Saturday, November 21, 2009
"New Moon" Movie Now Playing on Torrent Sites
It's "medicenter": "mediacenter" minus the letter "a". Good job guys, but it's an old trick that only works on kids and on those who don't practice safe Internet use in the first place.
I found out about this from a friend who IM'ed me that I need to fix his laptop again because he caught a nasty virus or something for the Nth time this month. He told me the last thing he did was simply open an .avi movie file that redirected him to Microsoft's website, and that's when things started to act funky.
The problem is that this guy never listens. He downloads a lot. He refuses to pay for music and movies. Downloading illegal copies of media is hurting the industry. And nothing is free in this world: download a free new movie, get a free evil payload (virus, adware, scareware, etc.).
So I inspected his laptop and immediately browsed to the New Moon movie folder. Everything looked legit; you could even do a quick scan of the .AVI file using Microsoft Security Essentials and no alerts came up.
So off I went and opened the movie, and as expected my browser popped open and got directed to www.microsoftmedicenter.com.
However, what I got was a Bandwidth Exceeded error. Hopefully someone DDoS'ed his website for good, or it got taken down already, or this guy is indeed maxing out the allotted bandwidth for his website because his clever trick is working.
Bandwidth Limit Exceeded The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.
Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_python/3.3.1 Python/2.4.3 mod_bwlimited/1.4 PHP/5.2.6 Server at microsoftmedicenter.com Port 80
So I did my part as a good Netizen of this world and decided to explore and learn more about this poorly-spelled website. First stop is a back trace to see where this guy is hosted:
Wow, Amsterdam, land of the free, if it is indeed hosted in that country. Let's try a whois test:
http://whois.domaintools.com/microsoftmedicenter.com
Here's what we know about microsoftmedicenter.com:
* "James Gonzaga" owns about 13 other domains
* is a contact on the whois record of 3 domains
* 1 registrar has maintained records for this domain since 2009-05-14
* This domain has changed name servers 3 times over 0 years.
* Hosted on 4 IP addresses over 0 years.
* 49 ownership records archived since 2009-05-16.
* 193 other web sites are hosted on this server.
Registrant:
James Gonzaga
Roxas Boulevard
Manila, NCR 2000
Philippines
Domain Name: MICROSOFTMEDICENTER.COM
Created on: 14-May-09
Expires on: 14-May-10
Last Updated on: 27-Oct-09
Administrative Contact:
Gonzaga, James
Roxas Boulevard
Manila, NCR 2000
Philippines
+63.9194341212 Fax --
Technical Contact:
Gonzaga, James
Roxas Boulevard
Manila, NCR 2000
Philippines
+63.9194341212 Fax --
Domain servers in listed order:
NS1.WATCHUNDERGRADS.COM
NS2.WATCHUNDERGRADS.COM
And the plot thickens! Domain name registered to a fellow Filipino residing in Manila? Who knows. Unless domain name registration requires a high level of authentication and presentation of credentials, I doubt there is even a James Gonzaga along Roxas Boulevard in Manila. I am going to try that listed Philippine number some other time; who knows, maybe there is a real James Gonzaga prowling the streets of Manila.
If someone picks up, I will ask "Is this James? Can I pay in $$$ and distribute some of my stuff on your website and be part of my worldwide BOT NET operation?"
Evil grin. That's how easily bad guys do business with smart kids from developing countries. All they need to do is mention the words US Dollars.
Next stop: let's NMAP this baby. I don't care if he backtracks my trace; I make sure I cover my tracks:
Hmm, a couple of filtered, interesting ports. Maybe next time.
Stay tuned.
Friday, October 16, 2009
Thawte dumps free personal E-mail Certificates
Click here to receive answers to questions you may have with regard to enrolment for and installation of your free VeriSign Digital ID class 1: https://search.thawte.com/
For answers to further questions you may have about the discontinuation of this service and the impact to your existing certificates please refer to the following FAQ: https://search.thawte.com/ (we will keep this FAQ updated with responses to common questions)
We hope we can keep you in the Thawte family as customers of our SSL and code signing products. Thank you for your support of Thawte Personal E-mail Certificates and Web of Trust over the years.
Kind regards, Thawte Technical Support
E-Mail: personalcert@thawte.com
FAQ: Click here for FAQ
If you would like to take advantage of our free SSL and code signing offer, please forward this email to our sales department using the details listed below:
North American Sales Tel: +1 888 484 2983 E-Mail: us-sales@thawte.com Online Chat: Click Here to Chat
International Sales Tel: +27 21 937 8902 E-Mail: int-sales@thawte.com Online Chat: Click Here to Chat
Tuesday, October 13, 2009
October 13, 12 Updates for my Vista box, 1 Goal: Security
I would like to thank Dungeons & Dragons Online MMORPG for giving me a reason to play around with my Lenovo SL300 again and at the same time discover the multiple security updates for Vista released today by Microsoft.
This laptop has been sitting around gathering dust for a while, simply because I hated the bundled Windows Vista Ultimate SP2 OS. I would consider it a moderate gaming laptop, with a dedicated Nvidia 128 MB graphics chip. I rarely open this laptop, save for occasions where I need to do cross-Windows-platform compatibility and User Acceptance Testing (UAT) of our proprietary VoIP application.
Another reason I boot it up is just to keep the Avira Free Anti-Virus and Spybot S&D definitions updated. And of course, checking for Windows Updates is critical and has always been a routine for me every time I boot up my Windows systems, or any Windows system I play around with, regardless of whether it is set to acquire Automatic Updates.
Today, October 13, after getting tired of completing Rank 2 Quests for my female Monk character (yes, shame on me, my DDO account is VIP) I decided to log out of my alternate universe, head back to the real world and work on my Security+ reviewers and SANS Institute Reading Room materials.
Jumping from one security website to another is a good alternative method to review. Sometimes staring at and reading a 1000-page book will bore you one way or another, and you will want something more interactive.
Threatpost also scales well on my Blackberry 8330's screen, as does this humble blog of yours truly. Please go and try it. I find it very convenient to just pop out my smartphone and read along every time I ride BART to work. It keeps me updated on current IT security news. It's like Slashdot but only with security-related topics.
Back to my Vista Ultimate SP2 box and its merry 12 updates from Microsoft in a single day; here's a screenshot of the list:
Just by looking at these KB numbers I am already getting a headache :-) Head to Microsoft's Security Bulletin website to find out what each Knowledge Base (KB) article is all about:
http://www.microsoft.com/technet/security/current.aspx
You may want to try Microsoft's Baseline Security Analyzer on a couple of your Vista boxes, just to make sure your Vista boxes, your brother's, your sister's, even your friends' friends' Vista boxes are updated and safe.
Vista's troubles go beyond the SMBv2 exploit (MS09-050) nowadays; it has become a haven of choice for wannabe hackers and script kiddies.
Play safe kids.
Ron
Wednesday, October 7, 2009
Poor City Planning and your Disaster Recovery Plans
Monday, September 21, 2009
PDF Reader Risk Mitigation and Herd Mentality in IT Security Best Practice
This trend is an attempt to accomplish Risk Avoidance. Risk Avoidance is a Risk Management Method wherein you terminate the activity that is introducing the risk. In short, no need to implement and keep track of your Risk Mitigation process since there is nothing to keep track of in the first place. No Adobe PDF Reader, no risk. And why worry about Adobe PDF Reader Zero-Day exploits when you can use another PDF reader that is not affected by such vulnerabilities? Ok, that sounds logical and you may have a point Mr. IT Admin Sir, but please listen.
Enter Foxit PDF reader, the leading candidate and alternative for Adobe's dominant PDF Reader. However, converting your entire company to Foxit PDF reader does not guarantee 100% Risk Avoidance. The Top 2 misconceptions about Foxit PDF Reader are the following:
1. Foxit PDF Reader does not have Javascript (Who needs Javascript on a document reader anyways?!)
>False. Foxit PDF Reader (the most recent version at the time of this writing is 3.1.1.0901) also has JavaScript, and as a matter of fact it is also enabled by default on first installation. So go ahead and disable that damn JavaScript by going to Tools > Preferences > JavaScript and removing the check mark.
2. Foxit PDF Reader doesn't have exploits and vulnerabilities like Adobe PDF Reader.
>False. Although Adobe PDF Reader leads in scoring when it comes to exploits and vulnerabilities (something like 10 exploits for Adobe PDF Reader versus 2 for Foxit PDF Reader), Foxit has its own share of bad apples. From a Buffer Overflow exploit to a Remote Denial of Service exploit, yes, Foxit is also prone to PDF-related exploits and vulnerabilities.
It won't take long for malware authors and security researchers to create new and more exploits targeting alternative PDF readers such as Foxit PDF Reader. The same rule applies when dumping Adobe PDF Reader in favor of another: patch your applications and systems on a regular basis and keep tabs on Zero-Day exploits. Enforce your company's or organization's Policies, Standards, Baselines, Guidelines and Procedures to the full extent, but not to the point that you lose your sanity in the process and your co-workers start tagging you as a control freak.
I find random, on-the-spot, casual-conversation Security Awareness Training the best tactic one can employ inside the workplace. So every morning, while lining up for coffee in the pantry room, go ahead and break some "cool" and "leet" IT security news to your fellow workers; they will enjoy it as long as you tell the story the way movies tell them. Avoid jargon and acronyms please, and make it exciting. Think Quentin Tarantino directing a hacker movie.
Bruce Schneier made an excellent point in his speech "The Future of the Security Industry: IT is Rapidly Becoming a Commodity" at a recent OWASP meet. Bruce mentioned that the trend nowadays in IT security is slowly turning into a somewhat herd mentality: they are doing it, so let's do it, that kind of thing. Even the current Best Practices recommended by the community are suffering from this herd-mentality syndrome. I somewhat agree with this notion, since everywhere I go and every material I read describes a Best Practice guide which doesn't always apply to everyone.
We need to treat each system, no matter how closely it resembles other systems, as a unique system with a different set of variables and behavior. So please, stop treating those Best Practice Guides as your bible and study how your network behaves.
Cheers!
Ron
Sources:
1. "Handling Risk" Page 107, Chapter 3: Information Security and Risk Management, All-in-One CISSP Exam Guide 4th Edition by Shon Harris, CISSP, MCSE
2. Bruce Schneier: The Future of the Security Industry: IT is Rapidly Becoming a Commodity, http://vimeo.com/groups/owaspmsp/videos/6495257
3. Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/Main_Page
4. http://www.schneier.com/
Sunday, September 13, 2009
Steganography meets VoIP in hacker world
An excellent way to hide messages or malicious payloads, making use of the unused UDP-RTP bits on a voice stream. I bet I can see the malformed or modified part of the RTP stream on Wireshark! Back to the lab for some tests!
Complete details on the link below.
Steganography meets VoIP in hacker world
Have fun inserting stuff on those unused bits!
Ron
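The RTP trick described above hides data in header bits a plain voice stream leaves unused, which is also what gives it away. As an added example (not part of the original post or the linked article), here is a small defender-side check in Python that parses RTP fixed headers from constructed sample packets and flags fields a normal G.711 stream keeps constant; the payload type 0, the 160-byte frame and the timestamp step of 160 are assumptions for PCMU at 20 ms packetization.

```python
import struct

RTP_HDR = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def build_rtp(seq, ts, ssrc=0x1234ABCD, pt=0, padding=0, extension=0,
              marker=0, csrcs=(), payload=b"\xff" * 160):
    """Build a constructed RTP packet (sample input, not captured traffic)."""
    b0 = (2 << 6) | (padding << 5) | (extension << 4) | (len(csrcs) & 0x0F)
    b1 = (marker << 7) | (pt & 0x7F)
    csrc_list = b"".join(struct.pack("!I", c) for c in csrcs)
    return RTP_HDR.pack(b0, b1, seq, ts, ssrc) + csrc_list + payload


def parse_rtp(pkt):
    """Split the fixed header (plus any CSRC list) from the payload."""
    if len(pkt) < RTP_HDR.size:
        raise ValueError("packet shorter than an RTP fixed header")
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack(pkt[:RTP_HDR.size])
    cc = b0 & 0x0F
    hdr_len = RTP_HDR.size + 4 * cc  # each CSRC identifier is 32 bits
    return {"version": b0 >> 6, "padding": (b0 >> 5) & 1,
            "extension": (b0 >> 4) & 1, "cc": cc,
            "marker": b1 >> 7, "pt": b1 & 0x7F,
            "seq": seq, "ts": ts, "ssrc": ssrc, "payload": pkt[hdr_len:]}


def packet_anomalies(pkt, expected_pt=0, frame_len=160):
    """Header bits a plain PCMU voice stream leaves unused; any set is worth a look."""
    h = parse_rtp(pkt)
    reasons = []
    if h["version"] != 2:
        reasons.append("version is not 2")
    if h["padding"]:
        reasons.append("padding bit set on a fixed-size codec stream")
    if h["extension"]:
        reasons.append("header extension bit set")
    if h["cc"]:
        reasons.append("CSRC count nonzero with no mixer in the call path")
    if h["pt"] != expected_pt:
        reasons.append("payload type differs from the negotiated codec")
    if len(h["payload"]) != frame_len:
        reasons.append("payload length differs from the codec frame size")
    return reasons


def stream_anomalies(pkts, ts_step=160):
    """Across consecutive packets, seq must step by 1 and the timestamp by ts_step."""
    hdrs = [parse_rtp(p) for p in pkts]
    reasons = []
    for prev, cur in zip(hdrs, hdrs[1:]):
        if cur["ssrc"] != prev["ssrc"]:
            reasons.append(f"SSRC changed mid-stream at seq {cur['seq']}")
        seq_delta = (cur["seq"] - prev["seq"]) & 0xFFFF        # 16-bit wrap
        ts_delta = (cur["ts"] - prev["ts"]) & 0xFFFFFFFF       # 32-bit wrap
        if seq_delta != 1:
            reasons.append(f"sequence jump of {seq_delta} before seq {cur['seq']}")
        if ts_delta != seq_delta * ts_step:
            reasons.append(f"timestamp delta {ts_delta} at seq {cur['seq']}")
    return reasons


if __name__ == "__main__":
    clean = [build_rtp(seq=i, ts=160 * i) for i in range(1, 4)]
    odd = build_rtp(seq=4, ts=640, padding=1, csrcs=(0xAA, 0xBB))
    print(packet_anomalies(odd))
    print(stream_anomalies(clean + [odd]))
```

Feeding real traffic through this means pulling the UDP payloads of one SSRC out of a capture; the checks themselves are the same.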
Wednesday, September 9, 2009
"Daemon" by Daniel Suarez.
This novel is awesome. All the enumeration, sniffing and penetration methods and tools used in the story are real and up-to-date. A computer game software genius dies and leaves behind the best AI ever created and a kick-ass "daemon" process to automate things. How do you fight evil packets? Go figure out how the rest of the story unfolds.
So for a change, get out of your chair, away from your computer monitor, and pick up the book from the nearest bookstore. I am currently enjoying the Audio Book version for my second reading of the book, and drooling at the thought of having my hardcover copy signed by the author.
http://thedaemon.com/
Below is a brief E-mail exchange with the genius behind the book, Daniel Suarez:
Excellent novel Daniel, looking forward to Freedom (TM).
One question though, regarding this line from the novel:
"So far, Gragg had a cache of nearly two thousand high-net-worth identities to sell on the global market, and the Brazilians and Filipinos were snapping up everything he offered."
Does this mean that based on your research (and statistics), most of these bad guys lurking around IRC channels are either from Brazil or the Philippines?
I am a Filipino residing here in the Bay Area and I am into VoIP Security, and overall IP-based Systems Security as well.
All the best,
Ron
+++
Hi Ronald,
Thanks for the kind note. I'm glad you enjoyed Daemon.
When I wrote Daemon back in 2004, Brazil and the Philippines were big centers for identity theft; however, much of that has since moved to other countries. With the rise of botnets, though, it's increasingly difficult to tell where exploits and penetrations originate (with zombies serving as proxies...).
Best,
D.S.
+++
Daniel,
Agreed, 2004, those were the days. Now the Philippines is into hosting Call Centers (and exploiting them) and Brazil is into US-Satellite tapping, lol.
Do you mind if I post your reply to my blog? (http://packetboyperseus.blogspot.com) I am planning to put up a simple personal review so my network of friends can see it and eventually pick it up from the nearest bookstore. I am sure they will love it as well.
All the best,
Ron
Hi Ronald,
My main point is that the future of cyber warfare is going to be driven by botnets and distributed attacks originating from small groups of individuals (not nations).
I don't want to sound like I'm 'blaming' that on Russians, Brazilians, or Filipinos. The root cause of our IT security problem is the inherently open architecture of global networks and the monoculture that is modern software.
There are now cyber criminals and cyber warfare units all around the world, and solving the infrastructural issues is more important than playing international whack-a-mole with would-be perpetrators--no matter what country they hail from.
Best,
D.S.
+++
Saturday, September 5, 2009
Tracing packet drops in Florida and sniffing traffic from 35K feet
After a couple of minutes of tracing unlabeled RJ45 cables and network devices in general, I was able to trace the root cause. The bottleneck originates from a commercial firewall installed on their network. I am not going to identify the brand and model, but it's one of those firewalls not meant to handle a tremendous amount of traffic. In short, it's a small-office/home-office firewall/router. Their facility generates around 12 to 20 Mbps of outbound traffic on a daily basis.
This firewall goes gaga when hit by too much traffic; it simply drops all concurrent connections and resets, as evidenced by the firewall and router logs. Good thing their Network Admin made the right choice and decided to get hold of a Cisco ASA 5505 Security Appliance to replace their current firewall. The problem is this guy does not know how to configure the ASA and needs to outsource the configuration and installation, so the ASA has to wait while the problem persists on their converged network.
To add salt to the wound, they are using old-school workstations running Celeron 2.0 GHz processors with a measly 256 MB of SDRAM. Understand that these workstations handle a softphone-based VoIP client, a web-based CRM, an Instant Messaging client, and Agent productivity apps. I say good luck with that. As suspected, Agents usually encounter the white screen of death where everything halts and freezes, and hitting the Reset button is their usual routine.
Add the workstation hardware issues and the misconfiguration on the network and you get a very painful and regretful VoIP experience.
Knowing how painful this experience is for their Agents, what I did was strip down Windows XP Pro to the bare minimum to free up additional memory and overall system resources. What I mean by a stripped-down version is disabling all local Services that are not needed, adjusting the workstation for Best Performance, disabling tons of startup and running applications via msconfig, and finally, locking down the Agent login to Limited Rights so they can't install those nasty shopping IE add-on toolbars, lol. Things you must do when no Domain Controller is present on a large network.
On my way back home to the Bay Area, I had some fun on-flight thanks to Gogo In-flight Internet without actually signing up for their service.
Thanks to Wireshark, ZenMAP GUI, and my laptop's Intel(R) Wireless WiFi Link 5100 card I was able to take a glimpse of the WiFi activity on-board the plane.
Intense Scan plus UDP output on NMAP:
nmap -sS -sU -T4 -A -v -PE -PA21,23,80,3389 172.19.131.2
Wireshark Capture Screenshot:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-03 16:40 Pacific Daylight Time
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 16:40
Scanning 172.19.131.2 [1 port]
Completed ARP Ping Scan at 16:40, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:40
Completed Parallel DNS resolution of 1 host. at 16:40, 11.39s elapsed
Initiating SYN Stealth Scan at 16:40
Scanning 172.19.131.2 [1000 ports]
Discovered open port 80/tcp on 172.19.131.2
Completed SYN Stealth Scan at 16:40, 5.05s elapsed (1000 total ports)
Initiating UDP Scan at 16:40
Scanning 172.19.131.2 [1000 ports]
Completed UDP Scan at 16:40, 4.26s elapsed (1000 total ports)
Initiating Service scan at 16:40
Scanning 1001 services on 172.19.131.2
Service scan Timing: About 0.40% done
Service scan Timing: About 1.50% done; ETC: 18:43 (2:00:31 remaining)
Service scan Timing: About 3.00% done; ETC: 18:13 (1:29:33 remaining)
Service scan Timing: About 4.50% done; ETC: 18:02 (1:18:15 remaining)
Service scan Timing: About 5.99% done; ETC: 17:57 (1:12:09 remaining)
Service scan Timing: About 7.49% done; ETC: 17:54 (1:08:07 remaining)
Service scan Timing: About 10.39% done; ETC: 17:43 (0:56:12 remaining)
Service scan Timing: About 10.49% done; ETC: 17:50 (1:02:43 remaining)
Service scan Timing: About 13.39% done; ETC: 17:43 (0:54:02 remaining)
Service scan Timing: About 13.49% done; ETC: 17:48 (0:58:55 remaining)
Service scan Timing: About 16.38% done; ETC: 17:43 (0:52:03 remaining)
Service scan Timing: About 16.48% done; ETC: 17:47 (0:55:49 remaining)
Service scan Timing: About 19.38% done; ETC: 17:42 (0:50:03 remaining)
Service scan Timing: About 19.48% done; ETC: 17:46 (0:53:11 remaining)
Service scan Timing: About 22.38% done; ETC: 17:42 (0:48:06 remaining)
Service scan Timing: About 28.37% done; ETC: 17:42 (0:44:16 remaining)
Service scan Timing: About 34.37% done; ETC: 17:42 (0:40:29 remaining)
Service scan Timing: About 40.36% done; ETC: 17:42 (0:36:45 remaining)
Service scan Timing: About 46.35% done; ETC: 17:42 (0:33:01 remaining)
Service scan Timing: About 52.35% done; ETC: 17:42 (0:29:19 remaining)
Service scan Timing: About 58.34% done; ETC: 17:42 (0:25:37 remaining)
Service scan Timing: About 64.34% done; ETC: 17:42 (0:21:55 remaining)
Service scan Timing: About 70.33% done; ETC: 17:42 (0:18:13 remaining)
Service scan Timing: About 76.32% done; ETC: 17:42 (0:14:32 remaining)
Service scan Timing: About 82.32% done; ETC: 17:42 (0:10:51 remaining)
Service scan Timing: About 88.31% done; ETC: 17:42 (0:07:10 remaining)
Service scan Timing: About 94.31% done; ETC: 17:42 (0:03:30 remaining)
Service scan Timing: About 98.90% done; ETC: 17:43 (0:00:41 remaining)
Completed Service scan at 17:42, 3688.53s elapsed (1001 services on 1 host)
Initiating OS detection (try #1) against 172.19.131.2
NSE: Script scanning 172.19.131.2.
NSE: Starting runlevel 1 scan
Initiating NSE at 17:42
Completed NSE at 17:43, 36.19s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 17:43
Completed NSE at 17:43, 5.02s elapsed
NSE: Script Scanning completed.
Host 172.19.131.2 is up (0.0014s latency).
Interesting ports on 172.19.131.2:
Not shown: 1000 open|filtered ports, 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
| html-title: Site doesn't have a title.
|_ Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=172.19.131.153&PORT=54273&RPORT=54272&acpu_redirect=true
MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.27, Linux 2.6.26
Uptime guess: 0.405 days (since Thu Sep 03 07:59:45 2009)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_ nbstat: ERROR: Name query failed: TIMEOUT
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3757.66 seconds
Raw packets sent: 4045 (148.498KB) | Rcvd: 31 (1502B)
Noteworthy discovered Protocols and Services gathered from the Wireshark .pcap capture:
- Cisco IP-SLA
- TACACS and XTACACS
- BOOTP
- TFTP
- CLDAP (Connectionless Lightweight Directory Access Protocol)
- Cisco Wireless LAN Context Control Protocol
- Mobile IP Protocol (RFC 3344)
- RIP (Routing Information Protocol)
- OpenVPN
- OCSP (Online Certificate Status Protocol)
- Slimp3 Communication Protocol (Device ID: 101) (Firmware Revision: 6:12 (0x6c))
- Base Station Subsystem GPRS Protocol (BSSGP)
- CFLOW (Cisco NetFlow/IPFIX)
- CUPS (Common Unix Printing System)
- GPRS Tunneling Protocol (GTP)
- H.225.0 RAS
Discovered Network Device Signatures/MAC OUI's:
- JUMP INDUSTRIELLE COMPUTERTECHNIK GmbH (00:e0:4b)
- Hon Hai Precision Ind. Co., Ltd. (00:22:69)
You can easily Google those two identified manufacturers and you will have an idea what type of devices they produce.
As always, hit me up on E-mail if you want a copy of the complete .pcap capture and I will be glad to send you a copy, for research and analysis of course. Let me know if you guys need additional information as well about my recent 35K feet packet-sniffing adventure.
On my next flight, I am bringing an external USB antenna with packet-injection capability :-) attached to my future 1000HE netbook.
Happy packet-sniffing everyone and try not to break any law in the process!
Ron
Friday, August 28, 2009
Source Codes for a Skype Eavesdropper Trojan Released for Public Viewing
Skype trojan sourcecode available for download.
Aug 25th, 2009 by carrumba
As announced some weeks ago the Skype trojan sourcecode will be available for download. You find the source packages in the Tools & sources section if you are the impatient type.
The code is simple and straightforward. You have to know malware development is no rocket science, and if you expect big magic you are at the wrong place. The backdoor receives instructions from the dropzone and transfers audio files. The Skype-Tap intercepts the Skype function calls, extracts and dumps audio data to files, converts it to the mp3 format and encrypts it.
The code is not 100% complete. I removed the plugin system in the backdoor and also the firewall bypassing system is not there anymore. I will publish both of them in separate tools later. If you don't like this ... well, I can't help you. That's how it is. Take it or leave it.
As always I am open for your opinions and criticism.
Complete article and technical details from Megapanzer's website: http://www.megapanzer.com/
Monday, August 24, 2009
The day my box almost got 0wn3d by Chinese boxes
Last month, I moved to a new apartment and decided to hook up high-speed Cable Internet from Comcast (as openly documented on this very same blog) as my primary connection to the world wide weird. This was July 15 and I was working from home that day.
With no router or switch at hand yet, my Sony Vaio VGN-BZ560 laptop was connected directly to Comcast's modem, getting a dynamic public IP address. Something exciting happened right in front of my eyes as my Symantec Endpoint Protection software started displaying notification windows stating a couple of Intrusion Prevention events. I immediately accessed the Client Management Logs - Security Log feature of Symantec Endpoint Protection and here's what I found:
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
Traffic from IP address 58.51.89.122 is blocked from 7/15/2009 1:33:12 PM to 7/15/2009 1:43:12 PM.
Active Response that started at 07/15/2009 13:33:12 is disengaged. The traffic from IP address 58.51.89.122 was blocked for 600 second(s).
I immediately launched Wireshark to capture on the network interface, then went inside Symantec Endpoint Protection's Client Management - Security Logs, and it turns out the attacks had started at 5 AM PST that morning!
Here are the logs of the first attempt:
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
Traffic from IP address 218.23.37.51 is blocked from 7/15/2009 5:48:38 AM to 7/15/2009 5:58:38 AM.
The logical thing for me to do is to trace where these IP addresses are coming from. So I made a few back traces using my VisualRoute Tool and surprise! Surprise! Yes, the IP addresses are all from China.
The source IPs are all from China, if the back trace is reporting correctly and these attackers are not using some mechanism to hide their real location; or they could just be a bunch of compromised boxes or botnets serving their master somewhere here in the States. But my gut keeps telling me that these are really coming from China.
My Sony Vaio laptop is running Windows XP SP3. Installed is Microsoft Office 2007, with Microsoft SQL Server 2005 pre-installed, which is the entry point for this attack based on the Symantec Endpoint Protection Security Logs.
I was sure that my MS SQL Server 2005 service was not running in the background as a Service on my laptop, but it turns out that our new customer network connectivity troubleshooting tool, PathView by Apparent Networks, is using a local SQL Server service on my laptop as well. Logically, I believe this application opened another door for this MS SQL-based vulnerability.
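The blocked process in those log lines, sqlbrowser.exe, is the SQL Server Browser service, which listens on UDP 1434, so anything that installs a local SQL Server instance can expose it. As an added example, not the author's code, here is a small Python parser for the Symantec Endpoint Protection Security Log lines quoted above (fed in as constructed sample input) that folds each three-line event into a record with signature ID, blocked process, source IP and block window, so the first attempt and repeat sources can be found quickly; the field names are my own.

```python
import re
from datetime import datetime

# Constructed sample input: the three-line event format quoted from the
# Symantec Endpoint Protection Security Log, using the two events in the post.
SAMPLE_LOG = [
    "[SID: 20081] MS SQL Stack BO detected.",
    r"Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe",
    "Traffic from IP address 58.51.89.122 is blocked from 7/15/2009 1:33:12 PM to 7/15/2009 1:43:12 PM.",
    "[SID: 20081] MS SQL Stack BO detected.",
    r"Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe",
    "Traffic from IP address 218.23.37.51 is blocked from 7/15/2009 5:48:38 AM to 7/15/2009 5:58:38 AM.",
]

SID_RE = re.compile(r"^\[SID: (\d+)\] (.+?)\.?$")
APP_RE = re.compile(r"^Traffic has been blocked from this application: (.+)$")
BLOCK_RE = re.compile(r"^Traffic from IP address (\S+) is blocked from (.+?) to (.+?)\.$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # matches "7/15/2009 1:33:12 PM"


def parse_sep_log(lines):
    """Fold the SID / application / block-window lines into one event each."""
    events, cur = [], {}
    for line in lines:
        line = line.strip()
        if m := SID_RE.match(line):
            cur = {"sid": int(m.group(1)), "signature": m.group(2)}
        elif m := APP_RE.match(line):
            cur["application"] = m.group(1)
            # Basename of the Windows path, e.g. sqlbrowser.exe
            cur["process"] = m.group(1).rsplit("\\", 1)[-1].lower()
        elif m := BLOCK_RE.match(line):
            start = datetime.strptime(m.group(2), TIME_FMT)
            end = datetime.strptime(m.group(3), TIME_FMT)
            cur.update(src_ip=m.group(1), start=start, end=end,
                       seconds=int((end - start).total_seconds()))
            events.append(cur)
            cur = {}
    return events


def summarize(events):
    """Earliest block, per-source counts, and the processes the IPS blocked."""
    by_ip = {}
    for e in events:
        by_ip[e["src_ip"]] = by_ip.get(e["src_ip"], 0) + 1
    first = min(events, key=lambda e: e["start"])
    return {"first_seen": first["start"].isoformat(),
            "first_src_ip": first["src_ip"],
            "by_ip": by_ip,
            "processes": sorted({e["process"] for e in events})}


if __name__ == "__main__":
    for event in parse_sep_log(SAMPLE_LOG):
        print(event["src_ip"], event["start"], event["seconds"], event["process"])
    print(summarize(parse_sep_log(SAMPLE_LOG)))
```

Exporting the full Security Log to text and passing its lines to parse_sep_log gives the whole day's picture rather than the two events shown here.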
Below are actual screen shots while the attack is occurring:
(Click on the images to enlarge them)
Symantec Endpoint Protection Client Management Logs - Security Logs
PathView SQL Server running as a Local Service
Wireshark capture while the attack is happening
Let me know if you guys need a copy of the actual Wireshark capture (.pcap file) for analysis, I have no problem sending it out.
So what have I learned from this? Always double-check what applications are pre-installed on a new machine, and ensure that unnecessary Services are not running in the background. This happened to me because I got lazy when the new Sony Vaio was handed over to me from work and I did not bother hacking into it like I usually do with my personal machines.
Peace out and spread the word.
Monday, July 13, 2009
The madness stopped on the 4th day: My Comcast Hell
It took them 4 days in total to resolve a simple physical connection problem. Turns out that my actual cable was disconnected. The apartment on the 2nd floor had their Comcast service discontinued, so someone from Comcast Provisioning disconnected them. They did not even check that the connection was coming from a splitter: one leg goes to the apartment above me, one goes to my apartment. They disconnected the entire cable feed. Another epic provisioning-to-on-site-tech coordination FAIL.
My savior on my 4th day in the fire and brimstone of zero Internet was a good-natured on-site tech guy named Tom. Tom was a classic good-ol'-American gentleman. He reminded me of those 1950's to 60's handymen portrayed on television. He has a cool utility belt with all the tools he needs, he has a cool mustache and beard, and sports an old-school baseball cap. He was a little bit odd with his seemingly nonsense gibberish while tracing the coax cables from my living room all the way outside to the veranda, but one thing is for sure, he knows his craft. He knows how to pacify someone who has been deprived of their connection for days by virtue of hard work and results. Comcast Tech Support people should take a page out of Tom's book of work ethics.
All work, less talk. No promises.
Monday, July 6, 2009
My Comcast Hell Continues....
The thing is, Comcast Call Centers are distributed across North America and most of their on-site technicians are contractors, or even better, sub-contractors. lol. Earth to Comcast: please stop hiring and giving out contracts to clueless companies to render service to your poor customers.
And one more thing, in case you call the Comcast Technical Support Hotline, ask them to transfer you to their Call Center based in Tucson, Arizona, because the guys there will help you. The rest are plain stupid, newbies, too old to do technical support jobs, or just completely clueless.
I was in a hurry to go home today so I could meet the Comcast tech guy at 6PM PST, as promised over the phone yesterday by another clueless Supervisor. So around 5:45PM PST they called me and I told them to wait just 5 minutes, 8 minutes tops, because I was already on my way to my apartment on foot, coming from the BART station.
You know what the reply was from the guy who called me representing Comcast?
"Sorry, but we cannot wait because we have other job orders pending today." And that was it.
OMFG. I have been patiently waiting for the past 3 days for them to restore my Internet service, and the freakin' on-site tech guys couldn't even wait 10 minutes for a customer who has been down for 3 days?!
How I wish Comcast managers could read my post. You guys gave me a new definition of ultimate customer service FAIL.
Have a goodnight Comcast people.
Saturday, July 4, 2009
Sorry Comcast, but first impression lasts!
So I just moved to a new apartment. The place is totally empty; I have no furniture yet except for my laptop, HD LCD and game console. That's it. My clothes are even still inside my traveling bags, and yes, I am sleeping on the carpeted floor, which reminds me of my college years.
So what's the very first thing I worked on on my first day at the new spot? Yes, you got it, Internet. I am nothing without Internet; the rest of the bare necessities can wait.
In reading the Apartment Lease form, I saw a big "Comcast Cable Service Ready" smack at the bottom of the document. Turns out Comcast has first dibs on the apartment complex; AT&T can't touch the area for some reason. So I immediately called the courteous guys at Comcast and in a couple of minutes a technician was already installing the Cable Internet. He brought a used Modem with a big Comcast logo on it. I said fuck it, I don't mind if it's used, as long as it's working right. So after a few minutes, the Coax Cable from the wall to the back of the Modem was installed. Ethernet Cable plugged in, and I politely asked the tech guy if I could hook it up to the back of my laptop already so we could test it. He said "Ok but it's not up yet, I need to call to get it provisioned, but yeah you can hook it up because I need to check on it as well."
After hooking up the modem I immediately launched the terminal console on my Macbook to check what IP the gray box was giving me. The box was on the default gateway IP address 192.168.0.1, so I immediately opened Firefox 3.5 and headed straight to it. The modem has web-based configuration access, but there was nothing we could do currently because it still needed to be provisioned. The tech guy said "Hmm, so you know how to do this huh?" I said, yeah, only a little. This guy definitely needed to look around my empty living room, because right next to us were scattered Cisco and CISSP books, lol.
The tech guy made a few calls on his NexTel phone, and after like 10 to 15 minutes the modem was up and operational, signal was good, and firmware updated. I saw this with my own eyes. The tech guy told me to do some speed tests, so he directed me to speedtest.net. The site test gave me remarkable results: 15 Mbps download, 3 Mbps upload. Destination San Jose, from my place in Union City. Perfect. He told me that's Powerboost baby, but since you are not signed up for it, you may only get something like around 8 Mbps down and 2 Mbps up. So I said, ok, it's cool, still more than sufficient for my needs. Signed the papers that service was installed and working properly, a little chit-chat, tech guy left.
Everything was doing good till the next day, when the freakin' Cable Internet went out on me. Multiple calls to their 24x7 Support Department weren't fruitful; they could not even tell remotely from their Support Contact Center if there was a problem with the line or the modem. The first tech support guy that I spoke with told me I needed to pick up a replacement modem, for free of course, but it turns out I needed to drive all the way to their office in Fremont or Hayward. Fuck that, it's freaking far. So I told them I'd rather go to Radio Shack, because it's right next to my place; all I need to do is walk.
So I asked the guys at their Technical Support Department, Supervisors included, what my assurance was that once I went out and spent like 40 to 60 bucks on a cable modem and swapped it, it would fix the problem?! Their answer? NONE. If it's not a modem issue, I'm negative 60 bucks; if it's a line issue, they can only send an on-site tech guy on Monday, because of the long weekend. WTF. Another epic FAIL in customer service.
So I made a call again to their Support Department the next day, the 2nd day of my outage, made a plea of my case, and finally they told me they would send a tech guy on-site to check on the modem. The tech guy would bring a modem so he could swap it out. So I said yes, finally progress, and a sign of true customer service. But it turns out there was a catch to it. If it turns out to be a line problem, cable problem, etc., or anything aside from the modem being the source of the problem, they will charge me $46.00+ for the on-site service. Wow. The rabbit hole gets deeper. But the courteous lady in tech support told me I could avoid the service charge if I signed up for the 99 cents monthly service fee to cover similar issues. Wow, another can of crap opened right in front of me. I politely replied to the support lady that I will not sign up, just send someone out for heaven's sake, I just signed up for your service and it's already out the next day. Do me a favor please.
So here I am, typing this blog, spilling my guts out in disgust at their service at Starbucks so I can be online; it's $3.99 plus tax for 2 hours by the way. They told me to wait for the call somewhere between 1PM and 5PM PST. They will call me on my mobile phone before they drop by. So I said, fuck it, I'll give them another chance, or not.
It's almost 4:15PM PST. Assuming they come and fix the problem today, what I am going to do is call first thing on Monday and cancel the service. I am switching to AT&T's DSL and Telephone Line service instead.
Ah, revenge, so sweet I can almost taste it. Sorry Comcast, but first impression lasts!
Thursday, June 18, 2009
Upgrade yourself @ 30 years old
I am 30 years old and honestly I feel more fit than I was like 5 to 6 years ago. I think I am in the best shape of my life, both physically and mentally.
Sunday, June 14, 2009
Multi-Factor Authentication FTW!
Thursday, June 4, 2009
IP Artificial Intelligence Module: The Center of Your IP Network
This AI-IP module will be so advanced that it will not rely solely on hardware power to completely manage your interconnected network devices. I believe this A.I. module will contain sophisticated coding techniques that someday someone will discover. A.I. technology has been around so long, this should not take long to be discovered.
A sophisticated A.I. module for a computer network will act as the central control, no matter how many nodes you have on it. It can utilize a simple code tagging technique on a specific packet or traffic flow, keeping track of the signature, payload, and behavior in its almost infinite database. The packet infrastructure of IP networks will evolve beyond IPv6.
Sunday, May 17, 2009
A quantum-powered laptop for my son's 22nd birthday
What makes me even more proud on that day is that he chose the gift I myself would choose. He chose a top-of-the-line Quantum-Powered Quad Core Laptop by Intel, developed by Apple. It is one of the slimmest and lightest laptops released this year. 80% of the body, including the keyboard, is made of combined graphite, aluminum and composite materials used by NASA, making it super light yet virtually indestructible because of the Nanotechnology used to develop it. The material used in the body has the native characteristic of repelling materials that come close to it; it's like a mini-magnet but with a South Pole. It is even rumored that the technology was derived from the nearby civilization discovered in the outskirts of Venus. But Intel and Apple refuse to comment on this, since only the US Military has access to such technology, a thing frowned upon by the Neo United Nations.
My son gave me a full smile after I flashed my credit card in front of the automated cashier. The price was hefty, but it's hella worth it in my opinion. When I was my son's age, I was using a laptop powered by silicon and transistors in its microprocessors. Silicon-based Microprocessors during those times had only two states, either a 1 or a 0, called the Binary System. It would take years to crack a 1024K-bit encrypted message using the laptops I used during those days. Now, even the cheapest Quantum-Powered Processor Netbooks can crack a 1024K-bit encrypted message in minutes.
I think not only my son will enjoy this new toy we are taking home. I am thinking of installing SETI@Home on it, then connecting it to my 100-Gigabit Wireless Network at home to help my main computer's processor and resources in reaching signals far beyond Venus. Who knows, my son might be the next Galaxy Civilization discoverer, and not some UC Berkeley or MIT alumni. I am getting old; the year 2030 has been good to me and my family. I am looking forward to visiting our retirement home back in our homeland, Neo Manila. But that will be another blog entry.
Cheers and reach for the stars!
Ron
(P.S. Although a fictional story, the future technology depicted here is a possibility. This story focuses on the future of Nanotechnology and Quantum Physics. It is getting more exciting every day as scientists and experts around the globe continue to push the limits of our current technology and discover new ones in the process.)
A playground for network security enthusiasts, innovators and early adopters
About Me
- Ron
- I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.