
Softpanorama

May the source be with you, but remember the KISS principle ;-)

Softpanorama Malware Protection Bulletin, 2013


[Dec 29, 2013] The NSA's 50-Page Catalog Of Back Door Penetration Techniques Revealed

Dec 29, 2013 | Zero Hedge
While the world may have become habituated to (and perhaps revels in, thank you social media exhibitionist culture) the fact that the NSA is watching anyone and everyone, intercepting, recording, and hacking every electronic exchange regardless if it involves foreign "terrorists" or US housewives, the discoveries from the Snowden whistleblowing campaign continue. The latest revelation from the biggest wholesale spying scandal since Nixon, exposed by Germany's Spiegel which continues the strategy of revealing Snowden leaks on a staggered, delayed basis, involves a back door access-focused NSA division called ANT, (which supposedly stands for Access Network Technology), described by Spiegel as "master carpenters" for the NSA's TAO (Tailored Access Operations, read more about TAO here). The ANT people have "burrowed into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell." More importantly, thanks to Spiegel (and Snowden of course), the NSA's 50-page catalog of "backdoor penetration" techniques has been revealed.

The details of how the NSA can surmount any "erected" walls, via Spiegel:

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives -- from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

Nothing quite like an extensive, taxpayer funded catalog listing back-door entry strategy imaginable. Say you wanted to have some backdoor fun with Juniper Networks, the world's second largest network equipment manufacturer (which claims the performance of the company's special computers is "unmatched" and their firewalls are the "best-in-class.")

In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs... Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."

It gets better, because when simple penetration is not enough, the NSA adds "implants."

In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.

So what exactly is to be found in the 50-page catalog?

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are "remotely installable" -- in other words, over the Internet. Others require a direct attack on an end-user device -- an "interdiction," as it is known in NSA jargon -- in order to install malware or bugging equipment.

The conclusion here is an easy one, and one we have repeated ever since before the Snowden revelations: Big Brother is bigger and badder than ever, he knows exactly what you've been doing, and the second the NSA wants to nuke your computer out of orbit and/or destroy your digital life, it can do so in a millisecond. What is more amusing is that with each passing disclosure, it is increasingly clear that the NSA has gotten its inspiration for its dealings with the US public from a Danielle Steel book at best, or a Vivid Video bootlegged tape at worst.

Ying-Yang

NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets.

One of the most striking reported revelations concerned the NSA's alleged ability to spy on Microsoft Corp.'s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies.

http://www.csmonitor.com/Innovation/Latest-News-Wires/2013/1229/Elite-te...

[Dec 10, 2013] Meet Paunch: the Accused Author of the BlackHole Exploit Kit

December 08, 2013 | Slashdot

samzenpus

tsu doh nimh writes

"In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today. According to pictures of the guy published by Brian Krebs, if the Russian authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000 a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits.

As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story: 'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years.

A majority of Paunch's customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.'"

platypussrex (594064)

Re:I am confused. (Score:5, Informative)

It gets even better. In the linked article it explains that Paunch sells ads that appear in the control panels for all the renters, so not only does he get income from renting the system, he also gets the income from the ads that are popping up in your system after you rent it from him!

[Dec 06, 2013] Europol, Microsoft Target 2-Million Strong ZeroAccess Click Fraud Botnet

December 06, 2013 | Slashdot
Soulskill

tsu doh nimh writes

"Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.

KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture in which new instructions and payloads are distributed from one infected host to another.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft.

While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Europol has released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the ZeroAccess operators and shut down the botnet."

[Dec 06, 2013] FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

December 06, 2013

Soulskill

chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

[Nov 23, 2013] NSA hacked over 50,000 computer networks worldwide

Public sources show that TAO employs more than a thousand hackers. The task force has been active since at least 1998, according to Washington Post. That's the end of any trust in Windows as we know it. Sorry Microsoft...
RT News

The US National Security Agency hacked more than 50,000 computer networks worldwide installing malware designated for surveillance operations, Dutch newspaper NRC reports citing documents leaked by Edward Snowden.

The latest round of revelations comes from a document dating from 2012 that shows the extent of the NSA's worldwide surveillance network.

Published by Dutch newspaper NRC Handelsblad, it points out more than 50,000 locations, where the NSA used 'Computer Network Exploitation' (CNE) and implanted malicious software into the networks.

According to the NSA website CNE "includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks."

Once the computer has been infected, the 'implants' act as digital 'sleeper cells' that can be remotely turned on or off with a single push of a button, the Dutch paper reported. The malware can remain active for years without being detected, the newspaper added. The malicious operations reportedly were carried out in many countries including China, Russia, Venezuela and Brazil.

The hacking is conducted by the Tailored Access Operations (TAO), a special unit within the NSA tasked with gaining access to foreign computer systems.

According to the Dutch media, one of the examples of the CNE operation is the reported attack against Belgian telecom company Belgacom that was discovered in September 2013. The attack was previously reported to have been carried out by British intelligence agency GCHQ that worked in cooperation with its American counterpart.

GCHQ injected malware in the Belgacom network to tap their customers' telephone and data traffic. The agency implemented a technique known as Quantum Insert, placing Belgacom's servers in strategic spots where they could intercept and redirect target traffic to a fake LinkedIn professional social network's website.

Public sources show that TAO employs more than a thousand hackers. The task force has been active since at least 1998, according to Washington Post.

Documents acquired by the NRC newspaper also reveal that NSA spied on the Netherlands from 1946 to 1968. However the report does not indicate the specific intentions.

Dutch interior affairs minister Ronald Plasterk has recently confirmed that the NSA monitors mail and phone traffic in the Netherlands and exchanges data with Dutch security organization AIVD.

[Nov 12, 2013] Interview with Vyacheslav Medvedev, Dr. Web

This interview took place during celebration of Doctor Web, Ltd's twenty years of product development (and simultaneously 10 years since creation of the company -- Doctor Web, Ltd). For additional information about the anniversary see Doctor Web Anniversary Match and Facebook Community Page about Doctor Web.

The leading analyst of Doctor Web, Ltd Mr. Vyacheslav Medvedev kindly agreed to talk about current security problems with the editor of Softpanorama. Mr. Medvedev is a frequent speaker on various security conferences, where he often represents the company.

[Nov 12, 2013] IE Zero-Day Exploit Disappears On Reboot

November 11, 2013 | Slashdot

samzenpus nk497 writes:

"Criminals are taking advantage of unpatched holes in Internet Explorer to launch 'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot - provided it hasn't already taken over your PC - making it trickier to detect, though easier to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,' the company said. 'This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods.'"

[Nov 11, 2013] GCHQ spoofed LinkedIn site to target global mobile traffic exchange and OPEC

Injection of malware is possible due to privileged position of servers on Internet backbone...
November 11, 2013 | RT
The UK's electronic spying agency has been using spoof version of LinkedIn professional social network's website to target global roaming data exchange companies as well as top management employees in the OPEC oil cartel, according to Der Spiegel report.

The Government Communications Headquarters has implemented a technique known as Quantum Insert, placing its servers in strategic spots where they could intercept and redirect target traffic to a fake website faster than the legitimate service could respond.

A similar technique was used earlier this year to inject malware into the systems of BICS, a subsidiary of Belgian state-owned telecommunications company Belgacom, which is another major GRX provider.

In the Belgacom scandal first it was unclear where the attacks were coming from. Then documents from Snowden's collection revealed that the surveillance attack probably emanated from the British GCHQ – and that British intelligence had palmed off spyware on several Belgacom employees.

The Global Roaming Exchange (GRX) is a service which allows mobile data providers to exchange roaming traffic of their user with other providers. There are only a few dozen companies providing such services globally.

Now it turns out the GCHQ was also targeting networking, maintenance and security personnel of another two companies, Comfone and Mach, according to new leaks published in the German magazine by Laura Poitras, one of few journalists believed to have access to all documents stolen by Snowden from the NSA.

Through Quantum Insert method, GCHQ has managed to infiltrate the systems of targeted Mach employees and successfully procured detailed knowledge of the company's communications infrastructure, business, and personal information of several important figures.

A spokesman for 'Starhome Mach', a Mach-successor company, said it would launch "a comprehensive safety inspection with immediate effect."

The Organisation of Petroleum Exporting Countries was yet another target of the Quantum Insert attack, according to the report. According to a leaked document, it was in 2010 that GCHQ managed to infiltrate the computers of nine OPEC employees. The spying agency reportedly succeeded in penetrating the operating space of the OPEC Secretary-General and also managed to spy on the Saudi Arabian OPEC governor, the report suggests.

LinkedIn is currently the largest network for creating and maintaining business contacts. According to its own data the company has nearly 260 million registered users in more than 200 countries. When contacted by The Independent, a LinkedIn spokesman said that the company was "never told about this alleged activity" and it would "never approve of it, irrespective of what purpose it was used for."

According to cryptographer and security expert Bruce Schneier, Quantum Insert attacks are hard for anyone except the NSA to execute, because for that one would need "to have a privileged position on the Internet backbone."

The latest details of GCHQ's partnership with the NSA were revealed just last week, after the reports emerged that GCHQ was feeding the NSA with the internal information intercepted from Google and Yahoo's private networks.

The UK intelligence leaders have recently been questioned by British lawmakers about their agencies' close ties and cooperation with the NSA.

The head of GCHQ, Sir Ian Lobban, lashed out at the global media for the coverage of Edward Snowden's leaks, claiming it has made it "far harder" for years to come to search for "needles and fragments of needles" in "an enormous hay field" of the Internet.

However, the intelligence chiefs failed to address public fears that Britain's intelligence agencies are unaccountable and are operating outside the law.

[Oct 26, 2013] Cryptolocker (Win32/Crilock.A)

In a way it is a game changer. This is the only Trojan that went to Malware Defense History in 2013...

This is a game-changing Trojan, which belongs to the class of malware known as ransomware. It seriously changes views on malware, antivirus programs and backup routines. It is one of the few Trojans/viruses that managed to get onto the front pages of major newspapers like the Guardian.

Unlike most Trojans this one does not need Admin access to inflict the most damage. It also targets backups of your data on USB and mapped network drives. If you offload your backups to cloud storage without versioning and this backup has an extension present in the list of extensions used by this Trojan, it will destroy (aka encrypt) your "cloud" backups too.

It really encrypts the data in a way that excludes the possibility of decryption without paying the ransom, so it is very effective in extorting money for the decryption key. You may or may not get that key, as the servers that can transmit it from the Command and Control center might already be blocked; still, the chances are reasonably high: the server names to which the Trojan connects to get the public key change (daily?), and so far at least one server the Trojan "pings" is usually operational (so even on Oct 28 decryption was possible). At the same time the three-day timer is real, and if it expires the possibility of decrypting the files is gone. Essentially you have only two options:

Beware of snake-oil salesmen who try to sell you a "disinfection" solution. First of all, removing the Trojan is trivial, as it is launched by a standard CurrentVersion\Run registry entry. The problem is that such a solution does not and cannot include restoration of your files.

It was discovered in early September 2013 (around September 3, when the domains used to reach the C&C center were registered, with the first description on September 10; see Trojan:Win32/Crilock.A). Major AV programs did not detect it until September 17, which resulted in significant damage inflicted by the Trojan.

Here is the screen displayed when the Trojan finished encrypting the files (it operates silently before that, load on computer is considerable -- encryption is a heavy computational task):


[Oct 23, 2013] Fiendish CryptoLocker ransomware

The Register

CryptoLocker is similar in some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptoLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back," adds the firm. "But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Re: Already seen this

"You can't kill this virus in normal ways."

So, it manages to run despite having a software restriction policy in place preventing any vaguely executable code from running outside of program files or authorised network shares?

I've been receiving the Companies House emails regularly. I've had a few users run them with nothing more harmful than the standard SRP prohibited text, since Outlook opens attachments in a temp directory, which is not in Program Files, so it doesn't run and I'm safe despite the users.

Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will vanish overnight because the users can't run the bloody things if they try.

Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process Explorer instead of Task Manager and PSKILL to kill things instead of the "end task" button in Task Manager. If you want malware dead, don't allow it to gracefully close through a Task Manager request to close. That's just letting it run more instructions. Figure out where the file and all its dependencies are from Process Explorer and then either suspend or terminate it. Take a hash of the file to stick in a network-wide SRP GPO that denies it the ability to run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete it.

It encrypts .doc, .dwg etc

So what? In the corporate world those files should be held in some kind of version control and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not be the master, they should be the published version of a document under proper control (also, users don't need write access to *everything*). As for local files that are being worked on; well, those are backed up as well aren't they?

And why the HELL do people open an attachment without first scanning it? When coming in from outside, open it on a machine which has actual work files on it. Are they totally mentally deficient? Run Outlook in a separate VM. Problem solved.

If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame, look in the mirror.

Then call MS and ask them why their software is so shit.

I can see this being a serious worry for home users. Top-tip: stop opening random files.

Re: It encrypts .doc, .dwg etc

How naive can you get?! Obviously never worked for a large corporation then. The idea that they do things properly always is just naivety. Release documents will (should) be in a document management system, but there are always many documents which are not.

Reality check

And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?

Re: It encrypts .doc, .dwg etc

I really hope you're not an IT support guy. Users are .... users... they are not IT experts, the same way that IT experts are not brain surgeons. Yes, good practice is always good, but...

Cloud backup

If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?

It'd be recoverable if you had a cloud locker with version control, but still annoying.

Re: Cloud backup

DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week.

TkH11

It never ceases to amaze me how many people open and click on links in emails without knowing who they're from. Even my employer (who shall remain nameless) has become infected despite there being a fairly recent and high profile campaign targeting computer security and phishing emails. Some people are just dumb.

Mike Bell

To be fair, a bit of social engineering is involved here by making the file look like something that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs are normally harmless viewable documents. If they possess a little geekiness, they might know that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and they'd know that executables can be camouflaged like this.

I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need a life.


DrXym

I was talking to someone a week ago who got a popup in their browser warning they were downloading pirated software and to click to acknowledge this. The sad thing is that while they didn't click, they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which would just be malware of some kind.

I assume the criminals wouldn't bother with these scams if people didn't fall for them.

Wild Bill

From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't take place until the virus is able to phone home to one of its many servers, which have their domains automatically created using a Domain Generation Algorithm.

Is there not any software that can block all domains which are obviously gobbledygook and are therefore likely to have been automatically generated by a nasty? It appears DGAs are used by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).
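One way to approximate the "obviously gobbledygook" filter asked about in the last comment, as an added example that is not part of the original thread or of any product named in it. It scores the label left of the TLD on length, character entropy, vowel ratio and consonant runs, then reports clients that looked up several such names; the thresholds, the log format and every sample line are constructed assumptions, and the `.example` names are made up.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

def registered_label(domain):
    # Label just left of the TLD. Simplification: multi-part suffixes
    # such as co.uk are not handled.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(text):
    # Bits per character; random strings approach log2(alphabet size).
    total = len(text)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(text).values())

def longest_consonant_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def dga_indicators(domain):
    """Return the names of the heuristics this domain trips (thresholds are assumptions)."""
    label = registered_label(domain)
    letters = [c for c in label if c.isalpha()]
    hits = []
    if len(label) >= 12:
        hits.append("long")
    if shannon_entropy(label) >= 3.2:
        hits.append("high-entropy")
    if letters and sum(c in VOWELS for c in letters) / len(letters) <= 0.25:
        hits.append("few-vowels")
    if longest_consonant_run(label) >= 5:
        hits.append("consonant-run")
    return hits

def looks_generated(domain, min_hits=3):
    # Long legitimate names trip one or two heuristics, so require three.
    return len(dga_indicators(domain)) >= min_hits

def suspicious_clients(log_lines, min_names=3):
    """Map client IP -> sorted generated-looking names, for clients with
    at least min_names distinct ones (one odd lookup is not a pattern)."""
    per_client = defaultdict(set)
    for line in log_lines:
        _timestamp, client, qname = line.split()
        if looks_generated(qname):
            per_client[client].add(qname)
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= min_names}

# Constructed DNS query log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = [
    "2013-10-23T09:14:02 10.0.0.23 xkqjvbnwrtplmh.example",
    "2013-10-23T09:14:03 10.0.0.23 ovqmdhtyuexplw.example",
    "2013-10-23T09:14:05 10.0.0.23 hbqtrwzkdnfjgpy.example",
    "2013-10-23T09:14:09 10.0.0.23 google.com",
    "2013-10-23T09:15:11 10.0.0.7 bleepingcomputer.com",
    "2013-10-23T09:15:40 10.0.0.7 sysinternals.com",
    "2013-10-23T09:16:02 10.0.0.7 xkqjvbnwrtplmh.example",
]

if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, names)
```

A score like this is a triage signal for a resolver log rather than a blocklist: dictionary-based generators and short names pass it, and long legitimate names can come close to the threshold.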

[Oct 23, 2013] CryptoLocker Recap A new guide to the bleepingest virus of 2013

sysadmin

tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet.

WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off.

MalwareBytes Pro and Avast stop the virus from running.

Sysadmins in a domain should create this Software Restriction Policy which has very little downside (you need both rules).

The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup (including versioning-based cloud backups), or be SOL.

... ... ...

Vectors: In order of likelihood, the vectors of infection have been:

[Oct 23, 2013] Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know. sysadmin

Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.

For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here.

Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after either the GP timer hits or a reboot, gpupdate /force does not enforce it immediately. There is almost no collateral damage to the SRP. Dropbox and Chrome are not affected. Spotify may be affected, not sure. I don't use it.

Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.

Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.
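A way to check which launch paths the two SRP path rules would cover before rolling them out, as an added example that is not part of the original post or of the linked guide. The post names only `%AppData%\*\*.exe`; the companion rule `%AppData%\*.exe`, the reading that `*` and `?` do not cross a backslash, the user profile and every sample path are assumptions made for the illustration.

```python
import re

# Assumed rule pair; only the second rule appears in the post.
SRP_RULES = [r"%AppData%\*.exe", r"%AppData%\*\*.exe"]

# Constructed environment for a hypothetical user "alice".
ENV = {"AppData": r"C:\Users\alice\AppData\Roaming"}

def compile_srp_rule(rule, env):
    """Expand %VAR% and translate the rule's wildcards to a regex.

    Assumption: '*' and '?' match within one path component only, which is
    why a second rule is needed to reach one folder deeper.
    """
    lowered = {name.lower(): value for name, value in env.items()}
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: lowered[m.group(1).lower()], rule)
    parts = []
    for ch in expanded:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    # Windows paths are case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE)

def first_matching_rule(path, rules=SRP_RULES, env=ENV):
    """Return the first rule that would disallow this path, or None."""
    for rule in rules:
        if compile_srp_rule(rule, env).fullmatch(path):
            return rule
    return None

def coverage_report(paths, rules=SRP_RULES, env=ENV):
    return {path: first_matching_rule(path, rules, env) for path in paths}

# Constructed launch paths, e.g. taken from process-creation logs.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\invoice.exe",              # directly in %AppData%
    r"C:\Users\alice\AppData\Roaming\Spotify\spotify.exe",      # one folder down
    r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",  # two folders down
    r"C:\Users\alice\AppData\Local\Temp\invoice.exe",           # outside %AppData%
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for path, rule in coverage_report(SAMPLE_PATHS).items():
        print(f"{'BLOCKED by ' + rule if rule else 'not covered':40} {path}")
```

Under these assumptions the report matches the post's remarks about collateral damage: an executable one folder below %AppData% is caught by the second rule, while one two folders down, or under a different profile directory, needs its own rule.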

[Oct 23, 2013] Vulnerabilities in some Netgear routers open door to remote attacks by Lucian Constantin

"Do not turn on remote administration ever, for any device," Cutlip said. "That's the number one attack surface, and it's the one we usually find bugs in."
Oct 23, 2013 | IDG News Service

Vulnerabilities in the management interfaces of some wireless router and network-attached storage products from Netgear expose the devices to remote attacks that could result in their complete compromise, researchers warn.

The latest hardware revision of Netgear's N600 Wireless Dual-Band Gigabit Router, known as WNDR3700v4 and shown above, has several vulnerabilities that allow attackers to bypass authentication on the router's Web-based interface, according to Zachary Cutlip, a researcher with security consultancy firm Tactical Network Solutions.

"If you browse to http:///BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface," Cutlip said Tuesday in a blog post. "But not only that, authentication remains disabled across reboots. And, of course, if remote administration is turned on, this works from the frickin' Internet."

That opens the door to many attack possibilities. For example, an attacker could configure the router to use a malicious DNS (Domain Name System) server, which would allow the attacker to redirect users to malicious websites or set up port forwarding rules to expose internal network services to the Internet.

"Additionally, any command injection or buffer overflow vulnerabilities in the router's web interface become fair game once authentication is disabled," Cutlip said.

In fact, the researcher already found a vulnerability which, when exploited together with the authentication bypass one, allows an attacker to obtain a root prompt on the router.

"Once the attacker has root on the router, they can easily sniff and manipulate all the users' Internet-bound traffic," Cutlip said Thursday.

The BRS_02_genieHelp.html vulnerability is actually a combination of two separate issues. One is that any interface pages whose names start with "BRS_" can be accessed without authentication.

This is a vulnerability in itself and can lead to sensitive information disclosure. For example, a page called "BRS_success.html" lists the access passwords for the 2.4GHz and 5GHz Wi-Fi networks configured on the router.

The second issue is that when accessed, the BRS_02_genieHelp.html page switches a router configuration setting called "hijack_process" to 1. This disables authentication for the entire web interface. The value for the "hijack_process" setting when the router is configured properly is 3.

The same vulnerability was found by researchers from Independent Security Evaluators (ISE) in April in the firmware of the Netgear CENTRIA (WNDR4700) router model. However, the vulnerable URL ISE identified at the time was http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html.

Other routers may be affected

Netgear patched the vulnerability in the WNDR4700 1.0.0.52 firmware version that was released in July. However, it seems the company failed to check if other router models are also vulnerable.

The latest firmware version for WNDR3700v4 is 1.0.1.42; Cutlip performed his tests on the older 1.0.1.32 version. However, static code analysis of the 1.0.1.42 firmware indicates that it is also vulnerable, the researcher said Thursday.

The older WNDR3700v3 hardware revision does not appear to be affected, Cutlip said, adding that he hasn't analyzed the firmware for the much older v1 and v2 revisions yet.

The researcher also discovered a separate authentication bypass vulnerability in the WNDR3700v4 firmware that's not related to the BRS_* issue. "Appending the string 'unauth.cgi' to HTTP requests will bypass authentication for many, if not most, pages," he said.

Cutlip didn't test if WNDR4700 is also vulnerable to this second flaw.

Netgear did not immediately respond to a request for comment.

A search for WNDR3700v4 routers that have their web interface exposed to the Internet returned over 600 devices on the SHODAN search engine.

"Do not turn on remote administration ever, for any device," Cutlip said. "That's the number one attack surface, and it's the one we usually find bugs in."

To avoid local attacks, administrators should secure their wireless networks with strong WPA2 passphrases and make sure strangers are not allowed on their local networks, the researcher said.
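The two request patterns the article describes (pages whose names start with "BRS_", and requests with 'unauth.cgi' appended) can be searched for in HTTP logs. The following is an added example, not code from the article or from the researchers: it assumes a proxy or network sensor that records requests to the router's web interface in Common Log Format, and the sample lines, addresses and the page name example_page.htm are constructed.

```python
"""Flag HTTP requests matching the Netgear management-interface patterns above."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# RFC 1918 ranges treated as "LAN"; anything else is counted as remote (WAN).
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two pages the article names as switching authentication off.
AUTH_DISABLING_PAGES = {
    "brs_02_geniehelp.html",
    "brs_03b_havebackupfile_filerestore.html",
}

# Common Log Format, assumed here for the sensor or proxy that records requests.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample data: addresses, times and non-BRS page names are made up.
SAMPLE_LOG = """\
192.168.1.23 - - [24/Oct/2013:09:14:02 +0000] "GET /index.htm HTTP/1.1" 401 512
192.168.1.23 - - [24/Oct/2013:09:14:05 +0000] "GET /index.htm HTTP/1.1" 200 5120
198.51.100.7 - - [24/Oct/2013:09:20:41 +0000] "GET /BRS_02_genieHelp.html HTTP/1.1" 200 2048
198.51.100.7 - - [24/Oct/2013:09:20:44 +0000] "GET /BRS_success.html HTTP/1.1" 200 1024
192.168.1.50 - - [24/Oct/2013:10:02:13 +0000] "GET /example_page.htm?unauth.cgi HTTP/1.1" 200 3000
192.168.1.23 - - [24/Oct/2013:10:05:00 +0000] "GET /docs/about_BRS.html HTTP/1.1" 404 0
"""


def classify(target):
    """Return the names of the rules a request target matches."""
    decoded = unquote(target)            # normalise percent-encoding first
    page = urlsplit(decoded).path.rsplit("/", 1)[-1].lower()
    rules = []
    if page.startswith("brs_"):          # prefix of the page name, not a substring
        rules.append("brs-page")
        if page in AUTH_DISABLING_PAGES:
            rules.append("auth-disable-page")
    if "unauth.cgi" in decoded.lower():  # string appended anywhere in the request
        rules.append("unauth-cgi-suffix")
    return rules


def origin_of(src):
    """Classify the client address as 'lan', 'wan' or 'unknown'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:                   # hostname or malformed field
        return "unknown"
    return "lan" if any(addr in net for net in LAN_NETS) else "wan"


def scan(log_text):
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rules = classify(m["target"])
        if rules:
            findings.append({
                "src": m["src"],
                "origin": origin_of(m["src"]),
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "rules": rules,
            })
    return findings


def auth_disable_suspected(findings):
    """True if a page that flips hijack_process was actually served (HTTP 200).

    The article notes the setting persists across reboots, so one such hit
    means the device needs its configuration checked, not just the log entry.
    """
    return any("auth-disable-page" in f["rules"] and f["status"] == 200
               for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["origin"], f["src"], f["target"], f["status"], f["rules"])
    print("authentication possibly disabled:", auth_disable_suspected(results))
```

Any finding with origin "wan" also means the management interface is reachable from outside the local network, which is the exposure the article warns against.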

[Oct 17, 2013] Dr. Web Anniversary Match

Dr. Web, one of the key players in the Russian and European AV software markets, celebrated 20 years of product development (Igor Danilov started distributing his malware scanner via Dialog Nauka in 1992) and 10 years since the company was created.

The match was the central point of the celebration, which took place in the Yalta Inturist hotel. The Dr. Web St. Petersburg team played against the Dr. Web Moscow team. The Muscovites won...

There were also huge fireworks in the evening, which Yalta residents probably took for the celebration of some new Ukrainian holiday ;-)

Disclaimer: I was invited as a guest...

[Aug 13, 2013] Malware taps mobile ad network to siphon money By Antone Gonsalves

Congratulations: in addition to all our troubles, advertisement networks can now be used as a hidden channel for installing spyware. In other words, adware provides a channel for installing malware.
August 13, 2013 | Network World
Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money from their victims.

The new method represents another step in the evolution of mobile malware, which is booming with more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading code.

"It's a very, very clean infection vector," said Wade Williamson, a senior security analyst at Palo Alto Networks who discovered the new trickery.

In legitimate partnerships between ad distributors and developers, the latter embeds the former's software development kit (SDK) into the app, so it can download and track ads in order to split revenue.

Unfortunately, how well developers vet the ad networks they side with varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network are high.

Williamson found one such network's SDK embedded in legitimate apps provided through online Android stores across Asian countries, such as Malaysia, Taiwan and China. Once installed, the SDK pulls down an Android application package file (APK) and runs it in memory where the user cannot easily discover it.

The APK typically waits until another app is being installed before triggering a popup window that seeks permission to access Android's SMS service.

"It doesn't have to go through the whole process of doing a full install," Williamson said. "It just sits there and waits on the smartphone to install something else and then piggybacks in."

Once installed, the APK takes control of the phone's messaging service to send text to premium rate numbers and to download instructions from a command and control server. The majority of Android malware today, 77 percent, wring money from victims through paid messaging services, said Juniper Networks' latest mobile threat report.

Williamson has seen more than a half dozen samples of the latest malware, which he believes is coming from one criminal group, while acknowledging multiple groups is possible.

Android users in Asia and Russia are more susceptible to Android malware, because many apps are downloaded from independent online stores. In the U.S., most Android users take apps from the Google Play store, which scans for malware and malicious ad networks.

Because of the effectiveness of the latest malware, Williamson expects criminals in the future to use the same scheme to download more insidious malware capable of stealing credentials to online banking and retail sites where credit card numbers are stored.

The same pathway could also be used to steal credentials for entering corporate networks.

"As soon as you have a vector like this, the difference between creating malware that sends spoof SMS messages versus looks for the network and tries to break in is just malware functionality," Williamson said.


[Jul 27, 2013] Man gets ransomware porn pop-up, goes to cops, gets arrested on child porn charges by Cyrus Farivar

July 26 2013 | Ars Technica

21-year-old walked into police station with computer in hand, cops searched it.

A man from just outside of Washington, DC turned himself in to local police, with his computer in tow, after receiving a pop-up message from what he believed was an "FBI Warning" telling him to click to pay a fine online, or face an investigation.

While specific details on the case are scant as of yet, it appears that the suspect here fell victim to a type of ransomware that has been proliferating for years now, raking in millions for the scammers behind it.

Police said Jay Matthew Riley, 21, of Woodbridge, Virginia, walked into Prince William's Garfield District Station on July 1, 2013 to "inquire if he had any warrants on file for child pornography."

According to the local police department's press release, posted on its own Facebook page on Thursday, July 25, 2013:

The accused voluntarily brought his computer to the station and, following a search, several inappropriate messages and photos of underage girls were recovered. Detectives were able to identify one of the girls as a 13 year old from Minnesota. A search warrant was obtained and executed at the home of the accused. As a result, computers and other electronic devices were seized.

Following the investigation, the accused was subsequently arrested on July 23rd. The FBI message that the accused had originally received was determined to be a virus and not a legitimate message. The investigation continues.

The Prince William County police also noted that Riley is now being held without bond. He was charged with "3 counts of possession of child pornography, 1 count of using a communication device to solicit certain offenses involving children, and 1 count of indecent liberties with a minor."

[Jul 26, 2013] There's No Hiding

The danger of rogue software updates in Windows is very real. A typical Windows installation contains at least a dozen updaters: Microsoft update, Adobe update, Mozilla updaters. Almost all applications implement updates independently, and each update channel is essentially a covert channel that can deliver malware to your PC.
Zero Hedge

... Are we sure that what we download from Apple or any other such phone producer is a bona fide update, these days? Are phone companies providing access today via downloads to our cell phones and mobile devices?

... ... ...

Anyhow, I have probably unknowingly typed one of the 70,000 keywords that launches Prism onto my back and gets me monitored today in this article. Wonder who can get the list of them?

[Jun 14, 2013] U.S. Agencies Said to Swap Data With Thousands of Firms

Corporatism is on the march...
Bloomberg

Microsoft Bugs

Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

In an e-mailed statement, Shaw said there are "several programs" through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge's order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said.

... ... ...

Committing Officer

If necessary, a company executive, known as a "committing officer," is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.

Intel Corp. (INTC)'s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee's chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.

McAfee's Data

McAfee (MFE)'s data and analysis doesn't include information on individuals, said Michael Fey, the company's worldwide chief technology officer.

"We do not share any type of personal information with our government agency partners," Fey said in an e-mailed statement. "McAfee's function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity."

In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.

... ... ...

The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.

... ... ...

Metadata

That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.

"It's highly offensive information," said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia's largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.

According to Snowden's information, Blarney's purpose is "to gain access and exploit foreign intelligence," the Post said.

It's unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge's order.

... ... ...

Einstein 3

U.S. telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems' architecture or equipment schematics so the agencies can analyze potential vulnerabilities.

"It's natural behavior for governments to want to know about the country's critical infrastructure," said Chisholm, chief security officer at Irvine, California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.

Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn't authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn't be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn't meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

[Jun 06, 2013] Banking Malware, Under the Hood

Slashdot

"What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"
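The fixed 20-minute phone-home interval mentioned in the summary is a regularity a defender can test for in connection logs. The following is an added example, not code from the article or from LMG Security: it groups outbound connections by destination and flags those whose gaps are nearly constant. The event list, host names and thresholds are constructed assumptions.

```python
"""Find destinations contacted at near-constant intervals (beacon-like traffic)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, destination) pairs as a proxy or DNS log
# might yield them. All names and times are made up for illustration.
T0 = 1370505600
_BEACON = [0, 1201, 2399, 3600, 4802, 6000, 7199, 8400]   # ~every 1200 s
_MAIL = [30, 95, 700, 2500, 2620, 5100, 8000]             # irregular, human-driven
_NEWS = [400, 4100, 4160]                                 # too few events to judge
SAMPLE_EVENTS = (
    [(T0 + s, "beacon.example.test") for s in _BEACON]
    + [(T0 + s, "mail.example.test") for s in _MAIL]
    + [(T0 + s, "news.example.test") for s in _NEWS]
)


def find_beacons(events, min_events=6, max_jitter_ratio=0.05):
    """Return destinations whose inter-connection gaps are nearly constant.

    events           -- iterable of (timestamp_seconds, destination)
    min_events       -- ignore destinations seen fewer times than this
    max_jitter_ratio -- highest allowed stdev/mean of the gaps (0.05 = 5 %)
    """
    by_dest = defaultdict(list)
    for ts, dest in events:
        by_dest[dest].append(ts)

    hits = []
    for dest, times in by_dest.items():
        if len(times) < min_events:
            continue
        times.sort()                       # logs are not always in order
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                       # duplicate timestamps only
            continue
        jitter = pstdev(gaps) / avg        # coefficient of variation
        if jitter <= max_jitter_ratio:
            hits.append({
                "dest": dest,
                "count": len(times),
                "interval_s": round(avg),
                "jitter_ratio": round(jitter, 4),
            })
    # Most regular first: the steadier the timer, the less likely a human.
    return sorted(hits, key=lambda h: h["jitter_ratio"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print("{dest}: {count} connections, every ~{interval_s} s "
              "(jitter ratio {jitter_ratio})".format(**hit))
```

Legitimate software that polls on a timer (update checks, time sync) matches as well, so the output is a list to triage against known destinations, not a verdict.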

3.5 stripes

Well, you were dumb enough (Score:1, Insightful)

to click on the attachment in the first place, you've already set the bar for your intelligence

minstrelmike

Re:Well, you were dumb enough (Score:5, Insightful)

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.

Synerg1y

Re: Well, you were dumb enough (Score:4, Insightful)

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).

Kenja

Re:Nice try? (Score:4, Informative)

BofA actually has VERY good online security.

If set up right, you should be shown a picture you choose to confirm that you are on the legit site. Then in addition to your password, you can set up a system where a six digit numeric token is sent to your cell phone which is also needed to authenticate.


Anonymous Coward

It's Quite A Bit More Than That (Score:1)


So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.

stewsters

Re:Most of the exploits.. (Score:5, Informative)

Don't use IE6. Don't use IE7. Don't use IE8. It's 2013. Use Chrome, Firefox, or IE 10+

Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date. Don't install toolbars or weather apps from unknown sources.

CAOgdin

I Fixed One Of These Recently (Score:5, Interesting)

This malware (which puts up the appearance of a credit/debit card and asks for all your information) calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for its hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a dead end (you could, for example, use 127.7.7.7).

When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.

[May 25, 2013] Scanner Identifies Malware Strains, Could Be Future of AV

May 25, 2013

An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but the polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem. Security researcher Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even after moderate changes to its code. He created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens. It scores the similarity between malware (any kind of software, really), and it charts the results and visualizes program relationships as an evolutionary tree."

[Apr 19, 2013] Gozi banking Trojan

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.

... ... ...

Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, is part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is hard to detect and remove and can even survive operating system reinstallation procedures.

... ... ...

The new Gozi MBR rootkit component waits for Internet Explorer to be launched and then injects malicious code into the process. This allows the malware to intercept traffic and perform Web injections inside the browser like most financial Trojan programs do, Maor said.

[Mar 22, 2013] Decade-old espionage malware found targeting government computers

Mar 20 2013 | Ars Technica

"TeamSpy" used digitally signed TeamViewer remote access tool to spy on victims.

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab.

Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns," CrySyS researchers wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half of 2012."

They added: "The attackers surely aim for important targets. This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high-profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc."

The attackers relied on a variety of methods, including the use of a digitally signed version of TeamViewer that has been modified through a technique known as "DLL hijacking" to spy on targets in real-time. Installation of the compromised program also provides attackers with a backdoor to install updates and additional malware. Both the TeamViewer technique and command servers used in the attack harken back to Sheldon. The TeamSpy operation also relies on more traditional malware tools that were custom-built for the purpose of espionage or bank fraud.

According to Kaspersky, the operators infected their victims through a series of "watering hole" attacks that plant malware on websites frequented by the intended victims. When the targets visit the booby-trapped sites, they also become infected. The attackers also injected malware into advertising networks to blanket entire regions. In many cases, much of that attack code used to infect victims was spawned from the Eleonore exploit kit. Domains used to host command and control servers that communicated with infected machines included politnews.org, bannetwork.org, planetanews.org, bulbanews.org, and r2bnetwork.org.

The discovery of TeamSpy is only the latest to reveal an international operation that uses malware to siphon sensitive data from high-profile targets. The most well-known campaign was dubbed Flame. Other surveillance campaigns include Gauss and Duqu, all three of which are believed to have been supported by a well-resourced nation-state. Last year, researchers also uncovered an espionage campaign dubbed Mahdi.

[Feb 28, 2013] Computer Virus Computer virus that activates webcam spreads, finds East Tennessee victims by Jennifer Meckles

Oct 5, 2012 | www.wbir.com
Authorities are tracking a new computer virus that uses a fake "FBI" message in an attempt to extort money from its victims.

Called "Reveton Ransomware," officials say the virus is installed on a computer when a user visits a compromised website. The computer then locks, while displaying a warning that the FBI or Department of Justice has identified the computer as being involved in criminal activity. The fake message instructs users to pay a fine using a prepaid money card service, which will unlock the computer.

The computer's webcam is also activated, showing the user a live picture of themselves.

"We started seeing versions of this virus last year, but of course, like all scams, it morphs over time," said FBI Supervisory Special Agent Marshal Stone, of the Knoxville Division.

Stone says FBI officials do not conduct business in that fashion, and would never demand payment to unlock a computer.

The virus has already found victims in East Tennessee. Sean Woods of "Computer Solutions" in Seymour says he has worked three cases within the past week.

"In this case, a person will lose everything that they've ever had. If it's not backed up, it's gone," he said.

Officials have not confirmed which websites lead to the virus, but Woods says he is connecting some trends. He believes users are picking up the virus through shared files, illegal downloads, or websites commonly linked to bugs.

"You don't know who's going on your computer and what they're doing," he said, cautioning users to be careful who they share a computer with. "They download content such as music… they're out there for you to go view, this is where you're getting hit."

Woods says users should also keep their virus protection software up to date.

The FBI encourages any victims of the virus to file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

[Feb 16, 2013] The Antivirus Industry's Dirty Little Secret

Feb. 14, 2013 | Businessweek

-- Bloomberg Businessweek's Jordan Robertson discusses why the antivirus industry has so many customers in the face of its ineffectiveness. He speaks on Bloomberg Television's "Market Makers." (Source: Bloomberg)

[Feb 13, 2013] Welcome to the Malware-Industrial Complex By Tom Simonite

February 13, 2013 | MIT Technology Review

The U.S. government is developing new computer weapons and driving a black market in "zero-day" bugs. The result could be a more dangerous Web for everyone.

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven't been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a "zero-day" vulnerability, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran's nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet's many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it's involved even more complex techniques (see "The Antivirus Era Is Over"). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects' computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. "As long as Apple or Microsoft has not fixed it you get paid," says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok-based security researcher who goes by the name The Grugq tweets about acting as a middleman and has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In an argument on Twitter last month, he denied that his business is equivalent to arms dealing, as critics within and outside the computer security community have charged. "An exploit is a component of a toolchain," he tweeted. "The team that produces & maintains the toolchain is the weapon."

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it

"provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions."

Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google's Chrome browser, but they turned down Google's offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. "Part of our defense has to consider offensive measures," he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing "Cyberspace Warfare Attack capabilities" that could "destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage." And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. "In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs," she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country's vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a "digital Pearl Harbor" could result (see "U.S. Power Grids, Water Plants a Hacking Target").

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. "It's a growing area of the defense business at the same time that the rest of the defense business is shrinking," says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. "They've identified two growth areas: drones and cyber."

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to "plan, execute and assess an Offensive Cyberspace Operation (OCO) mission," and many current positions at Northrop ask for "hands-on experience of offensive cyber operations." Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: "Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies."

The new focus of America's military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

"Every country makes weapons: unfortunately, cyberspace is like that too," says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. "I think maybe the civilian courts ought to get together and bar these kinds of attacks," he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there's a strong chance that a copy will remain somewhere on the victim's system -- by accident or design -- or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see "Stuxnet Tricks Copied by Criminals").

"The parallel is dropping the atomic bomb but also leaflets with the design of it," says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: "There's a lot of people playing this game."

[Jan 05, 2013] Foreign Policy Group Gets Hacker Happy New Year Discovery News

See also Sirefef and Win32/Tracur.AV. Using IE 8 became really dangerous those days.
Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group, known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -- waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer.

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The javascript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on and off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.

[Jan 03, 2013] Antivirus Makers Work on Software to Catch Malware More Effectively

"The traditional signature-based method of detecting malware is not keeping up." : it was known for 20 years or so. Nothing changed.
NYTimes.com
Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.

"The bad guys are always trying to be a step ahead," said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems. "And it doesn't take a lot to be a step ahead."

Computer viruses used to be the domain of digital mischief makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.

In 2000, there were fewer than a million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests antivirus products.

The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company's trade secrets, erasing data or emptying a consumer's bank account.

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva's chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates - Avast and Emsisoft - are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year - nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.

"Existing methodologies we've been protecting ourselves with have lost their efficacy," said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. "This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept."

Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its "signature" - unique signs in its code - before they can write a program that removes it.

That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years.

Mikko H. Hypponen, chief researcher at F-Secure, called Flame "a spectacular failure" for the antivirus industry. "We really should have been able to do better," he wrote in an essay for Wired.com after Flame's discovery. "But we didn't. We were out of our league in our own game."

Symantec and McAfee, which built their businesses on antivirus products, have begun to acknowledge their limitations and to try new approaches. The word "antivirus" does not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.

"Nobody is saying antivirus is enough," said Kevin Haley, Symantec's director of security response. Mr. Haley said Symantec's antivirus products included a handful of new technologies, like behavior-based blocking, which looks at some 30 characteristics of a file, including when it was created and where else it has been installed, before allowing it to run. "In over two-thirds of cases, malware is detected by one of these other technologies," he said.

'Neverquest' trojan threatens online banking users

Computerworld
IDG News Service

A new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.

The malware was first advertised on a private cybercrime forum in July, according to malware researchers from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.

"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could increase considerably over a short period of time."

Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).

However, this Trojan program also has some features that make it stand out.

Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.

This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.

Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.

"Of all of the sites targeted by this particular program, fidelity.com -- owned by Fidelity Investments -- appears to be the top target," Golovanov said. "This company is one of the largest mutual investment fund firms in the world. Its website offers clients a long list of ways to manage their finances online. This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims."

The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread malware on the Internet in 2010.

Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.

The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. "These emails are typically designed to look like official notifications from a variety of services," Golovanov said.

In addition, Neverquest steals account log-in information for a large number of social networking websites and chat services accessed from infected computers. Those accounts could be used to spread links to infected websites with the intention to further spread Neverquest, even though Kaspersky Lab hasn't seen this method being used yet.

"As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent," Golovanov said. "We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft."

Cryptolocker Hijack program - Page 5 - General Security

It's a game-changing virus. Seriously changes views on malware and on backup routines.

Education is really the only way to prevent this unfortunately. Without education people will continue to open email attachments they shouldn't, use weak passwords, and provide little or no network security.

These types of encrypting malware are the new breed of moneymakers for malware developers, especially as they can be created by individuals, or small groups, rather than larger organizations. In the past it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that method was pretty much eliminated. Ransomware, such as this Cryptolock, ACCDFISA, and DirtyDecrypt, are the future as the ransom payments are typically anonymous, are essentially cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now BitCoins.

As always, I suggest no one pay them if they can avoid it as it just encourages them to continue. On the other hand, I know that not everyone has a backup of their data for whatever reason and that it is necessary to get this data back by any means.

====

Hi,

We have been able to remove this by creating a Kaspersky Rescue Disk: http://support.kaspersky.com/viruses/rescuedisk#downloads

Once booted into this you can use the File Manager and registry editor to remove the startup entry for this. First browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and locate the random file (this will also show you where on the system this is loading from). Remove this reg entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Once the reg entry is deleted, then use the File Manager function to browse to where this file is located and delete this file.

Shut down the rescue disk and boot as normal. The system should then boot without the CryptoLocker screen appearing. You should then run a scan with your current AV software, or download Malwarebytes: http://www.malwarebytes.org/ and run a scan with this. It may be best to run this scan with the computer in safe mode.
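
The Run-key check described in the post above, as an added example that is not part of the original post: a Python script that reads a saved `reg query` listing of the two Run keys (printed with full hive names rather than HKCU/HKLM) and ranks entries whose executable name looks randomly generated, together with where each one loads from. The sample listing, the name heuristic and the list of user-writable path markers are assumptions made for this example.

```python
"""Triage of an exported Run-key listing (added example, not from the original post)."""
import ntpath
import re
from typing import NamedTuple

# Constructed sample in the layout printed by `reg query <key>`; every entry is invented.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Skype    REG_SZ    "C:\Program Files\Skype\Phone\Skype.exe" /minimized
    Xkqzvbtrwpl    REG_SZ    C:\Users\alice\AppData\Roaming\Xkqzvbtrwpl.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    Updater    REG_EXPAND_SZ    %TEMP%\a3f9c1e07b2d.exe /s
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|pif|vbs|js|dll))(?=[\s,]|$)", re.I)
# Assumption: locations a normal user can write to. Legitimate software also starts
# from these, so location is only a secondary signal next to the file name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")


class Finding(NamedTuple):
    key: str
    name: str
    path: str
    random_name: bool
    user_writable: bool


def command_target(data):
    """Return the program path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    match = EXE_RE.match(data)
    if match:
        return match.group(1)
    return data.split()[0] if data else ""


def looks_random(stem):
    """Heuristic (assumption): hex-like names, long consonant runs, or almost no vowels."""
    s = stem.lower()
    if len(s) < 6:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", s) and any(c.isdigit() for c in s):
        return True
    longest_run = max((len(r) for r in re.findall(r"[bcdfghjklmnpqrstvwxz]+", s)), default=0)
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    return longest_run >= 5 or vowel_ratio < 0.15


def triage(listing):
    """Parse the listing and return every Run entry, most suspicious first."""
    findings, key = [], None
    for line in listing.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if not match or key is None:
            continue
        path = command_target(match["data"])
        stem = ntpath.splitext(ntpath.basename(path))[0]
        low = path.lower()
        findings.append(Finding(key, match["name"], path, looks_random(stem),
                                any(marker in low for marker in USER_WRITABLE)))
    return sorted(findings, key=lambda f: (f.random_name, f.user_writable), reverse=True)


def suspects(listing):
    """Entries whose file name looks random: candidates for manual review."""
    return [f for f in triage(listing) if f.random_name]


if __name__ == "__main__":
    for f in suspects(SAMPLE):
        print(f"{f.key}\n  value: {f.name}\n  loads: {f.path}\n  user-writable: {f.user_writable}")
```

A flagged entry is a candidate for manual review, not a verdict: confirm the file on disk before deleting the value or the file.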

Decade-Old Espionage Malware Found Targeting Government Computers

Slashdot

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe. TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as 'secret' from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed 'Hungarian high-profile governmental victim.'

erroneus

Suspicious based on what criteria?

  1. We aren't allowed to use open source and so we have to "trust" every 'signed binary' which executives and leaders want to use. If we could use open source, we could at least read the source and even compile it to ensure the source we read was the binary which was compiled.
  2. When the malware doesn't do "harm" to anything, the symptoms of malware are non-existent. No pop-up ads, no unusual crashing (see note about being unable to use open source... the 'other' operating system crashes often enough for inexplicable reasons that no one suspects malware as the cause any longer) and when a commonly used utility program which performs remote access is used, how can it be detected as malware?

Arguably, that it was proprietary and commercial software which was exploited is pretty disturbing. But at the same time, that software makers (and other device and product makers, and service providers too) frequently enter into deals with government to spy on people is unfortunately very common. That the "white-hat" (heh, I accidentally typed "white-hate"... apropos?) nation called the USA has compromised global communications with Echelon and more recently with the much celebrated NSA wiretapping, does not help matters.

I think no one appreciates the value of trust. Once it's lost, it's lost. What amount of trust in government... any government... may have existed, it is gone for most of us.

The unenlightened? Well... they still watch MSM (mainstream media, I have come to know these initials). What hope have they against that?

Anonymous Coward

Re:A strong push for open source in government (Score:1)

I suspect that as more malware and backdoors are discovered in systems used by government, the penny will begin to drop more frequently. Closed source is incompatible with security, by definition, since you cannot validly trust what you cannot see

Bullshit. Open or closed source has no direct bearing on the ability of an attacker to infect a binary. Open source provides more eyes on a given bug or problem, but once compiled and running it's the exact same problem.

The article mentions use of a modified signed binary. So tell me how open source is going to remedy that? Unless you're recompiling from scratch (your entire tool chain, plus dependencies) on each launch, you're just as fucked as the next guy. Are you going to checksum the binary in memory each time a method is called? Are you going to encrypt/decrypt on each call? What's to stop an attacker from modifying your checksum code in the same manner as CD checks on games are trivially broken?

The only thing open source is really going to do for you is ensure that if you compile from source, the attack didn't originate from that source. So what?

Anonymous Coward

The fact it's open source IS (or can be) the pathway. If it's a small piece of software that does a specific function that's not of use to many people, your million eyeballs shrink rapidly. And what you're left with (IMO) is a handful of eyeballs thinking "I don't have the time/skills for this, it's open source, I'm sure someone will have looked over it" while no one actually does.

Or someone auditing the code but not the stuff around it, or maybe the code as distributed is clean and will compile into a clean and functioning binary, but the scripts around it actually add some malicious steps if certain criteria are met.

Open source isn't a magic bullet.

Google under fire for sending users' information to developers by Thom Holwerda

02/15/13
"Sebastian Holst makes yoga mobile apps with his wife, a yoga instructor. The Mobile Yogi is sold in all the major mobile app stores. But when someone buys his app in the Google Play store, Holst automatically gets something he says he didn't ask for: the buyer's full name, location and email address.

He says consumers are not aware that Google Inc. is sharing their personal information with third parties. No other app store transmits users' personal information to third-party developers when they buy apps, he said." Oh Google.

UltraZelda64

Hopefully this applies only when "buying" an app.

If so, then I should be safe. This kind of privacy violation is just... wrong. Google seems to think that their customers automatically trust third parties or something... if anything, this demonstrates that Google themselves should not be trusted.

darknexus

RE[2]: Obviously a bug by darknexus

"If it had been a certain fruit company everyone would be rioting.

Man, it's so hard to be persecuted, eh? "

Much as I hate to be defending Apple this time, the OP is absolutely correct. There's definitely a double standard in place for Apple in the tech media, particularly though not exclusively when compared to Google.

If Apple had been the one doing this, everyone would have been up in arms, torches lit, ready to burn down Apple HQ and any other buildings around them just to make sure the deed was done.

When Google does it, not only do we get some people giving them the benefit of the doubt but we even have some that claim Google are in the right to do this. If that's not a double standard, I don't know what is. For myself, I say no app store should give

[Jan 11, 2013 ] Adobe Flash Virus - McAfee Security Scan Plus Scam

Adobe Engaging in a Detestable Practice
Adobe has begun a new campaign of evil. They are installing unrequested software without the user's permission. Although the software may seem fairly benign and even helpful, it isn't. It is actually fairly harmful to the computing experience.

... .... ...

Please close Firefox to continue installation... flash player installed...McAfee Security Scan Plus installed....WHAT? I never gave permission to install McAfee. I watched very carefully to make sure I unchecked any boxes that asked me for permission to install additional software. Well, maybe I missed it. Besides, it sounded fairly benign. I decided to let it go.

Problems with McAfee - May Adobe Die

I began noticing some new problems with my computer. This was very strange as I hadn't tried any new programs yet. The only security that I use for my computer is WinPatrol and the only new program it showed running in the background was McAfee. Programs and sound files would freeze for about a tenth of second and I worried about a hardware problem caused by working on my computer. Even YouTube videos would stutter. I even opened up my computer again and made sure everything was seated tight and no cables bumping against the wrong thing. I couldn't find any physical problems though.

Luckily, I got around to uninstalling McAfee. It is easy to remove, just click on start, all programs tab, then McAfee tab. There will be an option to uninstall McAfee and it runs without any problems.

After removing McAfee, the next time I booted up my computer it ran perfect again. This got me curious. I went online and discovered that I am not the first to have problems with Adobe and their unwanted software. Other IT users noticed that McAfee was installed without any check boxes or warnings. It might be in the EULA, but who reads that. The EULA may protect them legally, but in my book it doesn't mean that what they are doing is moral. It only means that Adobe knows how to legally scam people while protecting itself.

I heard that McAfee has caused some serious problems on other people's computers too. Recently, it would cause computers to constantly reboot after installation. How many people would know how to fix that problem?

Why would Adobe do such a thing? Well, it turns out that the McAfee installation isn't a full working version. It may detect viruses, but you will have to pay money to upgrade to a full version that removes them. Basically, Adobe and McAfee are trying to bleed people for money.

I suspect in the long run, this will work against Adobe

... ... ... ...

[Jan 11, 2013 ] McAfee VirusScan - Wikipedia, the free encyclopedia

Customer support criticisms

Reviewers have described customer support for McAfee products as lacking, with support staff slow to respond and unable to answer many questions.[9]

2010 reboot problem

On April 21, 2010, beginning approximately at 2 PM GMT, an erroneous virus definition file update from McAfee affected millions of computers worldwide running Windows XP Service Pack 3. The update resulted in the removal of a Windows system file (svchost.exe) on those machines, causing machines to lose network access and, in some cases, to enter a reboot loop. McAfee rectified this by removing and replacing the faulty DAT file, version 5958, with an emergency DAT file (version 5959) and has posted a fix for the affected machines in its consumer "KnowledgeBase".[11]

2012 update issues

An August 2012 update to McAfee Antivirus caused the protection to be turned off and users to lose internet connections. McAfee was criticised for not notifying users promptly of the issues when they learned about it.[13]

Recommended Links

Top articles

Sites

...



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Last modified: September, 19, 2017