It all started in Berlin when I realized what an amazing community we have. People from all over the world coming over for 3 days of sharing, networking and listening to talks (oh, and partying). I also have the great honor of calling a few of these guys friends. Friends that I know that I would be honored to help if they needed anything, and friends that I know I can “drop on” if I happen to get into a snag in their hometown. Friends that I only see in-person 2-4 times a year, but still consider them one of my closest.

I saw borders dissolve in an instant as politics, geography and history dropped in sight of a beer or a cool PoC demo on someone’s PC, and I had great conversations with people I just got to know and am sure will run into again in the future.

And then I got back home. I don’t need to mention the unfortunate events that took place a couple of days ago, and I’m not going to point fingers at anyone. Everyone had their agenda, some sides were more optimistic, some had better planning, some had better intent, but the end result is what it was. Sometimes as we say it’s better to be smart than to be right…

That was just a day before I flew over to Athens to talk at Athcon. People around me started freaking out, having the entire area feel like a barrel of gunpowder, and the media adding in some FUD to top it off. And then I recalled ph-neutral. A couple of hours later, a friendly cabbie and what looks to be a really cool con, everything is left behind. The community wins again, while politicians keep meddling with their agendas.

I just hope that more people could find such communities where borders are bridged, and religion/ethnicity/gender become irrelevant in light of a common cause/interest. I’m truly happy that I had a chance to debunk myths that I’ve had in my mind, and other people had in theirs, and really hope that this focus on a common interest could work elsewhere.
Now off to polish off my presentation for tomorrow. Stay safe out there!

Quick update [6/7/2010]: Athcon was fantastic! I’ve had a great time in Athens, had a chance to finally meet some really brilliant minds that I’ve been following for some time online, and was fortunate enough to experience the famous greek hospitality. I am reassured with my previous assumptions that all these politics are just the attempt of politicians to prove that they are worth their salaries (hint -they don’t). We just want to live our lives quietly – the only reason for some kind of army/politicians is to fend off anyone who wants to disturb this (terrorists).

Back to work now, as I need to start prepping for Miami next week…

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. ExoticLiability podcast interview
3. Upcoming Conference Schedule

I have been naming this development since it started being discussed in the back-channels, and predicted that these would be the next generation communication methods as they provide not only another layer of separation (anonymity) between the botnet manager and the controlled bots/trojans, but also a layer of scalability to the control scheme.

You can check out the last time I discussed this on my DefCon presentation slides which should be uploaded to the DefCon site soon. In the meantime here is an older presentation (at least 10 months old) where the same subject is being demonstrated (slides 31-32):
Behind the Scenes of E Crime July09

Basically, the Twitter messages are encrypted codes being sent between the command and control and the controlled bots, which is very close to the “homework” I mentioned at the end of my DefCon talk – encouraging researchers to look for “garbage” data on blogs and Web2.0 services which are actually encrypted data being passed over a public medium.

I guess that that’s one more issue to deal with when trying to deal with the growing threat of eCrime and cyberwarfare.

Related posts:

1. Two steps forward, one step back – controling botnets…
2. DefCon 17 talk video available!
3. Twitter spam – Spitter? Tpam?

When you finally think that a social network platform would get immune from the perils of spam and malicious content, it’s funny to see how spammers – especially on the adult content side have been using Twitter to peddle their stuff… Instead of Tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay respects with a full blog post.

So here are my 2 new followers (the one mentioned on my older tweet has fled – probably didn’t get what they signed up for ), I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content (unless you consider NSFW dangerous – no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…) pushing malweb through Twitter has been going on for a while, a funny example below shows the usage of the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

Obviously all the keywords at the time this was published were on the trending top list…

Related posts:

1. Malicious ads circa 2007
2. Two steps forward, one step back – controling botnets…
3. Mapping and Security Research

I’ve just finished reading a great little note from Brian Krebs on the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Tweeter, and the impersonator who hijacked him was twittering some rants and raves that actually close to this person’s professional life.

This makes you think again of what we have been discussing in the annual threat report on social networking threats getting real. Once again, our recommendation is – get your online identity straightened out. Make sure you are aware of who you are online, own your identity online – even if that means registering to the major social networks just to “plant your flag” as Brian so eloquently put it (as long as you point the flag to the social networking identity you actually use…).

Check out the original article by Brian here, and our annual report here [PDF].

Related posts:

1. The oracle strikes again – “Browser OS” threats start to appear
2. Blocking Facebook? Not popular, and not effective
3. Social networking threats – the “hacker” story

It’s that time of the year again… March madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we would be seeing in the coming months. Just as we have portrayed before, eCrime is a social animal just as well, and is not going to let the action go by without having a chance to have a go at the crowd.

As usual – it’s the same technique all over again – using SEO (Search Engine Optimization) to grab high ranking in search results and leading users clicking on the related links to a variety of malicious content. We have see similar techniques used during the US presidential election season covered quite elaborately in the past, and don’t be surprised to see more of the same hitting the next seasonal event as long as it can attract enough “eyeballs” on search engines.

Related posts:

1. Christmas shopping online – make sure you get what you PAY for
2. Social networking strikes again
3. Optimizing Cross Site Scripting – and general security practices

Moving on from the social networking issues we outlined in the past couple of weeks, after following the predictions, and their materialization (here, here, here in the announcement of Gmail offline, here, and here), we can already see the “Browser OS”, as we dubbed it in our annual threat and predictions report, begin to materialize as well.

As per a recent Register article, threats related to Google Gears™ have started to appear – taking advantage of the extended capabilities granted to the browser – just like we predicted in our report. We named Google’s Gears, Adobe’s Air and Microsoft’s Silverlight as the prominent technologies that would be the enabler for the “Browser OS” and would be scrutinized for their security implications.

As always, we are not here to say “nay” to every new technology – just the opposite these technologies are the future, and they enable businesses and individuals alike to be more productive and have a better web experience. The only claim here is that more focus should be put on measures that take these technologies into account when implying to provide internet and web security, and enough forward looking vision to execute on it.

Related posts:

1. Gear up – predictions for 2009 has begun to materialize
2. More on the browser OS – from Microsoft Research
3. It’s a browser! It’s an Operating System! It’s… brOSer?!

As the social networking threats angle is picking up a lot of traction lately <pat_on_own_back>,  the folks at Netragard have posted a great write-up on using social networks as an attack tool – involving both social engineering as well as technical exploits. The post can be found here, and I just want to quote a couple of sections that I feel very strongly about:

“The social reconnaissance enabled us to identify 1402 employees 906 of which used facebook. We didn’t read all 906 profiles but we did read around 200 which gave us sufficient information to create a fake employee profile” … “After the payload was created and tested we started the process of building an easy to trust facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching google images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.”

Needless to say that the newly created fake profile, which could just as well have been hijacked, went a long way in terms of enabling the attackers (who were commissioned to perform a penetration test this time) to gain access to internal company resources quite easily.

Related posts:

1. Social networking strikes again
2. The oracle strikes again – “Browser OS” threats start to appear
3. Social aspects of web security – the March edition

OK, so we know that social networking sites have their issues and threats associated with them, we’ll be the first to admit it. But on the same note, we also know that just blocking/censoring them (pick the more politically correct term) is not working either. This is in light of the Maryland general assembly’s decision to block Facebook and MySpace from their computers.

It’s a lose-lose situation. You lose the added value of using social networking to leverage business, you lose the “popular” vote when your employees expect access to such sites, and you lose on the security front as simply blocking certain sites is not effective.

The solution as we see it here is to enable access to social networking sites, while stripping out any malicious content that may end up there, and control what functionality is permitted while browsing social networking sites.

Related posts:

1. Blocking legitimate sites in real-time
2. Who owns your online identity? Facebook squatters on the rise
3. The oracle strikes again – “Browser OS” threats start to appear

As we have been predicting (and following during 2008), the criminal’s mind is very much attuned to public mind. The current issues that everyone (well, at least a lot of us) has been dealing with are the current economical situation, and what president Obama is going to do about it. Without fail, eCriminals have been worried about the same issues, and in their latest “marketing” efforts have made sure that relevant internet sites will cater for themselves as well. Reports by Websense and Sophos show how both the official Barack Obama website, and a couple of popular job sites have been compromised in an attempt to capitalize on the volume of traffic that has been hitting these sites.

As usual, no much surprise here (read more details about the “almanac” of web security here), still, be careful out there – even on sites which you supposedly trust. Common sense usually trumps the irresistible urge to click and approve everything shown to you when trying to get to some content.

Related posts:

1. Obama Leads in US Presidential Election Poll – the eCrime Way
2. Social aspects of web security – the March edition
3. The oracle strikes again – “Browser OS” threats start to appear

A lot of write-ups have been covering this, so here are a few from InformationWeek, Dancho, SCMagazine and McAfee.

Besides saying the ever satisfying “told you so”, nothing much to add here. More bogus profiles enticing users to connect to them, look at the content, and catch the same old nastiness – only packaged in another format. Just remember that social networks, just like in real life, can be a great playground for eCriminals – this is just the tip of the iceberg. What would have happened if you were to see the profile of a person you actually know on LinkedIn (or any other network for that matter), and click on a link from it that is actually malicious? That would be much more effective, and not that far-fetched wouldn’t it?

Related posts:

1. Social networking threats – the “hacker” story
2. The oracle strikes again – “Browser OS” threats start to appear
3. Are you LinkedIn/Facebooked/Twittered/Beboed/Viadeoed/etc?