Strategies of Defending Microsoft Windows against Malware
Introduction to the topic became too big and was converted into a separate article on Dec 1, 2012.
Architectural approaches for increasing Windows resistance against malware:
- [Oct 22, 2016] Botnets can use internet enabled devices other then PC, tablets and phones ( Oct 22, 2016 | www.nakedcapitalism.com )
- [Oct 08, 2016] Yahoo Email Scanner Was Installed by Government ( Oct 07, 2016 | news.antiwar.com )
- [Sep 26, 2016] Probe of leaked U.S. NSA hacking tools examines operatives mistake ( Reuters )
- [Sep 18, 2016] Long-Secret Stingray Manuals Detail How Police Can Spy on Phones ( Sep 18, 2016 | theintercept.com )
- [Sep 16, 2016] Edward Snowdens New Revelations Are Truly Chilling ( Oct 08, 2015 | Zero Hedge reprinted from TrueActivist.com )
- [Sep 16, 2016] Leaked Demo Video Shows How Government Spyware Infects a Computer ( Sep 16, 2016 | news.slashdot.org )
- [Sep 16, 2016] Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials ( Sep 16, 2016 | apple.slashdot.org )
- [Sep 16, 2016] Wyden Calls on Senate to Prevent Expansion of Government Hacking On the Wire ( Sep 16, 2016 | www.onthewire.io )
- [Sep 16, 2016] Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400 ( Sep 16, 2016 | news.slashdot.org )
- [Sep 16, 2016] Unredacted User Manuals Of Stingray Device Show How Accessible Surveillance Is ( Sep 16, 2016 | yro.slashdot.org )
- [Sep 12, 2016] Hard Drive Firmware Provides New Backdoor into YOUR Data ( Sep 12, 2016 | dataclinic.co.uk )
- [Sep 09, 2016] Some thoughts on the DNC email hacking scandal ( Aug 07, 2016 | marknesop.wordpress.com )
- [Sep 03, 2016] There is interesting and expert commentary to NSO group software in the Hacker News forum ( Sep 03, 2016 | www.nakedcapitalism.com )
- [Sep 03, 2016] How Spy Tech Firms Let Governments See Everything on a Smartphone ( Sep 03, 2016 | www.nytimes.com )
- [Aug 21, 2016] The NSA Leak Is Real, Snowden Documents Confirm ( Aug 19, 2016 | theintercept.com )
- [Aug 01, 2016] FSB Detects Cyberattacks on 20 Russian Organizations, Including Military Targets ( sputniknews.com )
- [Aug 01, 2016]
Google Bans Israeli Babylon (
- [Jul 06, 2016] Researchers dubbed the malware HummingBad. ( fortune.com )
- [Jun 28, 2016] Malvertising, a hack that takes advantage of comprised ad networks and which is increasingly sited by privacy and security advocates as a reason to use ad-blockers. ( www.wired.com )
- [Jun 09, 2016] Mcrosoft wont back down from Windows 10 nagware trick ( May 26, 2016 | The Register )
- [Jun 03, 2016] OEM software update tools preloaded on PCs are a security mess by Lucian Constantin ( May 31, 2016 | PCWorld )
- [May 24, 2016] New DMA Locker ransomware is ramping up for widespread attacks By Lucian Constantin
- [Apr 16, 2016] Out-of-Date Apps Put 3 Million Servers At Risk of Crypto Ransomware Infections
- arstechnica.com with Slashdot discussion
- [Apr 16, 2016] Researchers Find Hybrid GozNym Malware, 24 Financial Institutions Already Affected ( securityintelligence.com )
- [Apr 12, 2016] The ransomware that knows where you live ( Apr 12, 2016 | bbc.com )
- [Apr 12, 2016] Petya ransomware encryption system cracked ( Apr 11, 2016 | BBC News )
- [Nov 12, 2015] The Emperor Has No Clothes and Nobody Cares ( www.howtogeek.com )
- [Sep 26, 2015] Intelligent System Hunts Out Malware Hidden In Shortened URLs ( Sep 26, 2015 | tech.slashdot.org )
- [Sep 13, 2015] Microsoft pushes Windows 10 upgrade to PCs without user consent By Gregg Keizer ( Sep 11, 2015 | Network World )
- [Aug 30, 2015] Ashley Madisons Female Subscribers Barely Exist, Analysis Concludes ( Those horny guys should probably watch The Fatal Attraction ;-) )
- [Aug 23, 2015] Ashley Madison Hackers Speak Out: Nobody Was Watching ( August 21, 2015 | Motherboard )
- [Jul 22, 2015] Registering on shady sites is a huge risk
- [Jun 16, 2015] US Navy Solicits Zero Days ( Jun 15, 2015 | Slashdot )
- [Feb 26, 2015] 3 Million Strong RAMNIT Botnet Taken Down ( February 25, 2015 | yro.slashdot.org )
- [Nov 24, 2014] Regin, new computer spyware, discovered by Symantec ( Nov 24, 2014 | BBC News )
- [Nov 21, 2014] Court Shuts Down Alleged $120M Tech Support Scam ( November 19, 2014 | slashdot.org )
- Amnesty International Releases Tool To Combat Government Spyware ( Nov 20, 2014 | slashdot.org )
- [Aug 15, 2014] "Please dont do anything evil" by Dan Goodin ( July 31 2014 | Ars Technica )
- [Aug 15, 2014] Watch a Cat Video, Get Hacked ( Slashdot )
- [Jun 17, 2014] Zeus Trojan alternative hits the underground market By Lucian Constantin ( June 11, 2014 | Computerworld/IDG News Service )
- [Jun 10, 2014] Massive botnet takedown stops spread of Cryptolocker ransomware by Gregg Keizer ( Jun 10, 2014 | Computerworld )
- [Jun 02, 2014] Wham bam Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet ( Computerworld Blogs )
- [Jun 02, 2014] Game Over for Gameover Malware ( tomsguide.com )
- [Jun 02, 2014] Fed Cyber Sleuths Stop Gameover Zeus and Cryptolocker Crime Sprees ( ABC News )
- [Jun 02, 2014] Global police operation disrupts aggressive Cryptolocker virus by Tom Brewster & Dominic Rushe ( [Jun 02, 2014] The Guardian )
- [Feb 07, 2014] Security Researcher Punches Holes In NBCs Everyone Going To Sochi Will Be Hacked Story; NBC Doubles Down In Response Techd
- [Jan 14, 2014] Chrome 32 launches with better malware blocking
- [Jan 14, 2014] N.S.A. Devises Radio Pathway Into Computers ( NYT )
- [Jan 02, 2014] Unencrypted Windows Crash Reports a Blueprint For Attackers ( January 02, 2014 | Slashdot )
- [Dec 29, 2013] The NSAs 50-Page Catalog Of Back Door Penetration Techniques Revealed ( Dec 29, 2013 | Zero Hedge )
- [Dec 10, 2013] Meet Paunch: the Accused Author of the BlackHole Exploit Kit ( December 08, 2013 | Slashdot )
- [Dec 06, 2013] Europol, Microsoft Target 2-Million Strong ZeroAccess Click Fraud Botnet - ( December 06, 2013 | Slashdot )
- [Dec 06, 2013] FTC Drops the Hammer On Maker of Location-Sharing Flashlight App ( December 06, 2013 )
- Neverquest trojan threatens online banking users ( Computerworld )
- [Nov 23, 2013] NSA hacked over 50,000 computer networks worldwide ( RT News )
- [Nov 12, 2013] Interview with Vyacheslav Medvedev, Dr. Web
- [Nov 12, 2013] IE Zero-Day Exploit Disappears On Reboot ( November 11, 2013 | Slashdot )
- [Nov 11, 2013] GCHQ spoofed LinkedIn site to target global mobile traffic exchange and OPEC ( November 11, 2013 | RT )
- [Oct 26, 2013] Cryptolocker (Win32/Crilock.A )
- [Oct 23, 2013] Fiendish CryptoLocker ransomware ( The Register )
- Cryptolocker Hijack program - Page 5 - General Security
- [Oct 23, 2013] CryptoLocker Recap A new guide to the bleepingest virus of 2013 ( sysadmin )
- [Oct 23, 2013] Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know. sysadmin
- [Oct 23, 2013] Vulnerabilities in some Netgear routers open door to remote attacks by Lucian Constantin ( Oct 23, 2013 | IDG News Service )
- [Oct 17, 2013] Dr. Web Anniversary Match
- [Aug 13, 2013] Malware taps mobile ad network to siphon money By Antone Gonsalves ( August 13, 2013 | Network World )
- [Jul 27, 2013] Man gets ransomware porn pop-up, goes to cops, gets arrested on child porn charges by Cyrus Farivar ( July 26 2013 | Ars Technica )
- [Jul 26, 2013] There’s No Hiding ( Zero Hedge )
- [Jun 14, 2013] U.S. Agencies Said to Swap Data With Thousands of Firms ( Bloomberg )
- [Jun 06, 2013] Banking Malware, Under the Hood ( Slashdot )
- [May 25, 2013] Scanner Identifies Malware Strains, Could Be Future of AV ( May 25, 2013 )
- [Apr 19, 2013] Gozi banking Trojan
- [Mar 22, 2013] Decade-old espionage malware found targeting government computers ( Mar 20 2013 | Ars Technica )
- Decade-Old Espionage Malware Found Targeting Government Computers ( Slashdot )
- [Feb 28, 2013] Computer Virus Computer virus that activates webcam spreads, finds East Tennessee victims by Jennifer Meckles ( Oct 5, 2012 | www.wbir.com )
- Google under fire for sending users information to developers by Thom Holwerda ( 02/15/13 )
- [Feb 16, 2013] The Antivirus Industrys Dirty Little Secret ( Feb. 14, 2013 | Businessweek )
- [Feb 13, 2013] Welcome to the Malware-Industrial Complex By Tom Simonite ( February 13, 2013 | MIT Technology Review )
- [Jan 11, 2013 ] Adobe Flash Virus - McAfee Security Scan Plus Scam
- [Jan 11, 2013 ] McAfee VirusScan - Wikipedia, the free encyclopedia
- [Jan 05, 2013] Foreign Policy Group Gets Hacker Happy New Year Discovery News
- [Jan 03, 2013] Antivirus Makers Work on Software to Catch Malware More Effectively ( NYTimes.com )
||Microsoft is closely monitoring the situation, and is committed to helping customers have
a safe, enjoyable computing experience.
From the quotes of the day
||“the Windows dominance produced a computer monoculture with all the same problems as other
"Anti-virus companies have always been seen as ambulance chasers, and sometimes, it's true,"
said Dan Schrader, the chief security analyst at
Trend Micro. "Because this is an industry
that has been built on hype and alerts and pretensions of being good citizens, the industry doesn't
have a lot of credibility."
||The preoccupation with computer "hacking" is a way for physically unattractive males to enter
the mainstream of society.
Not mentioned in the News of the Wired snips: the Dyn DDOS was the latest using a megascale IOT
botnet. Coming soon to a Smart Toaster|Thermostat|Fridge|WasherDryer|EggTimer|PencilSharpener|Dishwasher|GarbageCompacter|BabyMonitor
October 21, 2016 at 7:36 pm
October 21, 2016 at 7:38 pm
I suspect various enforcement agencies are using those cameras for something else, like mass
video surveillance, and having just lost a lot of TLS vulnerabilities, are motivated to keep their
sources' name out of the news (as befits TS/SI NOFORN projects), though steering the industry's
and the commercial market economy's Confidence Fairy out of an imminent uncontrolled landing would
suffice to explain the quiet.
October 22, 2016 at 1:13 am
For people who understand what that means it is mind-blowing, the processors in your parking
garage gate or your nursery's NannyCam being used in a giant global concerto of digital disruption.
Smells like the NSA in a desperate attempt to disrupt the flows from Wiki, they already gave the
Clinton camp their best spyware (FoxAcid) and this would be par for the course given the level
of lawbreaking and dirty tricks.
Will be illuminating to see if Congress demands IOT accountabilty. IMO the IOT manufacturers
should be held to the same level of accountability as car manufacturers,
Software Could've Given NSA Much More Access Than Just Emails
Former employees of Yahoo have corroborated this week's stories about the company scanning all
emails coming into their servers on behalf of the NSA, saying that the "email scanner" software was
actually made and installed by the US government .
The employees, including at least one on Yahoo's own internal security team, reported finding
the software on the
server and believing they were begin hacked, before executives informed them the government had done
it. They described the software as a broader "rootkit" that could give the NSA access to much more
than just emails.
To make matters worse, the employees
say the government's software was "buggy" and poorly-designed , meaning it could've given other
hackers who discovered it the same access to the Yahoo server, adding to the danger it posed to customers'
Yahoo itself has been mostly mum on the matter, issuing a statement claiming the initial reports
were "misleading" but not elaborating at all. The NSA denied the claim outright, though they have
been repeatedly caught lying about similar programs in the past.
"... A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing on a theory that one of its operatives carelessly left them available on a remote computer ..."
"... The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers. ..."
"... But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews. NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said. ..."
"... That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them. ..."
"... Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and one other person familiar with the matter said. ..."
A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing
on a theory that one of its operatives carelessly left them available on a remote computer and
Russian hackers found them, four people with direct knowledge of the probe told Reuters.
tools, which enable hackers to exploit software flaws in computer and communications systems from
vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a
group calling itself Shadow Brokers.
The public release of the tools coincided with U.S. officials saying they had concluded that Russia
or its proxies were responsible for hacking political party organizations in the run-up to the Nov.
8 presidential election. On Thursday, lawmakers accused Russia of being responsible
... ... ...
But officials heading the FBI-led investigation now discount both of those scenarios, the
people said in separate interviews. NSA officials have told investigators that an employee or contractor
made the mistake about three years ago during an operation that used the tools, the people said.
That person acknowledged the error shortly afterward, they said. But the NSA did not inform the
companies of the danger when it first discovered the exposure of the tools, the sources said. Since
the public release of the tools, the companies involved have issued patches in the systems to protect
Investigators have not ruled out the possibility that the former NSA person, who has since departed
the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the
sources said, is that more than one person at the headquarters or a remote location made similar
mistakes or compounded each other's missteps.
Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of
National Intelligence all declined to comment.
After the discovery, the NSA tuned its sensors to detect use of any of the tools by other parties,
especially foreign adversaries with strong cyber espionage operations, such as China and Russia.
That could have helped identify rival powers' hacking targets, potentially leading them to be defended
better. It might also have allowed U.S officials to see deeper into rival hacking operations while
enabling the NSA itself to continue using the tools for its own operations.
Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied
targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and
one other person familiar with the matter said.
In this case, as in more commonplace discoveries of security flaws, U.S. officials weigh what intelligence
they could gather by keeping the flaws secret against the risk to U.S. companies and individuals
if adversaries find the same flaws.
Richard Tynan, a technologist with Privacy International, told The Intercept
that the " manuals released today offer the most up-to-date view on the
operation of" Stingrays and similar cellular surveillance devices, with
powerful capabilities that threaten civil liberties, communications infrastructure,
and potentially national security. He noted that the documents show the
"Stingray II" device can impersonate four cellular communications towers
at once, monitoring up to four cellular provider networks simultaneously,
and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.
"... Submitted by Sophie McAdam via TrueActivist.com, ..."
"... He disclosed that government spies can legally hack into any citizen's phone to listen in to what's happening in the room, view files, messages and photos, pinpoint exactly where a person is (to a much more sophisticated level than a normal GPS system), and monitor a person's every move and every conversation, even when the phone is turned off. ..."
"... "Nosey Smurf": lets spies turn the microphone on and listen in on users, even if the phone itself is turned off ..."
"... Snowden says: "They want to own your phone instead of you." It sounds very much like he means we are being purposefully encouraged to buy our own tracking devices. That kinda saved the government some money, didn't it? ..."
"... It's one more reason to conclude that smartphones suck. And as much as we convince ourselves how cool they are, it's hard to deny their invention has resulted in a tendency for humans to behave like zombies , encouraged child labor, made us more lonely than ever, turned some of us into narcissistic selfie – addicts , and prevented us from communicating with those who really matter (the ones in the same room at the same time). Now, Snowden has given us yet another reason to believe that smartphones might be the dumbest thing we could have ever inflicted on ourselves. ..."
Submitted by Sophie McAdam via TrueActivist.com,
In an interview with the BBC's 'Panorama' which aired in Britain last week,
Edward Snowden spoke in detail about the spying capabilities of the UK intelligence
agency GCHQ. He disclosed that government spies can legally hack
into any citizen's phone to listen in to what's happening in the room, view
files, messages and photos, pinpoint exactly where a person is (to a much more
sophisticated level than a normal GPS system), and monitor a person's every
move and every conversation, even when the phone is turned off.
These technologies are named after Smurfs, those little
blue cartoon characters who had a recent Hollywood makeover. But despite the
cute name, these technologies are very disturbing; each one is built to spy
on you in a different way:
- "Dreamy Smurf": lets the phone be powered on and off
- "Nosey Smurf": lets spies turn the microphone on and listen in on
users, even if the phone itself is turned off
- "Tracker Smurf":a geo-location tool which allows [GCHQ]
to follow you with a greater precision than you would get from the typical
triangulation of cellphone towers.
- "Paranoid Smurf": hides the fact that it has taken
control of the phone. The tool will stop people from recognizing that the
phone has been tampered with if it is taken in for a service, for instance.
Snowden says: "They want to own your phone instead of you." It sounds
very much like he means we are being purposefully encouraged to buy our own
tracking devices. That kinda saved the government some money, didn't it?
His revelations should worry anyone who cares about human rights, especially
in an era where the threat of terrorism is used to justify all sorts of governmental
crimes against civil liberties. We have willingly given up our freedoms in the
name of security; as a result we have
neither. We seem to have forgotten that to live as a free person is a basic
human right: we are essentially free beings. We are born naked and without certification;
we do not belong to any government nor monarchy nor individual, we don't even
belong to any nation or culture or religion- these are all social constructs.
We belong only to the universe that created us, or whatever your equivalent
belief. It is therefore a natural human right not to be not be under secret
surveillance by your own government, those corruptible liars who are supposedly
elected by and therefore accountable to the people.
The danger for law-abiding citizens who say they have nothing to fear because
they are not terrorists, beware: many peaceful British protesters have been
arrested under the Prevention Of Terrorism Act since its introduction in
Snowden's disclosure confirms just how far the attack on civil liberties
has gone since
9/11 and the London bombings. Both events have allowed governments the legal
right to essentially wage war on their own people, through the Patriot Act in
the USA and the Prevention Of Terrorism
Act in the UK. In Britain, as in the USA,
activism seem to have morphed into one entity, while nobody really knows
who the real
terrorists are any more. A sad but absolutely realistic fact of life in
2015: if you went to a peaceful protest at weekend and got detained, you're
hacked right now.
It's one more reason to conclude that smartphones suck. And as much as
we convince ourselves how cool they are, it's hard to deny their invention has
resulted in a tendency for humans to behave like
zombies, encouraged child labor, made us more
lonely than ever, turned some of us into
and prevented us from
communicating with those who really
matter (the ones in the same room at the same time). Now, Snowden has given
us yet another reason to believe that
smartphones might be the dumbest thing we could have ever inflicted on ourselves.
on Thursday September 08, 2016 @03:00AM
An anonymous reader quotes a report from
Motherboard has obtained a
showing a live demo for a
spyware solution made by a little known Italian
surveillance contractor called
Unlike Hacking Team, RCS Lab has been able to fly
under the radar for years, and very little is known
about its products, or its customers. The video
shows an RCS Lab employee
performing a live demo of the company's spyware to
an unidentified man
, including a tutorial on how
to use the spyware's control software to perform a
man-in-the-middle attack and infect a target
computer who wanted to visit a specific website. RCS
Lab's spyware, called
, allows agents to easily set up these kind
of attacks just by applying a rule in the software
settings. An agent can choose whatever site he or
she wants to use as a vector, click on a dropdown
menu and select "inject HTML" to force the malicious
popup to appear, according to the video. Mito3
allows customers to listen in on the target,
intercept voice calls, text messages, video calls,
social media activities, and chats, apparently both
on computer and mobile platforms. It also allows
police to track the target and geo-locate it thanks
to the GPS. It even offers automatic transcription
of the recordings, according to a confidential
brochure obtained by Motherboard. The company's
employee shows how such an attack would work,
setting mirc.com (the site of a popular IRC chat
client) to be injected with malware (this is shown
around 4:45 minutes in). Once the fictitious target
navigates to the page, a fake Adobe Flash update
installer pops up, prompting the user to click
install. Once the user downloads the fake update, he
or she is infected with the spyware.
link to the YouTube video can be found
on Wednesday September 07, 2016 @08:30PM
An anonymous reader writes from a report via
An attacker can use a modified USB
Ethernet adapter to
fool Windows and Mac computers into giving away
their login credentials
. The attack relies on
using a modified USB Ethernet adapter that runs
special software, which tricks the attacked computer
into accepting the Ethernet adapter as the network
gateway, DNS, and WPAD server. The attack is
possible because most computers will automatically
install any plug-and-play (PnP) USB device. Even
worse, when installing the new (rogue) USB Ethernet
adapter, the computer will give out the local
credentials needed to install the device. The custom
software installed on the USB intercepts these
credentials and logs them to an SQLite database.
can take around 13 seconds
to carry out, and the
USB Ethernet adapter can be equipped with an LED
that tells the attacker when the login credentials
have been stolen.
A proposed change to a little-known criminal procedure
"would make us less safe, not more" by allowing law
enforcement agencies to hack an unlimited number of
computers with a single warrant, Sen. Ron Wyden said
Wyden (D-Ore.) spoke on the Senate floor about the
proposed change to Rule 41
of the Federal Rules of
Criminal Procedure, which covers the limits of search and
seizure. The modification would would simplify the process
for a judge to issue a search warrant for a remote search of
an electronic device. It would allow judges to authorize the
search of any number of devices anywhere in the United
States. Because of the way the rule making process works,
the change, proposed by the Department of Justice, will go
into effect on Dec. 1 unless Congress passes legislation to
Wyden introduced a one-sentence bill
that would prevent
the change. The Senate has taken no action on the
thus far and Wyden on Thursday warned that
continued inaction on the issue would be dangerous.
"If the Senate does nothing, if the Senate fails to act,
what's ahead for Americans is a massive expansion of
government hacking and surveillance powers," he said. "If
the Congress just says, aw gee, we have other things to do,
these rules go into effect."
"What's ahead for Americans is a massive expansion of
Wyden asked the Senate to pass his bill by unanimous
consent, but Sen. John Cornyn (R-Texas) objected, saying
that the change to Rule 41 was a simple one that would help
law enforcement agencies know which venue is the correct one
to ask for a warrant.
"These aren't substantive changes. The government must
still go before a judge and make the requisite showing in
order to get a search warrant," Cornyn said. "I can't
imagine circumstances where we'd say the Fourth Amendment is
trumped by the right to privacy. We can't let that happen
and that's why these changes are so important."
Cornyn cited recent reports about hacks of the election
systems in some states, possibly by foreign governments, as
evidence of the need for the change.
"This isn't a time to retreat and allow cyberspace to be
run amok by cybercriminals," Cornyn said. "This is a very
sensible tool of venue."
Wyden said there is nothing "routine at all" about the
change to Rule 41, and scolded his colleagues for not taking
any action on his bill.
"The government can search potentially millions of
computers with one single warrant issued by one single
judge. This isn't an issue where the Seate can do some kind
of ostrich act and do nothing. In my view, the limits of
search and seizure are unquestionably an issue for Congress
on Saturday September 10, 2016 @09:50PM
An anonymous Slashdot reader writes:
malware family has
infected over 70% of all Seagate Central NAS devices
connected to the Internet
. The malware, named
Miner-C or PhotoMiner, uses these hard-drives as an
intermediary point to infect connected PCs and
install software that mines for the Monero
cryptocurrency... The crooks made over $86,000 from
Monero mining so far.
The hard drives are easy to infect because Seagate
does not allow users to delete or deactivate a
certain "shared" folder when the device is exposed
to the Internet. Over 5,000 Seagate Central NAS
devices are currently infected.
Researchers estimates the malware is now
responsible for 2.5% of all mining activity for the
, according to the article.
"The quandary is that Seagate Central owners have no
way to protect their device. Turning off the remote
access NAS feature can prevent the infection, but
also means they lose the ability to access the
device from a remote location, one of the reasons
they purchased the hard drive in the first place."
on Monday September 12, 2016 @04:00PM
The Intercept has today published
200-page documents revealing details about Harris
Corp's Stingray surveillance device
, which has
been one of the closely guarded secrets in law
enforcement for more than 15 years. The firm, in
collaboration with police clients across the U.S.
have "fought" to keep information about the mobile
phone-monitoring boxes from the public against which
they are used. The publication reports that the
surveillance equipment carries a price tag in the
"low six figures." From the report:
Bernardino Sheriff's Department alone has snooped
via Stingray, sans warrant, over 300 times. Richard
Tynan, a technologist with Privacy International,
told The Intercept that the "manuals released today
most up-to-date view on the operation of
Stingrays and similar cellular surveillance devices,
with powerful capabilities that threaten civil
liberties, communications infrastructure, and
potentially national security. He noted that the
documents show the "Stingray II" device can
impersonate four cellular communications towers at
once, monitoring up to four cellular provider
networks simultaneously, and with an add-on can
operate on so-called 2G, 3G, and 4G networks
Hard Drive Firmware Provides New Backdoor into YOUR Data
July 24, 2015 /
Data Clinic Ltd ,
Various software tools now exist that create backdoors into people's
data by exploiting the resident firmware code in their computer hard drives.
Put simply, firmware is the computer program that runs a hard drive and
is executed when the hard drive first starts up. It operates at a lower
level than the computer's operating system and therefore, computer security
programs like anti-virus products can not interact or detect modifications
These tools aren't crappy pieces of software written by adolescent kids,
these are state sponsored professional pieces of software written
by governments (eg. America's NSA et al). Their purpose is simple
– surveillance and control of the systems they are installed on.
Exploiting hard drive firmware to provide a covert way in to computer
systems is a technique that many cyber security professionals see as the
new next step in digital terrorism and counter-terrorism. To flag wave for
just a moment, Data Clinic documented this technique over 10 years ago,
back in 2004 – see here:
With larger amounts of information and manufacturing processes now being
controlled by computers, and security and encryption programs now being
so strong they are almost unbreakable, increasingly clever ways have to
be found of gaining access to important computer systems via backdoors.
This government sponsored spying software isn't interested in stealing credit
card details, it's purpose is international espionage.
The US-Iran Nuclear Agreement (July 2015)
This recent undated satellite image provided by Space Imaging/Inta SpaceTurk
shows the once-secret Natanz nuclear complex in Natanz, Iran, about 150
miles south of Tehran. AP Photo/Space Imaging/Inta SpaceTurk, HO
In the last few days, you'll be aware that a nuclear "agreement" has
now been reached between the US and Iran (
http://www.bbc.co.uk/news/world-us-canada-33636922 ). Wrecking Iran's
attempts to become a nuclear power has been high on the US agenda for years:
Stuxnet was a state sponsored piece of software designed to infiltrate computers
that were part of Iran's nuclear development programme. It's target was
machines that controlled the centrifuges that enriched uranium. Once a system
was detected, Stuxnet deliberately reprogrammed it to not only wreck the
centrifuges but also ruin the enrichment process. Read about how Stuxnet
successfully infiltrated Iran's nuclear program here:
Hard Drive Manufacturers Fight Back
Seagate has become the first hard drive manufacturer to "lock down" it's
firmware. For example, the STxxxxDM03 series of hard drives has firmware
that can no longer be manipulated or reprogrammed. This is bad news for
data recovery companies, as firmware often becomes corrupted and prevents
the hard drive working correctly. For us to retrieve data from these drives,
we have to reprogram the hard drive's firmware, something that is no longer
possible (yet) with some of the the latest Seagate drives.
Recommended: Read more about the NSA firmware hacking here
data recovery ,
hard drive firmware ,
"... Cybersecurity company FireEye first discovered APT 29 in 2014 and was quick to point out a clear Kremlin connection. "We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. because of evidence from FireEye." ..."
"... FireEye is also interesting as it, along with the US Department of Defense, funds the CEPA (publishers of Ed Lucas's and Pomerantsev's screed on fighting Kremlin influence): ..."
"... I recall the FireEye story well – they used the exact same logic; the code was written on Cyrillic-keyboard machines and during Moscow working hours. Their conclusion was "It just looks so much like something the Russians would do that it must be them". No allowance for the possibility that someone else did it who wanted the USA to arrive at exactly that conclusion. Someone who has done it before, lots of times, and who makes a science out of picking fights on Uncle Sam's behalf. ..."
"... Cozy Bear and Fancy Bear? Is there proof that they actually exist? I mean real proof, not WADA proof. ..."
"... They are just code names given by a particular security outfit. Different outfits will use different names for the same entities, much in the same way that a given virus/trojan/etc will be given different names by different AV corporations. The names reflect observable characteristics such as threat type, coding style, code structure, distribution network, similar earlier threats, etc rather than a specific single person. ..."
August 5, 2016 at 2:53 am
Some thoughts on the hacking "scandal". This article
August 5, 2016 at 9:56 am
blames the Russians thus:
"On June 14, cybersecurity company CrowdStrike, under contract with the
DNC, announced in a blog post that two separate Russian intelligence groups
had gained access to the DNC network. One group, FANCY BEAR or APT 28, gained
access in April. The other, COZY BEAR, (also called Cozy Duke and APT 29)
first breached the network in the summer of 2015. Cybersecurity company
FireEye first discovered APT 29 in 2014 and was quick to point out a clear
Kremlin connection. "We suspect the Russian government sponsors the group
because of the organizations it targets and the data it steals. because
of evidence from FireEye."
Crowdstrike – their Co-Founder, Alperovitch, is an Atlantic Council fellow.
The other firm, FireEye, has the CIA as a stakeholder:
Should give pause to thought that the intelligence services are interfering
in US democracy?
FireEye is also interesting as it, along with the US Department of
Defense, funds the CEPA (publishers of Ed Lucas's and Pomerantsev's screed
on fighting Kremlin influence):
I recall the FireEye story well – they used the exact same logic; the
code was written on Cyrillic-keyboard machines and during Moscow working
hours. Their conclusion was "It just looks so much like something the Russians
would do that it must be them". No allowance for the possibility that someone
else did it who wanted the USA to arrive at exactly that conclusion. Someone
who has done it before, lots of times, and who makes a science out of picking
fights on Uncle Sam's behalf.
August 5, 2016 at 12:58 pm
In the case of both FireEye and Crowdstrike, they would stop looking
as soon as they arrived upon a conclusion which suited them anyway.
Cozy Bear and Fancy Bear? Is there proof that they actually exist? I
mean real proof, not WADA proof.
August 5, 2016 at 3:04 pm
They are just code names given by a particular security outfit. Different
outfits will use different names for the same entities, much in the same
way that a given virus/trojan/etc will be given different names by different
AV corporations. The names reflect observable characteristics such as threat
type, coding style, code structure, distribution network, similar earlier
threats, etc rather than a specific single person.
August 5, 2016 at 3:23 pm
Yes, 'APT' stands for something, I forget what it was but they said it.
Advanced Persistent Threat, something like that.
September 3, 2016 at 8:11 am
I just found this via Hacker News… perhaps it was in yesterday's links and I missed it. Truly
scary in the Orwellian sense and yet another reason not to use a smartphone. Chilling read.
SAN FRANCISCO - Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their
every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup
fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like
- just check out the company's price list.
The NSO Group is one of a number of companies that sell surveillance tools that can capture
all the activity on a smartphone, like a user's location and personal contacts. These tools can
even turn the phone into a secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last month, security
researchers caught its spyware trying to gain access to the iPhone of a human rights activist
in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote
about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York
Times offer insight into how companies in this secretive digital surveillance industry operate.
The emails and documents were provided by two people who have had dealings with the NSO Group
but would not be named for fear of reprisals.
–NY Times: How Spy Tech Firms Let Governments See Everything on a Smartphone
There is interesting and expert commentary in the Hacker News forum:
September 3, 2016 at 12:01 pm
September 3, 2016 at 2:15 pm
I could be wrong, but the promos for Sixty Minutes on the local news make it seem they might
be about this subject. Either way it is another scare you about what your cell phone can do story,
possibly justified this time.
An anecdote which I cannot support with links or other evidence:
A friend of mine used to work for a (non USA) security intelligence service. I was bouncing
ideas off him for a book I'm working on, specifically ideas about how monitoring/electronics/spying
can be used to measure and manipulate societies. He was useful for telling if my ideas (for a
Science Fiction novel) were plausible without ever getting into details. Always very careful to
keep his replies in the "white" world of what any computer security person would know, without
delving into anything classified.
One day we were way out in the back blocks, and I laid out one scenario for him to see if it
would be plausible. All he did was small cryptically, and point at a cell phone lying on a table
10 meters away. He wouldn't say a word on the subject.
It wasn't his cellphone, and we were in a relatively remote region with no cell phone coverage.
It told me that my book idea was far too plausible. It also told me that every cellphone is
likely recording everything all the time, for later upload when back in signal range. (Or at least
there was the inescapable possibility that the cell phones were doing so, and that he had to assume
foreign (or domestic?) agencies could be following him through monitoring of cell phones of friends
It was a clarifying moment for me.
Every cellphone has a monumental amount of storage space (especially for audio files). Almost
every cellphone only has a software "switch" for turning it off, not a hardware interlock where
you can be sure off is off. So how can you ever really be sure it is "off"? Answer- you can't
Sobering thought. Especially when you consider the Bluffdale facility in the USA.
The New York Times
There are dozens of digital spying companies that can
track everything a target does on a smartphone.
Spencer Platt/Getty Images
SAN FRANCISCO - Want to invisibly spy on 10
owners without their knowledge? Gather their every keystroke, sound,
message and location? That will cost you $650,000, plus a $500,000 setup fee with an
Israeli outfit called the NSO Group. You can spy on more people if you would like -
just check out the company's price list.
The NSO Group is one of a number of companies that
sell surveillance tools
that can capture all the activity on a smartphone, like a
user's location and personal contacts. These tools can even turn the phone into a
secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last
month, security researchers
caught its spyware trying to gain access
to the iPhone of a human rights activist
in the United Arab Emirates. They also discovered a second target, a Mexican
journalist who wrote about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The
New York Times offer insight into how companies in this secretive digital
surveillance industry operate. The emails and documents were provided by two people
who have had dealings with the NSO Group but would not be named for fear of
The company is one of dozens of digital spying outfits that track everything a target
does on a smartphone. They aggressively market their services to governments and law
enforcement agencies around the world. The industry argues that this spying is
necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate
mission statement is "Make the world a safe place."
Ten people familiar with the company's sales, who refused to be identified, said that
the NSO Group has a strict internal vetting process to determine who it will sell to.
An ethics committee made up of employees and external counsel vets potential
customers based on human rights rankings set by the World Bank and other global
bodies. And to date, these people all said, NSO has yet to be denied an export
But critics note that the company's spyware has also been used to track journalists
and human rights activists.
"There's no check on this," said Bill Marczak, a senior fellow at the Citizen Lab at
the University of Toronto's Munk School of Global Affairs. "Once NSO's systems are
sold, governments can essentially use them however they want. NSO can say they're
trying to make the world a safer place, but they are also making the world a more
The NSO Group's capabilities are in higher demand now that companies like Apple,
Facebook and Google are using stronger encryption to protect data in their systems,
in the process making it harder for government agencies to track suspects.
The NSO Group's spyware finds ways around encryption by baiting targets to click
unwittingly on texts containing malicious links or by exploiting previously
undiscovered software flaws. It was taking advantage of
three such flaws in Apple software
- since fixed - when it was discovered by
researchers last month.
The cyberarms industry typified by the NSO Group operates in a legal gray area, and
it is often left to the companies to decide how far they are willing to dig into a
target's personal life and what governments they will do business with. Israel has
strict export controls for digital weaponry, but the country has never barred the
sale of NSO Group technology.
Since it is privately held, not much is known about the NSO Group's finances, but its
business is clearly growing. Two years ago, the NSO Group sold a controlling stake in
its business to Francisco Partners, a
firm based in San Francisco, for $120 million. Nearly a year
later, Francisco Partners was exploring a sale of the company for 10 times that
amount, according to two people approached by the firm but forbidden to speak about
The company's internal documents detail pitches to countries throughout Europe and
multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15
million for three projects over three years, according to internal NSO Group emails
dated in 2013.
"Our intelligence systems are subject to Mexico's relevant legislation and have legal
authorization," Ricardo Alday, a spokesman for the Mexican embassy in Washington,
said in an emailed statement. "They are not used against journalists or activists.
All contracts with the federal government are done in accordance with the law."
Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was
restricted to authorized governments and that it was used solely for criminal and
terrorist investigations. He declined to comment on whether the company would cease
selling to the U.A.E. and Mexico after last week's disclosures.
For the last six years, the NSO Group's main product, a tracking system called
Pegasus, has been used by a growing number of government agencies to target a range
of smartphones - including iPhones, Androids, and BlackBerry and Symbian systems -
without leaving a trace.
Among the Pegasus system's capabilities, NSO Group contracts assert, are the
abilities to extract text messages, contact lists, calendar records, emails, instant
messages and GPS locations. One capability that the NSO Group calls "room tap" can
gather sounds in and around the room, using the phone's own microphone.
Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone
access to certain websites and applications, and it can grab search histories or
anything viewed with the phone's web browser. And all of the data can be sent back to
the agency's server in real time.
In its commercial proposals, the NSO Group asserts that its tracking software and
hardware can install itself in any number of ways, including "over the air stealth
installation," tailored text messages and emails, through public Wi-Fi hot spots
rigged to secretly install NSO Group software, or the old-fashioned way, by spies in
Much like a traditional software company, the NSO Group prices its surveillance tools
by the number of targets, starting with a flat $500,000 installation fee. To spy on
10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android
users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users - on
top of the setup fee, according to one commercial proposal.
You can pay for more targets. One hundred additional targets will cost $800,000, 50
extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000,
according to an NSO Group commercial proposal. There is an annual system maintenance
fee of 17 percent of the total price every year thereafter.
What that gets you, NSO Group documents say, is "unlimited access to a target's
mobile devices." In short, the company says: You can "remotely and covertly collect
information about your target's relationships, location, phone calls, plans and
activities - whenever and wherever they are."
And, its proposal adds, "It leaves no traces whatsoever."
"... The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, "ace02468bdf13579." That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE. ..."
On Monday, a hacking group calling itself the "ShadowBrokers" announced an auction
for what it claimed were "cyber weapons" made by the NSA. Based on never-before-published
documents provided by the whistleblower Edward Snowden, The Intercept
can confirm that the arsenal contains authentic NSA software, part of a powerful
constellation of tools used to covertly infect computers worldwide.
of the code has been a matter of heated debate this week among cybersecurity
experts, and while it remains unclear how the software leaked, one thing is
now beyond speculation: The malware is covered with the NSA's virtual fingerprints
and clearly originates from the agency.
The evidence that ties the ShadowBrokers dump to the NSA comes in an
agency manual for implanting malware, classified top secret, provided by Snowden,
and not previously available to the public. The draft manual instructs NSA operators
to track their use of one malware program using a specific 16-character string,
"ace02468bdf13579." That exact same string appears throughout the ShadowBrokers
leak in code associated with the same program, SECONDDATE.
SECONDDATE plays a specialized role inside a complex global system built
by the U.S. government to infect and monitor what one document
estimated to be millions of computers around the world. Its release by ShadowBrokers,
alongside dozens of other malicious tools, marks the first time any full copies
of the NSA's offensive software have been available to the public, providing
a glimpse at how an elaborate system outlined in the Snowden documents looks
when deployed in the real world, as well as concrete evidence that NSA hackers
don't always have the last word when it comes to computer exploitation.
But malicious software of this sophistication doesn't just pose a threat
to foreign governments, Johns Hopkins University cryptographer Matthew Green
told The Intercept:
The danger of these exploits is that they can be used to target anyone
who is using a vulnerable router. This is the equivalent of leaving lockpicking
tools lying around a high school cafeteria. It's worse, in fact, because
many of these exploits are not available through any other means, so they're
just now coming to the attention of the firewall and router manufacturers
that need to fix them, as well as the customers that are vulnerable.
So the risk is twofold: first, that the person or persons who stole this
information might have used them against us. If this is indeed Russia, then
one assumes that they probably have their own exploits, but there's no need
to give them any more. And now that the exploits have been released, we
run the risk that ordinary criminals will use them against corporate targets.
The NSA did not respond to questions concerning ShadowBrokers, the Snowden
documents, or its malware.
A Memorable SECONDDATE
The offensive tools released by ShadowBrokers are organized under a litany
of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL, and their exact purpose
is still being assessed. But we do know more about one of the weapons: SECONDDATE.
SECONDDATE is a tool designed to intercept web requests and redirect browsers
on target computers to an NSA web server. That server, in turn, is designed
to infect them with malware. SECONDDATE's existence was
first reported by The Intercept in 2014, as part of a look at a
global computer exploitation effort code-named TURBINE. The malware server,
known as FOXACID, has also been
described in previously released Snowden documents.
Other documents released by The Intercept today not only tie SECONDDATE
to the ShadowBrokers leak but also provide new detail on how it fits into the
NSA's broader surveillance and infection network. They also show how SECONDDATE
has been used, including to spy on Pakistan and a computer system in Lebanon.
The top-secret manual that authenticates the SECONDDATE found in the wild
as the same one used within the NSA is a 31-page document titled "FOXACID
SOP for Operational Management" and marked as a draft. It dates to no earlier
than 2010. A section within the manual describes administrative tools for tracking
how victims are funneled into FOXACID, including a set of tags used to catalogue
servers. When such a tag is created in relation to a SECONDDATE-related infection,
the document says, a certain distinctive identifier must be used:
The same SECONDDATE MSGID string appears in 14 different files throughout
the ShadowBrokers leak, including in a file titled SecondDate-3021.exe. Viewed
through a code-editing program (screenshot below), the NSA's secret number can
be found hiding in plain sight:
All told, throughout many of the folders contained in the ShadowBrokers'
package (screenshot below), there are 47 files with SECONDDATE-related names,
including different versions of the raw code required to execute a SECONDDATE
attack, instructions for how to use it, and other related files.
After viewing the code, Green told The Intercept the MSGID string's
occurrence in both an NSA training document and this week's leak is "unlikely
to be a coincidence." Computer security researcher Matt Suiche, founder of UAE-based
cybersecurity startup Comae Technologies, who has been particularly vocal in
his analysis of the ShadowBrokers this week, told The Intercept "there
is no way" the MSGID string's appearance in both places is a coincidence.
Where SECONDDATE Fits In
This overview jibes with previously unpublished classified files provided
by Snowden that illustrate how SECONDDATE is a component of BADDECISION, a broader
NSA infiltration tool. SECONDDATE helps the NSA pull off a "man in the middle"
attack against users on a wireless network, tricking them into thinking they're
talking to a safe website when in reality they've been sent a malicious payload
from an NSA server.
According to one December 2010 PowerPoint presentation titled "Introduction
to BADDECISION," that tool is also designed to send users of a wireless
network, sometimes referred to as an 802.11 network, to FOXACID malware servers.
Or, as the presentation puts it, BADDECISION is an "802.11 CNE [computer network
exploitation] tool that uses a true man-in-the-middle attack and a frame injection
technique to redirect a target client to a FOXACID server." As another
top-secret slide puts it, the attack homes in on "the greatest vulnerability
to your computer: your web browser."
One slide points out that the attack works on users with an encrypted wireless
connection to the internet.
That trick, it seems, often involves BADDECISION and SECONDDATE, with the
latter described as a "component" for the former. A series of diagrams in the
"Introduction to BADDECISION" presentation show how an NSA operator "uses SECONDDATE
to inject a redirection payload at [a] Target Client," invisibly hijacking a
user's web browser as the user attempts to visit a benign website (in the example
given, it's CNN.com). Executed correctly, the file explains, a "Target Client
continues normal webpage browsing, completely unaware," lands on a malware-filled
NSA server, and becomes infected with as much of that malware as possible -
or as the presentation puts it, the user will be left "WHACKED!" In the other
top-secret presentations, it's put plainly: "How
do we redirect the target to the FOXACID server without being noticed"?
Simple: "Use NIGHTSTAND or BADDECISION."
The sheer number of interlocking tools available to crack a computer is dizzying.
FOXACID manual, government hackers are told an NSA hacker ought to be familiar
with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named
MAGIC SQUIRREL and MAGICBEAN. A top-secret
presentation on FOXACID lists further ways to redirect targets to the malware
To position themselves within range of a vulnerable wireless network, NSA
operators can use a mobile antenna system running software code-named BLINDDATE,
depicted in the field in what appears to be Kabul. The software can even be
attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for
a SECONDDATE attack:
Elsewhere in these files, there are at least two documented cases of SECONDDATE
being used to successfully infect computers overseas: An April 2013
presentation boasts of successful attacks against computer systems in both
Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach "targets
in Pakistan's National Telecommunications Corporation's (NTC) VIP Division,"
which contained documents pertaining to "the backbone of Pakistan's Green Line
communications network" used by "civilian and military leadership."
In the latter, the NSA used SECONDDATE to pull off a man-in-the-middle attack
in Lebanon "for the first time ever," infecting a Lebanese ISP to extract "100+
MB of Hizballah Unit 1800 data,"
a special subset of the terrorist group dedicated to aiding Palestinian
SECONDDATE is just one method that the NSA uses to get its target's browser
pointed at a FOXACID server. Other methods include sending spam that attempts
to exploit bugs in popular web-based email providers or entices targets to click
on malicious links that lead to a FOXACID server. One
document, a newsletter for the NSA's Special Source Operations division,
describes how NSA software other than SECONDDATE was used to repeatedly direct
targets in Pakistan to FOXACID malware web servers, eventually infecting the
A Potentially Mundane Hack
Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has
offered some context and a relatively mundane possible explanation for the leak:
that the NSA headquarters was not hacked, but rather one of the computers the
agency uses to plan and execute attacks was compromised. In a
series of tweets, he pointed out that the NSA often lurks on systems that
are supposed to be controlled by others, and it's possible someone at the agency
took control of a server and failed to clean up after themselves. A regime,
hacker group, or intelligence agency could have seized the files and the opportunity
to embarrass the agency.
Documents published with this story:
"... "Instances of planting of malicious software designed for cyber espionage in computer networks of some 20 organizations located on the territory of Russia have been exposed… Information resources of public authorities, scientific and military institutions, enterprises of the military - industrial complex and other objects of country's critical infrastructure were contaminated," the statement read. ..."
Instances of planting of malicious software designed for cyber espionage in computer networks
of some 20 organizations located on the territory of Russia have been exposed, according to FSB press
MOSCOW (Sputnik) - Russian Federal Security Service (FSB) exposed planting of malicious software
designed for cyber espionage in computer networks of about 20 Russian institutions, including government
and military bodies, FSB press service said Saturday.
The press service stressed that the attack was professionally planned, has similar traits with the
previously exposed attacks from all over the world.
"Instances of planting of malicious software designed for cyber espionage in computer networks
of some 20 organizations located on the territory of Russia have been exposed… Information resources
of public authorities, scientific and military institutions, enterprises of the military - industrial
complex and other objects of country's critical infrastructure were contaminated," the statement
"The latest sets of software are made for each 'victim' individually, based on the unique characteristics
of the targeted PC. The spread of the virus is carried out by the means of targeted attacks on
PC by sending an e-mail containing a malicious attachment," the statement continued adding that
the software made it possible to do screenshots, turn on web-camera and microphones, collect data
from the keyboard use.
FSB in cooperation with the ministries and agencies took a number of measures to identify all
the "victims" of the malicious program on the Russian territory, as well as to localize the threats
and minimize the consequences caused by its spread.
"... On paper, Babylon looks like an inoffensive provider of online dictionaries.
In the screenshot reproduced below, one can see the home page featured in many Bolivian
internet kiosks. It is a Babylon search page, designed to look like a Google search
page; note the odd code appearing in its address line (a long string of nonsense
numbers and letters serving as directives to the company's server, in contrast look
at the address of this page), that's the first sign something is wrong. ..."
"... The second sign appears while using it; the computer reacts slowly since
it is busy sending data to its Babylonian masters. This happens despite Bolivians
being unable to spend money on the web; Bolivian money is not a free floating currency
and thus it is banned by the international financial system. This search page is
defined as a default in the user's browser while installing Babylon's dictionary.
ProPeace | Jul 30, 2016 9:53:10 AM |
@98 Reppz FYI:
The 4th Media " Google Bans Israeli Babylon
Bab·y·lon [noun] : In the Book of Revelation, the name of a whore who rules
over the kings of the earth and rides upon a seven-headed beast. "Mystery,
Babylon the Great, the Mother of Harlots and of the Abominations of the
Internet giant Yahoo! announced on November 10,
2013, that it won't end its revenue sharing contract with Israeli Babylon,
despite Google terminating its similar contract on November 30.
Google provided above 40% of Babylon's revenues during the second quarter
of 2013; Yahoo! provided over 30%, which amounts to almost $20 million...
Babylon is the largest company in what is mockingly known as the Israeli
Download Valley,* or in a more serious term the field of directing users.
Israel has conquered several internet and information-technology niche markets.
This is true to the extent that most American citizens are unwillingly sharing
their secrets with the State of Israel.
I reviewed Babylon a few months ago in Microsoft Strikes Israeli Software
after the American giant limited the activity of Babylon and similar companies
on its browsers. Google decision was the result of pressure coming from
users of its browser Chrome that correctly understood they were being robbed
"But, they are just nice kids translating stuff!"
On paper, Babylon looks like an inoffensive provider of online dictionaries.
In the screenshot reproduced below, one can see the home page featured in
many Bolivian internet kiosks. It is a Babylon search page, designed to
look like a Google search page; note the odd code appearing in its address
line (a long string of nonsense numbers and letters serving as directives
to the company's server, in contrast look at the address of this page),
that's the first sign something is wrong.
The second sign appears while using it; the computer reacts slowly
since it is busy sending data to its Babylonian masters. This happens despite
Bolivians being unable to spend money on the web; Bolivian money is not
a free floating currency and thus it is banned by the international financial
system. This search page is defined as a default in the user's browser while
installing Babylon's dictionary.
Since the page looks like Google's, few users realize that their home
page has been replaced, or that they had clicked on a button asking for
this change while installing the dictionary. "Same, same" they say to themselves
and begin telling Babylon everything about themselves. The following week,
they buy a book named "French Cooking;" a few days later-so that they won't
suspect the link between the events-they get a pamphlet advertising a French
restaurant near their home. In thanks for the blunt violation of privacy,
the Babylonian masters in Israel get a few silver coins. [...]
ProPeace | Jul 30, 2016 10:02:54 AM |
[...] *Mocking Silicon Valley, other players in the Israeli Download
Valley are Waze, Perion, the manager of the IncrediMail, Smilebox and SweetIM
brands, VisualBee, Montiera, Fried Cookie Software, WebPick, Linkury, Bundlore,
iBario and KeyDownload. These are Israel's Weapons of Mass Distraction.
Another niche market is far more dangerous. An offshoot of Golden Pages,
the Israeli business phone directory company, Amdocs develops, implements
and manages software and services for business support systems, including
billing, customer relationship management, and for operations support systems.
If your phone company is AT&T, BT Group, Sprint, T-Mobile, Vodafone, Bell
Canada, Telus, Rogers Communications, Telekom Austria, Cellcom, Comcast,
DirecTV, Elisa Oyj, TeliaSonera or O2-Ireland, then Israel has access to
much of your communications and bills, including credit cards numbers.
Also important in this context is Check Point, a provider of software
and combined hardware and software products for IT security, including network
security, endpoint security, data security and security management. In other
words, the supermarket near your home probably uses products from this giant
to secure its transactions. Israel has access to all of them. This apparently
innocent company got so rich that its CEO sits in a penthouse office atop
Tel Aviv's highest tower.
Waze of Israel: Google Beats Facebook for a detailed description of
how one of this companies operates as more than a spying device allowing
to coordinate agents on the field.
The gang juiced clicks to make about $300,000 per month in fraudulent revenue.
In case you needed a reminder that hacking is big business: a group of cybercriminals
operating as part of a Chinese advertising firm, has been running a malicious
ad racket that rakes in roughly $300,000 monthly, according to Check Point,
an Israeli cybersecurity company.
The researchers who exposed the alleged scam found that apps from Yingmob,
the Chinese ad firm, were installed on nearly 85 million mobile devices running
Android operating system. Of those, nearly 10 million were found to be running
malicious software developed by the firm to display ads, generate illegitimate
clicks, download fraudulent apps, and make money.
"It would just take a flip of the switch, and this could turn into a botnet
that could do more nefarious things than serve advertisements," Dan Wiley, Check
head of incident response, said on a call with Fortune.
The malicious software, he said, could easily be used to steal data from
its targets, wage denial of service attacks against companies, or spy on people's
activities. He said that the group could turn all of Yingmob's apps (200, of
which 50 were deemed malicious) into malware with a simple update, and then
sell access to those tens of millions of compromised machines to the highest
bidder who would then have free range to do as he or she pleased.
The malware worked by installing a bundle of software known as a rootkit
that gives computer crackers total control over infected devices, letting them
engage in ad fraud. The campaign, dubbed "HummingBad" by the researchers, allowed
the group to discreetly display a total of 20 million ads, generate 2.5 million
clicks, and download 50,000 apps on the compromised machines per day, earning
them about $10,000 daily.
Infected devices were mostly in China (1.6 million) and India (1.4 million).
The Philippines and Indonesia represented half a million infected devices each,
while the United States accounted for about 287,000 and Russia 208,000, among
"... The New York Times ..."
Last weekend, hackers hijacked ad campaigns that ran across the web sites of the BBC, The
New York Times, Newsweek, and other high-profile news domains,
according to the security firm Malwarebytes, whose researchers first spotted the activity. As
reported by The Guardian, the malware targeted US visitors and took advantage of numerous
exploits to attempt to download itself on people's computers, encrypt their hard-drives, and then
demand bitcoin payment in order to decrypt their data.
This episode combines two hot-button issues
in online security right now:
ransomware, the hostage-style hack that is
on the rise, and
malvertising, a hack that takes advantage of comprised ad networks and which is increasingly
sited by privacy and security advocates as a reason to use controversial ad-blockers.
That's pretty disingenuous approach that means that Windows 10 is a malware.
Shame on Microsoft leadership. This dirty trick with assuming that closing dialof
means saying yes to upgrade is actually a typical malware authors approach. Like
one commenter said "Total asshattery. "We decided to screw you over and we meant
"... Redmond recently created a new Windows 10 nagware reminder that presented a dialog asking you to install the OS. But if users clicked the red "X" to close the dialog - standard behaviour for dispelling a dialog without agreeing to do anything - Microsoft took that as permission for the upgrade. ..."
"... The Close button on the title bar should have the same effect as the Cancel or Close button within the dialog box. Never give it the same effect as OK. ..."
Microsoft is hurt and disappointed that people would think it was trying
to "trick" them with a confusing Windows 10 upgrade dialog that scheduled an
upgrade without users explicitly agreeing to do so.
Redmond recently created a new Windows 10 nagware reminder that presented
a dialog asking you to install the OS. But if users clicked the red "X" to close
the dialog - standard behaviour for dispelling a dialog without agreeing to
do anything - Microsoft took that as permission for the upgrade.
Redmond (via its flacks) has e-mailed The Register – and, we presume,
World+Dog – to say that the UI had worked like that for ages: "the UI of our
'your upgrade is scheduled' notification is nothing new (including the
ability to just 'X-out' of the notification with no further action needed to
schedule your upgrade) – it's been part of the notification UI for months" (their
emphasis, not ours).
Base article, Microsoft notes that "Based on customer feedback, in the most
recent version of the Get Windows 10 (GWX) app, we confirm the time of your
scheduled upgrade and provide you an additional opportunity for cancelling or
rescheduling the upgrade."
+Comment: You'll have noticed that Microsoft didn't say it would re-write
the app so that closing the app is taken as a "no", as happens for just about
every other dialog Windows offers.
Or is Redmond saying users who didn't like the UI sleight-of-hand are at
fault for delving into its Knowledge Base every time they find a dialog confusing?
We'd expect commenters to have an opinion on this …
My opinion on this?
Re: My opinion on this?
Ralph, you post doesn't do the link justice.
You should clarify that the link is to a remarkably helpful tool that
will stop the nagware, prevent inadvertent deployment of Windows 10 by desktop
users, recover lost disk space and hopefully prevent mobile users busting
their data limits downloading a large Windows 10 installer.
It has a helpful command line interface for use in enterprise environments
which is vital for smooth and effective deployment.
It will also clear up gigabytes of disk space lost when GWX installs,
some people have claimed it's freed up over 10GB!
PS. I have no connection with the author.
PPS. User beware - take the usual precautions before deploying any application...test
Re: My opinion on this?
OK, so I've run the software and restarted, and the nagware is gone from
my system tray but the Windows 10 update is still in the Control Panel Windows
Update and still a default selection. Was I just expecting too much?
Re: My opinion on this?
> Was I just expecting too much?
Never10 doesn't/can't stop the Windows Update from downloading the Control
Panel Windows Update. It just stops the update from being used - via Microsoft's
official group policy settings.
Re: My opinion on this?
Hmm, this is nothing more than a tool to automate the creation/destruction
of 2 registry keys.
Surrounded (as typical for GRC) with a great deal of fanfare, like its
some major achievement.
He moans about the file size being 56k, well, here you go, in 244 bytes.
Windows Registry Editor Version 5.00
Because all the program does is create or delete those 2 keys.
That's it.. And this is new information how exactly?
Re: My opinion on this?
Awwww Microsofts feelings are hurt.... I DOUBT IT!!!
It doesn't take a genius or even someone with a degrees in social behavior
or even Engineering to point out how right out horrible an idea this is
to FORCE people to download Windows 10, this is NOTHING to do with if its
a good program or not, it has all to do with people and their right to choose
as well as the damage this has done by ignorantly having the program install
without even the knowledge of the owner of the computer even being aware
of it if they happen to not be around the computer at the time it installs.
The damage it has done to some computers, the loss of personal information
and money its caused not to mention how it interrupted people at work for
a long period of time and more not even mentioning the stress shows how
this is by no means something "good" Microsoft was doing for their customers,
it was them forcing their will on people as they saw fit, something that
is as close to digital rape as one can get in my opinion and to add to the
insult they act like they know better then we do, for months they asked
people if they want to upgrade to windows 10, harassing them with this like
its an ad and people were fully aware of the choice to upgrade or not and
so at this point the people who didn't were all saying NO!!! So how is this
justified??? HOW!!! You have no way to opt out unless you turn off the updates
MAYBE and/or go to some other outside application like i did to stop it
from being forced on my system!!
So Microsoft is "hurt" BULL, its a simple case of them not caring and
forcing others but in this case its caused damage and in my opinion, they
are liable, class action sounds good about now!
Also, i hear a lot of good things about Apple!
Re: My opinion on this?
Awwww Microsofts feelings are hurt.... I DOUBT IT!!!
Sure they are, just like the advertisers' feeling are hurt that we use
adblockers, or the malware writers' feelings are hurt because we won't respond
to their attempts, or Microsoft Techs' feelings are hurt because we won't
allow them to get rid of all the viruses on our computers.
Oh wait.. Hurt=Bottom Line... Tough.. hurt all you want, you bastards.
> Thus failing Microsofts own 'Windows Certification' then?
He's right, you know.
The Close button on the title bar should have the same effect as
the Cancel or Close button within the dialog box. Never give it the same
effect as OK.
Microsoft Marketing / Terry Myerson :
Nothing like Microsoft's own documentation to bring a Company down and
cause it to grovel out of a situation. (One rule for them, another rule
for the rest of us)
You'll be changing that Dialog Box pronto then, to avoid a Class Action
Lawsuit? Thought so.
Great find (The Windows Certification Documentation)...Thank you.
For all the folk with limited eyesight, dexterity problems, or other
disabilities that have put up with the MS shit for months now. Shame on
you Microsoft, we have laws against this type of inequality.
May 31, 2016 |
Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo,
Dell, and HP.
Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows
computers, but the full extent of the problem is much worse than previously thought.
Researchers from security firm Duo Security have tested the software updaters that come installed
by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer,
Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have
allowed attackers to remotely execute code with system privileges, leading to a full system compromise.
In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS
connections when checking for or downloading updates. In addition, some updaters didn't verify that
the downloaded files were digitally signed by the OEM before executing them.
The lack of encryption for the communication channel between an update tool and the OEM's servers
allows attackers to intercept requests and to serve malicious software that would be executed by
the tool. This is known as a man-in-the-middle attack and can be launched from insecure wireless
networks, from compromised routers, or from higher up in the Internet infrastructure by rogue ISPs
or intelligence agencies.
Who designed this stuff?
In some cases, even when the OEMs implemented HTTPS and digital signature validation, there were
other oversights and flaws that could have allowed attackers to bypass the security measures, the
Duo Security researchers found.
"During our research, we were often greeted by an intricate mess of system services, web
services, COM servers, browser extensions, sockets, and named pipes," the researchers said in their
"Many confusing design decisions made us wonder if projects were assembled entirely from poor StackOverflow
The five companies did not immediately respond to requests for comment on the Duo Security report.
The security and behavior of the update tools were not even consistent on the same system, let
alone the same manufacturer. In some cases, OEMs had different tools that downloaded updates
from different sources with significantly different levels of security, the researchers found.
For example, the Lenovo Solutions Center (LSC) was one of the best software updaters tested by
the researchers, with solid man-in-the-middle protections. This might be because other flaws were
found in LSC
several times in the past, drawing the company's attention to it.
On the other hand, the tested Lenovo systems also had a second update tool installed called UpdateAgent
that had absolutely no security features and was one of the worst updaters Duo Security analyzed.
The tools preloaded by Dell, namely the Dell Update software and the update plugin of the
Dell Foundation Services (DFS), were some of the most well-designed updaters, but that's only if
critical issue caused by the self-signed eDellRoot certificate, found by Duo Security back in
November, is excluded.
Since then Dell seems to have beefed up its software update implementations. The Duo researchers
found several other issues in the DFS version that came preinstalled on their system, but Dell silently
patched them in an update in January before they even had a chance to report them.
HP's updater, the HP Support Solutions Framework (HPSSF) with its HP Download and Install Assistant
component, also had decent security in place at first glance. However, the researchers found several
ways to bypass some of those protections, mainly because of inconsistent implementations.
The issues with HPSSF stem from its large number of components and the different ways in which
they interact with each other. Sometimes the same type of protection, like the signature verification
was implemented in multiple places in different ways.
HP's bloatware was the worst
This tendency for complexity was also observed in HP's decision to install an unusually large
number of support tools on its PCs.
HP "exposed the most attack surface due to the enormous number of proprietary tools included
with the machine," the researchers said. "We’re not really sure what they all do and we kind of got
sick of reversing them after a while, so we stopped."
The updaters that fared worse, aside from Lenovo's UpdateAgent, which the company plans to retire
and remove from systems in June, were those from Acer and Asus. Not only did they lack HTTPS or file
signature validation, but according to Duo Security, the issues remain unpatched.
The main advice of the Duo researchers for users is to wipe the preloaded Windows version that
comes with their computer and to install a clean copy of Windows. In most cases they should be able
to use their existing license key, which in newer Windows versions is detected automatically during
"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere
between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant
-- meaning, trivial," the Duo researchers said in a
And that's based only on an analysis of OEM update tools, not all the third-party software
that vendors commonly install on new computers. Who knows what other flaws those applications might
It is unclear what is the distribution mechanism for this ransomware.
A new ransomware program called DMA Locker has reached
maturity and shows signs of being distributed in widespread attacks.
Another big change is that the encryption routine now relies on a
command-and-control server to generate unique public and private RSA keys for
The malware first generates a unique AES (Advanced Encryption Standard) key for
every file that it encrypts. That key is then encrypted with a public RSA key
and gets appended to the beginning of the file.
In order to decrypt the affected files, users need the corresponding private
RSA key that is in the attacker’s possession in order to recover the AES keys
for each of their files and then use those keys to decrypt their content.
Previous DMA Locker versions did not use a command-and-control server so the
RSA private key was either stored locally on the computer and could be
recovered by reverse-engineering, or the same public-private key pair was used
for an entire campaign. This meant that if someone paid for the private RSA
key, that same key would work on multiple computers and could be shared with
All of these issues have been fixed by adopting a server-based model, which is
typical for how most other ransomware programs work. Once it infects a
computer, DMA Locker will now wait for a connection with the server to be
established so it can send a unique computer ID and have a unique RSA public
key generated for it.
The good news it that, for now, the server is not hosted on the Tor anonymity
network, so it should be fairly easy to block by security products, preventing
the malware from ever initiating its encryption routine.
DMA Locker also stands out by how it chooses the files to encrypt. Almost all
file-encryption ransomware programs have a list of file extensions that they
will target. Instead, DMA Locker has a list of extensions that it will not
touch, encrypting everything else and potentially causing more damage.
It will also encrypt files on network shares where the computer has write
access, even if those shares have not been mapped locally to a drive letter.
As always, with ransomware programs prevention is key. Performing regular
backups to locations that are only temporarily accessible from the computer,
such as an USB hard disk drive that’s only connected during backup operations,
is very important.
Posted by manishs on Saturday April 16, 2016 @05:30PM from the patch-it-already dept.
An anonymous reader cites an article on Ars Technica: More than
3 million Internet-accessible servers are at risk of being infected with crypto ransomware because
they're running vulnerable software, including out-of-date versions of
Red Hat's JBoss enterprise application,
researchers from Cisco Systems said Friday. About
2,100 of those servers
have already been compromised by webshells that give attackers persistent control over the machines,
making it possible for them to be infected at any time, the Cisco researchers reported in a blog
post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools,
governments, aviation companies, and other types of organizations. Some of the compromised servers
belonged to school districts that
were running the Destiny management system that many school libraries use to keep track of books
and other assets. Cisco representatives notified officials at Destiny developer Follett Learning
of the compromise, and the Follett officials said they fixed a security vulnerability in the program.
Follett also told Cisco the updated Destiny software also scans computers for signs of infection
and removes any identified backdoors.
This new type of ransomware makes using VPN proxy much more desirable. Also for all site outside
trusted list you need to use the highest level of security,
It is usually distributed through Web-based exploits launched from compromised websites. Nymaim
uses detection evasion techniques such as encryption, anti-VM and anti-debugging routines, and control
Posted by manishs on Saturday April 16, 2016 @10:30AM from the keep-an-eye-on-your-bank dept.
An anonymous reader writes: Researchers are warning about a new hybrid Trojan -- dubbed GozNym--
a combination of Nymaim dropper and the Gozi financial malware. IBM researchers say that the
malware has been designed to target banks, ecommerce websites, and retail banking, adding that GozNym
has already targeted 22 financial institutions in the United States and two in Canada. A ComputerWorld
report sheds more light into it, "Nymaim is what researchers call a dropper. Its purpose is to
download and run other malware programs on infected computers.
It is usually distributed through Web-based exploits launched from compromised websites.
Nymaim uses detection evasion techniques such as encryption, anti-VM and anti-debugging routines,
and control flow obfuscation. In the past, it has primarily been used to install ransomware
on computers. The integration between Nymaim and Gozi became complete in April, when a new version
was discovered that combined code from both threats in a single new Trojan -- GozNym."
Email based ransomware hunts for dupes. and is very successful in this activity. But they are still
dupes. This danger is several years old and is covered by media to death (Cryptolocker appeared around
September, 2013). That's why " it might be so "hard to know how to advise people who were unfortunate
enough to have their files encrypted by ransomware."
For some individuals without backups, paying the ransom might be the only way to retrieve their
"However, every person that does that makes the business more valuable for the criminal and the
world worse for everyone," he said.
Apr 12, 2016 | bbc.com
A widely distributed scam email that quoted people's postal addresses links to a dangerous form
of ransomware, according to a security researcher.
Andrew Brandt, of US firm Blue Coat, contacted the BBC after hearing an episode of
BBC Radio 4's You and Yours
that discussed the phishing scam.
Mr Brandt discovered that the emails linked to ransomware called Maktub.
The malware encrypts victims' files and demands a ransom be paid before they can be unlocked.
The phishing emails told recipients they owed hundreds of pounds to UK businesses and that
they could print an invoice by clicking on a link - but that leads to malware, as Mr Brandt explained.
One of the emails was received by You and Yours reporter Shari Vahl. "It's incredibly fast and
by the time the warning message had appeared on the screen it had already encrypted everything of
value on the hard drive - it happens in seconds," Mr Brandt told the BBC. "This is the desktop version
of a smash and grab - they want a quick payoff." --[This is baloney, speed
of encryption is limited by the speed of writing to the hard drive, so for the hard drive with sizable
user data (especially such as photo, music and video) this ten of minutes probably more then an an
hour not seconds --NNB]
Maktub doesn't just demand a ransom, it increases the fee - which is to be paid in bitcoins
- as time elapses.
A website associated with the malware explains that during the first three days, the fee stands
at 1.4 bitcoins, or approximately $580. This rises to 1.9 bitcoins, or $790, after the third day.
The phishing emails tell recipients that they owe money to British businesses and charities when
they do not. One of the organisations named was the Koestler Trust, a charity which helps ex-offenders
and prisoners produce artwork. "We rely on generous members of the public and we were very distressed
when we discovered that people felt they had received emails from us asking for money, when indeed
they had not been generated by us at all," chief executive Sally Taylor told You and Yours. Addresses
One remarkable feature of the scam emails was the fact that they included not just the victim's
name, but also their postal address. Many, including BBC staff, have noted that the addresses
are generally highly accurate. According to Dr Steven Murdoch, a cybersecurity expert at the University
of London, it's still not clear how scammers were able to gather people's addresses and link them
to names and emails. The data could have come from a number of leaked or stolen databases for example,
making it hard to track down the source.
Petya ransomware victims can now unlock infected computers without paying.
An unidentified programmer has produced a tool that exploits shortfalls in the way the malware encrypts
a file that allows Windows to start up.
In notes put on code-sharing site Github, he said he had produced the key generator to help his father-in-law
unlock his Petya-encrypted computer.
The malware, which started circulating in large numbers in March, demands a ransom of 0.9 bitcoins
It hid itself in documents attached to emails purporting to come from people looking for work.
Security researcher Lawrence Abrams, from the Bleeping Computer news site, said the key generator
could unlock a Petya-encrypted computer in seven seconds.
But the key generator requires victims to extract some information from specific memory locations
on the infected drive.
And Mr Abrams said: "Unfortunately, for many victims extracting this data is not an easy task."
This would probably involve removing the drive and then connecting it up to another virus-free computer
running Windows, he said.
Another tool can then extract the data, which can be used on the website set up to help people unlock
Independent security analyst Graham Cluley said there had been other occasions when ransomware makers
had "bungled" their encryption system.
Cryptolocker, Linux.encoder and one other ransomware variant were all rendered harmless when their
scrambling schemes were reverse-engineered.
"Of course," said Mr Cluley, "the best thing is to have safety secured backups rather than relying
upon ransomware criminals goofing up."
... ... ...
Ever since we found out just how much government spying is going on, the security community has
been systematically looking into every piece of technology that we use, from operating systems to
network protocols, and we've learned just how insecure everything is.
... ... ...
That's the good news. The bad news is that nothing has fundamentally changed as far as the spying
is concerned, despite all of the stories and media attention online. Organizations like the ACLU
have tried, and failed, to even bring cases to figure out what's actually going on. Very few politicians
even talk about it, and the ones that do have no power to change anything. People not only haven't
exploded in anger, they don't even know the details, as John Oliver illustrated brilliantly in his
interview with Snowden.
Everybody knows the government is probably spying on everything, and nobody really cares.
Posted by timothy
An anonymous reader writes: Computer scientists at a group of UK universities are developing a
system to detect
code in shortened URLs on Twitter. The intelligent system
will be stress-tested during the European Football Championships next summer, on the basis
that attackers typically disguise links to malicious servers in a tweet about an exciting part
of an event to take advantage of the hype.
Shouldn't browsers be changed to not simply follow the redirect, but ask the user first?
Zontar The Mindless
For TinyURL, you can enable preview
of the full URL here [tinyurl.com]. Uses a cookie, though.
Anonymous Coward on Saturday September 26, 2015 @06:37AM (#50603143)
I can connect to the server and retrieve the redirect information manually. Works for all of
them. But it's a) inconvenient, and b) not something everyone is able to do. Some addons seem
to be available, but they don't do things nicely.
1) Patch the page directly (not just retrieve the data on mouse over), making it less original
2) Even retrieve the title of the redirection target (just that connection is enough to validate
the existence of an email address)
My requirements are:
- shall not connect to the host of the shortened url (or any other -- no distinction between
"normal" and shorted urls) unless clicked
- shall not connect to the the redirect target unless confirmed by the user, or the target
is on the same host
Zontar The Mindless
Whatever. I despise shorteners, don't use them myself, and generally refuse to follow shortened
URLs. Just bored and trying to be helpful.
Microsoft with Windows 10 is doing a great job of destroying user trust. Look like Windows OS itself
became a malware...
"..."For those who have chosen to receive automatic updates through Windows Update, we help
customers prepare their devices for Windows 10 by downloading the files necessary for future installation,"
a company spokeswoman said in an email. "This results in a better upgrade experience and ensures the
customer's device has the latest software. This is an industry practice that reduces time for installation
and ensures device readiness." "
"...The upgrade, which can range in size from more than 3GB to nearly 6GB, is placed in the
hidden "$Windows.~BT" folder, a long-used destination for Windows upgrades. It will sit there, presumably
until the user expresses some kind of desire to install Windows 10. "
"..."I had to travel recently, so I took a laptop with [a] clean Windows 8.1 Pro install," wrote
one such user, identified only as
"X.25" on Slashdot.
"At my destination, I purchased a SIM (they only had 1GB data packages) and put it into the 3G/W-Fi
router I carry. I powered the laptop, connected to [the] Internet via said router, checked [a] few things,
then went away for [a] few hours. When I got back to [the] apartment, my data package (and Internet
connectivity) was killed because [the] Microsoft idiots decided to start downloading Windows 10 even
though I have explicitly closed/rejected all the 'offers.'" "
Microsoft confirms it has been silently downloading massive upgrade
to Windows machines via automatic updates, chewing up bandwidth and storage space
Microsoft today confirmed it has been pre-loading the Windows 10 installation bits onto devices
whose owners have not "reserved" a copy or expressed interest in the new OS.
The move has upset some users of Windows 7 and Windows 8.1, who have complained that the unsolicited
downloads have caused them to exceed their Internet providers' data caps or seized storage space
without their consent.
In a statement, Microsoft acknowledged
the practice, which was
first reported by The Inquirer on Thursday.
"For those who have chosen to receive automatic updates through Windows Update, we help
customers prepare their devices for Windows 10 by downloading the files necessary for future installation,"
a company spokeswoman said in an email. "This results in a better upgrade experience and ensures
the customer's device has the latest software. This is an industry practice that reduces time
for installation and ensures device readiness."
If Windows 7 or Windows 8.1 device owners have Windows Update set to the default -- and Microsoft-recommended
-- option that lets the operating system download and install security and other bug fixes automatically
in the background, Microsoft will push the
Windows 10 upgrade
files to the drive.
The upgrade, which can range in size from more than 3GB to nearly 6GB, is placed in the hidden
"$Windows.~BT" folder, a long-used destination for Windows upgrades. It will sit there, presumably
until the user expresses some kind of desire to install Windows 10.
Microsoft has been pre-loading the Windows 10 upgrade on systems since late July, but it
was thought that the practice had been limited to PCs whose owners had accepted Microsoft's free
offer and "reserved" a copy through an app the Redmond, Wash. company
automatically installed this spring and early summer on virtual all consumer PCs running Windows
7 Home and 8.1 Home, and on many machines powered by Windows 7 Professional and Windows 8.1 Pro.
After the Windows 10 upgrade was downloaded to the device, the user was notified through the app
that it was ready to install. This new scheme, however, is vastly different in that the bits are
downloaded to the device even though the user has not asked for the upgrade. Not surprisingly, among
the first to notice the I-did-not-ask-for-this upgrade were people who have data caps mandated by
their Internet service providers (ISPs), particularly those who relied on a cellular connection to
Several commenters in a long thread on Slashdot claimed that they had exceeded their caps because
Microsoft downloaded the massive upgrade to their hardware without their approval.
"I had to travel recently, so I took a laptop with [a] clean Windows 8.1 Pro install," wrote one
such user, identified only as
Slashdot. "At my destination, I purchased a SIM (they only had 1GB data packages) and put it
into the 3G/W-Fi router I carry. I powered the laptop, connected to [the] Internet via said router,
checked [a] few things, then went away for [a] few hours. When I got back to [the] apartment,
my data package (and Internet connectivity) was killed because [the] Microsoft idiots decided to
start downloading Windows 10 even though I have explicitly closed/rejected all the 'offers.'"
Others didn't appreciate the unwelcome guest that dropped into their limited storage space. Anyone
with a 128GB SSD (solid-state drive), for example, would be concerned if 5% of their storage capacity
was occupied without their okay.
Some also wondered whether Microsoft would take the next logical step by either dunning users
with notifications urging them to apply the already-installed upgrade, or make the much more unlikely
move of automatically triggering the upgrade.
The former would, frankly, not be that different from what Microsoft has already done with those
who accepted the free upgrade and reserved a copy. It's possible that many on the receiving end of
such notifications would approve the upgrade, and even appreciate the fact that they did not have
to wait for a long download to complete before upgrading. The latter, however, would be unprecedented,
and would almost certainly fuel a firestorm of protest.
Microsoft did not immediately reply to follow-up questions about its intensions. What is also
interesting about the upgrade-prep is Microsoft's defense, that it's an "industry practice."
Although that may be true in limited instances --
Google's Chrome browser, for example,
regularly pre-loads updates, which are then automatically installed the next time the application
is launched -- as far as Computerworld knows, it's never been done with either an operating
system or software that demands installation files of this size. The most common practice for operating
systems, by far, is to begin downloading an upgrade only after the user has been notified, and then
approved the procedure.
Wes Miller, an analyst with Directions on Microsoft, agreed. "I've seen some tiny apps do it for
updates. But not for an OS upgrade," Miller said in an email answer to a question asking whether
he recalled any similar examples.
This story, "Microsoft pushes Windows 10 upgrade to PCs without user consent" was originally published
Those horny guys should probably watch
The Fatal Attraction ;-)
"A detailed look at leaked Ashley Madison data suggests there were practically no women
active on the site.
It was already known that male profiles outnumbered female ones on the site by a ratio of roughly
six to one. And it had been previously alleged that Ashley Madison was creating fake profiles of
But a detailed look at the data leaked last week by The Impact Team hackers (or hacker), carried
out by Annalee Newitz at Gizmodo, found the number of active women on the site to be so low that
it’s statistically insignificant....
Of 5.5 million accounts identified as female, only 1,492 had ever checked their inbox,
Newitz’ analysis found, compared to 20.2 million male accounts that had checked their inbox at least
It also found 80,805 profiles linked to an IP address that indicates a local computer, suggesting
those accounts were made inside Avid Life Media, the Toronto-based company that owns Ashley Madison.
"This isn’t a debauched wonderland of men cheating on their wives," Newitz concluded. "Instead,
it’s like a science fictional future where every woman on Earth is dead, and some Dilbert-like engineer
has replaced them with badly-designed robots."
Q: What was their security like? A: Bad. Nobody was watching. No security. Only thing was segmented
network. You could use Pass1234 from the internet to VPN to root on all servers.
"... 300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison
user pictures. Some Ashley Madison user chats and messages. 1/3 of pictures are dick pictures
and we won't dump. Not dumping most employee emails either. Maybe other executives."
MOTHERBOARD: How did you hack Avid Life Media? Was it hard?
The Impact Team: We worked hard to make fully undetectable attack, then got in and found nothing
What was their security like?
Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234
from the internet to VPN to root on all servers.
When did you start hacking them? Years ago?
A long time ago. [Note: in a README file in the first data dump, the hackers wrote that they had
been collecting information from the company "over the past few years."]
What other data from Avid Life Media do you have?
300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison
user pictures. Some Ashley Madison user chats and messages. 1/3 of pictures are dick pictures
and we won't dump. Not dumping most employee emails either. Maybe other executives."
[Jul 22, 2015] Registering on shady sites is a huge risk
“Large caches of data stolen from online cheating site AshleyMadison.com have been posted online
by an individual or group that claims to have completely compromised the company’s user databases,
financial records and other proprietary information. The still-unfolding leak could be quite damaging
to some 37 million users of the hookup service, whose slogan is ‘Life is short. Have an affair'”
on Security]. And just before they were going to, er, go public…
The US Navy posted a RFP, which has since removed from FedBizOpps.gov, soliciting
contractors to share
vulnerability intelligence and develop zero day exploits for most of the leading
commercial IT software vendors. The Navy said it was looking for vulnerabilities, exploit
reports and operational exploit binaries for commercial software, including but not limited to
Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and
Linux, among others. The RFP seemed to indicate that the Navy was not only looking for
offensive capabilities, but also wanted use the exploits to test internal defenses.The
request, however, does require the contractor to develop exploits for future released CVEs.
"Binaries must support configurable, custom, and/or government owned/provided payloads and
suppress known network signatures from proof of concept code that may be found in the wild,"
the RFP said.
quenda (644621) on Monday June 15, 2015 @07:50PM (#49917853)
Ask the NSA (Score:4, Interesting)
So much for post-911 interagency cooperation. While one agency is inserting weaknesses,
another is having to buy then on the open market. Though the Navy approach is probably
Taco Cowboy (5327) on Monday June 15, 2015 @09:17PM (#49918315)
This has been happening since day one (Score:2)
How many years it officially took the hackers to stumble across the existence of the
embedded NSA backdoor inside MS Windows??
Way before the news of that 'discovery' was told to the world, a friend of mine found it,
but was told to 'shut up or else' by his then boss
Apparently they (and many other people) already knew about it for quite a while, but none
of them bother to tell the world about it
Luthair (847766) on Monday June 15, 2015 @08:01PM (#49917925)
Why.... (Score:2, Interesting)
does every agency and division of the military need to do this? Seems like the classic not
invented here syndrome and a colossal waste of tax payer money.
onproton (3434437) <emdanyi.gmail@com> on Tuesday June 16, 2015 @12:34AM (#49919171)
and yet real secuirty research is all but outlawed (Score:2)
I am finding it harder and harder to accept that the people in charge of these types of
programs aren't aware of just how glaringly hypocritical they are [boingboing.net]. I can't
help but be reminded of the quote:
We grow up in a controlled society, where we are told that when one person kills
another person, that is murder, but when the government kills a hundred thousand, that is
- Howard Zinn
Find a zero day and report it to someone who might fix it, that is criminal. Find a zero
day and report it to the navy, you've done a service for your country. There is a unfortunate
disconnect when the things the government does in the name of keeping us safe, end up making
us all decidedly less safe in the end [schneier.com].
Windows should probably be prohibited for security-sensitive applications or use special install
that can be wiped and restored daily. We have this powerful, all knowing NSA and multi-million botnets
simultaneously. If this a coincidence?
An anonymous reader writes The National Crime Agency's National Cyber Crime Unit worked with
law enforcement colleagues in the Netherlands, Italy and Germany, co-ordinated through Europol's
European Cybercrime Centre, to shut down command and control servers used by the RAMNIT botnet.
Investigators believe that
RAMNIT may have
infected over three million computers worldwide, with around 33,000 of those being in the
UK. It has so far largely been used to attempt to take money from bank accounts.
XB-70 (812342) on Wednesday February 25, 2015 @08:32PM (#49133439)
Thanks (Score:5, Insightful)
In many of my posts, I have been highly critical of the seeming non-efforts by government agencies
to deal with SPAM, malware, phishing etc. etc.
It is wonderful to hear this great news about good works being done for the greater good. Thank
you to all the investigators for your many hours and hard work to shut this down.
rtb61 (674572) on Wednesday February 25, 2015 @10:51PM (#49134091) Homepage
It's internet janitorial work. No fame, no money and no promotions, so basically everyone does
not much at all about it. Consider the NSA hacking all over the place, noticing all of this stuff,
doing basically nothing about it (basically who gives a fuck it's a defensive security issue)
except of course seeking to exploit it. So how come various governments are not going to their
security agencies and saying why you do bloody nothing, why you bloody ignore it, why you pretend
it doesn't exist, why you so busy hacking all politicians, activists and journalists communications
that you basically ignore in your face criminal activity, apart from the odd effort and only at
the behest of a major corporation, all other citizens can basically fuck off with the computer
A leading computer security company says it has discovered one of the most sophisticated pieces
of malicious software ever seen.
Symantec says the bug, named Regin, was probably created by a government and has been used for
six years against a range of targets around the world.
Once installed on a computer, it can do things like capture screenshots, steal passwords or recover
Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.
It has been used to spy on government organisations, businesses and private individuals, they
Researchers say the sophistication of the software indicates that it is a cyber-espionage tool
developed by a nation state.
They also said it likely took months, if not years, to develop and its creators have gone to great
lengths to cover its tracks.
Sian John, a security strategist at Symantec, said: "It looks like it comes from a Western organisation.
It's the level of skill and expertise, the length of time over which it was developed."
Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the
US and Israel to target Iran's nuclear program.
That was designed to damage equipment, whereas Regin's purpose appears to be to collect information.
According to the FTC, the scams began with computer software that claimed to improve the security
or performance of the customer's computer. Typically, consumers downloaded a free, trial version of
the software that would run a computer system scan. The scan always identified numerous errors, whether
they existed or not. Consumers were then told that in order to fix the problems they had to purchase
the paid version of the software for between $29 and $49. In order to activate the software after the
purchase, consumers were then directed to call a toll-free number and connected to telemarketers who
tried to sell them unneeded computer repair services and software, according to the FTC complaint.
wiredmikey writes A federal
temporarily shut down and frozen the assets of two telemarketing operations accused by the
FTC of scamming customers out of more than $120 million by deceptively marketing computer software
and tech support services. According to complaints filed by the FTC, since at least 2012, the
defendants used software designed to trick consumers into believing there were problems with their
computers and then hit them with sales pitches for tech support products and services to fix their
According to the FTC, the scams began with computer software that claimed to improve the
security or performance of the customer's computer. Typically, consumers downloaded a free, trial
version of the software that would run a computer system scan. The scan always identified numerous
errors, whether they existed or not. Consumers were then told that in order to fix the problems
they had to purchase the paid version of the software for between $29 and $49. In order to activate
the software after the purchase, consumers were then directed to call a toll-free number and connected
to telemarketers who tried to sell them unneeded computer repair services and software, according
to the FTC complaint.
The services could cost as much as $500, the FTC stated.
Posted by timothy on Thursday November
20, 2014 @04:34PM
New submitter Gordon_Shure_DOT_com
Human rights charity Amnesty International has
released Detekt to tool which finds and removes known government spyware programs. Describing
the free software as the first of its kind, Amnesty commissioned the tool from prominent German
computer security researcher and open source advocate
Claudio Guarnieri, aka 'nex'.
While acknowledging that the only sure way to prevent governments surveillance of huge dragnets
of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool ( downloadable
) a useful countermeasure versus spooks. According to
the app's instructions, it operates
similarly to popular malware or virus removal suites, though systems must be disconnected from
the Internet prior to it scanning.
mmell (832646) <firstname.lastname@example.org> on Thursday November 20, 2014 @04:42PM (#48429681)
Don't bother. (Score:3)
If you're interesting enough that the NSA is watching what you do on your computer, the
NSA is already watching what you do on your computer.
Now that you have detected this, other (possibly less subtle) methods will be used to ensure
that you are appropriately monitored . . . but kudos to you for catching the NSA! X^D
Oh, and First Post!
Anonymous Coward on Thursday November 20, 2014 @05:23PM (#48429999)
The NSA is watching whether you're interesting or not. Apparently you didn't get the memo...
The sorry story about booting from floppies is replicated on a new level (the fault specifically
designed by Microsoft, probably with NSA in mind): Every time anybody connects a USB
device to your computer, you fully trust them with your computer.
"If you put anything into your USB [slot], it extends a lot of trust," Karsten Nohl, chief scientist
at Security Research Labs in Berlin, told Ars. "Whatever it is, there could always be some code running
in that device that runs maliciously. Every time anybody connects a USB device to your computer,
you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer;
I'm going to walk away for 10 minutes. Please don't do anything evil."
In many respects, the BadUSB hack is more pernicious than simply loading a USB stick with
the kind of self-propagating malware used in the Stuxnet attack. For one thing, although the
Black Hat demos feature only USB2 and USB3 sticks, BadUSB theoretically works on any type of
USB device. And for another, it's almost impossible to detect a tampered device without employing
advanced forensic methods, such as physically disassembling and reverse engineering the device. Antivirus
scans will turn up empty. Most analysis short of sophisticated techniques rely on the firmware itself,
and that can't be trusted.
"There's no way to get the firmware without the help of the firmware, and if you ask the infected
firmware, it will just lie to you," Nohl explained.
Most troubling of all, BadUSB-corrupted devices are much harder to disinfect. Reformatting an
infected USB stick, for example, will do nothing to remove the malicious programming. Because the
tampering resides in the firmware, the malware can be eliminated only by replacing the booby-trapped
device software with the original firmware. Given the possibility that traditional computer malware
could be programmed to use BadUSB techniques to infect any attached devices, the attack could change
the entire regimen currently used to respond to computer compromises.
"The next time you have a virus on your computer, you pretty much have to assume your peripherals
are infected, and computers of other people who connected to those peripherals are infected," Nohl
said. He said the attack is similar to
infections affecting hard drives and removable storage. A key difference, however, is that most
boot sector compromises can be detected by antivirus scans. BadUSB infections can not.
The Black Hat presentation, titled
BadUSB—on accessories that turn evil, is slated to provide four demonstrations, three of which
target controller chips manufactured by
Phison Electronics. They include:
- Transforming a brand-name USB stick into a computer keyboard that opens a command window on
an attached computer and enters commands that cause it to download and install malicious software.
The technique can easily work around the standard user access control in Windows since the protection
requires only that users click OK.
- Transforming a brand-name USB stick into a network card. Once active, the network card
causes the computer to use a domain name system server that causes computers to connect to malicious
sites impersonating legitimate destinations.
- Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu
installation file. The file is loaded onto the drive when attached to one computer. The tampering
happens only after it is plugged into a separate computer that has no operating system present
on it. The demo underscores how even using a trusted computer to verify the cryptographic hash
of a file isn't adequate protection against the attack.
- Transforming an Android phone into a malicious network card.
Mr.StR34kSmack-Fu Master, in training
So, does turning off autoplay on USB devices mitigate or prevent this attack or are we still
screwed even if it is turned off and someone plugs a malicious USB thing into our computer?
Yes, I read the article but by the middle I was going "Wha?" and scratching my head puzzling
My understanding is that if you plug it in, it will infect, auto play or not, and that this
is not limited to any one operating system. This attack vector uses the actual firmware on the
USB device, which tells the computer the type of device being plugged in. So you plug in an
infected usb storage device, and it tells the computer that it's also a keyboard. Then it types
commands as though you were doing it at your actual keyboard.
OmoronovoWise, Aged Ars Veteran
Call me thick, but wouldn't it be rather obvious that your USB memory stick is being
a keyboard, because it can't also be a memory stick. i.e. where the hell have all my files
You aren't being thick, but you're wrong in thinking a USB device can only be one thing.
There's nothing stopping a USB Flash Drive being fully functional as a USB Flash Drive whilst
also surreptitiously acting as a keyboard if it's firmware has been modified to advertise it as
A USB device can have multiple device ID's and able to process commands as any of them.
Back in the early days of 3G dongles, they would show up as both the dongle itself and
as a virtual CD drive from which to install the device driver from. This attack vector is the
same concept, only for malicious intent and not built into the device intrinsically.
Step 1: Build a convenient USB "charging station" for an airport.
Step 2: Insert BadUSB firmware exploit
Step 3: Wait for people to charge their phones.
Step 4: ???
Step 5: Profit!
This one, people can protect themselves from by using charging cables that do not actually
have the data pins. Which are a good idea to carry while traveling, if you're not bringing your
own trusted charging devices with you.
I have a hard enough time convincing my parents-in-law to stay off the "Free WIFI" SSIDs at
the airport; now I need to convince them to use a special charging cable because of "malicious
USB ports"? Ha. Fat chance. That's not only a behavior change but also an expenditure of money,
all for a threat they can't identify.
Hacks where there is no visual difference in the operation of the device, like this one, are
completely stealthed to the majority of end users. Trying to explain it just sounds like paranoia.
"See? My phone is charging just fine and I can play my games, check my bank balance, and everything."
New submitter onproton writes:
new research today on a targeted exploitation technique used by state actors involving "network
injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube
traffic and replace it with
code that gives the operator control over the system or installs a surveillance backdoor. One
of the researchers writes, "many otherwise well-informed people think they have to do something wrong,
or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious
websites...many of these commonly held beliefs are not necessarily true." This technique is largely
designed for targeted attacks, so it's likely most of us will be safe for now — but just one more
reminder to use https.
bbn (172659) <email@example.com> on Friday August 15, 2014 @04:38PM (#47681107)
https is useless (Score:5, Insightful)
What good is https going to be against the state? You think they can not coerce Verisign et
al to hand over a copy of the root keys?
heypete (60671) <firstname.lastname@example.org> on Friday August 15, 2014 @05:00PM (#47681287) Homepage
Re:https is useless (Score:5, Informative)
What good is https going to be against the state? You think they can not coerce Verisign
et al to hand over a copy of the root keys?
Sure, they could, but I doubt they are.
If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke
their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing
While typical users won't notice, there's still plenty of risk to getting caught, particularly
when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile
sites "pinned" and will report back to Google if bogus certs are being used (they identified a
bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives
make it easier to detect if unexpected certs are showing up.
Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly,
but each time they do the risk to their entire business increases.
I suspect the government would much prefer to do things sneakily in the shadows, rather than involving
major CAs in such a risky role.
PopeRatzo (965947) on Friday August 15, 2014 @05:57PM (#47681721) Homepage Journal
Re:https is useless (Score:5, Insightful)
If VeriSign gets caught issuing bogus certs for the government, browser vendors will
revoke their roots.
Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?
I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help
the government spy on people because then all their customers would cancel their service.
No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st
SQLGuru (980662) on Friday August 15, 2014
Reduced rights (Score:3)
This is one of the reasons that I don't use an admin/root level account for normal activity.
If I need those privs, I'll escalate my rights for a single action. While that also won't prevent
all hacks, it drastically reduces my exposure.
vux984 (928602) on Friday August 15, 2014 @04:48PM (#47681195)
Re:Reduced rights (Score:3)
This is one of the reasons that I don't use an admin/root level account for normal activity.
A good practice to be sure.
While that also won't prevent all hacks, it drastically reduces my exposure.
Well, at least your device drivers are safe, and its a little harder for you to join a bot
But pretty much everything you have of value can be accessed from user space, including all your
documents. That's generally what identity and data thief hackers (and state actors) want.
SQLGuru (980662) on Friday August 15, 2014 @04:54PM (#47681239) Journal
Re:Reduced rights (Score:2)
They also have a harder time installing executable code.....if my browsing user can't
install code, then they've only got memory to play with.
not entirely true. It just can't install it in c:\program files or your platforms equivalent.
It can drop executables in folders you DO have access to though, and run them from there. And
even get them to auto run if it puts the start command in a settings file you can edit as that
MightyMartian (840721) on Friday August 15, 2014 @05:04PM (#47681319)
Well, there have been a whole host of attacks associated with vulnerable versions of Flash
and Java that could at least cripple a profile. I ran up against one of them around 2010. One
of the staff at one of our remote locations suddenly had all their files supposedly disappear,
desktop wiped out and the like, and a notification about a ransom if they wanted the files back.
The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched.
What had happened is the auto updater for the workstation had failed.
Now, while it's true that the operating system itself was not compromised, and no other systems
or users on the network were compromised, certainly there was enough control to potentially view
confidential data on shared drives. While this was relatively unsophisticated ransomware,
it did teach me than merely obsessing about privilege escalation does not lead to a secure system.
User profiles and directories can still potentially be vulnerable even if the malware can't
root the system.
AmiMoJo (196126) * <mojoNO@SPAMworld3.net> on Friday August 15, 2014 @05:38PM (#47681607)
Run your browser in a VM, preferably using a different OS to the host. No access to the
host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.
Animats (122034) on Friday August 15, 2014 @04:59PM (#47681273)
Flash vulnerability? (Score:4, Interesting)
Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in
the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash?
Who audits that code? Well?
Didn't look at the source of a Youtube page, did you? Look for "http://s.ytimg.com/yts/swfbin/player-vflZsDuOu/watch_as3.swf".
Videos can also play with "HTML5 video", but there's Flash code there to be executed.
timeOday (582209) on Friday August 15, 2014 @06:15PM (#47681803)
No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general
hand-waving, but I think the idea here is to trick people into installing an executable that
isn't really Flash by causing an executable that presents itself as a Flash update to request
installation. Since this happens while they are visiting youtube (with a man-in-the-middle
doing the injection), the user may assume it is a legit update and install the malware.
In other words, Flash and Java are "exploited" only in the sense that people are so used to
being pushed security updates, that they may accept a fake update delivered on an insecure connection.
Accepting a so-called Flash update from any untrusted site would accomplish the same thing.
It really just boils down to the fact that every site is an untrusted site if you're not using
https, since you don't know who all is in the middle.
raymorris (2726007) on Friday August 15, 2014 @05:30PM
Simpler way: virtualization + snapshot (Score:3)
You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for
your web browsing and such. Set the virtualized image read-only, except when installing new software
Beneath the virtual machine can either be a dedicated hypervisor or an very small Linux installation
which has only a tiny attack surface.
raymorris (2726007) on Friday August 15, 2014 @05:24PM (#47681489)
Not wrong, or stupid, or insecure, just run Flash (Score:2)
> many otherwise well-informed people think they have to do something wrong, or stupid,
or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many
of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited
by an ISP].
Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)
Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my
default browsers. For many years, there has been precisely one site for which I ever had any interest
in having Flash installed, that was Youtube. Not anymore.
Youtube no longer requires Flash. https://www.youtube.com/html5
June 11, 2014 |
Computerworld/IDG News Service
Extensibility could help a new Trojan program called Pandemiya see wider distribution despite
its high price, researchers say
A new Trojan program that can spy on victims, steal login credentials and interfere with browsing
sessions is being sold on the underground market and might soon see wider distribution.
The new threat is called Pandemiya and its features are similar to that of the infamous Zeus Trojan
program that many cybercriminal gangs used for years to steal financial information from businesses
Zeus source code was leaked on underground forums in 2011, allowing other malware developers to
create Trojan programs based on it, including threats like Citadel, Ice IX and Gameover Zeus, whose
was recently disrupted by an international law enforcement effort.
"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development,
it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the
security division of EMC, said Tuesday in a
blog post. "Through our research, we found out that the author of Pandemiya spent close to
a year of coding the application, and that it consists of more than 25,000 lines of original code
The new Trojan program can inject rogue code into websites opened in a local browser, a technique
known as Web injection; grab information entered into Web forms; steal files; and take screenshots.
Because it has a modular architecture, its functionality can also be extended through individual
DLL (dynamic link library) files that act as plug-ins.
Some of Pandemiya's existing plug-ins allow cybercriminals to open reverse proxies on infected
computers, to steal FTP credentials and to infect executable files. Its creators are also working
on others to enable reverse Remote Desktop Protocol connections and to allow the malware to spread
through hijacked Facebook accounts, the RSA researchers said.
"Like many of the other Trojans we've seen of late, Pandemiya includes protective measures to
encrypt the communication with the control panel, and prevent detection by automated network analyzers,"
the researchers said.
The new threat is being advertised on underground forums for US$1,500 for the core application
and $2,000 with additional plug-ins, a relatively high entry price for cybercriminals. This aspect
and the fact that it's new have kept Pandemiya from gaining popularity so far, but because it can
easily be expanded with DLL plug-ins "could make it more pervasive in the near future," the RSA researchers
The takedown earlier this week of a major malware-spewing botnet has crippled the distribution
of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said
But replacements already stand in the wings, prepared to take Cryptolocker's place.
"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security
researcher at Dell SecureWork's Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old
botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday.
Gameover Zeus had been the sole distribution channel for
.... ... ...
On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies
in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had
grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the
alleged administrator of the botnet.
... ... ...
Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and
was one of the private security firms that assisted law enforcement prior to this week's take-down
-- estimated the Cryptolocker haul at a minimum of $10 million since its debut.
... ... ...
Some victims who refused to pay the ransom incurred significant losses recovering control of their
files and restoring files from backups, if they had them. During their investigation, U.S. authorities
interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged
recovery and remediation costs between $30,000 and $80,000.
... "This is a well-written piece of software," said Jarvis. "And they got the encryption right.
There are no loopholes and no flaws."
Earlier examples of ransomware were often sloppy, and in some cases their lock-out mechanisms
could be circumvented. Not so with Cryptolocker. Once run, it left victims with only two options:
Pay the ransom or restore the now-inaccessible data from backups.
... ... ...
So it took more then half-a-year (8 months) to get to the bottom; and at the end it was Symantec
researchers, who "poisoned" the botnet. I think all federal officials in three letter agencies responsible
for that should be fired...
“Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cybercrimes
that you might not believe if you saw them in a science fiction movie,”
reported the DOJ.
By secretly implanting viruses on computers around the world, they built a network of infected
machines – or “bots” – that they could infiltrate, spy on, and even control, from anywhere they
wished. Sitting quietly at their own computer screens, the cyber criminals could watch as
the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims
typed into computers and networks in the United States.
And then the criminals turned that information into cash by emptying the victims’ bank accounts
and diverting the money to themselves.
Assistant Attorney General Leslie Caldwell stated:
Over the weekend, more than 300,000 victim computers have been freed from the botnet
– and we expect that number to increase as computers are powered on and connected to the internet
this week. We have already begun providing victim information to private sector parties who are
poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no
longer functioning and its infrastructure had been effectively dismantled. Through these
court-authorized operations, we have started to repair the damage the cyber criminals have caused
over the past few years, we are helping victims regain control of their own computers, and we
are protecting future potential victims from attack.
US-CERT (United States Computer Emergency Readiness Team) also issued a GameOver Zeus P2P Malware
GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing
malware identified in September 2011, uses a decentralized network infrastructure of compromised
personal computers and web servers to execute command-and-control. The United States Department of
Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the
Department of Justice (DOJ), is releasing this Technical Alert to provide further information about
the GameOver Zeus botnet.
Two of the most insidious and widespread types of malware have been "disrupted," and at least
one man allegedly behind them has been indicted, according to an announcement today (June 2) by the
United States Department of Justice.
In a partnership with security companies, experts and other countries' law-enforcement agencies,
the Department of Justice helped orchestrate "Operation Tovar," a mission to identify the criminals
behind the Gameover banking Trojan and the botnet it controls, as well as the Cryptolocker ransomware,
and sabotage the associated crimeware campaigns.
According to Deputy U.S. Attorney General James Cole, the Gameover operation was successful and
the group's alleged leader, Russian citizen Evgeniy Mikhailovich Bogachev, has been indicted by a
federal grand jury in Pittsburgh.
Gameover, adapted from the infamous ZeuS banking Trojan after the ZeuS source code was released
in 2011, infects Windows computers worldwide and corrals them into a botnet, intercepts users' passwords
and other financial information and uses the stolen credentials to make or redirect wire transfers
from the bank accounts of infected users to accounts controlled by the criminals behind the malware.
According to Cole, Gameover has been implicated in the theft of more than $100 million dollars from
American victims alone.
The Gameover botnet has also been identified as the primary distributor of Cryptolocker, a
type of ransomware which holds infected computers "ransom" by using encryption to render the files
on them unreadable.
The 14-count indictment against Bogachev, who is believed to be in southern Russia, accuses him
of acting as the administrator of the Gameover botnet. The counts include conspiracy, computer hacking,
wire fraud, bank fraud and money laundering.
At the same time, an Omaha, Nebraska criminal complaint charges Bogachev with conspiracy to commit
bank fraud in a separate case invovling a variant of the ZeuS malware called "Jabber ZeuS," after
the instant-messaging software it used to communicate with its handlers.
A third civil injunction filed by the United States in the Pittsburgh federal court alleges that
Bogachev is the leader of a cybercrime gang responsible for creating and operating both Gameover
In addition, the Pittsburgh court also authorized U.S. law enforcement to intercept traffic between
computers infected with Gameover and Cryptolocker and the servers controlling these malicious programs.
For example, the FBI can collect the IP addresses of computers infected with these types of malware
in order to help study them and devise defenses against them.
"At no point during the operation did the FBI or law enforcement access the content of any of
the victims' computers or electronic communications," the Department of Justice announcement states.
However, judging by similar situations, it is highly unlikely that Bogachev will actually face
trial in the US.
The Justice Department has disrupted what it calls one of the most sophisticated cyber threats
ever, and they are now trying to capture the man behind it all, federal prosecutors announced today.
Over the weekend, federal cyber cops essentially paralyzed a massive computer virus known as “Gameover
Zeus,” which diverted millions of dollars from companies’ bank accounts, and blocked another virus
known as “Cryptolocker,” which first took control of a user’s computer files and then demanded ransom
in return for the user’s own files, according to federal prosecutors. Both viruses were the work
of an overseas criminal gang allegedly run by Russian hacker Evgeniy Bogachev, who is now among the
FBI’s most-wanted cyber criminals.
“Evgeniy Bogachev and the members of his criminal network devised and implemented the kind
of cyber-crimes that you might not believe if you saw them in a science fiction movie,” the head
of the Justice Department’s Criminal Division, Leslie Caldwell, told reporters in Washington. “By
secretly implanting viruses on computers around the world, they built a network of infected machines
– or ‘bots’ – that they could infiltrate, spy on, and even control, from anywhere they wished.”
Starting in 2011, Bogachev, 30, allegedly used “spear-fishing” – or fake – emails to infect computers
with the “Gameover Zeus” virus. Once infected, Bogachev would “hijack computer sessions and steal
confidential and personal financial information” that could then be used to funnel money overseas,
the according to U.S. Attorney for the Western District of Pennsylvania David Hickton.
In October 2011, a Pennsylvania composite materials company was hit, and “within a matter of hours
after banking credentials were compromised, hundreds of thousands of dollars were being siphoned
from the company’s bank accounts,” Hickton said.
More than two years later, in November last year, the police department in Swansea, Mass., became
a victim of the “Cryptolocker” virus when an employee opened an email that looked like it was from
a “trusted source,” Hickton said. When “Cryptolocker” strikes, a timer often appears on victims’
computer screens, giving them 72 hours to pay hundreds of dollars if they want their files back –
from family photos to business records, law enforcement officials said.
In the case of the Swansea police department, the department paid the ransom and contacted the
FBI, according to law enforcement officials.
As of April 2014, “Cryptolocker” had attacked more than 200,000 computers, and more than half
of those attacks occurred in the United States, Deputy Attorney General Jim Cole said. In addition,
in its first two months of operation alone, the criminals behind “Cryptolocker” collected an
estimated $27 million in ransom payments from victims, he said.
As for the “Gameover Zeus” virus, security researched estimate that between 500,000 and 1 million
computers around the world have been infected with it, and a quarter of the victims are inside the
United States, according to Cole. In total, federal authorities believe U.S. victims, often small
and mid-size businesses, have lost more than $100 million to “Gameover Zeus.”
Federal authorities believe the man running the Eastern European criminal gang responsible for
the two viruses is now in Russia, and they are hoping the Russian government will help bring him
The Justice Department unsealed criminal charges in Pittsburgh, Pa., and in Omaha, Neb., charging
Bogachev with computer hacking, wire fraud, bank fraud, money laundering and other violations of
To keep “Gameover Zeus” from being reconstituted, federal authorities have obtained court approval
to redirect communications from “malicious servers” to substitute servers, and both U.S. and foreign
law enforcement officials seized computer servers integral to “Cryptolocker,” authorities said today.
US authorities named Russian national Evgeniy Bogachev as the face of a malicious software scheme
responsible for stealing millions from people around the world, after a successful campaign to disrupt
two major computer networks.
Digital police from across the globe announced they had seized control over the weekend of two
computer networks that had been used to steal banking information and ransom information locked in
files on infected computers. But they warned people with infected computers to take action now to
prevent further attacks.
US and European officials announced they had managed to crack the malicious software (malware)
known as Gameover Zeus that had been used to divert millions of dollars to bank accounts
of criminals. The authorities have also cracked Cryptolocker – a malware that shutout hundreds
of thousands of users from their own computers and ransomed the data.
... ... ...
The US authorities identified Bogachev, of Anapa in the Russian Federation, as Gameover Zeus’s
main administrator. At a press conference, deputy attorney general James Cole called him “a true
21st-century criminal who commits cybercrimes across the globe with the stroke of a key and the click
of a mouse …These crimes have earned Bogachev a place on its list of the world’s most-wanted cyber
According to the FBI’s “cyber most wanted” list Bogachev has been using variants of the Zeus malware
since 2009 and communicates using the online monikers “lucky12345” and “slavik”. Gameover Zeus (GOZ)
started appearing in 2011 and is believed to be “responsible for more than one million computer
infections, resulting in financial losses in the hundreds of millions of dollars”.
"He is known to enjoy boating and may travel to locations along the Black Sea in his boat," according
to the FBI.
The Cryptolocker software locked PC users out of their machines, encrypting all their files and
demanding payment of one Bitcoin (currently worth around £300, or $650) for decryption.
It’s believed Cryptolocker, which the FBI estimated acquired $27m in ransom payments in just
the first two months of its life, has infected more than 234,000 machines.
A chief suspect from Russia has been identified, but is still at large, Troels Oerting, head of
Europol's European Cyber Crime Centre (EC3) told the Guardian. He said other arrests related to the
operation were “in progress”.
The global effort to stop the spread of the Cryptolocker ransomware has focused on its delivery
method, GOZ. The malware connected infected machines by peer-to-peer connections – in theory making
it harder for the authorities to track and stop.
GOZ was designed to steal people's online banking login details, who were usually infected by
clicking on attachments or links in emails that looked innocuous. However, it also dropped Cryptolocker
on their computers.
"Nobody wants their personal financial details, business information or photographs of loved ones
to be stolen or held to ransom by criminals," said Andy Archibald, deputy director of the NCA's National
Cyber Crime Unit.
... ... ...
Not-for-profit body Get Safe Online has worked with the NCA to launch a dedicated section of its
website to provide guidance and tools, although at the time of publication the website appeared to
Behind the scenes, the law enforcement groups have been taking over points of control in GOZ's
peer-to-peer network: an action known as "sinkholing" in the security world. By doing this, they
have been able to cut off criminal control over the infected computers.
Dismantling peer-to-peer operated malware is difficult, but it has been done before: for example
one case of a data-stealing virus called ZeroAccess, which infected as many as 1.9m PCs in 2013.
In that case, security researchers from Symantec managed to send lists of fake peers to infected
machines, which meant they could no longer receive commands from the controllers of the malicious
network, known as a botnet.
Symantec researchers said today that key nodes in GOZ's network had been disabled, along with
a number of the domains used by the attackers.
... ... ...
wombatman -> Worried9876
I read it was hackers from both Russia and Ukraine started it off, it is just that now the
USA have a filed a case just against one individual who is Russian (Evgeniy Mikhailovich Bogachev).
Clearly however this was not a one-person operation, but cynical people may say the USA would
not like to name any Ukrainian defendents in this case. The complaint even names him as the alleged
leader of the criminal enterprise.
<quote> "Nobody wants their personal financial details, business information or photographs
of loved ones to be stolen or held to ransom by criminals,"</quote>
...with the exception of the criminals von NSA/NCHQ?
Katagami -> Ninetto
...with the exception of the criminals von NSA/NCHQ?
Oh ffs change the record.
This is about criminal organisations screwing over people like me and you. It's got nothing
to do with intelligence agencies collecting data and if anything they should be given some credit
Wake up and stop attributing blame to something you (probably) know very little about.
tr1ck5t3r -> Jack Jazz
This only affects Windows PC's.
If people want to install a safe operating system on their computer, Ubuntu has achieved the
highest rating out of all the operating systems when reviewed by an arm of GCHQ.
And whilst the report focuses on Ubuntu 12.04 LTS, the new Ubuntu 14.04 LTS is available to
download with even more privacy and security enhancements.
It wont cost you a penny
Very poor publicity by the NCA. It's not merely this article which is confusing:
the NCA's own announcement fails to explain the significance of this "two-week opportunity".
wombatman -> Sheepless
The authorities disrupted the command and control (C&C) servers that were managing the major
network distributing the GameoverZeuS Trojan and the Cryptolocker ransomware. It’s only a matter
of time before those behind the botnet set up new C&C servers and regain control. Though that
may even happen in days and not the 2 weeks.
Ortho -> wombatman
Yeah, the 'two weeks' thing is just a random estimate. Not at all helpful.
What they should be saying is 'get your computer protected NOW- and keep it up to date in future'.
On AVG there is a blog post from October 2013 detailing how this came to light Sep'13. Someone
above wrote "Symantec may be able to act that fast..." Almost a year after the fact?? Seriously
- who is this targeted at?
Some viruses have been undiscovered for several years.
Antivirus is next to useless for zero day exploits.
It's my belief that these viruses come from the security software houses. It is their
way of keeping us buying their software. LOL
I don't see what difference 2 weeks will make.
Paul Tunstead -> RobDeManc
Wow, your onto how big pharma works, well done you.
consciouslyinformed -> RobDeManc
And who says a little suspicion does anyone harm? I agree with your concerns, and
have stated comments like yours. Worked in marketing companies for a few years prior to university,
and this is indeed the type of gnarly stuff companies do, in order to continue making $$$$ from
Meh, worst case it needs a fresh install, anyone with half a brain should have back-ups
of important stuff.
The sort of person who doesn't have adequate protection is often the same sort of
person who, when you ask about what they use for backing up, says, 'backing up?'.
Installing is time consuming. You need everything you are used to as well as the
OS. It takes me about 2 weeks to get a formatted drive back to how I like it by re-installing
No hassle with Clonezilla though (about 1 hr to get my machine back). Don't even need to install
anything. Just image regularly.
Unfortunately - if you are already infected, as soon as you connect your memory stick
or external drive, the trojan will start encrypting its content.
Earlier this week,
that journalists and visitors to Sochi are being immediately hacked virtually as soon as they
acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable
in its report, which purportedly showed NBC journalist Richard Engel's cellphone and laptop being
compromised "before he even finished his coffee."
All very scary but all completely false.
points out that the entire situation was fabricated.
The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every
While your average person might be lured to sketchy sites supposedly related to the Olympics, most
of these people wouldn't have disabled the default locks on their phone, as Robert Graham at Errata
Security points out.
They aren't in Sochi, but in Moscow, 1007 miles away.
The "hack" happens because of the websites they visit (Olympic themed websites), not their
physical location. The results would've been the same in America.
The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android
app onto his phone.
...and in order to download the Android app, Engel had to disable a lock that prevents such
downloads -- something few users do [update].
Stupid people do stupid things!
News at 11!
You trusts mainstream media these days?
released Chrome version 32 for Windows, Mac, and Linux. The new version
includes tab indicators, a new look for Windows 8 Metro mode, and automatic blocking of malware
downloads. You can update to the latest release now using the browser’s built-in silent updater,
or download it directly from google.com/chrome.
...The third point refers to a change in the company’s Safe Browsing service, which warns users
about malicious websites and malicious files. Added to the Chrome dev build
back in October, Google’s browser will now automatically block malware files, letting you
know in a message at the bottom of your screen. You can “Dismiss” the message, and Google says
you can circumvent the block but it will take more steps than before.
This is not very efficient as it requires close proximity of an expensive relay station to the target
(within a couple of miles) and easily defeated by Faraday cage. It's also self-limiting as relay needs
to be installed in the vicinity and will disconnect if, say, laptop trevels outside the area. So it
probably is used only against high value targets. But the idea is devious. Will those technologies now
migrate downsteam ? See a good summary of NYT article at
spying 101 How NSA bugs Chinese PCs with tiny USB radios
“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get
into computers and networks to which no one has ever had access before,” said James Andrew Lewis,
the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some
of these capabilities have been around for a while, but the combination of learning how to penetrate
systems to insert software and learning how to do that using radio frequencies has given the U.S.
a window it’s never had before.”
... ... ...
One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried
in it. According to the catalog, it transmits information swept from the computer “through a covert
channel” that allows “data infiltration and exfiltration.”
Another variant of the technology involves tiny circuit boards that can be inserted in a laptop
computer — either in the field or when they are shipped from manufacturers — so that the computer
is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being
walled off from the Internet constitutes real protection.
... ... ...
“Continuous and selective publication of specific techniques and tools used by N.S.A. to pursue
legitimate foreign intelligence targets is detrimental to the security of the United States and our
allies,” Ms. Vines, the N.S.A. spokeswoman, said.
But the Iranians and others discovered some of those techniques years ago. The hardware in the
N.S.A.’s catalog was crucial in the cyberattacks on Iran’s nuclear facilities, code-named Olympic
Games, that began around 2008 and proceeded through the summer of 2010, when a technical error revealed
the attack software, later called Stuxnet. That was the first major test of the technology.
One feature of the Stuxnet attack was that the technology the United States slipped into the Natanz
plant was able to map how it operated, then “phone home” the details. Later, that equipment was used
to insert malware that blew up nearly 1,000 centrifuges, and temporarily set back Iran’s program.
January 02, 2014 | Slashdot
An anonymous reader writes "According to Forbes online-
up to 1 Billion PCs are at risk of leaking information that could be used as a blueprint for
attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that
are sent in the clear. Researchers at Websense Labs released a
detailed overview of the data contained in the crash reports, shortly after Der Spiegel released
documents alleging that nation-state hackers may have used this information to
execute highly targeted attacks with a low risk of detection, by crafting attacks specifically
for vulnerable applications that are running on the network. Also interesting to think that Microsoft
knows exactly what model of phones that you have
plugged into your PC..."
Oh, b.s. troll & here's how + why
You CAN security-harden Windows (just as well as anything else) via this guide I wrote up in
1997-2008 -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&qs=n&form=QBLH&pq=%22how+to+secure+windows+2000%2Fxp%22&sc=1-30&sp=-1&sk=&cvid=60c59dc375834640bef6cf0ed9d8147a
I truly don't *think* that you "p.r. fanboys" for other alternate *NIX based OS understand
something - when you post b.s. online, SOMEONE will spot it, and shred you for it... I mean, for
YEARS here all you heard was (more or less) "*NIX = invulnerable & Windows = vulnerable"... well,
new news: Look @ ANDROID (yes, it's a Linux) - it's being infested FAR FASTER than any Windows
EVER WAS in the SAME timeframe. That tell you anything boys?
Well, then these results ought to (as a SINGLE example of many I've seen as a result, especially
after CIS Tool usage which makes it cake to do & FUN in a nerdy kind of way):
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory
administration, and he said I was doing overkill. I told him yes, but I just eliminated the half
life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases,
its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled
besides the fact I imaged the drive over in 2008.
Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked
down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it
works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say
it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great.
Getting my host file updated, setting services to system service, rather than system local. (except
AVG updater, need system local)" from -> http://www.xtremepccentral.com/forums/showthread.php?s=19624f28d25cc6eec220229b503b7a4c&t=28430&page=3
It works, & is PROOF of my statements here.
P.S.=> Additionally - IF you trust SeLinux? Better think again - look who created it (NSA)...
Re:Not everything is about software security. (5, Informative)
If you're really concerned about security on your individual systems, DONT USE WINDOWS.
There, fixed it for ya.
Ubuntu does the same, if not worse.
pport intercepts Program crashes, collects debugging information about the crash and the operating
system environment, and sends it to bug trackers in a standardized form. It also offers the user
to report a bug about a package, with again collecting as much information about it as possible.
It currently supports
- Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler
(in piping mode)
- Unhandled Python exceptions
- GTK, KDE, and command line user interfaces
- Packages can ship hooks for collecting speficic data (such as /var/log/Xorg.0.log for X.org,
or modified gconf settings for GNOME programs)
- apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
- Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation
of fully symbolic stack traces (apport-retrace)
- Reporting bugs to Launchpad (more backends can be easily added)
This was so obvious 10 years ago (0)
I should consider making a list of obvious things that will prove to be security risks in the
future for everyone to be aware of it. This was so expected.
- the NSA tampers with scripts hosted on googleapis.com. 90% of the internet impacted.
At least with the gifted nose i have for smelling crap i must say none of the Snowden's revelations
made me bat an eye or change any passwords.
Duh (5, Funny)
Also interesting to think that Microsoft knows exactly what model of phones that you
have plugged into your PC..."
Wait, you mean my crash reports include a list of devices?!?
Reading the article, it says that each time you plug in a new USB device, it automatically
sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft,
your computer is still phoning home each time you install a new USB device.
Duh, how does it search for drivers on Windows Update then? Turn off that functionality and
then check, if it still does, then it's news.
Next you will tell me that my browser is broadcasting an IP Address.
Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but
my understanding was that Windows came with a bunch of generic drivers for devices, and only
checked Windows Update for a device if you told it to when installing the device.
Am I wrong?
Windows typically checks Windows Update for drivers for all newly-connected devices, then look
for locally-installed drivers if the Windows Update check didn't find anything. Certain devices
(like USB mass storage devices, for example)) are installed using local drivers first, as most
people want their USB flash drives to work as soon as possible but are willing to wait a few tens
of seconds for other devices.
Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play"
and this benefits users. Similarly, while a driver might be included on a CD that comes with a
device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.
Anonymous Coward | 7 hours ago
There are two cases where it will do this, both are optional:
1. to install a driver for the device
2. for a shiny graphic in Explorer/Device Stage
You can control both trivially: http://support.microsoft.com/kb/2500967
While the world may have become habituated to (and perhaps revels in, thank you social media exhibitionist
culture) the fact that the NSA is watching anyone and everyone, intercepting, recording, and hacking
every electronic exchange regardless if it involves foreign "terrorists" or US housewives, the discoveries
from the Snowden whistleblowing campaign continue. The latest revelation from the biggest wholesale
spying scandal since Nixon, exposed by
Germany's Spiegel which continues the strategy of revealing Snowden leaks on a staggered, delayed
basis, involves a back door access-focused NSA division called ANT, (which supposedly stands for
Access Network Technology), described by Spiegel as "master carpenters" for the NSA's TAO (Tailored
Access Operations, read more about
TAO here). The ANT people have "burrowed into nearly all the security architecture made by the
major players in the industry -- including American global market leader Cisco and its Chinese competitor
Huawei, but also producers of mass-market goods, such as US computer-maker Dell." More importantly,
thanks to Spiegel (and Snowden of course), the NSA's 50-page catalog of "backdoor penetration"
techniques has been revealed.
The details of how the NSA can surmount any "erected" walls,
These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels
of our digital lives -- from computing centers to individual computers, from laptops to mobile
phones. For nearly every lock, ANT seems to have a key in its toolbox. And no
matter what walls companies erect, the NSA's specialists seem already to have gotten past them.
This, at least, is the impression gained from flipping through the 50-page document.
The list reads like a mail-order catalog, one from which other NSA employees can order
technologies from the ANT division for tapping their targets' data. The catalog even lists the
prices for these electronic break-in tools, with costs ranging from free to $250,000.
Nothing quite like an extensive, taxpayer funded catalog listing back-door entry strategy imaginable.
Say you wanted to have some backdoor fun with Juniper Networks, the world's second largest network
equipment manufacturer (which claims the performance of the company's special computers is "unmatched"
and their firewalls are the "best-in-class.")
In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This
malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs...
Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software
upgrades." In this way, US government spies can secure themselves a permanent presence
in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target
It gets better, because when simple penetration is not enough, the NSA adds "implants."
In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step
in with their special tools, penetrating networking equipment, monitoring mobile phones and computers
and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance,
have played a considerable role in the intelligence agency's ability to establish a global covert
network that operates alongside the Internet.
So what exactly is to be found in the 50-page catalog?
Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO
personnel to see what is displayed on the targeted monitor," for example, is available for just
$30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone
tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised
as normal USB plugs, capable of sending and receiving data via radio undetected, are available
in packs of 50 for over $1 million.
The ANT division doesn't just manufacture surveillance hardware. It also develops software
for special tasks. The ANT developers have a clear preference for planting their malicious code
in so-called BIOS, software located on a computer's motherboard that is the first thing to load
when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning
normally, so the infection remains invisible to virus protection and other security programs.
And even if the hard drive of an infected computer has been completely erased and a new
operating system is installed, the ANT malware can continue to function and ensures that new spyware
can once again be loaded onto what is presumed to be a clean computer. The ANT developers
call this "Persistence" and believe this approach has provided them with the possibility
of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital,
Seagate, Maxtor and Samsung, all of which, with the exception of latter, are American
companies. Here, too, it appears the US intelligence agency is compromising the technology and
products of American companies.
Other ANT programs target Internet routers meant for professional use or hardware firewalls
intended to protect company networks from online attacks. Many digital attack weapons are "remotely
installable" -- in other words, over the Internet. Others require a direct attack on an
end-user device -- an "interdiction," as it is known in NSA jargon -- in order to install malware
or bugging equipment.
The conclusion here is an easy one, and one we have repeated ever since
before the Snowden revelations: Big Brother is bigger and badder than ever, he knows exactly
what you've been doing, and the second the NSA wants to nuke your computer out of orbit and/or destroy
your digital life, it can do so in a millisecond. What is more amusing is that with each passing
disclosure, it is increasingly clear that the NSA has gotten its inspiration for its dealings with
the US public from a Danielle Steel book at best, or a Vivid Video bootlegged tape at worst.
NSA known as Tailored Access Operations, or TAO, which is painted as an elite team
of hackers specializing in stealing data from the toughest of targets.
One of the most striking reported revelations concerned the NSA's alleged ability to spy on
Microsoft Corp.'s crash reports, familiar to many users of the Windows operating system as the
dialogue box which pops up when a game freezes or a Word document dies.
December 08, 2013 | Slashdot
tsu doh nimh writes
"In early October, news leaked out of Russia that authorities there had
arrested and charged the malware kingpin known as 'Paunch,' the alleged creator and distributor
of the Blackhole exploit kit. Today, Russian police and computer security experts released
additional details about this individual, revealing a much more vivid picture of the cybercrime
underworld today. According to pictures of the guy published by Brian Krebs, if the Russian
authorities are correct then his nickname is quite appropriate. Paunch allegedly made $50,000
a month selling his exploit kit, and worked with another guy to buy zero-day browser exploits.
As of October 2013, the pair had budgeted $450,000 to purchase zero-days. From the story:
'The MVD estimates that Paunch and his gang earned more than 70 million rubles, or roughly
USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to
perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important
driving force behind an explosion of cyber fraud over the past three years.
A majority of Paunchâ(TM)s customers were using the kit to grow botnets powered by Zeus
and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and
Re:I am confused. (Score:5, Informative)
it gets even better. In the linked article it explains that Paunch sells ads that appear in
the control panels for all the renters, so not only does he get income from renting the system,
he he also gets the income from that ads that are popping up in your system after you rent it
December 06, 2013 |
tsu doh nimh writes
"Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast
botnet that has enslaved more than two million PCs with malicious software in an elaborate and
lucrative scheme to defraud online advertisers.
KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact
the operations of ZeroAccess over the long term, but for now the PCs infected with the malware
remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture
in which new instructions and payloads are distributed from one infected host to another.
The actions this week appear to have targeted the servers that deliver a specific component
of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers,
While this effort will not disable the ZeroAccess botnet (the infected systems will likely
remain infected), it should allow Microsoft to determine which online affiliates and publishers
are associated with the miscreants behind ZeroAccess, since those publishers will have stopped
sending traffic directly after the takedown occurred.
Europol has a released a statement on this action, and Microsoft has published a large number
of documents related to its John Doe lawsuits intended to unmask the botnet the ZeroAccess operators
and shut down the botnet."
December 06, 2013
chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled
with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges
that the company used deceptive advertising to collect location and device information from Android
owners. The FTC says
the company failed
to disclose wanton harvesting and sharing of customers' locations and mobile device identities
with third parties. Brightest Flashlight Free, which allows Android owners to use their phone
as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics
from the site indicate that it has been downloaded more than one million times with an overall
rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements
on the devices it is installed on. However, the device also harvested a wide range of data from
Android phones which was shared with advertisers, including what the FTC describes as 'precise
geolocation along with persistent device identifiers.' As part of the settlement with the FTC,
Goldenshores is ordered to
change its advertisements and in-app disclosures to make explicit any collection of geolocation
information, how it is or may be used, the reason for collecting location information and which
third parties that data is shared with."
IDG News Service
A new Trojan program that targets users of online financial services has the potential to spread
very quickly over the next few months, security researchers warn.
The malware was first advertised on a private cybercrime forum in July, according to malware researchers
from Kaspersky Lab who dubbed it Trojan-Banker.Win32/64.Neverquest.
"By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all
around the world," said Sergey Golovanov, malware researcher at Kaspersky Lab, Tuesday in a
blog post. "This threat is relatively new, and cybercriminals still aren't using it to its full
capacity. In light of Neverquest's self-replication capabilities, the number of users attacked could
increase considerably over a short period of time."
Neverquest has most of the features found in other financial malware. It can modify the content
of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal
the username and passwords entered by victims on those websites and allow attackers to control infected
computers remotely using VNC (Virtual Network Computing).
However, this Trojan program also has some features that make it stand out.
Its default configuration defines 28 targeted websites that belong to large international
banks as well as popular online payment services. However, in addition to these predefined sites,
the malware identifies Web pages visited by victims that contain certain keywords such as balance,
checking account and account summary, and sends their content back to the attackers.
This helps attackers identify new financial websites to target and build scripts for the malware
to interact with them.
Once attackers have the information they need to access a user's account on a website, they use
a proxy server to connect to the user's computer via VNC and access the account directly. This can
bypass certain account protection mechanisms enforced by websites because unauthorized actions like
transferring money are done through the victim's browser.
"Of all of the sites targeted by this particular program, fidelity.com -- owned by Fidelity Investments
-- appears to be the top target," Golovanov said. "This company is one of the largest mutual investment
fund firms in the world. Its website offers clients a long list of ways to manage their finances
online. This gives malicious users the chance to not only transfer cash funds to their own accounts,
but also to play the stock market, using the accounts and the money of Neverquest victims."
The methods used to distribute Neverquest are similar to those used to distribute the Bredolab
botnet client, which became one of the most widespread malware on the Internet in 2010.
Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed
on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino
exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware
on the computers of users visiting those sites.
The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol)
credentials from email clients and sends them back to attackers so they can be used to send spam
emails with malicious attachments. "These emails are typically designed to look like official notifications
from a variety of services," Golovanov said.
In addition, Neverquest steals account log-in information for a large number of social networking
websites and chat services accessed from infected computers. Those accounts could be used to spread
links to infected websites with the intention to further spread Neverquest, even though Kaspersky
Lab hasn't seen this method being used yet.
"As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about
buying and selling databases to access bank accounts and other documents used to open and manage
the accounts to which stolen funds are sent," Golovanov said. "We can expect to see mass Neverquest
attacks towards the end of the year, which could ultimately lead to more users becoming the victims
of online cash theft."
Public sources show that TAO employs more than a thousand hackers. The task force has been active
since at least 1998, according to Washington Post. That's the end of any trust in Windows as we know
it. Sorry Microsoft...
The US National Security Agency hacked more than 50,000 computer networks worldwide installing
malware designated for surveillance operations, Dutch newspaper NRC reports citing documents leaked
by Edward Snowden.
The latest round of revelations comes from a document dating from 2012 that shows the extent of
the NSA’s worldwide surveillance network.
Published by Dutch newspaper NRC Handelsblad, it points out more than 50,000 locations, where
the NSA used ‘Computer Network Exploitation’ (CNE) and implanted malicious software into the
According to the NSA website CNE “includes enabling actions and intelligence collection via
computer networks that exploit data gathered from target or enemy information systems or networks.”
Once the computer has been infected, the ‘implants’ act as digital 'sleeper cells' that can
be remotely turned on or off with a single push of a button, the Dutch paper reported. The malware
can remain active for years without being detected, the newspaper added. The malicious operations
reportedly were carried out in many countries including China, Russia, Venezuela and Brazil.
The hacking is conducted by the Tailored Access Operations (TAO), a special unit within the NSA
tasked with gaining access to foreign computer systems.
According to the Dutch media, one of the examples of the CNE operation is the reported attack
telecom company Belgacom that was discovered in September 2013. The attack was previously reported
to have been carried out by British intelligence agency GCHQ that worked in cooperation with its
GCHQ injected malware in the Belgacom network to tap their customers’ telephone and data traffic.
The agency implemented a technique known as Quantum Insert, placing Belgacom’s servers in strategic
spots where they could intercept and redirect target traffic to a fake LinkedIn professional social
Public sources show that TAO employs more than a thousand hackers. The task force has been active
since at least 1998, according to Washington Post.
Documents acquired by the NRC newspaper also reveal that NSA spied on the Netherlands from 1946
to 1968. However the report does not indicate the specific intentions.
Dutch interior affairs minister Ronald Plasterk has recently confirmed that the NSA monitors mail
and phone traffic in the Netherlands and exchanges data with Dutch security organization AIVD.
This interview took place during celebration of Doctor Web, Ltd's twenty years of product development
(and simultaneously 10 years since creation of the company -- Doctor Web, Ltd). For additional information
about the anniversary see Doctor Web Anniversary
Facebook Community Page about Doctor Web.
The leading analyst of Doctor Web, Ltd Mr. Vyacheslav Medvedev kindly agreed to talk about current
security problems with the editor of Softpanorama. Mr. Medvedev is a frequent speaker on various
security conferences, where he often represents the company.
November 11, 2013 |
samzenpus nk497 writes:
"Criminals are taking advantage of unpatched holes in Internet Explorer to launch
'diskless' attacks on PCs visiting malicious sites. Security company FireEye uncovered the
zero-day flaw on at least one breached U.S. site, describing the exploit as a 'classic drive-by
download attack'. But FireEye also noted the malware doesn't write to disk and disappears on reboot
— provided it hasn't already taken over your PC — making it trickier to detect, though easier
to purge. '[This is] a technique not typically used by advanced persistent threat (APT) actors,'
the company said. '
This technique will further complicate network defenders' ability
to triage compromised systems, using traditional forensics methods.'"
Injection of malware is possible due to privileged position of servers on Internet backbone...
November 11, 2013 |
The UK’s electronic spying agency has been using spoof version of LinkedIn professional social network's
website to target global roaming data exchange companies as well as top management employees in the
OPEC oil cartel, according to Der Spiegel report.
The Government Communications Headquarters has
implemented a technique known as Quantum Insert, placing its servers in strategic spots where they
could intercept and redirect target traffic to a fake website faster than the legitimate service
A similar technique was used earlier this year to inject malware into the systems of BICS,
a subsidiary of Belgian state-owned telecommunications company Belgacom, which is another major GRX
In the Belgacom scandal first it was
the attacks were coming from. Then documents from Snowden’s collection
revealed that the
surveillance attack probably emanated from the British GCHQ – and that British intelligence had palmed
off spyware on several Belgacom employees.
The Global Roaming Exchange (GRX) is a service which allows mobile data providers to exchange
roaming traffic of their user with other providers. There are only a few dozen companies providing
such services globally.
Now it turns out the GCHQ was also targeting networking, maintenance and security personnel
of another two companies, Comfone and Mach, according to new leaks published in the German magazine
by Laura Poitras,
one of few
journalists believed to have access to all documents stolen by Snowden from the NSA.
Through Quantum Insert method, GCHQ has managed to infiltrate the systems of targeted Mach
employees and successfully procured detailed knowledge of the company’s communications infrastructure,
business, and personal information of several important figures.
A spokesman for ‘Starhome Mach’, a Mach-successor company, said it would launch “a comprehensive
safety inspection with immediate effect.”
The Organisation of Petroleum Exporting Countries was yet another target of the Quantum Insert
attack, according to the report. According to a leaked document, it was in 2010 that GCHQ managed
to infiltrate the computers of nine OPEC employees. The spying agency reportedly succeeded in penetrating
the operating space of the OPEC Secretary-General and also managed to spy the on Saudi Arabian OPEC
governor, the report suggests.
LinkedIn is currently the largest network for creating and maintaining business contacts. According
to its own data the company has nearly 260 million registered users in more than 200 countries. When
contacted by The Independent, a LinkedIn spokesman said that the company was “never told about
this alleged activity” and it would “never approve of it, irrespective of what purpose it
was used for.”
According to a cryptographer and security expert Bruce Schneier, Quantum Insert attacks are
for anyone except the NSA to execute, because for that one would need to “to have a privileged
position on the Internet backbone.”
The latest details of GCHQ’s partnership with the NSA were revealed just last week, after the
reports emerged that GCHQ was feeding the NSA with the internal information
intercepted from Google and
Yahoo’s private networks.
The UK intelligence leaders have recently been
questioned by British
lawmakers about their agencies’ close ties and cooperation with the NSA.
The head of GCHQ, Sir Ian Lobban,
lashed out at the global
media for the coverage of Edward Snowden’s leaks, claiming it has made it “far harder”
for years to come to search for “needles and fragments of needles” in “an enormous hay
field” of the Internet.
However, the intelligence chiefs failed to address public fears that Britain’s intelligence agencies
are unaccountable and are operating outside the law.
In a way it is a game changer. This is the only Trojan that went to
Malware Defense History in 2013...
This is a game changing Trojan, which belong to the class of malware known as
Ransomware . It seriously
changes views on malware, antivirus programs and on backup routines. One of few Trojan/viruses which
managed to get into front pages of major newspapers like
Unlike most Trojans this one does not need Admin access to inflict the most damage. It also targets
backups of your data on USB and mapped network drives. If you offload your backups to cloud storage
without versioning and this backup has an extension present in the list of extensions used by this
Trojan, it will destroy (aka encrypt) your "cloud" backups too.
It really encrypts the data in a way that excludes possibility of decryption without paying
ransom. So it is very effective in extorting money for decryption key. Which you may or may
not get as servers that can transmit it from the Command and Control center might be already blocked;
still chances are reasonably high -- server names to which Trojan connect to get public key changes
(daily ?), so far at least one server the Trojan "pings" is usually operational. So even on Oct 28
decryption was possible). At the same time the three days timer is real and if it is expire possibility
of decrypting files is gone. Essentially you have only two options:
- To pay the ransom hoping that cyber crooks will start the decryption
- Restore your files from a backup (if you are lucky to have a recent backup on disconnected
or non-mapped drive or with the extension not targeted by the Trojan).
Beware snake oil salesmen, who try to sell you the "disinfection" solution. First of all disinfecting
from Trojan is trivial, as it is launched by standard
registry entry. The problem is that such a solution does not and can't include restoration
of your files.
It was discovered in early September 2013 (around September 3 when domains to reach C&C center
were registered, with the first description on September 10, see
Major AV programs did not detect it until September 17, which resulted in significant damage inflicted
Here is the screen displayed when the Trojan finished encrypting the files (it operates silently
before that, load on computer is considerable -- encryption is a heavy computational task):
CryptoLocker is similar is some ways to other forms of ransomware, such as the Reveton police
Trojan, but it's far more sophisticated in its construction and aggressive in its demands.
The necessary decryption key is never left lying around on host machines. CryptoLocker phones
home to a command-and-control server to obtain a public RSA key before it begins the task of silently
encrypting files on compromised machines. The same command server also hosts the private key.
Malware that encrypts your data and tries to sell it back to you is not new. As net security firm
Sophos points out, CryptLocker chiefly differs because it uses industry-standard cryptography for
"SophosLabs has received a large number of scrambled documents via the Sophos sample submission
explains in a blog post.
"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption,
and that we can help them get their files back,” adds the firm. “But as far as we can see, there's
no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."
A video from SophosLab showing the malware in action can be found on the next page. Victims receive
little or no indication of problems on an infected machine while the malware is encrypting files
in the background.
Re: Already seen this
It encrypts .doc, .dwg etc
"You can't kill this virus in normal ways."
So, it manages to run despite having a software restriction policy in place preventing any
vaguely executable code from running outside of program files or authorised network shares?
I've been receiving the companies house emails regularly. I've had a few users run them with
nothing more harmful than the standard SRP prohibited text since outlook opens attachments in
a temp directory, which is not in program files, so it doesn't run and i'm safe despite the users.
Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will
vanish overnight because the users can't run the bloody things if they try.
Secondly, get yourself a copy of sysinternals from the microsoft website and use process explorer
instead of task manager and PSKILL to kill things instead of the "end task" button in task manager.
If you want malware dead, don't allow it to gracefully close through a task manager request to
close. That's just letting it run more instructions. Figure out where the file and all it's dependencies
are from process explorer and then either suspend or terminate it. Take a hash of the file to
stick in a network wide SRP GPO that denies it the ability to run. Zip a copy of the file and
email it to your AV vendor. Now your done and you can delete it.
So what? In the corporate world those files should be held in some kind of version control
and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not
be the master, they should be the published version of a document under proper control (also,
users don't need write access to *everything*). As for local files that are being worked on; well,
those are backed up as well aren't they?
And why the HELL do people open an attachment without first scanning it? When coming in from
outside, open it on a machine which has actual work files on it. Are they totally mentally deficient?
Run Outlook in a separate VM. Problem solved.
If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will
be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame,
look in the mirror.
Then call MS and ask them why their software is so shit.
I can see this being a serious worry for home users. Top-tip: stop opening random files.
Re: It encrypts .doc, .dwg etc
How naeve can you get? ! Obviously never worked for a large corporation then. The idea that
they do things properly always is just naivety. Release documents will (should) be in a document
management system, but there are always many documents which are not.
And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise
Re: It encrypts .doc, .dwg etc
I really hope your not an IT support guy, Users are .... users... they are not IT experts,
the same way that IT Experts are not brain surgeons. Yes good practice is always good, but...
If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted,
uploaded to e.g. DropBox, then synced with your other machines?
It'd be recoverable if you had a cloud locker with version control, but still annoying.
Re: Cloud backup
DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop
when she got this nasty last week.
It never ceases to amaze me how many people open and click on links in emails without knowing
who they're from. Even my employer (who shall remain nameless) has become infected despite there
being a fairly recent and high profile campaign targetting computer security and phishing emails.
Some people are just dumb.
To be fair, a bit of social engineering is involved here by making the file look like something
that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs
are normally harmless viewable documents. If they possess a little geekiness, they might know
that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and
they'd know that executables can be camouflaged like this.
I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need
I was talking to someone a week ago who got a popup in their browser warning they were downloading
pirated software and to click to acknowledge this. The sad thing is that while they didn't click,
they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone
who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which
would just be malware of some kind.
I assume the criminals wouldn't bother with these scams if people didn't fall for them.
From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't
take place until the virus is able to phone home to one of its many servers, which have their
domains automatically created using a Domain Generation Algorithm.
Is there not any software that can block all domains which are obviously gobbledygook and are
therefore likely to have been automatically generated by a nasty? It appears DGAs are used by
a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence
for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).
Its a game changing virus. Seriously changes views on malware and on backup routines.
Education is really the only way to prevent this unfortunately. Without education people will
continue to open email attachments they shouldn't, use weak passwords, and provide little or no network
These types of encrypting malware are the new breed of moneymakers for malware developers, especially
as they be created by individuals, or small groups, rather than larger organizations. In the past
it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that
method was pretty much eliminated. Ransomware, such as this Cryptolock,
DirtyDecrypt, are the future as the ransom payments are typically anonymous, are essentially
cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now BitCoins.
As always, I suggest noone pay them if they can avoid it as it just encourages them to continue.
On the other hand, I know that not everyone has a backup of their data for whatever reason and that
it is necessary to get this data back by any means.
We have been able to remove this by creating a Kaspersky Rescue Disk:
Once booted into this you can use the File Manager and register editor to remove the start up
entry for this, first browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run locate
the random file (this will also show you where on the system this is loading from. Remove this reg
entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Once the reg entry is deleted the use the File Manager function to browse to where this file is
located and delete this file.
Shut down the rescue disk and boot as normal, this should then be able to boot without the CrytoLocker
screen appears, you should then run a scan with your current AV software or download Malwarebytes:
http://www.malwarebytes.org/ and run a
scan with this. It maybe best to run this scan with the computer in safe mode.
tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with
2048-bit RSA encryption, which is uncrackable for quite a while yet.
WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having
UAC on or off.
MalwareBytes Pro and Avast stop the virus from running.
Sysadmins in a domain should create this
Software Restriction Policy which has very little downside (you need both rules).
The timer it presents is real and you cannot pay them once it expires. You can pay them with a
GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using
ShadowExplorer, go to a backup (including
versioning-based cloud backups), or be SOL.
... ... ...
Vectors: In order of likelihood, the vectors of infection have been:
- Email attachments: A commonly reported subject is Payroll Report. The attachment, most of
the time, is a zip with a PDF inside, which is actually an executable.
- Email attachment- I have seen one from a zerox internal spoofed email saying their scan
- PCs that are unwitting members of the Zeus botnet have had the virus pushed to them directly.
- There is currently one report of an infection through Java, using the .jnlp file as a dropper
to load the executable.
Payload: The virus stores a public RSA 2048-bit key in the local registry,
and goes to a C&C server for a private key which is never stored. The technical nuts
and bolts have been covered by Fabian from Emsisoft
It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx,
*.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd,
*.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe,
img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef,
*.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der,
*.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif
Many antiviruses have been reported as not catching the virus until it's too late, including
MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by
reverting registry changes and removing the executables, leaving the files behind without a public
or private key. Releasing the files from quarantine does work, as does releasing the
registry keys added and downloading another sample of the virus.
Prevention: As this post has attracted many home users, I'll put at the top that
MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the
virus from running.
For sysadmins in a domain environment, one way to prevent this and many other viruses is to set
up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming.
Grinler explains how to set up the policy
Visual example. The rule covering
%AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after
either the GP timer hits or a reboot,
gpupdate /force does not enforce it immediately.
There is almost no collateral damage to the SRP. Dropbox and Chrome are not effected. Spotify may
be affected, not sure. I don't use it.
Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.
Forecast: The reports of infections have risen from ~1,300 google results for
cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really
hard to stop until it's too late. It's also very successful in getting people to pay, which funds
the creation of a new variant that plugs what few holes have been found. I don't like where this
“Do not turn on remote administration ever, for any device,” Cutlip said. “That’s the number one
attack surface, and it’s the one we usually find bugs in.”
Oct 23, 2013 | IDG News Service
Vulnerabilities in the management interfaces of some wireless router and network-attached storage
products from Netgear expose the devices to remote attacks that could result in their complete compromise,
The latest hardware revision of Netgear’s N600 Wireless Dual-Band Gigabit Router, known as WNDR3700v4
and shown above, has several vulnerabilities that allow attackers to bypass authentication on the
router’s Web-based interface, according to Zachary Cutlip, a researcher with security consultancy
firm Tactical Network Solutions.
“If you browse to http:///BRS_02_genieHelp.html, you are allowed to bypass authentication for
all pages in the entire administrative interface,” Cutlip said Tuesday in a
blog post. “But not only that, authentication remains disabled across reboots. And, of course,
if remote administration is turned on, this works from the frickin’ Internet.”
That opens the door to many attack possibilities. For example, an attacker could configure the
router to use a malicious DNS (Domain Name System) server, which would allow the attacker to redirect
users to malicious websites or set up port forwarding rules to expose internal network services to
“Additionally, any command injection or buffer overflow vulnerabilities in the router’s web interface
become fair game once authentication is disabled,” Cutlip said.
In fact, the researcher already found a vulnerability which, when exploited together with the
authentication bypass one, allows an attacker to obtain a root prompt on the router.
“Once the attacker has root on the router, they can easily sniff and manipulate all the users’
Internet-bound traffic,” Cutlip said Thursday.
The BRS_02_genieHelp.html vulnerability is actually a combination of two separate issues. One
is that any interface pages whose names start with “BRS_” can be accessed without authentication.
This is a vulnerability in itself and can lead to sensitive information disclosure. For example,
a page called “BRS_success.html” lists the access passwords for the 2.4GHz and 5GHz Wi-Fi networks
configured on the router.
The second issue is that when accessed, the BRS_02_genieHelp.html page switches a router configuration
setting called “hijack_process” to 1. This disables authentication for the entire web interface.
The value for the “hijack_process” setting when the router is configured properly is 3.
The same vulnerability was found by researchers from Independent Security Evaluators (ISE) in
April in the firmware of the Netgear CENTRIA (WNDR4700) router model. However, the vulnerable URL
ISE identified at the time was http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html.
Other routers may be affected
Netgear patched the vulnerability in the WNDR4700 220.127.116.11 firmware version that
was released in July.
However, it seems the company failed to check if other router models are also vulnerable.
The latest firmware version for WNDR3700v4 is 18.104.22.168; Cutlip performed his tests on the older
22.214.171.124 version. However, static code analysis of the 126.96.36.199 firmware indicates that it is also
vulnerable, the researcher said Thursday.
The older WNDR3700v3 hardware revision does not appear to be affected, Cutlip said, adding that
he hasn’t analyzed the firmware for the much older v1 and v2 revisions yet.
The researcher also discovered a separate authentication bypass vulnerability in the WNDR3700v4
firmware that’s not related to the BRS_* issue. “Appending the string ‘unauth.cgi’ to HTTP requests
will bypass authentication for many, if not most, pages,” he said.
Cutlip didn’t test if WNDR4700 is also vulnerable to this second flaw.
Netgear did not immediately respond to a request for comment.
A search for WNDR3700v4 routers that have their web interface exposed to the Internet returned
over 600 devices on the SHODAN search engine.
“Do not turn on remote administration ever, for any device,” Cutlip said. “That’s the number
one attack surface, and it’s the one we usually find bugs in.”
To avoid local attacks, administrators should secure their wireless networks with strong WPA2
passphrases and make sure strangers are not allowed on their local networks, the researcher said.
Dr Web, one of the key
players on the Russian and European AV software markets celebrated 20 years of the product development
(Igor Danilov started distribution of his
malware scanner via
Dialog Nauka in 1992) and 10 years since creating
The match was the central point of celebration which took place in
Yalta Inturist hotel. Dr.Web St. Petersburg
team played against Dr. Web Moscow team. Moskovites won...
There were also huge fireworks in the evening which Yalta residents can probably took for a
for the celebration of some new Ukrainian holiday ;-)
Disclaimer: I was invited as a guest...
Congratulations, in addition to all our troubles, advertisement networks can now be used as hidden
channel for installing spyware. In other words, adware provides a channel for installing malware.
Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network
to siphon money from their victims.
The new method represents another step in the evolution of mobile malware, which is booming with
more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading
"It's a very, very clean infection vector," said Wade Williamson, a senior security analyst at
Palo Alto Networks who
discovered the new trickery.
In legitimate partnerships between ad distributors and developers, the latter embeds the former's
software development kit (SDK) into the app, so it can download and track ads in order to split revenue.
Unfortunately, how well developers vet the ad networks they side with varies from one app maker
to another. If the developer does not care or simply goes with the highest bidder, then the chances
of siding with a malicious ad network is high.
Wiliamson found one such network's SDK embedded in legitimate apps provided through online Android
stores across Asian countries, such as Malaysia, Taiwan and China. Once installed, the SDK pulls
down an Android application package file (APK) and runs it in memory where the user cannot easily
The APK typically waits until another app is being
installed before triggering a popup window that seeks permission to access Android's
"It doesn't have to go through the whole process of doing a full install," Williamson said. "It
just sits there and waits on the smartphone to install something else and then piggybacks in."
Once installed, the APK takes control of the phone's messaging service to send text to premium
rate numbers and to download instructions from a command and control server. The majority of
Android malware today, 77 percent, wring money from victims through paid messaging services,
Juniper Networks' latest mobile threat report.
Williamson has seen more than a half dozen samples of the latest malware, which he believes is
coming from one criminal group, while acknowledging multiple groups is possible.
Android users in Asia and Russia are more susceptible to Android malware, because many apps are
downloaded from independent online stores. In the U.S., most Android users take apps from the Google
Play store, which scans for malware and malicious ad networks.
Because of the effectiveness of the latest malware, Williamson expects criminals in the future
to use the same scheme to download more insidious malware capable of stealing credentials to online
banking and retail sites where credit card numbers are stored.
The same pathway could also be used to steal credentials for entering corporate networks.
"As soon as you have a vector like this, the difference between creating malware that sends spoof
SMS messages versus looks for the network and tries to break in is just malware functionality," Williamson
about wireless/mobile security in CSOonline's Wireless/Mobile Security section.
21-year-old walked into police station with computer in hand, cops searched it.
A man from just outside of Washington, DC turned himself in to local police—with his computer
in tow—after receiving a pop-up message from what he believed was an “FBI Warning” telling him to
click to pay a fine online, or face an investigation.
While specific details on the case are scant as of yet, it appears that the suspect here fell
victim to a type of
ransomware that has been proliferating for years now—raking in millions for the scammers behind
Police said Jay Matthew Riley, 21, of Woodbridge, Virginia, walked into Prince William’s Garfield
District Station on July 1, 2013 to “inquire if he had any warrants on file for child pornography.”
According to the
local police department’s press release, posted on its own Facebook page on Thursday, July 25,
The accused voluntarily brought his computer to the station and, following a search, several
inappropriate messages and photos of underage girls were recovered. Detectives were able to identify
one of the girls as a 13 year old from Minnesota. A search warrant was obtained and executed at
the home of the accused. As a result, computers and other electronic devices were seized.
Following the investigation, the accused was subsequently arrested on July 23rd. The FBI message
that the accused had originally received was determined to be a virus and not a legitimate message.
The investigation continues.
The Prince William County police also
noted that Riley is now being held without bond. He was charged with “3 counts of possession
of child pornography, 1 count of using a communication device to solicit certain offenses involving
children, and 1 count of indecent liberties with a minor.”
The danger of rogue software updates in Windows is very real. Typical Windows installation contains
at least a dozen of updaters. Microsoft update, Adobe update, Mozilla updaters, almost all applications
implement updates independently, and each update channel is essentially a covert channel that can deliver
malware to your PC.
... Are we sure that what we download from
Apple or any other such
phone producer is a bone fide update, these days? Are phone companies providing access
today via downloads to our cell phones and mobile devices?
... ... ...
Anyhow, I have probably unknowingly typed one of the 70, 000 keywords that launches
my back and gets me monitored today in this article. Wonder who can get the list of them?
Corporatism is on the march...
Microsoft Corp. (MSFT), the
world’s largest software company, provides intelligence agencies with information about bugs
in its popular software before it publicly releases a fix, according to two people familiar
with the process. That information can be used to protect government computers and to access the
computers of terrorists or military foes.
Microsoft (MSFT) and other software
or Internet security companies have been aware that this type of early alert allowed the U.S. to
exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials.
Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials,
who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for
Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give
government “an early start” on risk assessment and mitigation.
In an e-mailed statement, Shaw said there are “several programs” through which such information
is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.
Some U.S. telecommunications companies willingly provide intelligence agencies with access
to facilities and data offshore that would require a judge’s order if it were done in the U.S., one
of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and
companies are providing the information voluntarily.
The extensive cooperation between commercial companies and intelligence agencies is legal
and reaches deeply into many aspects of everyday life, though little of it is scrutinized by
more than a small number of lawyers, company leaders and spies. Company executives are motivated
by a desire to help the national defense as well as to help their own companies, said the people,
who are familiar with the agreements.
Most of the arrangements are so sensitive that only a handful of people in a company know of them,
and they are sometimes brokered directly between chief executive officers and the heads of the U.S.’s
major spy agencies, the people familiar with those programs said.
... ... ...
If necessary, a company executive, known as a “committing officer,” is given documents that guarantee
immunity from civil actions resulting from the transfer of data. The companies are provided with
regular updates, which may include the broad parameters of how that information is used.
Intel Corp. (INTC)’s McAfee unit, which makes Internet security software, regularly cooperates
with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view
of malicious Internet traffic, including espionage operations by foreign powers, according to one
of the four people, who is familiar with the arrangement.
Such a relationship would start with an approach to McAfee’s chief executive, who would then clear
specific individuals to work with investigators or provide the requested data, the person said.
The public would be surprised at how much help the government seeks, the person said.
McAfee firewalls collect information on hackers who use legitimate servers to do their work, and
the company data can be used to pinpoint where attacks begin. The company also has knowledge of the
architecture of information networks worldwide, which may be useful to spy agencies who tap into
them, the person said.
McAfee (MFE)’s data and analysis doesn’t include information on individuals, said Michael Fey,
the company’s worldwide chief technology officer.
“We do not share any type of personal information with our government agency partners,” Fey said
in an e-mailed statement. “McAfee’s function is to provide security technology, education, and threat
intelligence to governments. This threat intelligence includes trending data on emerging new threats,
cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system
vulnerabilities, and hacker group activity.”
In exchange, leaders of companies are showered with attention and information by the agencies
to help maintain the relationship, the person said.
In other cases, companies are given quick warnings about threats that could affect their bottom
line, including serious Internet attacks and who is behind them.
... ... ...
The information provided by Snowden also exposed a secret NSA program known as Blarney. As the
program was described in the Washington
Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails
or browse the Internet through principal data routes, known as a backbone.
... ... ...
That metadata includes which version of the operating system, browser and Java software are
being used on millions of devices around the world, information that U.S. spy agencies could
use to infiltrate those computers or phones and spy on their users.
“It’s highly offensive information,” said Glenn
Chisholm, the former chief information officer for
Telstra Corp (TLS)., one of
Australia’s largest telecommunications
companies, contrasting it to defensive information used to protect computers rather than infiltrate
According to Snowden’s information, Blarney’s purpose is “to gain access and exploit foreign intelligence,”
the Post said.
It’s unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney,
and if so, whether the transfer of that data required a judge’s order.
... ... ...
U.S telecommunications, Internet, power companies and others provide U.S. intelligence agencies
with details of their systems’ architecture or equipment schematics so the agencies can analyze potential
“It’s natural behavior for governments to want to know about the country’s critical infrastructure,”
said Chisholm, chief security officer at Irvine, California-based Cylance Inc.
Even strictly defensive systems can have unintended consequences for privacy. Einstein
3, a costly program originally developed by the NSA, is meant to protect government systems from
hackers. The program, which has been made public and is being installed, will closely analyze the
billions of e-mails sent to government computers every year to see if they contain spy tools or malicious
Einstein 3 could also expose the private content of the e-mails under certain circumstances, according
to a person familiar with the system, who asked not to be named because he wasn’t authorized to discuss
Before they agreed to install the system on their networks, some of the five major Internet companies
-- AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications
Inc (LVLT). and CenturyLink Inc (CTL). -- asked for guarantees that they wouldn’t be held liable
under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney
general indicating such exposure didn’t meet the legal definition of a wiretap and granting them
immunity from civil lawsuits, the person said.
"What is your computer actually DOING when you click on a link in a phishing email? Sherri
Davidoff of LMG Security released these
charts of an infected computer's behavior
after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone
home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then
went on to capture screenshots and videos of the hacker executing a
man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when
attacker tried to steal my debit card number, expiration date, security code, Social Security
Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice
Well, you were dumb enough (Score:1, Insightful)
to click on the attachment in the first place, you've already set the bar for your intelligence
Re:Well, you were dumb enough (Score:5, Insightful)
Actually, there are two different populations of phish messages going around now. One of them
surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince.
If folks click on that, the senders know they have a live one.
But the other phishing schemes are subtle. I think reasonably intelligent folks who skim
emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable
to click to someplace nasty. After all, ain't no one 100% right 100% of the time.
Re: Well, you were dumb enough (Score:4, Insightful)
There's a very basic question that needs to be asked by people: why am I getting this email?
If you can't figure it out, a siren should go off in your mind as to what this could be.
I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason
to get your money stolen, especially considering the average age of the victims (it's up there).
Re:Nice try? (Score:4, Informative)
BofA actually has VERY good online security.
If setup right, you should be shown a picture you choose to confirm that you are on the legit
site. Then in addition to your password, you can setup a system where a six digit numeric token
is sent to your cell phone which is also needed to authenticate.
It's Quite A Bit More Than That (Score:1)
So a link in a malicious email can compromise my Windows box and cause my web browser to navigate
to addresses in a local hosts file. Welcome back to 1997.
It's quite a bit more than that. Perhaps you should RTFA.
- The infection vector does not have to come via email. It can just as easily infect via
drive-by on a web page.
- No hosts file involvement is necessary.
- It injects malware into the system and browser.
- The malware is self updating, to stay current and evade detection.
- The malware in the browser inserts itself into your normal online banking activity.
- It looks 100% legitimate, except for the nature of the "security verification" questions
which are too far reaching to be real.
Re:Most of the exploits.. (Score:5, Informative)
Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+
Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so
you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery
if you are wearing aluminum foil on your head.
Auto install security updates. If something disables it most likely you have a virus. Keep
everything up to date. Don't install toolbars or weather apps from unknown sources.
I Fixed One Of These Recently (Score:5, Interesting)
This malware (which puts up the appearance of a credit/debit card and asks for all you information)
calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts
to reach your financial institution via their website. It presents, after login (did they capture
the login info?), a panel looking like the credit/debit card, asking for the user to fill in all
information, including account number, CVC, address, and other personal information (why anyone
would fill in that data is beyond me!)
After much gnashing of teeth, I discovered it was undetectable by any known virus checker I
use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using
any references to 127.0.0.1 (local machine) for it's hook. All I had to do was edit the HOSTS
file and add the domain names of the miscreant with a reference to a different IP address that
is known to be a deadend (you could, for example, use 127.7.7.7).
When the malware couldn't execute, it couldn't disable the various malware detectors, and several
files were then identified and removed.
May 25, 2013
An anonymous reader writes "When it comes to spotting malware, signature-based detection, heuristics
and cloud-based recognition and information sharing used by many antivirus solutions today work well
up a certain point, but the polymorphic malware still gives them a run for their money. At the annual
AusCert conference held this week in Australia a doctorate candidate from Deakin University in Melbourne
has presented the
result of his research and work that just might be the solution to this problem. Security researcher
Silvio Cesare had noticed that malware code consists of small "structures" that remain the same even
after moderate changes to its code. He created
Simseer, a free online service that performs automated analysis on submitted malware samples
and tells and shows you just how similar they are to other submitted specimens. It scores the similarity
between malware (any kind of software, really), and it charts the results and visualizes program
relationships as an evolutionary tree."
[Apr 19, 2013] Gozi banking Trojan
Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program
that infects a computer's Master Boot Record (MBR) in order to achieve persistence.
... ... ...
Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS,
are part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is
hard to detect and remove and can even survive operating system reinstallation procedures.
... ... ...
The new Gozi MBR rootkit component waits for Internet Explorer to be launched and then injects
malicious code into the process. This allows the malware to intercept traffic and perform Web injections
inside the browser like most financial Trojans programs do, Maor said.
"TeamSpy" used digitally signed TeamViewer remote access tool to spy on victims.
Researchers have unearthed a decade-long espionage operation that
used the popular TeamViewer remote-access program and proprietary malware to target high-level
political and industrial figures in Eastern Europe.
TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked
as "secret" from a variety of high-level targets, according to a
report published Wednesday
by Hungary-based CrySyS Lab.
Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and
the European Union, an industrial manufacturer also located in Russia, multiple research and educational
organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned
of the attacks after Hungary's National Security
Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental
Malware used in the attacks indicates that those responsible may have operated for years and
may have also targeted figures in a variety of countries throughout the world. Adding intrigue
to the discovery, techniques used in the attacks bear a striking resemblance to an online banking
fraud ring known as Sheldon, and a separate
analysis from researchers at Kaspersky Lab found similarities to the
Red October espionage campaign that the Russia-based security firm discovered earlier this
"Most likely the same attackers are behind the attacks that span for the last 10 years, as
there are clear connections between samples used in different years and campaigns," CrySyS researchers
wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half
They added: "The attackers surely aim for important targets. This conclusion comes from a number
of different facts, including victim IPs, known activities on some targets, traceroute for probably
high-profile targets, file names used in information stealing activities, strange paramilitary
language of some structures, etc."
The attackers relied on a variety of methods, including the use of a digitally signed version
of TeamViewer that has been modified
through a technique known as "DLL hijacking" to spy on targets in real-time. Installation of the
compromised program also provides attackers with a backdoor to install updates and additional
malware. Both the TeamViewer technique and command servers used in the attack harken back to Sheldon.
The TeamSpy operation also relies on more traditional malware tools that were custom-built for
the purpose of espionage or bank fraud.
According to Kaspersky, the operators infected their victims through a series of "watering
hole" attacks that plant malware on websites frequented by the intended victims. When the targets
visit the booby-trapped sites, they also become infected. The attackers also injected malware
into advertising networks to blanket entire regions. In many cases, much of that attack code used
to infect victims was spawned from the
Eleonore exploit kit. Domains used to host command and control servers that communicated with
infected machines included politnews.org, bannetwork.org, planetanews.org, bulbanews.org, and
The discovery of TeamSpy is only the latest to reveal an international operation that uses
malware to siphon sensitive data from high-profile targets. The most well-known campaign was
dubbed Flame. Other surveillance campaigns include
Duqu, all three of which are believed to have been supported by
a well-resourced nation-state. Last year, researchers also uncovered an espionage
Researchers have unearthed
a decade-long espionage operation that used the popular TeamViewer remote-access program and
proprietary malware to target high-level political and industrial figures in Eastern Europe. TeamSpy,
as the shadow group has been dubbed, collected encryption keys and documents marked as 'secret'
from a variety of high-level targets, according to a report published Wednesday by Hungary-based
CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both
NATO and the European Union, an industrial manufacturer also located in Russia, multiple research
and educational organizations in France and Belgium, and an electronics company located in Iran.
CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence
that TeamSpy had hit an unnamed 'Hungarian high-profile governmental victim.'
Suspiscious based on what criteria?
We aren't allowed to use open source and so we have to "trust" every 'signed
binary' which executives and leaders want to use. If we could use open source, we could
at least read the source and even compile it to ensure the source we read was the binary
which was compiled.
When the malware doesn't do "harm" to anything, the sympoms of malware are
non-existant. No pop-up ads, no unusual crashing (see note about being unable to use open
source... the 'other' operaitng system crashes often enough for inexplicable reasons that
no one suspects malware as the cause any longer) and when a commonly used utility program
which performs remote access is used, how can it be detected as malware?
Arguably, that it was proprietary and commercial software which was exploited
is pretty disturbing. But at the same time, that software makers (and other device and product
makers, and service providers too) frequently enter into deals with government to spy on people
is unfortunately very common. That the "white-hat" (heh, I accidentally typed "white-hate"...
apropos?) nation called the USA has compromised global communications with Echelon and more
recently with the much celebrated NSA wiretapping, does not help matters.
I think no one appreciates the value of trust. Once
it's lost, it's lost. What amount of trust in government... any government... may have existed,
it is gone for most of us.
The unenlightened? Well... they still watch MSM (mainstream media, I have come
to know these initials). What hope have they against that?
Re:A strong push for open source in government (Score:1)
I suspect that as more malware and backdoors are discovered in systems used
by government, the penny will begin to drop more frequently. Closed source is incompatible
with security, by definition, since you cannot validly trust what you cannot see
Bullshit. Open or closed source has no direct bearing on the ability of an attacker
to infect a binary. Open source provides more eyes on a given bug or problem, but once compiled
and running its the exact same problem.
The article mentions use of a modified signed binary. So tell me how open source
is going to remedy that? Unless you're recompiling from scratch (your entire tool chain, plus
dependencies) on each launch, you're just as fucked as the next guy. Are you going to checksum
the binary in memory each time a method is called? Are you going to encrypt/decrypt on each
call? What's to stop an attacker from modifying your checksum code in the same manner as CD
checks on games are trivially broken?
The only thing open source is really going to do for you is ensure that if you
compile from source, the attack didn't originate from that source. So what?
The fact it's open source IS (or can be) the pathway. If it's a small piece of
software that does a specific function that's not of use to many people, your million eyeballs
shrink rapidly. And what you're left with (IMO) is a handful of eyeballs thinking "I don't
have the time/skills for this, it's open source, I'm sure someone will have looked over it"
while no one actually does.
Or someone auditing the code but not the stuff around it, or maybe the code as
distributed is clean and will compile into a clean and functioning binary, but the scripts
around it actually add some malicious steps if certain criteria are met.
Open source isn't a magic bullet.
Authorities are tracking a new computer virus that uses a fake “FBI” message in an attempt
to extort money from its victims.
Called “Reveton Ransomware,” officials say the virus is installed on a computer when a user
visits a compromised website. The computer then locks, while displaying
a warning that the FBI or Department of Justice has identified the computer as being involved
in criminal activity. The fake message instructs users to pay a fine using a prepaid
money card service, which will unlock the computer.
The computer’s webcam is also activated, showing the user a live picture of themselves.
“We started seeing versions of this virus last year, but of course, like all scams, it morphs
over time,” said FBI Supervisory Special Agent Marshal Stone, of the Knoxville Division.
Stone says FBI officials do not conduct business in that fashion, and would never demand payment
to unlock a computer.
The virus has already found victims in East Tennessee. Sean Woods of “Computer Solutions” in
Seymour says he has worked three cases within the past week.
“In this case, a person will lose everything that they’ve ever
had. If it’s not backed up, it’s gone,” he said.
Officials have not confirmed which websites lead to the virus, but Woods says he is connecting
some trends. He believes users are picking up the virus through shared files, illegal downloads,
or websites commonly linked to bugs.
“You don’t know who’s going on your computer and what they’re doing,” he said, cautioning users
to be careful who they share a computer with.”They download content such as music… they’re out
there for you to go view, this is where you’re getting hit.”
Woods says users should also keep their virus protection software up to date.
The FBI encourages any victims of the virus to file a complaint
with the Internet Crime Complain Center at
"Sebastian Holst makes yoga mobile apps with his wife, a yoga instructor. The Mobile Yogi is sold
in all the major mobile app stores. But when someone buys his app in the Google Play store, Holst
automatically gets something he says he didn't ask for:
the buyer's full name, location and email address.
He says consumers are not aware that Google Inc. is sharing their personal information with
third parties. No other app store transmits users' personal information to third-party developers
when they buy apps, he said." Oh Google.
Hopefully this applies only when "buying" an app.
If so, then I should be safe. This kind of privacy violation is just... wrong. Google seems
to think that their customers automatically trust third parties or something... if anything,
this demonstrates that Google themselves should not be trusted.
RE: Obviously a bug by darknexus
"If it had been a certain fruit company everyone would be rioting.
Man, it's so hard to be persecuted, eh? "
Much as I hate to be defending Apple this time, the OP is absolutely correct. There's definitely
a double standard in place for Apple in the tech media, particularly though not exclusively
when compared to Google.
If Apple had been the one doing this, everyone would have been
up in arms, torches lit, ready to burn down Apple HQ and any other buildings around them just
to make sure the deed was done.
When Google does it, not only do we get some people giving them the benefit of the doubt
but we even have some that claim Google are in the right to do this. If that's not a double
standard, I don't know what is. For myself, I say no app store should give
Video, you need Ad
obe Flash to view it...
-- Bloomberg Businessweek's Jordan Robertson discusses why the antivirus industry has so many
customers in the face of its ineffectiveness. He speaks on Bloomberg Television's "Market Makers."
The U.S. government is developing new computer weapons and driving a black market in “zero-day”
bugs. The result could be a more dangerous Web for everyone.
Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON,
conferences that have earned notoriety for presentations demonstrating critical security holes
discovered in widely used software. But while the conferences continue to draw big crowds, regular
attendees say the bugs unveiled haven’t been quite so dramatic in recent years.
One reason is that a freshly discovered weakness in a popular piece of software, known in the
trade as a “zero-day” vulnerability, can be cashed in for much more than a reputation boost and
some free drinks at the bar. Information about such flaws can command
prices in the hundreds of thousands of dollars from defense contractors, security agencies and
This trade in zero-day exploits is poorly documented, but it is
perhaps the most visible part of a new industry that in the years to come is likely to swallow
growing portions of the U.S. national defense budget, reshape international relations, and perhaps
make the Web less safe for everyone.
Zero-day exploits are valuable because they can be used to sneak software onto a computer system
without detection by conventional computer security measures, such as antivirus packages or firewalls.
Criminals might do that to intercept credit card numbers. An intelligence agency or military force
might steal diplomatic communications or even shut down a power plant.
It became clear that this type of assault would define a new era in warfare in 2010,
when security researchers discovered a piece of malicious software, or malware, known as Stuxnet.
Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have
yet to publicly acknowledge a role but have done so anonymously to the New York Times
and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control
industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group
with access to government-scale resources and intelligence, but it was made possible by four zero-day
exploits for Windows that allowed it to silently infect target computers. That so many precious
zero-days were used at once was just one of Stuxnet’s many striking features.
Since then, more Stuxnet-like malware has been uncovered, and it’s involved even more complex
techniques (see “The
Antivirus Era Is Over”). It is likely that even more have been
deployed but escaped public notice. Meanwhile, governments and companies in the
United States and around the world have begun paying more and more for the exploits needed to
make such weapons work, says
Soghoian, a principal technologist at the American Civil Liberties Union.
“On the one hand the government is freaking out about cyber-security,
and on the other the U.S. is participating in a global market in vulnerabilities and pushing up
the prices,” says Soghoian, who says he has spoken with people involved in the
trade and that prices range from the thousands to the hundreds of thousands.
Even civilian law-enforcement agencies pay for zero-days, Soghoian
says, in order to sneak spy software onto suspects’ computers or mobile phones.
Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike
desktop computers, mobile systems are rarely updated.
Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be
exploited for a long time. Sometimes the discoverer of a zero day vulnerability receives a monthly
payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it
you get paid,” says Soghioan.
No law directly regulates the sale of zero-days in the United States
or elsewhere, so some traders pursue it quite openly. A Bangkok-based security
researcher who goes by the name The Grugq tweets about acting as a middleman and has spoken to
the press about negotiating deals worth hundreds of thousands of dollars with government buyers
from the United States and western Europe. In an argument on Twitter last month, he denied that
his business is equivalent to arms dealing, as critics within and outside the computer security
community have charged. “An exploit is a component of a toolchain,”
“The team that produces & maintains the toolchain is the weapon.”
Some small companies are similarly up-front about their involvement in the trade. The French
security company VUPEN states on its website that it
“provides government-grade exploits specifically designed for the Intelligence community
and national security agencies to help them achieve their offensive cyber security and lawful
Last year, employees of the company publicly demonstrated a zero-day flaw that compromised
Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would
share how it worked. What happened to the exploit is unknown.
No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S.
defense agencies and companies have begun to publicly acknowledge that they intend to launch as
well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.
General Keith Alexander, director of the National Security Agency and commander of the U.S.
Cyber Command, told a symposium in Washington last October that the United States is prepared
to do more than just block computer attacks. “Part of our defense has to consider offensive measures,”
he said, making him one of the most senior officials to admit that the government will make use
of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing “Cyberspace Warfare
Attack capabilities” that could “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the
adversaries [sic] ability to use the cyberspace domain for his advantage.” And in November, Regina
Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal
about the direction U.S. defense technology is heading. “In the coming years we will focus an
increasing portion of our cyber research on the investigation of offensive capabilities to address
military-specific needs,” she said, announcing that the agency expected to expand cyber-security
research from 8 percent of its budget to 12 percent.
Defense analysts say one reason for the shift is that talking about offense introduces an element
of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S.
politicians and defense chiefs have talked mostly about the country’s vulnerability to digital
attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure
was being targeted by overseas attackers and that a “digital Pearl Harbor” could result (see “U.S.
Power Grids, Water Plants a Hacking Target”).
Major defense contractors are less forthcoming about their role in making software to attack
enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. “It’s
a growing area of the defense business at the same time that the rest of the defense business
is shrinking,” says Peter Singer, director of the 21st Century Defense Initiative at the Brookings
Institution, a Washington think tank. “They’ve identified two growth areas: drones and cyber.”
Large contractors are hiring many people with computer security skills, and some job openings
make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman
posted ads seeking people to “plan, execute and assess an Offensive Cyberspace Operation (OCO)
mission,” and many current positions at Northrop ask for “hands-on experience of offensive cyber
operations.” Raytheon prefaces its ads for security-related jobs with language designed to appeal
to stereotypical computer hackers: “Surfboards, pirate flags, and DEFCON black badges decorate
our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development
projects cover the spectrum of offensive and defensive security technologies.”
The new focus of America’s military and defense contractors may concern some taxpayers. As
more public dollars are spent researching new ways to attack computer systems, some of that money
will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating
cycle of competition between U.S and overseas government agencies and contractors could make the
world more dangerous for computer users everywhere.
“Every country makes weapons: unfortunately, cyberspace is like that too,” says Sujeet Shenoi,
who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program
trains students for government jobs defending against attacks, but he fears that defense contractors,
also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful
malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences
of active strikes against infrastructure. “I think maybe the civilian courts ought to get together
and bar these kinds of attacks,” he says.
The ease with which perpetrators of a computer attack can hide their tracks also raises the
risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware
is unsuccessful, there’s a strong chance that a copy will remain somewhere on the victim’s system—by
accident or design—or accidentally find its way onto computer systems not targeted at all, as
Stuxnet did. Some security firms have already identified criminal malware that uses methods first
seen in Stuxnet (see “Stuxnet
Tricks Copied by Criminals”).
“The parallel is dropping the atomic bomb but also leaflets with the design of it,” says Singer.
He estimates that around 100 countries already have cyber-war units of some kind, and around 20
have formidable capabilities: “There’s a lot of people playing this game.”
Adobe Engaging in a Detestable Practice
Adobe has began a new campaign of evil. They are installing unrequested software without
the user's permission. Although the software may seem fairly benign and even helpful, it isn't.
It is actually fairly harmful to the computing experience.
... .... ...
Please close Firefox to continue installation... flash player installed...McAfee Security Scan
Plus installed....WHAT? I never gave permission to install McAfee. I watched very carefully to
make sure I unchecked any boxes that asked me for permission to install additional software. Well,
maybe I missed it. Besides, it sounded fairly benign. I decided to let it go.
Problems with McAfee - May Adobe Die
I began noticing some new problems with my computer. This was very strange as I hadn't tried
any new programs yet. The only security that I use for my computer is WinPatrol and the only new
program it showed running in the background was McAfee. Programs and sound files would freeze
for about a tenth of second and I worried about a hardware problem caused by working on my computer.
Even YouTube videos would stutter. I even opened up my computer again and made sure everything
was seated tight and no cables bumping against the wrong thing. I couldn't find any physical problems
Luckily, I got around to uninstalling McAfee. It is easy to remove, just click on start,
all programs tab, then McAfee tab. There will be an option to
uninstall McAfee and it runs without any problems.
After removing McAfee, the next time I booted up my computer it ran perfect again. This got
me curious. I went online and discovered that I am not the first to have problems with Adobe and
their unwanted software. Other IT users noticed that McAfee was installed without any check boxes
or warnings. It might be in the EULA, but who reads that. The EULA
may protect them legally, but in my book it doesn't mean that what they are doing is moral. It
only means that Adobe knows how to legally scam people while protecting itself.
I heard that McAfee has caused some serious problems on other people's computers too. Recently,
it would cause computers to constantly reboot after installation. How many people would know how
to fix that problem?
Why would Adobe do such a thing? Well, it turns out that the McAfee installation isn't a full
working version. It may detect viruses, but you will have to pay money to upgrade to a full version
that removes them. Basically, Adobe and McAfee are trying to bleed
people for money.
I suspect in the long run, this will work against Adobe
... ... ... ...
Customer support criticisms
Reviewers have described customer support for McAfee products as lacking, with support staff
slow to respond and unable to answer many questions.
2010 reboot problem
On April 21, 2010, beginning approximately at 2 PM GMT, an erroneous virus definition file
update from McAfee affected millions of computers worldwide running Windows XP Service Pack 3.
The update resulted in the removal of a Windows system file (
on those machines, causing machines to lose network access and, in some cases, to enter a reboot
loop. McAfee rectified this by removing and replacing the faulty DAT file, version 5958, with
an emergency DAT file (version 5959) and has posted a fix for the affected machines in its consumer
2012 update issues
An August 2012 update to McAfee Antivirus caused the protection to turned off and users to
lose internet connections. McAfee was criticised for not notifying users promptly of the issues
when they learned about it.
and Win32/Tracur.AV. Using IE
8 became really dangerous those days.
Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's
own website to attack unsuspecting visitors.
The CFR is a non-partisan policy group, known mostly for publishing Foreign Affairs,
an influential journal on the subject. The group's website was infected with malware that uses
a "watering hole" attack -– waiting for users to visit the site before downloading the malware
to their machines. The malware involved allows a hacker to execute code remotely on the target
... ... ...
The malware only works on Internet Explorer 8 or earlier versions.
The hackers altered the HTML code on the CFR's website itself and
were able to remotely execute a program on any computer that accessesed the site.
The malware was hidden in several pieces and stored in areas that the web page needed to go to
file on the system that is usually used for a completely different purpose," he said.
Microsoft is reportedly working on a permanent fix, and issued a
advisory on Dec. 29. In the meantime there is an automatic work-around
according to Microsoft, but sometimes turning those two features on an off for different sites
can be inconvenient.
Users of Internet Explorer 9 and later aren't vulnerable.
While the particular attack on the CFR website used a previously
unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new:
a local government site in Maryland and a bank in Boston were hit by one called VOHO in July,
which infected targeted computers with code that sent information such as keystrokes back to a
“The traditional signature-based method of detecting malware is not keeping up.” : it was known
for 20 years or so. Nothing changed.
Consumers and businesses spend billions of dollars every year on antivirus software. But these
programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus
creators move too quickly. That is prompting start-ups and other companies to get creative about
new approaches to computer security.
“The bad guys are always trying to be a step ahead,” said Matthew D.
Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy
at Cisco Systems. “And it doesn’t take a lot to be a step ahead.”
Computer viruses used to be the domain of digital mischief makers. But
in the mid-2000s, when criminals discovered that malicious software could be profitable, the number
of new viruses began to grow exponentially.
In 2000, there were fewer than a million new strains of malware, most
of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test,
a German research institute that tests antivirus products.
The antivirus industry has grown as well, but experts say it is falling
behind. By the time its products are able to block new viruses, it is often too late. The bad
guys have already had their fun, siphoning out a company’s trade secrets, erasing data or emptying
a consumer’s bank account.
A new study by Imperva, a data security firm in Redwood City, Calif.,
and students from the Technion-Israel Institute of Technology is the latest confirmation of this.
Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and
analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made
by top companies like
Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than
On average, it took almost a month for antivirus
products to update their detection mechanisms and spot the new viruses. And two
of the products with the best detection rates — Avast and Emsisoft — are available free; users
are encouraged to pay for additional features. This despite the fact that consumers and businesses
spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion
spent on security software in 2011, according to Gartner.
“Existing methodologies we’ve been protecting ourselves with have lost
their efficacy,” said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield
& Byers. “This study is just another indicator of that. But the whole
concept of detecting what is bad is a broken concept.”
Part of the problem is that antivirus products are inherently reactive.
Just as medical researchers have to study a virus before they can create a vaccine, antivirus
makers must capture a computer virus, take it apart and identify its “signature” — unique signs
in its code — before they can write a program that removes it.
That process can take as little as a few hours or as long as several
years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that
had been stealing data from computers for an estimated five years.
Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a spectacular
failure” for the antivirus industry. “We really should have been able to do better,” he
in an essay for Wired.com after Flame’s discovery. “But we didn’t. We were out of our league
in our own game.”
Symantec and McAfee, which built their businesses on antivirus products,
have begun to acknowledge their limitations and to try new approaches. The word “antivirus” does
not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer
product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint
“Nobody is saying antivirus is enough,” said Kevin Haley, Symantec’s
director of security response. Mr. Haley said Symantec’s antivirus products included a handful
of new technologies, like behavior-based blocking, which looks at some 30 characteristics of a
file, including when it was created and where else it has been installed, before allowing it to
run. “In over two-thirds of cases, malware is detected by one of these other technologies,” he
Softpanorama hot topic of the month
Interviews and reviews
FAT32 New Problems
for Viruses or Anti-Virus -- a sober look on problems with interaction between scanners and file
systems. You will never read this in ZD publications ;-)
The Virus Creation Labs
- An excerpt from Dr. George C. Smith's book -- an interesting book about interaction between
virus writers and AV industry (see also
Crypt Newsletter) . Here is except from Rob Rosenberger (the author of
False Authority Syndrome) review. In his
Recommended books & publications
The media portrays virus writers as teenage prodigies whose temper tantrums
threaten the world. The media portrays antivirus companies as serious business professionals who
work closely with competitors and international agencies to keep virus writers at bay. If you
listen to the media, it's a World War with clear lines drawn between good & evil.
The media doesn't have a clue. "Drunken brawl" most accurately describes the virus/antivirus
conflict. You can't always tell the good guys from the bad guys (they occasionally switch sides)
and it's every man for himself. Virus writers rarely advance the state of the art -- but antivirus
firms profit by declaring them deadly computer terrorists. Few books about
viruses delve into this bizarre soap opera, and most of those only cover it briefly. Crypt Newsletter
editor George C. Smith's entire book exposes an insane world where everybody claws at each others'
throats -- and where even the virus writers have marketing departments. 172 pages written with
an utterly cynical sense of humor & irony. I read The Virus Creation Labs for the first time while
sitting in an airport terminal and I repeatedly embarrassed myself with bursts of laughter.
Microsoft Office 97
Visual Basic Programmer's Guide -- one cannot understand macro virus problem without understanding
Microsoft: Your one
stop shop for macro viruses.
Crypt Newsletter supplied this short paper to a consumer group in Washington, D.C., that's
trying to prevent the software industry from running over consumers in the area of product liability
law. The industry's position is, obviously, "It's your neck if you buy, use or download our products
and then wind up hosed in any way."
Most people with even half a brain grasp the point that this is a profoundly anti-consumer
In America, only the computer software industry has this
carte blanche ticket to screw with people unapologetically.
If any other type of company in your hometown were caught ignorantly putting saltpeter into the
water supply for years, you could go after them. Maybe you could even get the media outraged,
If this analogy isn't clear enough, consider the recent case of Williamson Sales of San Diego
and the distribution of hepatitis A contaminated strawberries. Now, you should know hepatitis
A -- if you're going to get hepatitis -- is the hepatitis to get. The virus that causes it is,
relatively speaking, mild. Some people who contract the disease often don't know they have it;
symptoms vary widely and may never appear noticeably. Children, who were the consumers of Williamson's
strawberries, generally don't get as sick as adults. Victims may become extremely jaundiced or
not at all.
In no cases during the media firestorm over the virus-contaminated strawberries were company
officials caught saying things like "It's not our fault, there's no liability, you broke the shrinkwrap
and ate the strawberries," or It's just a minor hepatitis virus (not B or non-A/non-B which are
extremely bad), a relative prankster, no one will get very sick, perhaps not at all." Can
you imagine what would have happened if any had? A vice-president of Williamson, or it's parent,
Epitope, would have been ceremonially lynched by the media.
However, the software industry lives in a kind of mystic never-never land where these conditions
do not apply. By the same token, the industry is allowed to drown everyone in ads creating the
impression that products will take you anywhere you want to go, educate your children, revivify
your moribund career, make you more appealing to women, earn riches for you . . . well, you know
Keep in mind as you read what follows that Microsoft's distribution of Concept and Wazzu macro
viruses are one reason these viruses have become two of the most widely reported macro virus infections
in the wild. Keep in mind, a hundred crazed virus writers busily uploading virus-infected uuencoded
binaries to alt.cracks or alt.sex.filthy.etc couldn't accomplish in five years what Microsoft
facilitated in two. Keep in mind that the level of technical attention to detail and preventive
measures needed to prevent these mass distributions was well within the capability of Bill Gates'
That's Not a Virus!
-- an important from the historical perspective paper by Chengi Jimmy Kuo, Director of AV Research
at McAfee Associates (in 2996 he left McAfee's AVERT research team to join the Microsoft. He has
been with McAfee since 1995, when McAfee's AVERT lab team started). Paradoxically McAfee was the
best virus hype propagandist in the world and owns a large part of his fortune to it.
-- an interesting article on the False Authority Syndrome. See also
False Authority Syndrome
Wolfgang Stiller, an internationally recognized virus expert and author of
the Integrity Master anti-virus program, says "Computer security experts today--people who deserve
that title--tend to have a good background on how viruses operate. They can dispense some good
But he chooses his words carefully when asked to comment
on virus expertise among computer security personnel.
"They're a little more likely than the average person to understand viruses,"
Stiller notes. "Some would say they're a lot more likely to
understand them, but I've met a fair number who don't know a thing about viruses, or, even worse,
they've got misconceptions. In light of the fact they are computer security experts,
their misconceptions carry a lot more weight than the average person. Errors are much more damaging
when they come out of the mouths of these people."
Stiller sums up False Authority Syndrome among computer security
experts by stating "Put me on a panel with a computer
security person, and I won't claim to have his level of security expertise. But the computer security
guy will invariably claim to have my level of virus expertise. How can you convince the audience
in a diplomatic way that he doesn't?"
NIST SP 800-68
Guidance for Securing
Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
[Feb 21, 2007] NIST SP 800-83 Guide to Malware Incident Prevention and Handling November 2005
PDF (2.89 MB)
Several useful Microsoft papers about setting more restrictive Unix-style (root vs regular
user) permissions in windows XP and 2000. The easiest way is to set them is via utility SHRPUBW
that one can from RUN menu.
2000 Macro Security -- Microsoft paper. See also HTML variant
SecurityFocus Building Anna Kournikova: An Analysis of the VBSWG Worm Kit by
Markus Schmall last updated August 2, 2001
Virus Behavior in the Windows NT Environment -- Symantec paper
Reference Features Ed Bott and Woody Leonhard on Office 2000 -- why it's better to update
to Office 2000
An Electronic Pearl
Harbor -- Not Likely -- From the National Academy of Sciences' Issues in
Science and Technology policy journal. Argument for the case that recent government and Department
of Defense assertions that hostile information warriors can devastate substantial segments of
American society . The paper is characterized by vague rhetoric, misused statistics, conflicts
of interest and poor understanding of technical issues.
Office 2000 has introduced digital signatures to help users distinguish legitimate code
from undesirable and viral code. If you open an Office document and see a macro security warning
with digital signature information, you can feel reasonably confident that the person (or corporation)
signing the macros wrote them. You can choose to trust all macros signed by this person by
checking the Trust all macros from this source checkbox. From then on, Office will enable
the macros without showing a security warning for any document with macros signed by this trusted
Office 2000 silently disables non-signed macros when the new Office 2000 Security Level
feature is set to “High.” In fact, the default security setting for Word 2000 is "High." By
removing the chance that a user “accidentally” enables a virus-infected document, the high
security level helps reduce the spread of macro viruses. If all legitimate macros are digitally
signed, then users do not even need to see the security warning without digital signature information.
Digital - September 2 1997 The Competition Virus -- an interesting article by
GEORGE SMITH (The Virus Creation Labs author) about
FROM TUESDAY, SEPTEMBER 2, 1997
ORIGINALLY PUBLISHED IN THE NETLY NEWS
The anti-virus industry likes to think of itself as a team of collegial white knights riding
to the rescue of all beset by computer viruses. In truth, it's a mutually antagonistic, factious
business where everybody wakes up hoping everybody else has failed the night before. Case in
point: the recent series of lawsuits between
McAfee Associates and
Far from unique, such lawsuits are beginning to look like just another turd in the anti-virus
industry punchbowl. The difference in this latest news is that McAfee Associates has attempted
to attach a billion-dollar price tag to the squabble by suing Symantec for defamation.
While I won't go into great detail about the method Microsoft uses (alas,
"the enemy" is everywhere), I can say that the SR-1 modifications are quite effective in preventing
the spread of most existing Word macro viruses. The SR-1 changes stop almost all Word 97 macro
virus "upconverts" - viruses originally written for Word 6 and 95 that have been automatically
converted to infect Word 97 documents - dead in their tracks. Even better, the technique doesn't
rely on identifying individual viruses and counteracting them; instead, Microsoft has discovered
a way to prohibit the most common method viruses use to propagate. Think of it as birth control
for Word macro viruses. These new anti-virus routines work not only
on current viruses, but also on viruses that haven't yet been created. It's a very significant
step in the right direction.
Office 2000 has introduced digital signatures to help users distinguish legitimate code from
undesirable and viral code. If you open an Office document and see a macro security warning with
digital signature information, you can feel reasonably confident that the person (or corporation)
signing the macros wrote them. You can choose to trust all macros signed by this person by checking
the Trust all macros from this source checkbox. From then on, Office will enable the macros
without showing a security warning for any document with macros signed by this trusted source.
Office 2000 silently disables non-signed macros when the new Office 2000 Security Level feature
is set to “High.” In fact, the default security setting for Word 2000 is "High." By removing the
chance that a user “accidentally” enables a virus-infected document, the high security level helps
reduce the spread of macro viruses. If all legitimate macros are digitally signed, then users
do not even need to see the security warning without digital signature information.
Nikolai Bezroukov. Malware Defense History
(slightly outdated -- I was active in virus research from 1987 till 1991 when I published Computer
Virology -- one of the first academic-style books devoted to computer viruses; then I returned to
this field in 1996 and generally finished my AV career in 1998 with periodic splashes of interest
(some old file and boot viruses were FAT-specific).
FAT32 New Problems
for Viruses or Anti-Virus -- a sober look on problems with interaction between scanners and file
systems. You will not read this in ZD publications ;-)
Office 2000 has introduced digital signatures to help users distinguish legitimate code from
undesirable and viral code. If you open an Office document and see a macro security warning with
digital signature information, you can feel reasonably confident that the person (or corporation)
signing the macros wrote them. You can choose to trust all macros signed by this person by checking
the Trust all macros from this source checkbox. From then on, Office will enable the macros
without showing a security warning for any document with macros signed by this trusted source.
Office 2000 silently disables non-signed macros when the new Office 2000 Security Level feature
is set to “High.” In fact, the default security setting for Word 2000 is "High." By removing the
chance that a user “accidentally” enables a virus-infected document, the high security level helps
reduce the spread of macro viruses. If all legitimate macros are digitally signed, then users
do not even need to see the security warning without digital signature information.
comp.virus FAQ by Nick FitzGerald and AV crowd (outdated and somewhat scholastic -- Nick made
his mark before moving to Virus Bulletin by killing comp.virus newgroup with sporadic and late
moderation :-). Not recommended as a source of information but one can read it as an interesting
historical document (last update was made in 1995, but most material is earlier than that)
- alt.comp.virus.faq Co-maintained by David Harley, Bruce Burrell, and George Wenzel. It seems
to be written mostly by George Wenzel. Contains some useful info about boot viruses. For some
strange reason George Wenzel believes in usefulness of NSA (now ISA) :-).
[alt.comp.virus] FAQ Part 1/4
The following guidelines will, one hopes, be of assistance. However, you may get better
use out of them if you read the rest of this document before acting rashly... If you think
you may have a virus infection, *stay calm*. Once detected, a virus will rarely cause (further)
damage, but a panic action might. Bear in mind that not every one who thinks s/he has a virus
actually does (and a well-documented, treatable virus might be preferable to some problems!).
Reformatting your hard disk is almost certainly unnecessary and very probably won't kill the
virus. If you've been told you have something exotic, consider the possibility of a false alarm
and check with a different package. If you have a good antivirus package, use it. Better still,
use more than one. If there's a problem with the package, use the publisher's tech support
and/or try an alternative package. If you don't have a package, get one (see section on sources
below). If you're using Microsoft's package (MSAV) get something less out-of-date. Follow the
guidelines below as far as is practicable and applicable to your situation. Try to get expert
help *before* you do anything else. If the problem is in your office rather than at home there
may be someone whose job includes responsibility for dealing with virus incidents.
[alt.comp.virus] FAQ Part 2/4
( i) What does FDISK /MBR do?
It places "clean" partition code onto the partition of your hard disk. It does not necessarily
change the partition information, however. [It does sometimes, and when it does it us usually
fatal (for the common user, anyway). FDISK /MBR will wipe the partition table data if the last
two bytes of the MBR are not 55 AA.] The /MBR command-line switch is not officially documented
in all DOS versions and was introduced in DOS 5.0
(ii) What is the partition?
The partition sector is the first sector on a hard disk. It contains information about the
disk such as the number of sectors in each partition, where the DOS partition starts, plus
a small program. The partition sector is also called the "Master Boot Record" (MBR). When a
PC starts up it reads the partition sector and executes the code it finds there. Viruses that
use the partition sector modify this code. Since the partition sector is not part of the normal
data storage part of a disk, utilities such as DEBUG will not allow access to it. [Unless one
assembles into memory] Floppy disks do not have a partition sector. FDISK /MBR will change
the code in a hard disk partition sector.
(iii) What is a boot sector?
The boot sector is the first sector on a floppy disk. On a hard disk it is the first sector
of a partition. It contains information about the disk or partition, such as the number of
sectors, plus a small program. When the PC starts up it attempts to read the boot sector of
a disk in drive A:. If this fails because there is no disk it reads the boot sector of drive
C:. A boot sector virus replaces this sector with its own code and usually moves the original
elsewhere on the disk. Even a non-bootable floppy disk has executable code in its boot sector.
This displays the "not bootable" message when the computer attempts to boot from the disk.
Therefore, non-bootable floppies can still contain a virus and infect a PC if it is inserted
in drive A: when the PC starts up. FDISK /MBR will not change the code in a hard disk boot
sector (as opposed to the partition sector). Most boot sector viruses infect the partition
sector of hard disks and floppy disk boot sectors: most do not infect the boot sector of a
hard disk - the Form virus is an exception.
(iv) How can I remove a virus from my hard disk's partition sector?
There are two main alternatives: run an anti-virus product, or use FDISK /MBR. Most effective
anti-virus products will be able to remove a virus from a partition sector, but some have difficulties
under certain circumstances. In these cases the user may decide to use FDISK /MBR. Unless you
know precisely what you are doing this is unwise. You may lose access to the data on your hard
disk if the infection was done by a virus such as Monkey or OneHalf. Part 4, section 14 of
this FAQ contains details as to how losing data might happen.
(v) Won't formatting the hard disk help?
Not necessarily. Formatting the hard disk can result in everything being wiped from the
drive *apart* from the virus. Format alters the DOS partition, but leaves the partition sector
(AKA the MBR) untouched. There is usually a better way of removing a virus infection than formatting
the hard disk.
[alt.comp.virus] FAQ Part 3/4 -- What are the legal implications of computer viruses?
[alt.comp.virus] FAQ Part 4/4 -- Miscellaneous
It said in a review....
Reviews in the general computing press are rarely useful. Most journalists don't have the
resources or the knowledge to match the quality of the reviews available in specialist periodicals
like Virus Bulletin or Secure Computing. Of course, it's possible to produce a useful, if limited
assessment of a package without using live viruses based on good knowledge of the issues involved
(whether the package is ICSA-certified, for instance): unfortunately, most journalists are
unaware of how little they know and have a vested interest in giving the impression that they
know much more than they do. Even more knowledgeable writers may not make clear the criteria
applied in their review.
It is always better from a security point of view to replace infected files with clean,
uninfected copies. However, in some circumstances this is not convenient. For example, if an
entire network were infected with a fast-infecting file virus then it may be a lot quicker
to run a quick repair with a reliable anti-virus product than to find clean, backup copies
of the files. It should also be realised that clean backups are not always available. If a
site has been hit by Nomenklatura, for example, it may take a long time before it is realised
that you have been infected. By that time the data in backups has been seriously compromised.
There are virtually no circumstances under which you should need to reformat a hard disk, however:
in general, this is an attempt to treat the symptom instead of the cause. Likewise, re-partitioning
with FDISK is unnecessary. If you use a generic low-level format program, i.e. one which isn't
specifically for the make and model of drive you actually own, you stand a good chance of trashing
the drive more thoroughly than any virus yet discovered.
Do I have a virus, and how do I know?
Almost anything odd a computer may do can (and has been) blamed on a computer "virus," especially
if no other explanation can readily be found. In most cases, when an anti-virus program is
then run, no virus is found. A computer virus can cause unusual screen displays, or messages
- but most don't do that. A virus may slow the operation of the computer - but many times that
doesn't happen. Even longer disk activity, or strange hardware behaviour can be caused by legitimate
software, harmless "prank" programs, or by hardware faults. A virus may cause a drive to be
accessed unexpectedly (and the drive light to go on) - but legitimate programs can do that
also. One usually reliable indicator of a virus infection is a change in the length of executable
(*.com/*.exe) files, a change in their content, or a change in their file date/time in the
Directory listing. But some viruses don't infect files, and some of those which do can avoid
showing changes they've made to files, especially if they're active in RAM. Another common
indication of a virus infection is a change to interrupt vectors or the reassignment of system
resources. Unaccounted use of memory or a reduction in the amount normally shown for the system
may be significant. In short, observing "something funny" and blaming it on a computer virus
is less productive than scanning regularly for potential viruses, and not scanning, because
"everything is running OK" is equally inadvisable.
What should be on a (clean) boot disk?
A boot floppy is one which contains the basic operating system, so that if the hard disk
becomes inaccessible, you can still boot the machine to attempt some repairs. All formatted
floppies contain a boot sector, but only floppies which contain the necessary system files
can be used as boot floppies. A clean boot disk is one which is known not to be virus-infected.
It's best to use a clean boot disk before routine scans of your hard disk(s).
What other tools might I need?
Other suggestions have included a sector editor, and Norton Utilities components such as
Disk Doctor (NDD). These are not suitable for use by the technically-challenged - any tool
which can manipulate disks at a low-level is potentially dangerous. If you do use tools like
this, make sure they're good quality and up-to-date. If you attack a 1Gb disk with a package
that thinks 32Mb is the maximum for a partition and MFM disk controllers are leading edge,
you're in for trouble.... A copy of PKZIP/PKUNZIP or similar compression/decompression utility
may be useful both for retrieving data and for cleaning (some) stealth viruses. The MSD diagnostic
tool supplied with recent versions of DOS and Windows is a useful addition. Heavy duty diagnostic
packages like CheckIt! may be of use. There are some useful shareware/freeware diagnostic packages,
too. Obviously, these are not all going to go on one bootdisk. When you prepare a toolkit like
this, make sure *all* the disks are write-protected! Tech support types are likely to find
that an assortment of bootable disks including various versions of DOS comes in useful on occasion.
If you have one or two non-Microsoft DOS versions (DR-DOS/Novell DOS or PC-DOS), they can be
a useful addition. DoubleSpaced or similar drives will need DOS 6.x; Stacked drives will need
appropriate drivers loaded. My understanding of the copyright position is that Microsoft does
not encourage you to *distribute* bootable disks (even if they contain only enough files to
minimally boot the system) *unless* the target system is loaded with the same version of MS-DOS
as the boot floppy. Support engineers will need to ensure that they are legally entitled to
all DOS versions for which they have bootable disks.
What are rescue disks?
Many antivirus and disk repair utilities can make up a (usually bootable) rescue disk for
a specific system. This needs a certain amount of care and maintenance, especially if you make
up more than one of these for a single PC with more than one utility. Make sure you update
*all* your rescue disks when you make a significant change, and that you understand what a
rescue disk does and how it does it before you try to use it. Don't try to use a rescue disk
made up on one PC on another PC, unless you're very sure of what you're doing: you may lose
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
in our efforts to advance understanding of environmental, political,
human rights, economic, democracy, scientific, and social justice
issues, etc. We believe this constitutes a 'fair use' of any such
copyrighted material as provided for in section 107 of the US Copyright
Law. In accordance with Title 17 U.S.C. Section 107, the material on
this site is distributed without profit exclusivly for research and educational purposes. If you wish to use
copyrighted material from this site for purposes of your own that go
beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no
less then 90 days. Multiple types of probes increase this period.
Two Party System
as Polyarchy :
Corruption of Regulators :
and Control Freaks : Toxic Managers :
Harvard Mafia :
: Surviving a Bad Performance
Review : Insufficient Retirement Funds as
Immanent Problem of Neoliberal Regime : PseudoScience :
Who Rules America :
: The Iron
Law of Oligarchy :
War and Peace
Finance : John
Kenneth Galbraith :Talleyrand :
Oscar Wilde :
Otto Von Bismarck :
George Carlin :
Propaganda : SE
quotes : Language Design and Programming Quotes :
Random IT-related quotes :
Somerset Maugham :
Marcus Aurelius :
Kurt Vonnegut :
Eric Hoffer :
Winston Churchill :
Napoleon Bonaparte :
Ambrose Bierce :
Bernard Shaw :
Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient
markets hypothesis :
Political Skeptic Bulletin, 2013 :
Unemployment Bulletin, 2010 :
Vol 23, No.10
(October, 2011) An observation about corporate security departments :
Slightly Skeptical Euromaydan Chronicles, June 2014 :
Greenspan legacy bulletin, 2008 :
Vol 25, No.10 (October, 2013) Cryptolocker Trojan
Vol 25, No.08 (August, 2013) Cloud providers
as intelligence collection hubs :
Financial Humor Bulletin, 2010 :
Inequality Bulletin, 2009 :
Financial Humor Bulletin, 2008 :
Bulletin, 2004 :
Financial Humor Bulletin, 2011 :
Energy Bulletin, 2010 :
Malware Protection Bulletin, 2010 : Vol 26,
No.1 (January, 2013) Object-Oriented Cult :
Political Skeptic Bulletin, 2011 :
Vol 23, No.11 (November, 2011) Softpanorama classification
of sysadmin horror stories : Vol 25, No.05
(May, 2013) Corporate bullshit as a communication method :
Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000):
the triumph of the US computer engineering :
Donald Knuth : TAoCP
and its Influence of Computer Science : Richard Stallman
: Linus Torvalds :
Larry Wall :
John K. Ousterhout :
CTSS : Multix OS Unix
History : Unix shell history :
VI editor :
History of pipes concept :
Solaris : MS DOS
: Programming Languages History :
PL/1 : Simula 67 :
History of GCC development :
Scripting Languages :
Perl history :
OS History : Mail :
DNS : SSH
: CPU Instruction Sets :
SPARC systems 1987-2006 :
Norton Commander :
Norton Utilities :
Norton Ghost :
Frontpage history :
Malware Defense History :
GNU Screen :
OSS early history
Principle : Parkinson
Law : 1984 :
The Mythical Man-Month :
How to Solve It by George Polya :
The Art of Computer Programming :
The Elements of Programming Style :
The Unix Hater’s Handbook :
The Jargon file :
The True Believer :
Programming Pearls :
The Good Soldier Svejk :
The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society :
of the IT Slackers Society : Computer Humor Collection
: BSD Logo Story :
The Cuckoo's Egg :
IT Slang : C++ Humor
: ARE YOU A BBS ADDICT? :
The Perl Purity Test :
Object oriented programmers of all nations
: Financial Humor :
Financial Humor Bulletin,
2008 : Financial
Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related
Humor : Programming Language Humor :
Goldman Sachs related humor :
Greenspan humor : C Humor :
Scripting Humor :
Real Programmers Humor :
Web Humor : GPL-related Humor
: OFM Humor :
Politically Incorrect Humor :
IDS Humor :
"Linux Sucks" Humor : Russian
Musical Humor : Best Russian Programmer
Humor : Microsoft plans to buy Catholic Church
: Richard Stallman Related Humor :
Admin Humor : Perl-related
Humor : Linus Torvalds Related
humor : PseudoScience Related Humor :
Networking Humor :
Shell Humor :
Financial Humor Bulletin,
2011 : Financial
Humor Bulletin, 2012 :
Financial Humor Bulletin,
2013 : Java Humor : Software
Engineering Humor : Sun Solaris Related Humor :
Education Humor : IBM
Humor : Assembler-related Humor :
VIM Humor : Computer
Viruses Humor : Bright tomorrow is rescheduled
to a day after tomorrow : Classic Computer
The Last but not Least
Copyright © 1996-2015 by Dr. Nikolai Bezroukov. www.softpanorama.org
was created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time. This document is an industrial compilation designed and created exclusively
for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong
to respective owners. Quotes are made for educational purposes only
in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
to advance understanding of computer science, IT technology, economic, scientific, and social
issues. We believe this constitutes a 'fair use' of any such
copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free)
site written by people for whom English is not a native language. Grammar and spelling errors should
be expected. The site contain some broken links as it develops like a living tree...
The statements, views and opinions presented on this web page are those of the author (or
referenced source) and are
not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified: September 27, 2016