SQL Injection Attack Warning

December 2nd, 2011

Well, that’s not particularly unusual in itself, except that it’s been flagged by the Internet Storm Center as (a) happening right now and (b) escalating somewhat dramatically: in fact, it appears to resemble the lizamoon attack which was reported as affecting around a million sites earlier in the year.

According to Mark Hofman, if you’re in a position to block the lilupophilupop.com site referenced in the injection string for your client machines, that should prevent them from being infected for the present. But if you are responsible for protecting your site against stuff like this, I’d strongly recommend that you read the whole diary entry, including the comments.

Hat tip to Conny Javerdal for bringing this to our attention on the AVIEN list.

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow

Support desk scams – some updates

November 30th, 2011

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs: as the comments I quoted were all to ESET articles, I’ve posted that information on the ESET blog too, in Support-Scammer Tricks, but I’ve also linked to it from the AVIEN PC Support Scam Resources page.

David Harley CITP FBCS CISSP
AVIEN Scapegoat
ESET Senior Research Fellow

Support scams: what can AVIEN do about it?

November 9th, 2011

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, but that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming cooperation between the countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all of these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

The perils of Internet vigilantism

September 22nd, 2011

An interesting and instructive story flagged by Softpedia: Turkish Hackers Confuse Israel with Palestine.

A report by Ilil Ben Zur-Laron for ynetnews, the English language version of a major Israeli news site, quotes Shai Blitzblau, the head of Maglan-Computer Warfare and Network Intelligence Labs, as claiming that Turkish hackers left anti-Israel messages on 70 websites hosted on Israeli servers. Apparently, however, they failed to realize that the sites were actually Palestinian, even though the domains in question had .ps suffixes rather than .il.

While there’s a certain grim humour in this instance of defacement by friendly fire, there’s also a message. As “cyberwar” (sigh) becomes a more regular feature of our online society, I guarantee that SNAFUs (and black ops masquerading as SNAFUs for purposes of misdirection) will also be seen more and more often. So this is what it’s like to live in the pages of a Netforce novel… Hat tip to Ian Cook for bringing this story to my attention.

On a not altogether disconnected note, a very nice article on The Rise of Techno-Vigilantism | LulzSec and Public Opinion crossed my path today. Briefly, Tim Libert used comments he found posted to articles on LulzSec as a way of assessing public attitudes to high-profile, hi-tec vigilantism. He doesn’t claim that it represents the views of society as a whole, but it is a fascinating piece of research nonetheless, and reflects my own conviction that the comments to an article often tell us as much about the world as the article itself does. What it tells us is not always comfortable, but that’s (virtual) life… I suspect I’ll be visiting Tim’s site again.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

And I thought I was quite softly spoken…

September 9th, 2011

I was more than a little flattered to find myself included in Sys-Con Media’s Top 25 “Most Powerful Voices in Security” (article by Jim Kaskade). (Let’s not get too excited: I just scraped in at number 22.) But when I checked through the whole top 100 and saw some very familiar names there, I’d have been grateful to scrape in at #100, let alone in the top quarter.

Actually, it’s a little scary too, to get some idea of how many people might notice when I get something wrong. Oh yes, it does happen…

The study apparently researched over 800 people, including security company executives, bloggers and media people, top names in cloud computing, government officials, CISOs, and industry analysts. So it’s not surprising to see big hitters like Eugene Kaspersky, Rich Mogull, Brian Krebs and Bruce Schneier in there.

On a more personal level, congratulations to Graham Cluley and Richi Jennings, both of whom were, inevitably, much higher placed than I was. :) (Hat tip, too, to Dan Raywood for drawing my attention to it.)

Enough self-congratulation: back to the grindstone…

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN Dogsbody-in-Chief
ESET Senior Research Fellow

Geeks & Trojans

August 15th, 2011

Actually, this has very little to do with Trojans, directly at any rate. My face is unlikely to launch a thousand ships (though it might sink a few), but my fingers have just launched a new blog at The Geek Peninsula which is intended (among other things) to address the frustrating fragmentation of outlets for my blogs and articles. Look upon it as the equivalent of the @DavidHarleyBlog Twitter account which flags pretty much everything I write, irrespective of who runs the platform, and in (approximately) real time.

What it won’t flag (at the moment, at any rate) is other people’s output. And stuff like the Japan tsunami resources blogs, which link to all sorts of relevant sources and resources, will continue to be flagged here.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Be Prepared

August 7th, 2011

…and ordinarily, there’d be a witty allusion here to Tom Lehrer, who used the same title for one of his songs, but there’s a very serious edge to this post.

The part of the world I live in is mostly spared (touch wood) the sort of dramatic, extreme disaster that I sometimes discuss here in the context of disaster-related scams, blackhat SEO and so forth. Even flooding in the often-rainsoaked UK lacks drama compared to the impact it has in other parts of the world. But it’s depressing to think how much of my security writing in recent years has related to criminal exploitation of the 2004 and other tsunami, earthquakes and so on, and at the beginning of September I’m addressing the topic again at the CFET 2011 conference in the UK.

Many of my friends, acquaintances and readers are rather more used to the risk and reality of earthquakes, tsunami, forest fire, eruptions and so on, not least those who are situated close to the Pacific “Ring of Fire”, which has 75% of the world’s active and dormant volcanoes and experiences 80% of its largest earthquakes, and includes most of the West coasts of North and South America. However, a glance at the links on the Federal Emergency Management Agency’s page at http://www.fema.gov/ demonstrates that the US population as a whole is at enough risk from natural disasters to justify the existence of the National Preparedness Month Coalition. AVIEN’s US subscribers may well want to think about supporting the initiative (it’s free, it isn’t restricted to USians, and it gives access to some resources you may find especially useful in the US).

The point I really want to get over here, though, is less this particular initiative (though AVIEN does support it as a member, so you may hear more of this from me) than the importance of training for disaster as a mindset that we can all benefit from, even if we don’t live too close for comfort to a major fault line, like my colleagues in San Diego. Disaster is a beast with many faces, and not all disasters are “natural”.

Tip of the hat to Robert Slade for turning my attention to the issue (not for the first time, of course).

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Not even the end of an era

August 5th, 2011

Well, not entirely, my last post notwithstanding.

Andrew Lee and I have been busily housekeeping and fitting various bits of ideas and web pages together over the last week or so, and have managed to keep more of the old site together than I originally anticipated. So I hope it won’t sound like I’m blowing my own trumpet if I say that my last post wasn’t quite the Last Post after all. Or, indeed, the Flowers of the Forest.

I’m a little hard-pressed right now, but I’ll get back here with some more details. That doesn’t mean I won’t be making more use of the AVIEN Portal, but that won’t be with quite the same urgency.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

The end of an era…

July 29th, 2011

…but not of AVIEN.

Since AVIEN has gently declined from being a major player on the fringes of the anti-malware industry to a few low-volume mailing lists, I’m reducing its footprint on the web and the drain on the pocketbooks of Andrew Lee and myself (subscribers haven’t been charged for some time, so there is no income with which to maintain the sites). Existing and future blog articles will be available from the AVIEN portal from next week (the first week in August, 2011). The existing AVIEN web site (including this blog page) will be taken down when the domain is transferred to Small Blue-Green World, but some of the content will also be transferred in some form.

Thanks again to Andrew Lee for maintaining the sleeping giant for so long. Unfortunately, its current sleeping quarters mean running at a significant loss, so we have to change the decor a little. However, the fact that quite a few people want to remain on the new mailing list is encouraging, and I don’t think we have to call in the undertaker just yet.

David Harley CITP FBCS CISSP
De-facto CEO, I guess….

Vanya Kaspersky home and safe

April 30th, 2011

Some people might have heard the news that the son of Eugene Kaspersky was kidnapped last week. This sort of nightmare scenario is the worst thing any parent could imagine and so it is with some relief that I can post that Vanya is home and safe, and the kidnappers are awaiting trial, having been captured.

A message from Eugene is here:

https://www.facebook.com/notes/eugene-kaspersky/vanya-is-back-home-safe-and-sound-thanks-for-your-support/10150156314765998

I am sure every member of AVIEN will join me in sending my best wishes to Eugene and family, and expressing our gladness that this awful situation turned out with the best possible result in the circumstances.

Andrew Lee