Kelihos botnet takedown

September 28th, 2011

It has been announced this week that Microsoft have taken action against the Kelihos botnet, removing the command and control structure and filing a lawsuit against the suspected owner. Details of this can be found on the official Microsoft blog located here.

Interestingly, it seems that the reason they have eventually been able to do this comes down to the fact that the .com and .cc top level domains are maintained in Virginia, so they were able to gain the support of the US courts in authorising a takedown due to the negative effect on Microsoft and their customers. This raises the question of whether, if there were no link to the USA, for example if the TLD were maintained in another country, Microsoft could make the same claims and be as successful in shutting down these botnets.

Whilst I support the efforts of Microsoft and think they do a fantastic job in taking down these botnets, I don’t believe that the methods in use today are sufficient to stop it. As long as botnets remain a profitable (albeit criminal) business I believe they will find another way to operate: perhaps they will start using non-US domains, ensuring that they operate in countries where the laws are insufficient to deal with this type of crime, or maybe they will move away from domains altogether and communication using peer-to-peer technology will become more prevalent.

Greater worldwide collaboration is needed, or these criminals will simply move out of the reach of those opposing them and find new methods of evading detection. Although in this case Microsoft have been able to raise a civil case against the botnet owners, they have thus far been unable to name others who were involved, and even if they do, these people may be beyond the reach of the US legal system. The problems of legislating the internet are not going anywhere, and they are only going to grow as more and more criminals see cyber crime as a safer way to make a living.

OWASP Manchester

August 26th, 2011

On Wednesday evening I attended the first meeting of the OWASP Manchester chapter. This was kindly hosted again at the (very nice) KPMG offices, with much appreciated refreshments provided!

There were two excellent talks presented. The first, by Richard Moore, the CTO of Westpoint, was a very interesting talk about the security flaws of historic and current SSL and TLS versions. I was very surprised to discover just how many certificate authorities there are, and it has certainly dented my confidence in https! That being said, common sense does as always play a part in deciding who you want to give your details to and over what connection, so I’m not completely put off online shopping just yet.

The second talk of the evening was by Ryan Jones of Trustwave SpiderLabs, regarding how much difference is made by proper incident readiness and logging. The concept of the talk was a very simple one, turn on your logging, but the way it was presented argued the case for doing so very effectively, comparing the incident response with and without sufficient logging enabled and demonstrating how this small change could make a big difference.

As always the talks were interesting and I met a lot of new people. I am now looking into organising a Newcastle meeting so I don’t have to travel to Manchester and Leeds every time!

Dear Hacker

August 18th, 2011

Would the user of IP addresses 83.103.119.239 and 80.83.210.250 please stop attempting directory traversal attacks on my blog? There’s really nothing on it, so it’s a little pointless and just generates emails from my IDS which waste my time!

Oh, and I’m not running TimThumb ;)

I really should update this more…

July 28th, 2011

Well yeah, I should really update this more. I’ve actually now finished my first year of university, enjoyed myself very much and made lots of fantastic friends, got stuck in a lift, taught most of the class one of our modules (due to the poor teaching), helped the homeless, got a good student job, played some Minecraft, went to Download festival (which was epic in its awesomeness), and finished top of my class (I think)! All in all a good year, and looking forward to another one.

I will try and update this more often as we get into more security related topics. Currently we have had a lot of technical background and ethics but without a real security slant; looking towards next year that is hopefully going to change and I will hopefully have something interesting to tell you! For now though, back to the joys of cleaning my room :/ I really should have asked people to become my personal slaves as payment for helping them with Unix…

At uni!

September 23rd, 2010

Well, I’m at uni now. All good so far, but I don’t really have any updates yet as I haven’t started. I met up with some people I’ve been speaking to online, which was good, and met some locals at the alternative night at the uni, which is good :)

Gumblar Virus

March 24th, 2010

Not had a lot to post here recently, so I thought I would post about Gumblar!

Earlier this week a friend of mine who operates a gaming website with me was infected with a variant of the Gumblar virus.

Basically this virus stole FTP details from his computer, then used these to log in to our FTP and add a small piece of code to the end of all pages whose names started with the word index or ended with .js, and additionally to selected WordPress and phpBB files. This code then advised some users visiting the website that they had a virus and needed to purchase the antivirus solution offered; other users’ antivirus caught the site trying to download trojans.
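The infection described above has a useful property for the defender: the attacker only appended to existing files, so a baseline of known-good hashes lets you tell an "appended" file (original bytes intact, extra bytes after them) from a wholly rewritten one, and lets you slice the injected tail off rather than restoring everything by hand. The script below is an added example, not the blog author's code or the actual Gumblar payload; the site files, the `<script>` placeholder tail and the WordPress/phpBB file-name patterns (`wp-`, `viewtopic`, `viewforum`) are constructed assumptions, since the post names the projects but not the specific files.

```python
"""Baseline-and-compare integrity check for an FTP-served web root.

Added example (not the original post's code). Models the pattern the post
describes: files starting with "index" or ending in ".js", plus some
WordPress/phpBB files, get a block of code appended to their end.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File-name patterns the post describes as targets. The WordPress/phpBB
# names are an assumption; the post does not list the specific files.
TARGET_PATTERNS = [
    re.compile(r"^index", re.IGNORECASE),
    re.compile(r"\.js$", re.IGNORECASE),
    re.compile(r"^(wp-|viewtopic|viewforum)", re.IGNORECASE),  # assumed
]


def is_target(name):
    """True if the file name matches one of the patterns the post describes."""
    return any(p.search(name) for p in TARGET_PATTERNS)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(root):
    """Return {relative path: (sha256, size)} for every target file under root.

    Take this from a known-clean copy (or right after a deploy) and store it
    somewhere the FTP account cannot write to.
    """
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and is_target(path.name):
            data = path.read_bytes()
            baseline[str(path.relative_to(root))] = (sha256(data), len(data))
    return baseline


def check_against_baseline(root, baseline):
    """Compare the live tree to the baseline.

    Returns {relative path: status} for anything that differs, where status is
    'appended'  - original bytes intact, extra bytes follow (the Gumblar pattern)
    'modified'  - content changed in some other way
    'missing'   - file in the baseline no longer exists
    'new'       - a target-pattern file that was not in the baseline
    """
    root = Path(root)
    findings = {}
    for rel, (digest, size) in baseline.items():
        path = root / rel
        if not path.exists():
            findings[rel] = "missing"
            continue
        data = path.read_bytes()
        if sha256(data) == digest:
            continue
        if len(data) > size and sha256(data[:size]) == digest:
            findings[rel] = "appended"
        else:
            findings[rel] = "modified"
    for path in root.rglob("*"):
        if path.is_file() and is_target(path.name):
            rel = str(path.relative_to(root))
            if rel not in baseline:
                findings[rel] = "new"
    return findings


def injected_tail(root, rel, baseline):
    """Return the bytes that follow the known-good content (empty if none)."""
    size = baseline[rel][1]
    return (Path(root) / rel).read_bytes()[size:]


def strip_appended(root, rel, baseline):
    """Truncate an 'appended' file back to its baseline length, verifying the hash
    first so a rewritten file is never silently truncated."""
    digest, size = baseline[rel]
    path = Path(root) / rel
    data = path.read_bytes()[:size]
    if sha256(data) != digest:
        raise ValueError(f"{rel}: prefix does not match baseline, not a pure append")
    path.write_bytes(data)


def demo():
    """Build a constructed toy site, baseline it, simulate the append, detect, clean up."""
    root = Path(tempfile.mkdtemp()) / "site"
    root.mkdir()
    files = {  # constructed sample content
        "index.html": b"<html><body>Hello</body></html>\n",
        "index.php": b"<?php echo 'hi'; ?>\n",
        "menu.js": b"function menu(){}\n",
        "about.html": b"<html><body>About</body></html>\n",  # not a target pattern
    }
    for name, content in files.items():
        (root / name).write_bytes(content)
    baseline = build_baseline(root)
    # Constructed stand-in for the injected block; the real payload is not reproduced.
    tail = b"<script>/* constructed placeholder for injected code */</script>\n"
    for name in ("index.html", "menu.js"):
        with open(root / name, "ab") as fh:
            fh.write(tail)
    (root / "index.php").write_bytes(b"<?php /* rewritten, not appended */ ?>\n")
    (root / "index_new.php").write_bytes(b"<?php /* dropped after baseline */ ?>\n")
    findings = check_against_baseline(root, baseline)
    for rel, status in findings.items():
        if status == "appended":
            strip_appended(root, rel, baseline)
    return {
        "findings": findings,
        "tail": injected_tail(root, "index.html", baseline) if False else tail,
        "after_cleanup": check_against_baseline(root, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The baseline must live outside the FTP account's reach (the attacker had the FTP credentials, so anything writable over FTP could be tampered with alongside the pages); a hash list kept on a separate machine or in version control is enough. Running the comparison on a schedule would have flagged the two appended files and the rewritten one within minutes rather than after a six-hour manual cleanup.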

Whilst fortunately this particular site is on a different web server and account from the site in question, it did mean a sizeable cleanup operation which disrupted our website significantly and wasted about 6 hours of my life!

I figured I would post up the offending code in case anyone did want to have a look through it.

Code Samples are in .txt documents contained within this .rar file:
Right click and save file, do not open in browser

So there we have it! It pays to have a good antivirus, and if you don’t need to store your FTP password, don’t! For me it was a lot of work sorting out my site; for my friend it was twice as much, as all his other sites have been edited too!

More on IP Traceability

January 14th, 2010

More from Light Blue Touchpaper: a continuation of my last post about IP traceability on mobile networks has now been released, and parts 2 and 3 are available at the links below:

http://www.lightbluetouchpaper.org/2010/01/13/practical-mobile-internet-access-traceability/

http://www.lightbluetouchpaper.org/2010/01/14/mobile-internet-access-data-retention-not/

What is pentesting?

January 14th, 2010

I saw this question asked on the maemo forums while looking into pentesting apps for the Nokia n900.

I thought this answer by a user called brendan was brilliant:

“pentesting is a term for the QA team under the employ of companies like Bic and PaperMate, that scribble with the pens coming off the production line, to ensure that each one works before it is packaged and shipped to retail stores.

a mundane and monotonous job, but someone has to do it.”

Now in the future I know what to answer when someone asks me!

If anyone does want a real definition please see http://en.wikipedia.org/wiki/Penetration_test.

IP Tracing

January 12th, 2010

Read another interesting article today from Light Blue Touchpaper about the traceability of people based on IP addresses. I learnt some things I wasn’t aware of and am looking forward to the next article; read it at http://www.lightbluetouchpaper.org/2010/01/12/extending-the-requirements-for-traceability/

Interview with a Blackhat

January 12th, 2010

Just finished listening to the first of tmacuk’s Interview with a Blackhat series. It is very interesting to see how the other side thinks; I was particularly surprised when he said he would like to go whitehat if he had the chance, perhaps there is hope yet if they all feel that way! Check it out at http://tmacuk.co.uk/?p=109