Learning your history is important

It is said that if you don’t know your history you are bound to repeat the past. The same holds true even in the world of malware. The infographic below brings you up to speed with what occurred over the last 28 years in the wonderful world of malware.

A big thanks to the ESET team for creating and sharing this with the community. I pride myself on knowing a bit more about malware than the average user, but even so I learned quite a lot from this infographic.

So sit back and enjoy the journey that begins with Pakistani Brain in 1986 and ends with Windigo 2014.

Tails, because we care about our privacy

Tails is a live system that aims at preserving your privacy and anonymity. It helps you use the Internet anonymously almost anywhere you go and on any computer, but leaves no trace unless you explicitly ask it to.

How does this work you might ask?

Tails relies on the Tor anonymity network to protect your privacy online: all software is configured to connect through Tor, and direct (non-anonymous) connections are blocked.

Tor is free software and an open network that helps you defend against a form of network surveillance known as traffic analysis, which threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

In short, if you have ever used a bootable Live CD/DVD/USB before, it’s the same concept, except that this project focuses on your privacy.
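To make the relay description above concrete, here is an added Python model of the idea behind onion routing; it is not Tor’s actual protocol and not code from the Tails project. The client wraps its message in one encryption layer per relay, each relay peels only its own layer and learns only the previous and next hop, and only the exit relay sees the destination. The keystream is derived with HMAC-SHA256 in counter mode purely so the example runs on the standard library (real Tor negotiates keys per hop and uses AES), and the relay names, keys and request are constructed for the demo.

```python
import hashlib
import hmac
import os

HOP_FIELD = 16   # fixed-width next-hop field so layer sizes do not reveal the path
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts. Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one onion layer: encrypt (next_hop || inner) under this relay's key."""
    nonce = os.urandom(NONCE_LEN)
    header = next_hop.encode().ljust(HOP_FIELD, b"\0")
    return nonce + keystream_xor(key, nonce, header + inner)


def unwrap_layer(key: bytes, blob: bytes):
    """What a relay does: strip its own layer, read where to forward, pass the rest on."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: list of (relay_name, key) from entry to exit. The exit layer goes on first."""
    next_hops = [name for name, _ in circuit][1:] + [destination]
    onion = payload
    for (_, key), hop in reversed(list(zip(circuit, next_hops))):
        onion = wrap_layer(key, hop, onion)
    return onion


def route(circuit, onion: bytes):
    """Simulate the relays. Returns what each relay could observe and the final payload."""
    views = []
    previous = "client"
    for name, key in circuit:
        next_hop, onion = unwrap_layer(key, onion)
        views.append({"relay": name, "from": previous, "to": next_hop, "forwarded": onion})
        previous = name
    return views, onion


def demo():
    """Constructed three-hop circuit with fixed keys so the run is reproducible."""
    circuit = [(f"relay{i}", hashlib.sha256(f"relay{i}-key".encode()).digest()) for i in (1, 2, 3)]
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    onion = build_onion(circuit, "example.com", payload)
    return route(circuit, onion)


if __name__ == "__main__":
    views, delivered = demo()
    for v in views:
        print(f"{v['relay']}: receives from {v['from']}, forwards to {v['to']}")
    print("exit delivers:", delivered)
```

Running it shows relay1 knowing only the client and relay2, relay3 knowing only relay2 and example.com, and the request text appearing in the clear only after the last layer is removed; an observer on the client’s own link sees only the outer blob addressed to relay1.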

What’s under the hood?

A set of noteworthy Firefox extensions:

  • Adblock Plus
  • Cookie Monster
  • FoxyProxy Standard
  • HTTPS-Everywhere
  • NoScript
  • Torbutton

A few extra bonus applications for the paranoid at heart:

  • Create encrypted volumes with TrueCrypt
  • Securely delete files with Nautilus
  • Manage passwords using KeePassX
  • By default your browser is pointed to https://startpage.com/, the world’s most private search engine.

Lastly, another option that I felt was nice is the “Windows Camouflage” mode, which basically makes Tails look more like Microsoft Windows XP. This is useful in public places to avoid attracting suspicion.

So now you have a new OS to enhance your privacy. Have fun, and please let us know what other methods you are using.

Podcast Appearance “Attack of the Android”

Hello all, I hope your year is going well so far. I just wanted to drop a line and mention that a few weeks ago I appeared on the “Attack of the Androids” podcast, episode 16. A little background about the podcast: they are a weekly audio podcast focused on the Google Android operating system and community.

You can find them on Google+ or follow them on Twitter @aotaradio. Cool cast, check them out!

Handcent SMS logs all your sent messages

In light of all the CarrierIQ press I started wondering what other applications on my phone might be doing things that I am not aware of. So I installed SQLite Editor and started poking around my phone; that’s when I decided to see what my SMS client “Handcent” was up to. Since I wanted to view the output on a bigger monitor, I fired up an adb shell and used SQLite to see what Handcent SMS was hiding under the hood.

I used the following command to search the /data/data folder on my device for files with a .db extension, since that indicates a database file (the pattern is quoted so the local shell passes it to the device’s find unexpanded):

adb shell "find /data -name '*.db'"

As you can see I found several databases on my phone, but today we will be looking at one in particular: Handcent’s “hc_sms.db”.

For this part we will use sqlite to view the database layout (schema) and its contents:

sqlite> .schema
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);
CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);
CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDING_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);
CREATE TABLE android_metadata (locale TEXT);

sqlite> .tables
DELIVERY_REPORT   SEND_LOG          SEND_LOG_DETAIL   android_metadata
sqlite>

And after running select * from SEND_LOG;, to my amazement I saw all the text messages I had sent since I installed the Handcent application, both deleted and undeleted.

Looking at select * from SEND_LOG_DETAIL I saw the same information, but this log also held the recipient’s name and phone number.

Now my question is: if I am deleting a message and think it is being deleted, why would Handcent choose to keep a copy of it in an unencrypted database where anyone can access it? I would love to hear from them and try to understand why this is being done.
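To reproduce this kind of check offline, here is an added Python example (not Handcent’s code and not from the original post) that recreates the SEND_LOG and SEND_LOG_DETAIL tables with the schema shown above in an in-memory SQLite database, loads a few constructed rows, and joins the two tables on SID to list every sent message with its recipient, which is the view a privacy audit of the database wants. The helper open_pulled_db assumes you have first copied hc_sms.db off the device with adb pull; its path argument is a placeholder.

```python
import sqlite3

# Table definitions copied from the .schema output above (SEND_LOG and
# SEND_LOG_DETAIL only; DELIVERY_REPORT is not needed for this audit).
# SENDING_PERSON_NUBER is spelled the way the app spells it.
SCHEMA = """
CREATE TABLE SEND_LOG (ID Integer Primary KEY, SID INTEGER, SEND_TYPE INTEGER,
    BEGIN_SEND_TIME text, END_SEND_TIME text, SEND_CONTENT TEXT,
    SENDING_PERSON_NUBER INTEGER, SUCCESS_NUMBER INTEGER, FAIL_NUMBER INTEGER);
CREATE TABLE SEND_LOG_DETAIL (SID INTEGER, PID INTEGER, BEGIN_SEND_TIME TEXT,
    END_SEND_TIME TEXT, PERSON_NAME TEXT, PERSON_NUMBER TEXT,
    SENDING_MESSAGE_NUMBER INTEGER, SENT_SUCCESS_NUMBER INTEGER,
    SENT_FAIL_NUMBER INTEGER);
"""

# Constructed sample rows standing in for what a real hc_sms.db would hold.
SAMPLE_SEND_LOG = [
    (1, 101, 1, "2011-12-01 10:00:00", "2011-12-01 10:00:02", "Meet at 6?", 1, 1, 0),
    (2, 102, 1, "2011-12-01 12:30:00", "2011-12-01 12:30:01", "Running late", 1, 1, 0),
    (3, 103, 1, "2011-12-02 09:15:00", "2011-12-02 09:15:03", "Call me when free", 1, 1, 0),
]
SAMPLE_SEND_LOG_DETAIL = [
    (101, 1, "2011-12-01 10:00:00", "2011-12-01 10:00:02", "Alice", "+15550100", 1, 1, 0),
    (102, 1, "2011-12-01 12:30:00", "2011-12-01 12:30:01", "Bob", "+15550101", 1, 1, 0),
    (103, 1, "2011-12-02 09:15:00", "2011-12-02 09:15:03", "Alice", "+15550100", 1, 1, 0),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the Handcent schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SEND_LOG VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_SEND_LOG)
    conn.executemany("INSERT INTO SEND_LOG_DETAIL VALUES (?,?,?,?,?,?,?,?,?)",
                     SAMPLE_SEND_LOG_DETAIL)
    conn.commit()
    return conn


def open_pulled_db(path: str) -> sqlite3.Connection:
    """Open a copy of hc_sms.db retrieved with: adb pull <device path> <path>.
    Opened read-only so the audit cannot alter the evidence file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sent_messages_with_recipients(conn: sqlite3.Connection) -> list:
    """Join the send log to its detail table: SID links each message to the
    person it went to, which is what makes this log sensitive."""
    return conn.execute(
        """
        SELECT l.SID, l.BEGIN_SEND_TIME, d.PERSON_NAME, d.PERSON_NUMBER, l.SEND_CONTENT
        FROM SEND_LOG AS l
        JOIN SEND_LOG_DETAIL AS d ON d.SID = l.SID
        ORDER BY l.BEGIN_SEND_TIME
        """
    ).fetchall()


def messages_per_recipient(conn: sqlite3.Connection) -> dict:
    """Count retained messages per recipient number."""
    rows = conn.execute(
        "SELECT d.PERSON_NUMBER, COUNT(*) FROM SEND_LOG AS l "
        "JOIN SEND_LOG_DETAIL AS d ON d.SID = l.SID GROUP BY d.PERSON_NUMBER"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_sample_db()
    for sid, when, name, number, content in sent_messages_with_recipients(db):
        print(f"{when}  SID={sid}  {name} <{number}>: {content}")
    print(messages_per_recipient(db))
```

Against a real pulled file, swap build_sample_db() for open_pulled_db("hc_sms.db") and compare the row count with what the messaging app still shows in its conversation view; any surplus is message content the app retained after the user deleted it.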

Should I Change My Password?

While sorting through my Twitter feed yesterday I noticed the following site and an informative article over at SCMagazine explaining the site’s purpose.

In short “A Sydney security researcher has developed a web portal that allows administrators to check if work email accounts have been compromised.

The portal, (https://shouldichangemypassword.com) allows users to search through databases of stolen email addresses collated by researcher Daniel Grzelak.”

Read more over at SCMagazine.com.

My first response to this was: hmm, this would be a perfect place for a spammer to harvest new email addresses, with every new query to the database. But as the site owner stated, “The email you enter will NOT be stored, transmitted, or otherwise used beyond this check.”

In the end I think this is a great resource; someone actually decided to do something useful with all the hacked data that is leaked every week or so. I sent the researcher a tweet requesting a feature to do a blind search on a domain name instead of just an email address, so you can easily see if anyone in your organization has been compromised.

Disclosure of over 35 million Google user profiles

While checking my IRC and Twitter stream this morning I noticed some chatter surrounding a comment from a user by the name of @mikkohypponen on Twitter mentioning that “Google provides the addresses of all of their 35,513,445 user profiles”; that’s about 35 million people.

You can verify this for yourself by visiting the provided URL http://bit.ly/iT6p3n or directly at https://ssl.gstatic.com/s2/sitemaps/profiles-sitemap.xml. What you will see when you visit that link is an XML file listing all of the various profile groupings. Copy one of the links into your browser and you will be taken to another page with links to the actual profiles; open any of them and you will be a bit surprised.

Why should you care about this, you might ask? Easy: it’s only a matter of time before someone creates a script to harvest all of the following:

  • Usernames, first-name, last-name
  • GPS co-ordinates of places you have lived, if you filled that out
  • Personal photos

For that you should be a bit concerned, but maybe Google is not. According to https://twitter.com/#!/tomokas he mentioned this to Google back in 2008 and only got an auto-response email.

Exploit packs overview, Zeus code leaked

I recently came across a really interesting intro write-up on browser exploit packs. The research team installed and tested over 40 different packs and provided some really nice feedback; here is the link.

For anyone who is not familiar with what an exploit pack is, here is a brief definition: “A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user’s browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.”

The infamous ZeuS or zbot Trojan has made a name for itself in this arena. Even though zbot does not directly exploit any system vulnerability, it is very successful at infecting its victims. Zeus, until recently, was being sold on the underground black market for anywhere from $5,000-$10,000 or even more; because of this it was hard for the average guy to get his hands on a copy to review the source code.

Well, not until a few days ago, that is. Now if you search for “Download the ZeuS Source Code”, you will come across several sites hosting a leaked copy of “Zeus 2.0.8.9”, and from the looks of things it’s a fully loaded copy. With that said, grab your copy, turn on your VMs and let the learning begin.

 

Links:

https://secure.wikimedia.org/wikipedia/en/wiki/Browser_exploit

http://www.scmagazineuk.com/zeus-source-code-now-available-for-5000-as-predictions-made-that-its-cost-will-continue-to-drop/article/199995/

http://www.mdl4.com/2011/05/download-zeus-source-code/

Now while reading about exploit packs I started wondering how I can get myself a copy without having to spend

Exploit packs are criminally appealing because victim exploitation is quick and seamless if a vulnerability exists. The victim may not notice anything different in their computer’s behavior post drive-by. The majority of exploit packs we tested simply required the client computer visit the root index.php page. The newer families required a drive-by to a specifically crafted URI that corresponded to a specific “user” (renter) of the managed exploit pack.