’s findings, but it’s all part of the sleuthing fun.
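For readers who want to see what “identifying writing characteristics” looks like in practice, here is an added example. It is not Hacker Factor’s or Dr. Krawetz’s code and makes no claim about how he did his analysis; it just shows the generic stylometry approach: reduce each text to a vector of habits (function-word rates, punctuation, sentence length, lower-case “i”), z-score the features across the whole sample set (Burrows’ Delta style), and rank samples by distance. Every text, name and feature list below is constructed for illustration.

```python
"""Stylometric comparison of short writing samples.

Added example, not code from Hacker Factor or Dr. Krawetz. It reduces each
text to a vector of writing habits, z-scores the features across the sample
set (Burrows' Delta style) and ranks samples by distance. All texts,
sample names and word lists below are constructed for illustration."""
import math
import re

# Function words and "chat" spellings: they track habit more than topic.
FUNCTION_WORDS = ["the", "a", "and", "of", "to", "in", "that", "is", "it",
                  "for", "you", "u", "ur", "not", "this", "but", "i", "lol"]
MARKS = ["!", "?", ",", ";", "..."]

# Constructed samples: three "chat style" posts and two formal ones.
SAMPLES = {
    "gobbles_1": "u think ur so smart... i owned ur box in 5 min!!! lol. the list "
                 "is full of idiots, u know it and i know it. and thats a fact!!!",
    "gobbles_2": "i dont care what u say... ur advisory is garbage!!! u cant even "
                 "read a stack trace lol. and i am not going away, u hear me!!!",
    "n3td3v_1":  "lol u are all so clueless... i told u last week and u ignored "
                 "it!!! ur vendor is lying and i have proof, u will see. and thats "
                 "the truth!!!",
    "formal_1":  "I have reviewed the advisory in detail; the claimed vulnerability "
                 "does not reproduce on a patched system. Furthermore, the author "
                 "provides no evidence for the assertion that the vendor was notified.",
    "formal_2":  "It is worth noting that the original report omits several details; "
                 "consequently, independent verification remains difficult. I would "
                 "encourage the author to publish a proof of concept.",
}

def features(text):
    """Per-word rates that describe writing style rather than content."""
    words = re.findall(r"[a-z']+", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n = max(len(words), 1)
    f = {"fw:" + w: words.count(w) / n for w in FUNCTION_WORDS}
    f.update({"mark:" + m: text.count(m) / n for m in MARKS})
    f["avg_word_len"] = sum(len(w) for w in words) / n
    f["avg_sent_len"] = n / max(len(sentences), 1)
    f["type_token"] = len(set(words)) / n
    # Habit of writing the pronoun "i" in lower case (case-sensitive count).
    lower_i = len(re.findall(r"\bi\b", text))
    any_i = len(re.findall(r"\b[iI]\b", text))
    f["lower_i"] = lower_i / any_i if any_i else 0.0
    return f

def zscores(samples):
    """Z-score every feature across all samples so no single one dominates."""
    vecs = {name: features(t) for name, t in samples.items()}
    keys = list(next(iter(vecs.values())))
    z = {name: {} for name in vecs}
    for k in keys:
        vals = [v[k] for v in vecs.values()]
        mean = sum(vals) / len(vals)
        sd = math.sqrt(sum((x - mean) ** 2 for x in vals) / len(vals)) or 1.0
        for name, v in vecs.items():
            z[name][k] = (v[k] - mean) / sd
    return z

def delta(z, a, b):
    """Burrows' Delta: mean absolute difference of z-scored features."""
    return sum(abs(z[a][k] - z[b][k]) for k in z[a]) / len(z[a])

def rank(samples, target):
    """Other samples ordered from most to least similar to `target`."""
    z = zscores(samples)
    others = [n for n in samples if n != target]
    return sorted(others, key=lambda n: delta(z, target, n))

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: closest is {rank(SAMPLES, name)[0]}")
```

The caveat a practitioner should keep in mind: with five constructed samples and a hand-picked feature list, the ranking above proves nothing about real authorship. Real attribution needs many samples per candidate, features chosen without looking at the answer, and a control set of unrelated writers; the SecurityFocus follow-up mentioned above is a reminder of how contested such conclusions are.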

Phishing clusters


InternetPerils has an interesting animated gif that shows a “cluster” of phishers.

A phishing message arrives in your mailbox, pretending to be from a bank, or from an etailer such as eBay or Paypal. It directs you to a web page and asks you to enter your password or social security number to verify your identity, but the web page is not one actually associated with the bank; it’s on some other server.

InternetPerils has discovered that those phishing servers cluster, infesting ISPs at the same locations for weeks or months.

Here’s an example of a phishing cluster in Germany, ever-changing yet persistent for four months, according to path data collected and processed by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group (APWG) repository.

Link here.

Alex Eckelberry
(Thanks Bill)
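To make the “cluster” idea concrete, here is an added example; it is not InternetPerils’ code or data, and it uses address-prefix grouping rather than the path data InternetPerils describes. It groups reported phishing hosts by /24 network, tracks how many distinct servers and sightings each prefix accumulates, and flags prefixes that keep hosting new phishing servers over a long span, which is the “ever-changing yet persistent” pattern described above. The sighting records are constructed and use RFC 5737 documentation ranges; a real feed would be the APWG repository.

```python
"""Grouping phishing server addresses into network clusters over time.

Added example; not InternetPerils' code or data. Reported phishing hosts are
grouped by network prefix, and prefixes that keep hosting distinct phishing
servers over weeks or months are reported. RECORDS is constructed and uses
RFC 5737 documentation ranges; a real feed would be the APWG repository."""
from collections import defaultdict
from datetime import date
import ipaddress

# (date observed, phishing server IP, brand being spoofed) -- constructed
RECORDS = [
    (date(2006, 6, 3),  "192.0.2.4",    "ebay"),
    (date(2006, 6, 20), "192.0.2.77",   "paypal"),
    (date(2006, 7, 11), "192.0.2.4",    "paypal"),
    (date(2006, 8, 2),  "192.0.2.190",  "ebay"),
    (date(2006, 9, 28), "192.0.2.23",   "bank"),
    (date(2006, 6, 5),  "198.51.100.9", "ebay"),
    (date(2006, 6, 6),  "198.51.100.9", "ebay"),
    (date(2006, 9, 1),  "203.0.113.17", "bank"),
]

def cluster(records, prefix_len=24):
    """Group sightings by /prefix_len network; track hosts, brands and time span."""
    clusters = defaultdict(lambda: {"hosts": set(), "brands": set(),
                                    "first": None, "last": None, "sightings": 0})
    for seen, ip, brand in records:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        c = clusters[net]
        c["hosts"].add(ip)
        c["brands"].add(brand)
        c["sightings"] += 1
        c["first"] = seen if c["first"] is None else min(c["first"], seen)
        c["last"] = seen if c["last"] is None else max(c["last"], seen)
    return dict(clusters)

def persistent(clusters, min_days=30, min_hosts=2):
    """Prefixes that hosted >= min_hosts distinct phishing servers over >= min_days.

    Returns (network, span_in_days, distinct_hosts, sightings), longest span first.
    A single server that is reported twice in one week does not qualify; a
    prefix that keeps sprouting new servers for months does."""
    hits = []
    for net, c in clusters.items():
        span = (c["last"] - c["first"]).days
        if span >= min_days and len(c["hosts"]) >= min_hosts:
            hits.append((net, span, len(c["hosts"]), c["sightings"]))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for net, span, hosts, sightings in persistent(cluster(RECORDS)):
        print(f"{net}: {hosts} hosts, {sightings} sightings over {span} days")
```

Two practical notes. First, /24 is a crude proxy for “same ISP location”; with routing data you would key on the announcing ASN or the last common router on the path instead, which is closer to what InternetPerils does. Second, the thresholds matter: a low `min_hosts` will flag one long-lived compromised server, which is a different (and easier) takedown problem than a prefix where the phishers keep getting fresh hosts.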


Walmart gets slammed for sneaky blogging…but this is only the tip of the iceberg


(Edelman’s strategy diagram)

There are revelations coming out that mega PR firm Edelman created three “independent” blogs for WalMart (called “flogs”). The first one that was outed was “Wal-Marting Across America”, a travelogue of a couple of RVers who turned out to be paid Edelman staffers. Now, MediaPost reports that two more blogs, PaidCritics and a blog run off of Working Families for Walmart, were also manufactured.

As Mya Frazier writes in Ad Age (link here via Walmartwatch), “It’s ironic that Edelman Worldwide helped to write the Word of Mouth Marketing Association’s code of ethics, which states: ‘Honesty of identity: You never obscure your identity.’”

Oh yeah, that’s ironic. Especially coming from a PR agency.

Edelman got tricky and got caught with their hands in the cookie jar.  Will this make a difference for WalMart’s brand?  Hell no.  WalMart is virulently hated by a minority of people, tolerated by a larger group and loved by RVers and shoppers (ostensibly those who are at or below the median income line,  where every penny counts).  

But PR agencies have been playing games like this for a long, long time — with an explosion around the turn of the century. Smarmy PR types have used deceptive means to craft public opinion for as long as there has been a press, except over the last 100 years it has evolved into a fine science of sleaze. There are the obvious ones, like global warming — it’s “unproven” and “junk science” — the very words implanted through repetition in the American public originally through oil company funding of The Global Climate Coalition and now by groups such as the Competitive Enterprise Institute and Frontiers of Freedom (please, I’m not making a political statement). And then there are the not-so-obvious ones, like the drumbeat of the Committee on Public Information, which crafted US opinion on World War I; and in technology, McAfee’s predictions of worldwide apocalyptic chaos from the Michelangelo virus – an act which transformed the antivirus industry from a largely shareware model into a real business.

Covert control of public opinion has been the hallmark of 20th century PR, and it hasn’t served us well at all. It’s just that now, with the ease of transparency on the Internet, it’s much easier for them to get caught. But it’s still there and quite a part of our society. The pharmaceutical industry is built on PR (how many “syndromes” and diseases can you actually make up to sell more drugs?), as are many other industries. How many “thinktanks”, “grass-roots” organizations and “independent studies” are the work of PR agencies? Some are obvious, like Hands Off the Internet (with their silly video), which has a clearly disclosed membership roster. But most are not-so-obvious.

Question “facts” until you’ve verified them yourself, question authority and always be skeptical of anything you read in the paper or on television until you’ve checked it for validity. You’d be surprised as to how many times there’s a crafty PR person behind popular “opinions”. Our only weapon against it is our own intelligence and our willingness to go against the tide.

And read the client lists or practice specialities of the big PR agencies — Edelman, Hill and Knowlton and others.

Alex Eckelberry

Judge won’t try to force Spamhaus off the radar

On the ongoing saga of Spamhaus vs. David Linhardt, life is a bit better.

From SecuriTeam:

The proposed order is limited to only the first remedy, suspension of the domain name by The Internet Corporation for Assigned Names and Numbers (“ICANN”), the entity responsible for coordinating unique identifiers used for Internet communication, or Tucows, Inc., the registrar through which Spamhaus obtained its domain name. Neither of these outfits are parties to this case. Though more circumscribed than the preceding request, this relief is still too broad to be warranted in this case. First, there has been no indication that ICANN or Tucows are not independent entities, thus preventing a conclusion that either is acting in concert with Spamhaus to such a level that they could be brought within the ambit of Fed. R. Civ. P. 65(d). Though our ability to enforce an injunction is not necessarily coterminous with the rule, the limitations on its scope inform an exercise of our power to address contempt. See, e.g., Rockwell Graphic Systems, Inc. v. DEV Industries, Inc., 91 F.3d 914, 920 (7th Cir. 1996). Second, the suspension would cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention of this court’s order. While we will not condone or tolerate noncompliance with a valid order of this court, neither will we impose a sanction that does not correspond to the gravity of the offending conduct.

Link here.

 

Privacy guidelines for software and services

Microsoft has released a set of privacy guidelines for developers.

Failing to protect customer privacy can lead to an erosion of trust. Over the last several years, Microsoft has established extensive internal guidelines for developers that help them protect customer privacy, give them a view into customer expectations and global privacy laws, and document the hard lessons we’ve learned. These guidelines have been engrained in our development process and are now incorporated into the Security Development Lifecycle (SDL). The impact has been felt across Microsoft’s products and services.

In response to requests from customers, partners, ISVs, educators, advocates, and regulators, we created a public set of privacy guidelines for developing software products and services. These guidelines are based on our internal guidelines and our experience incorporating privacy into the development process. By documenting our principles, we hope to help anyone building products and services to meet customer expectations and deliver a more trustworthy experience.

As the threat landscape escalates, customers are feeling less able to control access to their personal information, so consumer trust is waning. As an industry, we need to set a high bar for respecting customer privacy, to help build greater trust in the Internet and e-commerce. We want to foster an open dialogue with others in the industry so we can build a common set of privacy best practices to help meet our privacy obligations and increase customer trust. We are pleased to offer our guidelines as a starting point to accelerate this effort.

Link here via BeSpacific.

Much ado about nothing

The headline is “Security rivals shut out of Microsoft meeting”. 

This meeting was under NDA, so what was actually discussed I can’t say. 

However, the not-secret part of it was that someone at Microsoft accidentally sent out the LiveMeeting presentation invites as “presenter”, which if you’ve ever used LiveMeeting, is an invitation to chaos. Realizing their error, the meeting was rescheduled for 30 minutes later, and that didn’t all come together, because the meeting had been originally set up to end at 12:30, so we were promptly all kicked off. Finally at 12:45 EDT the meeting went as planned. Those who missed this meeting will have the ability to view another later today.

While I have my disagreements with Microsoft on the PatchGuard issue, I must defend them in this instance. It was a case of a few honest mistakes made by well-intentioned people, probably working under a tremendous amount of stress. No big deal people.  Like I’ve never made a few honest mistakes in putting together a presentation?

Alex Eckelberry

Live phishing demo

Another good one from Lance James.


A phisher may also use a Trojan or other malware to watch for instances of a web browser and use the information contained in the title bar to search for various keywords referencing previously submitted data. By hooking directly into the IE Browser Helper Object, bypassing TLS/SSL encryption, malware such as berbew, mitgleider, haxdoor, and snapper will grab this post data and send it to a data collection server. The Secure Submission Transfer (SST) module of the DFP product seamlessly protects a bank’s login HTTP form data from being potentially hijacked by malware without requiring a client-side software plugin.

Link here.

Alex

Datacenter in-a-box

This is really cool.  Sun has released Project BlackBox, a “Datacenter in a box”, capable of supporting 10,000 simultaneous desktop connections all from a standard shipping container. 


I can see this being useful for all kinds of plug-and-play operations, from simple commercial uses to portable military command centers, disaster recovery or disaster assistance.

“Containerization”, using ISO-standard containers, revolutionized the cargo industry. A standard container can fit on a train, boat or truck, anywhere in the world. Using this existing and highly evolved logistics method makes a lot of sense.

Alex Eckelberry

Bad physical security

Great blog posting by Mike Jagger on a badly setup alarm system.  If you have a home or business alarm, worth reading.


The image above summarizes, for me, everything that is wrong with the security industry (click on the image for a bigger version). The installation is absolutely criminal and how any company could charge a dime for monitoring a system like this is beyond my comprehension. In the race to offer the cheapest possible alarm in order to generate a monthly monitoring fee, far too many systems have been installed like this offering a false sense of security to literally millions of Canadians, Americans and other unsuspecting victims.

There are so many things wrong here that it is hard to know where to start. Here is a short list of the 3 most important issues…

Link here via Schneier.

Alex

Why virtual keyboards for security are snake oil


Some financial institutions use “virtual keyboards” to authenticate users.

They are basically useless against today’s threats like Haxdoor. Why? Because these trojans don’t log keystrokes at all; they use form grabbing: they hook the browser (in Haxdoor’s case through a Browser Helper Object, as Lance James describes above) and copy the contents of the form as it is submitted, before TLS/SSL ever encrypts it. A virtual keyboard only changes how the characters get into the password field. The field still goes out in the same POST submission, so the form grabber sees exactly what it would have seen had you typed the password. At best a virtual keyboard defeats plain keystroke loggers and hardware key loggers, which is not the threat that matters here. Doh!

And phishing Uber-guru Lance James has done a writeup on it here.

Alex Eckelberry

 

Some more fake codec sites for ya

These are all fake codec sites, and the installers they push are bad news for your system.

IP: 85.255.118.195
vccodec(dot)com

IP: 69.50.188.109
hqcodec(dot)com

IP: 69.50.188.109
powercodec(dot)com

IP: 69.50.188.109
medcodec(dot)com

IP: 216.255.183.202
ptproject(dot)com (currently offline)

All of these sites, except for ptproject(dot)com, have installers confirmed on their sites, even if the main page is not loading.

Patrick Jordan
Sr. Researcher