I repeated that exercise today for the sake of the presentation and it showed that the Matrizzz channel on this server is now accessed a few more times. But it also shows that a similar channel (matrizzzz) is present on another Server. Examining the code showed that this indeed is related.

Going to the data on that server, we can see that this C&C server is actually hosting two botnet channels. I could go deeper into the second channel, but the phrase “matrix” is used a lot in a wide variety of botnet/channels, so that won’t reveal too much information.

If we continue on the channel we started with, it is noticeable that the channel password everywhere contains the phrase “makako123”. If we start to do a search on that phrase, another Server shows up.

And at that server, there is a channel. Now this exercise could continue for a few more cycles and we would reveal more and more information and more and more nodes that are interlinked. A nice graph is building. If we would do this for every Botnet, we will actually see that specific servers are part of multiple botnets and there is a big overlap.

And before you know it, what seems to be Chaos is actually Organized…

Funnily enough, the same graphs can be made about Who knows Whom on social networks…

Taken from David LeBlanc’s blog, the sequence is:

• The directory from which the application loaded. 
• The current directory. 
• The system(32) directory. Use the GetSystemDirectory function to get the path of this directory. 
• The 16-bit system directory. There is no function that retrieves the path of this directory, but it is searched. 
• The Windows directory. Use the GetWindowsDirectory function to get the path of this directory. 
• The directories that are listed in the PATH environment variable.

When the current directory is set to a directory that is controlled by malware, the requested DLL will actually be loaded from that directory rather than the (normal) \windows\system32 directory.

Basically it boils down to bad programming, but that will not help anyone right now. Lots of sourcecode will have to be re-evaluated to see if it the applications compiled from it will be vulnerable to this attack.

The Exploit DataBase is keeping track of all exploits that are found for popular applications. Please check if your popular application is amongst them here...

The best advice we can give your right now is not to allow DLL’s from shared devices and through WebDAV. If this is too cumbersome or will not work in your environment, another possibility is to follow Microsoft’s quick fix to alter the register, preventing DLL’s to be loaded from the working directory or through WebDAV. However, you may want to check the discussion on SANS beforehand as there is a growing list of applications that do not seem to work anymore after changing the registry.

The text above is from Guns N' Roses 'Bad Apples', and seems appropriate to sum up what happened to Guns N' Roses' Axl Rose's Twitter account last Sunday.

The following message was tweeted:

All upcoming Guns N' Roses dates are officially cancelled. Please contact your place of purchase for any refunds.

Click image to enlarge

(When this blog item is written, this is still the latest tweet on this Twitter account!)

Some of the almost 70 000 followers probably were shocked and disappointed. It soon was established, however, that the the message was posted because someone had managed to crack this Twitter account - the message was fake.
Guns N' Rose's web site still has information about the upcoming tour dates without any reservations, and Guns N' Roses' management confirmed that the tweet was fake.

Don't believe everything you read on the Internet, is the obvious lesson to learn from this incident. (A statement that cannot be repeated too often). 

Or to say it like Guns N' Roses already did (from 'Nice Boys'):

You know nice boys
Don't play rock and roll
Nice boys don't play rock and roll
I'm not a nice boy and I never was!

(...) a principle proposed for user access networks participating in the Internet that advocates no restrictions by Internet Service Providers and governments on content, sites, platforms, on the kinds of equipment that may be attached, and no restrictions on the modes of communication allowed.

Other definitions exist, but the general consensus is that the term should ensure that 

• all Internet content must be treated alike and move at the same speed over the network,
• the owners of the Internet's infrastructure are not allowed to discriminate
• Internet users should be in control of what content they view and what applications they use on the Internet

In the summer 2006 Google posted a public letter to its users:

The Internet as we know it is facing a serious threat. There's a debate heating up in Washington, DC on something called "net neutrality" – and it's a debate that's so important Google is asking you to get involved. We're asking you to take action to protect Internet freedom.

In the next few days, the House of Representatives is going to vote on a bill that would fundamentally alter the Internet. That bill, and one that may come up for a key vote in the Senate in the next few weeks, would give the big phone and cable companies the power to pick and choose what you will be able to see and do on the Internet.

Today the Internet is an information highway where anybody – no matter how large or small, how traditional or unconventional – has equal access. But the phone and cable monopolies, who control almost all Internet access, want the power to choose who gets access to high-speed lanes and whose content gets seen first and fastest. They want to build a two-tiered system and block the on-ramps for those who can't pay.

Creativity, innovation and a free and open marketplace are all at stake in this fight. Please call your representative (202-224-3121) and let your voice be heard.

Thanks for your time, your concern and your support.

Only four years ago!

9 August this year a joint proposal from Alan Davidson, Google director of public policy and Tom Tauke, Verizon executive vice president of public affairs, policy, and communications was made (the emphasizing below is mine):

(...) Broadband Internet access service providers are permitted to engage in reasonable network management. Reasonable network management includes any technically sound practice: to reduce or mitigate the effects of congestion on its network; to ensure network security or integrity; to address traffic that is unwanted by or harmful to users, the provider’s network, or the Internet; to ensure service quality to a subscriber; to provide services or capabilities consistent with a consumer’s choices; that is consistent with the technical requirements, standards, or best practices adopted by an independent, widely-recognized Internet community governance initiative or standard-setting organization; to prioritize general classes or types of Internet traffic, based on latency; or otherwise to manage the daily operation of its network.

A provider that offers a broadband Internet access service complying with the above principles could offer any other additional or differentiated services. Such other services would have to be distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services and could include traffic prioritization. (..)

Because of the unique technical and operational characteristics of wireless networks, and the competitive and still-developing nature of wireless broadband services, only the transparency principle would apply to wireless broadband at this time. (...)

The complete joint proposal is available as a PDF document. See also Google Public Policy Blog for further explaination.

This proposal has resulted in an outcry from several commentators, consumer groups and representatives from various institutions around the world. The reason why is that one perceives that the proposal allows differentiating Internet traffic. Those who are able to pay the Internet Service Providers (ISPs) will ensure that their content is prioritized over other Internet content. The statement's view on wireless broadband in particular received harsh comments.

Obviously new organizations with new types of Internet content will not be able to compete with well-established, wealthy organizations like ... Google (to name a not-so-random company as the example) when they want to make their content available to the Internet community.

Initiatives have been taken to run campaigns to stop this Google-Verizon initiative. The one that has received most attention is probably Save the Internet, which has set up a mailing system where one can send a message to USA's Federal Communications Commission (FCC) Chairman, Julius Genachowski. Another initiative has set up a system to send protests directly to Google.

If the regulators of the Internet allow a system approximating the Google-Verizon suggestion, it will be a fundamental change in the way the Internet functions. Not only for citizens in the United States of America, but for Internet users around the world.

It will be very interesting to follow this debate and its final outcome. 

Almost at the same time that support for Windows XP SP2 ended, information about a zero-day vulnerability in all current Windows versions was published. Several malware authors started using exploits of this vulnerability in their malware products, and it was viewed as very dangerous. Microsoft regarded this as unusually serious, and accordingly released an out-of-band security update 2 August for all supported operating systems.
Supported is the operative word here, as Windows XP SP 2 was no longer supported at this point in time. Users of this operating system are therefore still vulnerable to malware exploiting this vulnerability. As well as all other upcoming exploits of vulnerabilities in Windows XP SP2, which will not be fixed by Microsoft.

It is strongly recommended that those who still use this legacy operating system upgrade to a supported operating system. See this page on Microsoft's web site for more information.

Lately I've encountered several critical network infrastructures that haven't merged abstract functionality onto mainstream technology platforms. In the interest of redundancy, machines perform single or few functions, operated and managed by simplistic custom operating system platforms. Production is designed to continue functioning as long as there is a power source. Complex mainstream platforms like Windows and Linux are only used for analyzing data exported from production lines only. As a result, such environments have remained largely unaffected by security threats depending on mainstream software. Of course, any environments controlled or actively interacting with Windows, or other mainstream platforms, must be protected with production network protection initiatives.

More frequently, security education encourages the use of one computer exclusively for banking, and other machines for normal browsing, returning to the encapsulation idea of separating and hiding functionality from unrelated activities. Technology compartmentalization in networks can be expanded further beyond the network layer topology. Moving to a physical network encapsulation will greatly enhance security against malicious threats.

Administrators know that web servers, email servers, and databases should be separated onto their own dedicated hardware. However, they fail to move functionality into segmented locations. where the same threats are less likely to affect multiple functions. As network encapsulation increases, security solutions supporting network protocols such as CIFS and SMB, like Norman Network Protection, will be valuable as we reconsider ancient computer science architectures for integrity.

His presentation was cancelled at the last minute and replaced with a presentation of Job de Haas called “Side Channel Analysis on Embedded Systems”. The reason the presentation was cancelled was the pressure from the vendors of these ATM Machines. What are they afraid of? Chiesa already presented the details at a different security conference and his findings are used for different reports, including the ENISA report "ATM Crime: Overview of the European situation and golden rules on how to avoid it". Due to the pressure of the ATM vendors, the presentation was cancelled. What are they afraid of? Several of the problems have been there for a long time and remain unfixed. Is it a case of “hide the fact and the problem doesn’t exist”?

Pressure from ATM vendors is nothing new. Last year, IOActive Lab’s Barbaby Jack’s presentation “Jackpotting Automated Teller Machines” was pulled for similar reasons from the Blackhat Conference. However, this year, the presentation is on the program again. Jack is quite easy on this. One of his comments on the occurrence is “The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks. Norman is a gold sponsor of the Blackhat conference and I will be there. I am looking forward to his presentation and report on it, if not again pulled at the last minute.

So what is next? ATM vendors and banks will try to stop all presentations on skimming? By all means, let the public be unaware of the problems that are real and the crimes that are happening. I have done a few presentations that dealt with skimming. And skimming partially happens because the banks do not really act in the right way. Now I do realize that skimming is not done by the banks themselves, but as long as the damage done by skimming is lower than replacing all the ATM’s with a safe model…

It happened some time ago and I used it at a few presentations, but it is still current. I had to fly and at the airport I found an ATM where the card reader did not match the picture on the screen. A sticker tells you to call the bank when in doubt. So the picture and the slot were not identical… And I had 1.5 hours to spare… So what else to do… Of course I called. Do you think they were happy? The next is a recap of the conversation between the lady I got on the telephone when I called the helpdesk and me.

She: “No Sir, this machine is completely safe to use. The card reader has just been replaced.”

Me: “I know that, it is normal with skimming that the card reader is altered, tampered with or replaced by the bad guys.”

She: “No Sir, it has been replaced by us. It is completely safe to use.”

Me: “So why don’t you update the picture when replacing the card reader?”

She: “That’s another department!”

Me: “So who can guarantee that this machine is safe to use. The picture is not identical to the card reader”.

She: “Sir, please trust me when I say that the machine has not been tampered with and is safe to use. Your card can safely be inserted”.

Me: “And who are you?”

She: “I’m [whatever], of the helpdesk of the bank”.

Me: “And who guarantees me that you do work for the bank and not for a criminal organization trying to obtain my card data and pincode having altered this machine. And that you were not able to update the picture but you were able to change the telephonenumber so I’m actually calling with a representative of a skimming organization?”

SLAM! She hung up the phone...

If this would happen to you and you would indeed find another machine with the card reader being different than the picture… Would you call again?
 

As Adobe's programs Reader and Acrobat are those most used for reading PDF files, Adobe's handling of this case was important. Initially Adobe published information about how to change program settings to mitigate the risk for being infected by this "trick". The set of security updates published by Adobe 29th June, included changes to Acrobat and Reader, which were meant to fix this vulnerability permanently.

Alas!

Only few days after - 1st July - information on Bkis Global Task Force Blog showed that only the dialog box issue was (presumably) fully fixed by Adobe's updates. By enclosing the program one wanted to start from the PDF file by double quotes, Adobe's new blocking mechanism is circumvented. This was also acknowledged by Adobe in a blog posting. Didier Stevens subsequently showed how to make Registry changes to block even this vulnerability, although his Windows Registry fix may be beyond what several users feel comfortable to do on their own.

It seems like the /Launch vulnerability is still alive, although recent changes have rendered it far less dangerous. A new Adobe security update addressing this, is to be expected.

As we end the first half of 2010, let's review some of biggest stories and trends, and what it means for the future.

File Format Exploits

Malware analysts and their toolsets can proficiently respond to the most complex executable code. As operating systems are secured, and malware lab response become effective against executable code, threats continue to move to the web and third party applications.

Traditionally weak in vulnerability research and file format analysis, Anti-Malware vendors acquiring and developing these technologies are positioned to offer superior detection, the most important attribute in cyber-security purchasing decisions.

Apple market cap surpasses Microsoft

Mac will trail Windows market share significantly in the foreseeable future. However, the Mac user base is growing fast so threats will find and exploit weaknesses in Mac environments with more frequency.

Though more Anti-Malware vendors are releasing AV solutions for Mac, there is little targeted marketing focus on this market. Currently a niche market, Mac AV will expand into an important growth segment. Establishing key partnerships within the Apple industry, and loyalty with first adopters of Mac AV, presents strong positioning opportunities.

Facebook Privacy

Information sharing, key to innovation and modernization of societies, has steadily increased throughout history. In the old days, cities built big walls for protection. As the world opened up, walls fell, and generally the world is a safer place.

Facebook privacy issues have been beneficial for educating users. Armed with first hand unauthorized exposure of information, the entire Facebook user base is now more aware of their risk. Increased sharing and user awareness has increased demand for solutions offering technologies enhancing privacy. This leads to security suite products boasting encryption, private browsing, cache cleaning, blacklisting, content control, website reputation, and other non traditional Anti-Malware technologies to keep information safe.

Event Scams

Social engineering, bait for users to chase a threat, is another trend evolving throughout history. Likely the best approach is enhancing protection against the actual threat and it’s spreading vector. Unfortunately, using the Facebook example, successful user eduction is usually found through a major security breach affecting them.

Fake AV

Like the movement to third party software vulnerabilities, threats are becoming more complex in both architecture and social engineering. Anti-Malware vendors have been slow to find success against these threats. Like vulnerability research, emerging threat techniques need unique focus to quickly adapt to new complexities. Security vendors with analysts focused only on emerging threat research and technologies will best protect against tomorrow’s threats.

SEO Poisoning & Web Based Malware

SEO Poisoning is an alternative method for quickly spreading code as security solutions have become successful against traditional propagation methods. Web reputation and proactive web based detection technologies are key.

Drive-by malware hasn’t been such a big buzz story, but as a spreading vector, it is successful. With malware using pull strategies to infect users rather than the old approach of pushing out malware, malicious websites are where it’s at these days. Essentially every kind of processing is moving to the cloud, the new frontier for security where users spend time and store valuable information.

Security Industry Mergers & Acquisitions

Symantec acquired PGP, VeriSign, and others, HP acquired TippingPoint through 3Com, just to name a few of the M&A stories of 2010.

Solutions for the trends outlined above require innovative technologies with long risky gestation periods. Smaller organizations often don’t have assets or capabilities to divert focus from core operations to invest and commit to such risky projects. Restrained from aggressively pursuing these attributes, they must find other sources of help, or recognize that merging with complementary players is the best way to create value for their stakeholders.

Pornography in its different forms is one of the most popular topics available on the Internet. No matter if one counts the number of web sites, the number of visits, the number of search words/criteria, total revenue; porn is there among those at the very top.
Another interesting observation regarding web sites with pornographic or adult content, is that web sites with such content have been among the most innovative and clever in adopting new web technology.

In its meeting in Brussels, Belgium, 25 June 2010, The Internet Corporation for Assigned Names and Numbers (ICANN), perhaps the most important Internet body there is, took a big step in the direction of allowing a special top level domain (TTL) dedicated to porn, or more precise, for "the adult entertainment industry". Some additional steps need to be taken (and approved), but the decision that was announced in ICANN's press release is a big leap towards "a Red Light District" on the Internet.

Not surprisingly - appropriate even - the new top level domain is to be named .XXX.

The road to arrive to this decision has been long and cumbersome, as the ICANN chronology of the .XXX issue shows.

No doubt there will be critical voices raised against a dedicated domain for adult content. These will be raised from persons and organizations, which have opinions regarding what they view as inappropriate content on the Internet, and may of course have some merit. However, it's not ICANN's responsibility to have opinions on the Intenet's content. The organization's role is to be (quoted from ICANN's web site):

(...) a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.
ICANN doesn’t control content on the Internet.

Seen from an operational point of view for ordinary Internet users, an .XXX domain may have considerable advantages:

• it enables parents to easily block a huge amount of content that they consider unappropriate for their children, by blocking a complete top level domain, compared to the impossible task of blocking an immense number of unique web sites,
• it gives organizations the same option to block .XXX domains on the perimeter if they want to stop employees access to such sites during working hours,
• it gives users of adult content better ability to pinpoint web sites that host the type of content they are looking for (it seems safe to presume that these users exist even though each and every individual may be difficult to find).

The final outcome of this new top level domain is expected to be decided upon late this or early next year.

(I'm sorry to have disappointed those who expected a more ...ehhhh .... interesting image to illustrate this blog item.)

1. Consumers expect 100% protection from threats. With more than 50,000 increasingly complex threats released daily, this is a daunting challenge that is becoming increasingly infeasible.
2. Anti-Malware experts see the threat landscape as a big picture. There is an ethical obligation to prioritize assets and capabilities in a way that best secures society as a whole. Often these priorities don’t align exactly with individual consumer needs.
3. Consumers base purchasing decisions on a number of factors. Security organizations often make compromises to align product positioning with these factors. One example is product testing. In the computer security world, product testing procedures are usually not aligned with real world threats consumers encounter.

These three gaps can be exploited as opportunities for Anti-Malware players to gain relative advantages over the competition with increased market awareness, growth, and loyalty. This takes us to the question of how do we organize innovative processes that maximize both customer perceived value and actual value from an expert’s view?

Technology Push Innovations: Exploratory technologies are a necessity for current and future protection solutions. Immediate results are usually minimal, frustrating users with high expectations through marketing value propositions. Eventually, as is the case with Norman SandBox, these technologies mature into valuable protection solutions.

Market Pull Innovations: Solutions that satisfy the perceived needs of the consumer build loyalty and equity immediately, building a foundation on which radical and disruptive innovations can be build. Judging by the gaps I’ve discussed, this is an enormous area of opportunity.

From a strategic perspective, Anti-Malware innovations are unbalanced toward pushing technologies on the market. Evidence comes from one big feature consumers have been crying for, the ability to create their own signatures. Almost all types of security products allow customers to create their own rules and signatures, from IDS and IPS technologies, to vulnerability management tools like Norman’s Patch and Remediation Solutions, to Anti-Malware inverse solutions like Norman’s Application and Device Control. Some say liability issues and loss of proprietary control over signature subscription models prevent opening up our frameworks for public signature creation, which I doubt would be different from the solutions I’ve mentioned above. To the detriment of society, opening up technologies has been delayed too long in many industries over time.

Want to be successful? Open up and engage your markets, they will embrace you back.

This report once again highlights the need for consumers to seek out proactive solutions that do not rely on signatures, like Norman's SandBox, DNA Matching, Exploit Detection, Forensic Toolkit, and other leading edge technologies.

Drilling down into quarterly, 10k, and annual reports often reveals results and strategic directions for specific products and lines. What does this have do with IT? A look at vendor results, particularly revenue increases over the past few quarters, will reflect which products consumers consider the best value.

I don't recommend this method in a bullish economy. In good times, budgets allow markets to consume poor products that add little to no incremental value to IT initiatives. Remember, if you do use this method, some current profits have increased due to cost cuts. Revenue measures, such as revenues from sales, will best reflect which vendors are actually increasing total sales. With vendors decreasing prices in the face of falling demand, increased revenue is a great sign.

If you do use Wallstreet as a product information source in bullish economies, I'd suggest looking at valuation measures such as earnings yields, or price to earnings(P/E). Valuation measures take into account results, but for technology stocks especially, they also add valuation premiums which consider product lines quality and management's ability to keep those products on the leading innovative edge. Valuation premiums are often influenced by analysts research who consider all the same information you would use in purchasing decisions, like word of mouth, and third party performance tests and reviews.

In a previous post I discussed how to evaluate network based security products. If you don't mind scanning through financial information, Wallstreet information is a great source of secondary research. Remember, no matter who is buying the most popular products, you must first consider which products best fit into your IT environment.

It seems I started something, although I am not sure we should be proud on that. At this moment, the “Beesies” are not just an advertisement on nl.msn.com any more, it is even a featured article to download the “Beesie-moticons” now.

And it made it to #1 in the MSN Download Top 5 in The Netherlands.

Now in this case, the emoticons are harmless, but… The next time it may not be… And then we will all download them again, even if all the signs are there we shouldn’t, right? Because last time it was innocent… So this time, it will be too, won’t it?
And I did not even go into details about the risk of the “1clicksend2friend.com” part. One thing good came from this attention: the “1clicksend2friend.com” page has been removed.
 

Having advertisements like these appear on your MSN home page, you would expect that all safety measurements are in place and that the advertisement is safe. Clicking on the icon, you are transferred to a different site (www.rulive.nl) telling you you can download a free package with Beesie emoticons and winks, which of course are used within Live Messenger.

Clicking on the generous offer, why should you reject such an offer, makes all alarm bells go off!!!

Not only is it trying to download an executable, it is also downloading it again from a different domain. We started with and advertisement at “nl.msn.com”, we were redirected to “rulive.nl” and the actual download is coming from “downloads.emoticons-livemessenger.com”. On top of that it is an executable: “ahwk.exe”… Like a misspelled “hawk”. Maybe it is a hawk and trying to sneak into your system. Ok, the filename is derived from the Dutch “Albert Heyn Wereld Kampioenschap”, but if you do not know the abbreviation, it can be very scary and it looks like a typical filename malware could be using.

What is wrong offering these kinds of emoticon packages through the normal download channel to get “Free IM Content”.

After downloading the file, the user is prompted by a Security Warning as the executable we just downloaded wants to be executed...

Now what??? The program we just downloaded was “ahwk.exe” and the program that wants to be run is called “smu.exe”, published by a company I never heard of before… Really suspicious… Would anyone fall for this? Don’t answer it, it was a rhetorical question!

On a secured system (of course) we continued and had the downloaded program run. As a surprise, you again get a similar graphics telling you that you can download the free “Beesie” package (didn’t I just do that already?) to support the Dutch National Team.

Pressing “Volgende” (“Next”) I am presented with an extremely long EULA and some “interesting” options for settings which, for my convenience of course, have been pre-set. It means that I will set Internet Explorer as my default browser, Bing as my default search engine and MSN as my default home page.

Sigh… If you do continue, the package gets installed and a new browser window opens, congratulating you installing the “Beesie” package, and offers you to share it with your friends,

When you try the ‘sharing’ feature, you are asked to enter your MSN credentials. The URL at that moment also includes the very suspicious

http://1clicksend2friend.com/Default.aspx&lc=1043&id=******

As we installed it on a safe system, we did not really want to spam out the message to our friends (which would be honeypots anyway from this system) but we really wondered… Who would really go for this? Who would press all the links trusting everything and ignoring all the bells and whistles that should be raised as this has all the signs of malware trying to be put on your system using very smart social engineering???
 

Yes indeed, loads of people…
 

Ok, we have analyzed the content of this package and it is harmless, but this is typical case how not to offer any goodies on the internet as it looks, smells and feels suspicious. On the other hand, seeing the success of this packages, it proves user education is far from being finished.
 

Earlier today Norman changed its assessment of the general threat level from Low to Medium.

This was the first time Norman raised the threat level since it was set to Medium in October 2008 (and subsequently reset to Low 22 April 2009).

It is not one particular piece of malware, which is the reason for this elevation of threat level. Nor is it one particular vulnerability. It is the sum of three different vulnerabilities, which let us to believe that the general level cannot be viewed as low any more.

These vulnerabilities are in:

• Windows Help and Support Center
• Adobe Flash Player, Adobe Reader and Acrobat
• The PDF specification, which allows launching malware embedded in PDF documents.

The vulnerable applications' vendors have as of yet not published updates for all the vulnerable programs. Information about workarounds is available, but some of the workarounds are difficult to implement for many non-expert users.
Information about these vulnerabilities and other threats to the Internet community is regularly published and updated on Norman Security Center.

Exploit code examples utilizing these vulnerabilities are available on the Internet, and actively used by malware. We predict that even more malicious programs that utilize these vulnerabilities will be published in the next days and weeks.

Information about Norman's threat levels and the reasons for the current level is at all times available from this page.

Big sport events cause lots of media attention and fun. Unfortunately they are also an attack vector that will be used by cyber criminals. It is safe to assume that in the wake of the legitimate information about the World Cup, the teams, the players, the games - we will experience a wide range of malicious attempts from cyber criminals to use the event as a stepping stone for malware spreading.

As a member of the Internet community you should beware of manipulations attempts like:

• emails that seem to have information about and links/attachements related to the World Cup, but which turn out to try to infect you with malware,
• links about the World Cup in social networks like Twitter and Facebook, that are inserted by persons with malicious intent and lead to infected web sites,
• search engine results using World Cup releated key words manipulated to be displayed at the top of the results listing.

Use sound skepticism before you click on an object which pretends to be World Cup related, but turns out to be malicious. 

Enjoy the World Cup football tournament free from malware!

Ah yes… I can hear you say it already… Only my friends can see my full profile and the messages I put on there. And, do you know all your friends that well? Will not one of them tell others? Or are you sure they will not (mis)use the information themselves? Too many examples exist where this went wrong.

So are social websites a complete waste? At first glance it may seem that way, but it can also be useful. A mother who had her 2 children (2 and 3 years old) be kidnapped by her husband 15 years ago and have never seen them again, one day decided to enter her children’s names in the Facebook Search. And to her surprise, she found her kids there. After some initial communications, the contact was abruptly cut off. But with the help of the police, the Facebook account was traced back to Orlando, Fl. The kids (now 18 and 16) have been located and the father has been arrested.

Seems that even Facebook can be a help to the “Most Wanted” and “Missing” websites around the world.

You can find the full story here…
 

Lately I've encountered several critical network infrastructures that haven't merged abstract functionality onto mainstream technology platforms. In the interest of redundancy, machines perform single or few functions, operated and managed by simplistic custom operating system platforms. Production is designed to continue functioning as long as there is a power source. Complex mainstream platforms like Windows and Linux are only used for analyzing data exported from production lines only. As a result, such environments have remained largely unaffected by security threats depending on mainstream software.  Of course, any environments controlled or actively interacting with Windows, or other mainstream platforms, must be protected with production network protection initiatives.

More frequently, security education encourages the use of one computer exclusively for banking, and other machines for normal browsing, returning to the encapsulation idea of separating and hiding functionality from unrelated activities. Technology compartmentalization in networks can be expanded further beyond the network layer topology. Moving to a physical network encapsulation will greatly enhance security against malicious threats.

Administrators know that web servers, email servers, and databases should be separated onto their own dedicated hardware. However, they fail to move functionality into segmented locations. where the same threats are less likely to affect multiple functions. As network encapsulation increases, security solutions supporting network protocols such as CIFS and SMB, like Norman Network Protection, will be valuable as we reconsider ancient computer science architectures for integrity.

Recently a special version of clickjacking appeared as an attack on Facebook users. This attack comes in several variants, common for them is that they try to trick users into clicking on a specially crafted Like button. The word likejacking was thereby coined.

An excellent analysis of a likejacking attempt is available from SANS' Internet Storm Center's diary posting 2 June.

The very useful browser plug-in NoScript protects against likejacking as well as other clickjacking attempts (and lots of other attacks through browsers).

The caveat is to beware which links you are clicking on. The links may turn out to be something completely different than what they appear to be.