September 20, 2006
Tracking Bots using Google Analytics
Google Analytics is the best free web statistics software out there. They recently opened registration to anyone, and even the bad guys seem to have noticed:
Every day we see different things that the miscreants develop to make their job easier. Today I was checking the 288th variant of Opanki. The really interesting thing about this one is that the botnet owner seems concerned over not having an organized way to check the bots, like geographic distribution, for example. But how can he or she accomplish this in an easy way? Yes, Google Analytics!
Google Analytics and Bots [McAfee Avert Labs Blog]
Read More: Threats, Anti-Virus, Bots
September 19, 2006
Hezbollah Cracked Israel’s Crypto
Newsday has a story that, if true, is fascinating. They are reporting that, using technology supplied by Iran, Hezbollah fighters were able to listen in on Israeli radio communications. They of course used this intel to evade the advancing units and counterattack.
“We were able to monitor Israeli communications, and we used this information to adjust our planning,” said a Hezbollah commander involved in the battles, speaking on the condition of anonymity. The official refused to detail how Hezbollah was able to intercept and decipher Israeli transmissions. He acknowledged that guerrillas were not able to hack into Israeli communications around the clock.
…a former Israeli general, who spoke on the condition of anonymity, said Hezbollah’s ability to secretly hack into military transmissions had “disastrous” consequences for the Israeli offensive.
For some interesting reading on this, try Ross Anderson’s Security Engineering chapter on Electronic and Information Warfare [PDF]. This attack also reminds me of the man-in-the-middle attack he talks about in Chapter 2 [PDF].
Hezbollah cracked the code [Newsday]
Read More: Threats, Crypto, Government
August 14, 2006
MS06-040 Monday Roundup
After a weekend of monitoring, here’s what we seem to know about the MS06-040 worm(s) in the wild:
- There are at least two variants in the wild so far (ref)
- It appears to be primarily targeting Windows 2000 machines (ref)
- After infecting a machine it communicates out via IRC on port 18067 and scans for additional machines to infect via port 445 (ref)
- One variant is also spreading via AOL IM. (ref)
- Most AV vendors have released updates that detect at least some of these known exploits.
- The purpose of the worm seems to be to build a botnet for sending spam.
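The two network behaviours listed above (IRC on TCP/18067 plus fan-out scanning of TCP/445) are enough to build a simple host-scoring detector. This is an added example, not code from the original post or any AV vendor; the flow records are constructed, and the fan-out threshold is an assumption.

```python
"""Detection heuristic for the MS06-040 worm behaviour described above:
outbound IRC C2 on TCP/18067 plus fan-out scanning of TCP/445.
Constructed flow records, not real traffic; thresholds are assumptions."""
from collections import defaultdict

# Constructed sample flow log, one record per line: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 18067 tcp
10.0.0.5 10.0.0.1 445 tcp
10.0.0.5 10.0.0.2 445 tcp
10.0.0.5 10.0.0.3 445 tcp
10.0.0.5 10.0.0.4 445 tcp
10.0.0.5 10.0.0.6 445 tcp
10.0.0.7 10.0.0.8 445 tcp
10.0.0.7 10.0.0.8 445 tcp
10.0.0.9 198.51.100.3 443 tcp
"""

IRC_C2_PORT = 18067   # port named in the roundup above
SMB_PORT = 445
SCAN_FANOUT = 5       # assumed: distinct 445 targets before we call it scanning

def parse_flows(text):
    """Parse the constructed flow format into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows

def score_hosts(flows):
    """Return {src: {"irc_c2": bool, "smb_targets": int}} per source host."""
    irc = set()
    smb = defaultdict(set)          # src -> distinct hosts contacted on 445
    for src, dst, port, proto in flows:
        if proto != "tcp":
            continue
        if port == IRC_C2_PORT:
            irc.add(src)
        elif port == SMB_PORT:
            smb[src].add(dst)
    hosts = irc | set(smb)
    return {h: {"irc_c2": h in irc, "smb_targets": len(smb[h])} for h in hosts}

def suspected_infections(flows):
    """Hosts showing both indicators: IRC/18067 beaconing and 445 fan-out."""
    return sorted(h for h, s in score_hosts(flows).items()
                  if s["irc_c2"] and s["smb_targets"] >= SCAN_FANOUT)

if __name__ == "__main__":
    print(suspected_infections(parse_flows(SAMPLE_FLOWS)))
```

A host that hits only one of the two indicators (like 10.0.0.7, which talks to a single file server on 445) is scored but not flagged, which keeps normal SMB traffic out of the alert list.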
A couple of stats to ponder:
- Time from patch release to public POC code: ~40 hours
- Time from patch release to self propagating worm: ~96 hours
- Average time it takes an enterprise to patch a critical vulnerability: A lot more than 96 hours.
References:
Read More: Threats
August 10, 2006
POC Code for MS06-040
Metasploit has proof of concept code for exploiting MS06-040. The countdown to the worm begins.
Read More: Threats, Patching, Vulnerabilities
August 9, 2006
Hacktivism at Work, Joe Lieberman’s Site Attacked
The day of the primary is a bad day to have your website attacked. It had happened before, but this time it looks like a DDoS attack:
But the earlier two attacks involved defacements — the hacker altered content on Lieberman’s home page. This time, attackers toppled the Lieberman site with requests, probably by directing an army of hacked computers at the site.
Lieberman lost the primary and now goes on to run as an independent. Might it be time to find a new host?
Read More: Threats, Web, Bots, Government
August 7, 2006
Blackberry Backchannel Blindsides Businesses
Wired has a story out of DefCon picturing Blackberries as the perfect backdoor into your corporate network. Since many corporations inherently trust the Blackberry straight in through their firewalls, it might be worth a read.
The program, called proxy, has to be placed on a Blackberry either physically or as a Trojan horse delivered by e-mail. Once installed, it causes the Blackberry to call back to the attacker’s system in the background, opening a communications channel between the attacker and the company’s internal network.
Details are sketchy, and I can’t find the mentioned “documents on its website” or get to their website at all, but the fact that he says he’ll release the app in the next week or so doesn’t make me feel all warm and fuzzy.
Blackberry a Juicy Hacker Target [Wired]
Read More: Threats, Vulnerabilities, Firewall, Wireless
Physical Security Threat: Bump Keys

Our normal scope here is information-based security, but this you gotta see. A new lock-picking technique called “bumping” renders almost all traditional tumbler locks useless with very little skill or tools.
A bump key is a key in which all the cuts are at maximum depth. The picture below shows bump keys for various locks. Bump keys are sometimes called ‘999’ keys because all cuts are at maximum (9) depth.
Once you get a properly cut key ($10 on eBay) they are easy to copy, and it takes about 1 minute to train someone how to do it. Most importantly, this technique works on most very expensive locks as well. Also, it seems to be virtually undetectable:
Given that the insertion of a bump key isn’t much different from inserting a regular key, we’d suspect no special scratch marks would be found other than maybe some miniature dents and deformations caused by the impacts. Until more is known, we think it is diligent to assume that any lock that can be bumped can also, with some care, be bumped without leaving any telltale traces.
This YouTube Video shows bumping in action because we had to see it to believe it:
Bumping locks (pdf) [Netherlands Open Organization of Lockpickers]
Read More: Threats, Theft
August 2, 2006
New Trend: Attacks Against Device Drivers
The guys at Black Hat are demonstrating some interesting attacks against the device drivers for the wireless card in a MacBook Pro:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This highlights an emerging trend of attacks against device drivers. Should attacks like this become a trend, I suspect we’ll see the following:
- Wireless Cards Hit First: Many attacks will focus on wireless cards, and not just because they are remotely accessible. The fact that there are only a couple of chipset manufacturers will make attacks easier. Especially considering this:
After the demo, Ellch … will talk about a new tool he’s developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.
“I’m getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that ‘x’ number are running them on a Windows box with a specific version of the driver,” Ellch said. “The useful thing for that information is that if you have a device driver exploit and it’s version-specific, you could tweak [the exploit] before you launch it.”
- Homogeneous Environments Hit Hardest: As demonstrated, Macs will be easier targets, but think about other homogeneous environments: corporate networks that use all the same PCs (or maybe just all the same NICs), ISPs that use all the same kind of DSL/cable modems, etc…
- Mitigations Slow to Come: There won’t be patches coming out of Windows Update for many of these. Expect longer windows of vulnerability, and expect traditional mitigations like firewalls to prove ineffective.
So what do we do? Assuming the attack involves overrunning a buffer, some sort of kernel-level buffer overflow protection in a Host Intrusion Prevention-type product seems to be in order. The whole article is worth a read. Share your thoughts by leaving a comment below.
Hijacking a Macbook in 60 Seconds or Less [Security Fix]
Read More: Threats, Patching, Vulnerabilities, Firewall, Wireless, Macs
July 28, 2006
Why Study When You Can Hack?
Counter to what the movies might say, hacking grades is not just cheating, it’s a crime:
An investigation showed the professor’s network account had been accessed without her permission and grades were assigned to nearly 300 students, prosecutor Robert Fratianne said.
I bet they just guessed her password, but still, there are more legal ways to cheat.
Students face 1 year in jail for hacking [Yahoo News / AP]
Read More: Threats, Passwords, Authentication, Identity Theft, Government
July 13, 2006
Eavesdropping on VoIP Demo
There’s a nice little demo over at Gadget Trail on how to eavesdrop on a VoIP session. They use a Voyage account as an example. The basics:
- Get on the same subnet as the victim.
- Fire up CAIN, and poison the ARP cache.
- Use CAIN to record the call.
Nothing earth-shattering, but it helps demonstrate how easy it is using free Windows tools.
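The ARP cache poisoning step above is also the step a defender can see on the wire: the gateway’s IP suddenly answers from a different MAC, and one MAC starts answering for several IPs. The detector below is an added example, not code from the Gadget Trail post or from CAIN; the ARP reply log it replays is constructed.

```python
"""ARP-cache-poisoning detector for the eavesdropping scenario above.
Replays constructed ARP replies and flags an IP whose claimed MAC changes,
which is what CAIN-style poisoning of the gateway looks like on the wire."""

# Constructed ARP reply log: (timestamp, sender_ip, sender_mac). Not real traffic.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    (2.0, "192.168.1.20", "aa:bb:cc:dd:ee:01"),  # VoIP phone (the victim)
    (5.0, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by another MAC
    (5.5, "192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC also claims the phone
    (6.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # repeat of the spoofed binding, no new alert
]

def detect_arp_poisoning(replies):
    """Return alerts (ts, ip, old_mac, new_mac) whenever an IP's MAC changes.

    A legitimate change (DHCP reassignment, NIC swap) trips this too, so the
    alert is a prompt to verify against the switch's port/MAC table, not proof."""
    table = {}      # ip -> last MAC seen claiming it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        table[ip] = mac
    return alerts

def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs (gateway and victim) is the
    classic man-in-the-middle signature; return {mac: sorted ips}."""
    ips = {}
    for _, ip, mac in replies:
        ips.setdefault(mac.lower(), set()).add(ip)
    return {m: sorted(i) for m, i in ips.items() if len(i) > 1}

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print("MAC change:", alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

In a live deployment the replies would come from a sniffer on the same segment; static ARP entries for the gateway on the phones, or dynamic ARP inspection on the switch, are the mitigations that make the poisoning step fail outright.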
Hacking Voyage: How To Eavesdrop On Calls [Gadget Trail]
Read More: Threats, VoIP, Privacy
July 12, 2006
State Department Hacked, Turns off SSL in Response
Interesting:
The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned. Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking.
Their response is even more interesting:
State Department’s emergency response severely limited Internet access at many locations… The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim’s network.
Yet again this demonstrates that crypto can be used for you or against you.
Agency recovers from computer break-ins [Yahoo/AP]
Read More: Threats, Crypto, Investigations, Government
18 Vulnerabilities, 7 Patches, 1 Barrel of Monkeys
July brings fixes for 18 vulnerabilities bundled in 7 patches. July also marks the official end of security support for all Windows 9x products. Let us pause and take a moment of silence for our fallen friends of old…
Now back to our regularly scheduled patch announcement:
- MS06-033 .NET 2.0 Application Folder Information Disclosure Vulnerability - “could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders explicitly by name.” Yawn.
- MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Lead To Remote Code Execution - The only people who can exploit this are ones that can already upload ASP files to an IIS server. This basically makes it a privilege escalation attack, even though it uses a buffer overflow to accomplish it. Not too serious, and if you have untrusted people uploading ASP files to your web server, you have bigger problems.
- MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution - This is the granddaddy of the patches, and Microsoft should create an uber-critical category for patches like this. It’s wormable, and makes a good case for personal firewalls. Get this one out fast.
- MS06-036 Vulnerability in DHCP Client Service Could Allow Remote Code Execution - This one’s pretty critical, too. But the attacker has to be on the same subnet as the victim (same switch?).
- MS06-037 Vulnerability in Microsoft Excel Could Allow Remote Code Execution - Open a malicious Excel doc and you are owned. In Office 2000, just visiting a website could do it. Already exploits in the wild.
- MS06-038 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-037, except it applies to any office doc and there’s no known exploits yet.
- MS06-039 Vulnerability in Microsoft Office Could Allow Remote Code Execution - Same as 06-038.
Get ’em done.
Security Bulletin Summary [Microsoft]
Microsoft Patches 18 Security Flaws in Windows, Office [Security Fix]
Read More: Threats, Patching, Bots, Vulnerabilities, Windows
July 7, 2006
Less than 1% of Data Records Breached Result in Identity Theft
The non-profit Privacy Rights Clearinghouse has compiled a summary of all the published data breaches since the ChoicePoint breach in Feb 2005:
TOTAL number of records containing sensitive personal information involved in security breaches: 88,795,619
When will the madness stop? The real challenge is knowing which of these breaches is meaningful. The best data (pdf) I’ve seen says that only 8.9 million people actually reported having their identities stolen, and that number is actually decreasing:
In the last twelve months, 8.9 million American adults (4.0% of US adult population) became victims of identity fraud, an 11.9% decrease from 2003.
Also, if this data is right, 90% of those breaches were by non-electronic means. By my count, that means that less than 1% (~890,000 people) were actually affected by a data breach. While this is a significant number, it’s not the crisis the news makes it out to be.
What’s happening with the other 99% of these records? They are lost. People lose things.
We need something other than data breach reporting. They are becoming so common, and actually affecting so few people, that the noise is drowning out the true signal of what people should be worried about.
Until we get sensible regulations about these things there are a few things that security professionals can be doing to make sure their company doesn’t add to the statistics:
- Encrypt portable devices - laptops, thumb drives, etc.
- Encrypt backup tapes
- Implement good access controls on the databases where sensitive data is held.
- Educate users about the risks. Use all the examples in the PRC’s report to make your point.
- Pray.
A Chronology of Data Breaches Reported Since the ChoicePoint Incident [privacyrights.org]
2006 Identity Fraud Survey Report (PDF) [Javelin Strategy and Research]
Also useful is the PRC’s link to the Consumer’s Union compilation of all the relevant state laws. When can we get one national standard?
Notice of Security Breach State Laws (PDF) [Consumers Union]
Read More: Threats, Crypto, Investigations
Laptop with 26M VA Records Sold from Back of Truck
An update on the largest loss of personal information ever, the stolen laptop with 26 million VA records on it. They found it! Never underestimate the power of a $50,000 reward:
Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We’re talking about the kind of market that is literally run out of the back of a truck, one official said.
Compared to the estimated $500 million it was going to cost to clean it up, $50,000 is a steal. (Pun intended). The “experts” think the data wasn’t accessed.
… the FBI ran forensics tests on the equipment and concluded the sensitive data – such as veterans’ Social Security numbers — had not been accessed.
Of course there’s no way to guarantee the data wasn’t lifted, but it seems like a pretty fair bet that anyone dumb enough to sell it out of the back of a van wouldn’t have known how to retrieve the data without being traced.
Read More: Threats, Investigations
July 6, 2006
Patch Tuesday Preview
Seven patches next week:
Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical… Some of these updates will require a restart.
Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical… These updates may require a restart.
Have Fun.
Microsoft Security Bulletin Advance Notification [Microsoft.com]