So, there's really no news article to this. I'm sort of thinking out loud because someone I know recently sent me a PowerShell script to get them back auto-run functionality for thumb drives.
Now, while the autorun functionality that removable media brings to the table is useful, it's problematic in that it is too trusting. Honestly, without some kind of verifiable trust relationship, pretty much anything can/will get launched from those things, and it's not like thumbdrives aren't a common vector for infection or anything. Actually, now that I think of it... *adds a vaguely-related URL*.
Let me say right now that I would consider this post to be prior art. I am not rushing out to try and scribble up a patent because I believe strongly that restrictive patent controls should never be applied to something like this. If someone reads this, goes and writes something up and sells it, you owe me a soda or a strippergram or something. Subsequently suing other people writing their own code to do the same thing makes you a craven bastard who murders defenseless kittens and orphans.
In short, there probably should be an autorun facility for removable media, just because of its utility. In practice, this is dodgy as hell because media get tampered with. The proper solution, IMHO, is as follows:
1. Detect insertion of removable media.
2. Upon insertion, the OS should examine the filesystem looking for instructions as to what should be executed or read (in the case of HTML files or Flash media, which cannot be said to be "executed") from the drive.
3. Optionally generate some sort of unique identifier based on various parts of the filesystem when the type of filesystem is not strictly data, as with CDs and DVDs.
4. The OS should then generate cryptographic data based on the contents of the files referenced in #2. This may include, but should not be limited to:
   a. Multiple, disparate checksums
   b. Fully-fledged cryptographic signatures based on public/private keys
5. Using either the identifier from #3 or the results from #4, the machine should then consult a local trust database (on the machine itself, a network share, or even a freaking LDAP directory if you like) and look for a record of a pre-existing trust relationship indicated by the actual user.
6. The data should then be executed/displayed/played if and only if a pre-established trust relationship has been recorded. If no such relationship has been recorded, you've basically got a few options depending on your relative level of caution:
   I. Do nothing.
   II. Warn the user of the possible execution (probably ideal), and require that a trust relationship (either temporary or permanent) be recorded before going further.
   III. Disallow further interaction with the media.
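One way to implement steps 2 through 6 of the scheme above, as an added example that is not part of the original post: the manifest file name launch.json and its JSON layout, the volume identifier strings and the shape of the trust_db dictionary are assumptions of this example, and only the two-checksum option (4a) is implemented, not the signature option (4b).

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed manifest name and layout; an assumption of this example, not a real autorun format.
MANIFEST = "launch.json"

def fingerprint(data: bytes) -> dict:
    """Step 4a: two disparate digests over the same bytes."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "blake2b": hashlib.blake2b(data).hexdigest()}

def media_fingerprint(root: Path) -> dict:
    """Steps 2 and 4: read the manifest, then fingerprint the manifest itself and
    every file it names, so a rewritten manifest is caught as well."""
    names = [MANIFEST] + json.loads((root / MANIFEST).read_text())["open"]
    return {name: fingerprint((root / name).read_bytes()) for name in names}

def decide(volume_id: str, observed: dict, trust_db: dict) -> str:
    """Steps 5 and 6. A volume with no record gives WARN (the post's option II);
    a recorded volume whose referenced content differs in any digest gives DENY;
    only a full match of every file against the record gives ALLOW."""
    recorded = trust_db.get(volume_id)
    if recorded is None:
        return "WARN"
    for name, sums in observed.items():
        if recorded.get(name) != sums:
            return "DENY"
    return "ALLOW"

def build_media(root: Path, files: dict) -> None:
    """Write constructed sample media: the files plus a manifest naming them."""
    for name, data in files.items():
        (root / name).write_bytes(data)
    (root / MANIFEST).write_text(json.dumps({"open": list(files)}))

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    build_media(root, {"index.html": b"<h1>holiday photos</h1>"})
    trust_db = {}  # the local trust database: nothing recorded yet
    print(decide("USB-0001", media_fingerprint(root), trust_db))  # WARN
    trust_db["USB-0001"] = media_fingerprint(root)  # user accepted: record the relationship
    print(decide("USB-0001", media_fingerprint(root), trust_db))  # ALLOW
    (root / "index.html").write_bytes(b"<h1>not the same file</h1>")  # media tampered with
    print(decide("USB-0001", media_fingerprint(root), trust_db))  # DENY
```

A trust record is keyed by the volume identifier from step 3, so the same files on a different volume still trigger the warning path.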
Post Scriptum: There's a reason for both A and B above, and an appropriate time/mode for using each. Post Post Scriptum: No I don't care that this is relatively "obvious". There are plenty of people craven enough to file for a patent on such things anyway. If they didn't already do it, too f'ing bad.
AllClear ID powered by Debix Identity Theft Protection Offer for PlayStation®Network and Qriocity™ Customers
Topic: Computer Security
4:49 pm EDT, May 25, 2011
This from my inbox:
AllClear ID powered by Debix
Identity Theft Protection Offer for PlayStation®Network and Qriocity™ Customers
Sony Computer Entertainment and Sony Network Entertainment have made arrangements with Debix to offer AllClear ID PLUS to eligible PlayStation®Network and Qriocity account holders in the United States who are concerned about identity theft.
AllClear ID PLUS is a premium identity protection service that uses advanced technology to deliver alerts to help protect you from identity theft. The service also provides identity theft insurance coverage and hands-on help from expert fraud investigators.
Sony has arranged, at no charge to eligible PlayStation®Network and Qriocity account holders, for twelve months of this service to be provided by Debix to those who choose to enroll. In order to be eligible, account holders must be residents of the United States with active accounts as of April 20, 2011.
If interested, please submit your email address by June 28, 2011, at 11:59:59 PM CST at: us.playstation.com/news/consumeralerts/identity-theft-protection.
Please note, you must enter the same email address used to register your PlayStation®Network or Qriocity account. Once your email address is validated, you will be sent your AllClear ID PLUS activation code.
Sincerely,
Sony Computer Entertainment & Sony Network Entertainment
Somehow, I'm not really encouraged by the fact that the people who've been getting hit on an almost daily basis for the last two weeks are expecting me to put an email address into a server they're running.
CCISDA means "California County Information Services Directors Association".
Basically, this is the policy document that states explicitly that Terry Childs shouldn't have given any passwords to his bosses just because they're his bosses.
Lots of juicy, juicy in this one, but there's something about it that smells funny.
A server compromise trend has been recently reported targeting multiple hosting platforms. RedHat Enterprise Linux & Centos 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software. This issue has been seen on systems running a variety of control panels. There are still many unknown details regarding this exploit. It has been established that this compromise requires super user privileges. It is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs. The initial entry point is not confirmed at this time.
So basically, the people too stupid to pick a decent root password are getting exploited... nothing much new here... kind of hard to take over the Internet with unimportant machines no one puts much importance into and don't attract many pageviews.
This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
...alternatively, you could simply find an exploitable bug in tcpdump or grep and encourage many thousands of people around the world to run those binaries for several minutes on their really important, high page-view sites while you madly scan thousands of prospective target webhosts with your other botnet of more easily exploited machines.
Exploitable bugs in tcpdump you say? No... that's never happened before.
In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers.
I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now.
* * *
This fscker will get you through Firefox if you're not careful.
* * *
It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason.
Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. ...so if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised.
The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs.
This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, and riddled the registry with itself, and installed "partner" software as the usual.)
Why this is not specific to MySpace
The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document that invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out they wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe".
Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools.
I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.
Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?
Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed.
Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution.
I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.
Microsoft Forges 'Pact' With Cyberwarriors Worldwide
Topic: Computer Security
7:23 pm EDT, Aug 8, 2007
Multinational corporations have foreign policies, and the "home" country doesn't necessarily get special treatment:
In an effort to curb distrust, in 2003 Microsoft signed a pact with China, Russia, the United Kingdom, NATO and other nations to let them see the Windows source code.
A few thoughts:
1) Possession of source code has limited defensive value unless you actually build your software from that source. Based on press reports the agreement does not facilitate local compilation.
2) Is it really feasible for a third party to audit the Vista source? The people involved seem to think so, or are at least making a show of it. I am dubious.
3) The utility of this 'pact' would seem to be substantially offensive.
Consider:
Microsoft has reportedly signed a new government security program source code agreement with China Information Technology Security Certification Center, allowing CNITSEC and other approved institutions to look over the source code and relevant technical data of Microsoft's products, including Windows Vista, so as to improve their evaluation on the security of Microsoft products. The agreement is an important part of the MOU signed between National Development and Reform Commission and Microsoft in April 2006.
Microsoft's Government Security Program helps government departments and international organizations evaluate the security of Microsoft products. CNITSEC previously signed an agreement with Microsoft on security source code in February 2003 and was authorized to check over the company's major source code and technical data.
From 2003:
According to sources at the software company, China is the eighteenth nation to sign such an agreement to view Microsoft's proprietary source code.
NBC Reporter with hidden camera in purse hoping to catch conference attendees committing to crimes (according to Defcon staff) flees Defcon 15 after being outed.
OMG FUCKING LOOOOOOLLLLL!!!!
For more information on this awesome totally ethical NBC program, see this.