Many commercial websites may be attacked to overwrite or delete stored preferences, session identifiers, authentication data, cart contents - with results ranging from minor annoyances to a possibility of fraudulent activity, depending on site design (bugs #1 and #2).

On sites where authentication data is tied on a server to a session ID, the attacker may be able to acquire credentials by tricking the visitor to authenticate within a session initiated by the attacker (bugs #1 and #2)

There is no immediate universal threat to life as we know it, but numerous web scripts are an easy target of specific variants of the attacks described below.

From F-Secure:

The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia.

If the worm keeps this pace, Friday the 3rd of February might be nasty - that's when the destructive payload is programmed to strike for the first time.

From Kasperky:

We've just issued an alert for Nyxem.e, due to the number of reports we've been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month.

According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (eg.) Russia is becoming very small.

With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it's too late.

Sunbelt Blog does a good job of telling us why Nyxen is so bad.

James Ancheta aka "Resjames" or "Botmaster" pleaded quilty in Los Angeles yesterday for running a botnet and selling bots.

He faces up to six years in prison. He will also have to pay restitution and give back about $60,000 and his BMW, bought with botnet money.

Ancheta was active in 2004. With another bot herder known as "SoBe", they infected more than 400,000 computers.

They were making money by selling bots to spammers, and by signing up as affiliates in adware install programs run by Gammacash and Loudcash (both are owned by 180Solutions nowadays). This way they earned money every time they installed an adware program to an infected machine.

James Ancheta seems to be offline nowadays, but you can still find some of his old forum posts via Google. In this thread he has just rented a dedicated server from Sagonet, which he then used to run the irc server to control his bots.

The court papers make a fascinating read, with snippets like these:

From eWeek:

The grant, called the "Vulnerability Discovery and Remediation Open Source Hardening Project," is part of a broad federal initiative to perform daily security audits of approximately 40 open-source software packages, including Linux, Apache, MySQL and Sendmail.

I think this is a great use of public funds. One of the limitations of open-source development is that it's hard to fund tools like Coverity. And this kind of thing improves security for a lot of different organizations against a wide variety of threats. And it increases competition with Microsoft, which will force them to improve their OS as well. Everybody wins.

Secure Elements, Inc., a leader in enterprise vulnerability management and compliance risk reduction solutions, today announced it has been selected to join the Google Enterprise Professional program, further extending the power of Google search to the security risk and compliance management realm and helping customers achieve more value from their Google enterprise search deployments by leveraging next generation security solutions utilizing advanced search and indexing techniques.

“The Google Enterprise Program enables Secure Elements to provide advanced search and index capabilities with our C5 Enterprise Vulnerability Management Suite,” said Ned Miller, chief executive officer for Secure Elements.  “Much press has been given to how hackers can utilize search capabilities for nefarious purposes, so we decided to identify ways to use advanced searching to advance the state of the art for decision support processes focused on assessment, compliance and remediation actions. Google’s enterprise search products offer the same quality and search experience as people receive with Google.com.”

I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Implementing Exchange Server 2003 Security (Part 1 of 2).  BIG thank you to Harold Wong and Blain Barton for handling the Q&A on the backend, and who’s work this really represents.

We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public.  The code takes advantage of the"Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001. The exploit code will generate a .wmf that downloads and executes a specified URL. The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with. And only 10 days after a patch has been released. 

Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants coming very soon. The group responsible for this release is well-known for this.

For those of you that don’t know, Blacklisted!411 is the best hackers zine in the hacking community. Not only do they offer a handy paper version (Current Edition Volume 8 Issue 1 Winter 2005 - 2006), they also create a totally different online version to feed the need in between paper distributions.

In this issue you can find my articles entitled:
- Hacking Cryptograms 101: “Quid Pro Quo”
- Communication: “Coded Conversation”
and the two cryptogram challenges I created for this issue!

Direct Download (PDF MD5)

1. The Shmoo Group threw tons of manpower at this conference. I saw red shirts everywhere. This was welcome and unlike any other conference I've attended.


2. The quality of the talks was very good. They were not all stellar, but the value for the money is absolutely unparalleled.


3. I have not spoken with so many recognized speakers, authors, and researchers anywhere else. I personally shared at least a few words with Eric Cole, Jenifer Granick, Greg Hoglund, Brian Krebs, Dan Langille, Dru Lavigne, Ike Levy, Johnny Long, Mike Poor, Mike Rash, George Rosamond, Marcus Sachs, Ed Skoudis, and Visigoth. Several Sguil users were there, including #snort-gui regulars like Hanashi (with whom I presented), nr, snortboy, and transzorp. Many people were kind enough to say hello, and one even gave me a coin from his three letter .gov agency.


4. Many of the talks are available for sale in DVD format from Media Archives. I am sure their Web site will be updated to reflect ShmooCon soon, but I already see my talk in their catalog.

In principle there's nothing unique about affiliate marketing: As in other marketing channels, merchants pay third parties to promote their products. And as in other marketing channels, sometimes this advertising goes terribly wrong -- showing merchants' ads in ways that don't reflect well on the merchant or the ad channel, cheating merchants by claiming payments not fairly earned, and siphoning payments from other ad channels.

What's notable about affiliates is the relative prevalence of bad practices. Through affiliate networks, merchants sign up to advertise with hundreds of small companies (and individuals) they don't really know and haven't reasonably investigated. Worse, when an affiliate gets caught breaking the rules, the affiliate often just signs up under a new name: Having earned little reputation, the affiliate has little to lose, so there's little penalty for starting fresh under a new name. With such limited accountability, enforcement is tougher than in other channels. Hence my sense that there are more bad actors in affiliate marketing than in other kinds of marketing.

I show examples of these problems in my September piece on affiliates funding spyware and simultaneously defrauding merchants. See also my Affiliate Summit slides showing new examples of similar practices.

Unlike some other hacker groups, most of Shmoo's members make their names and email addresses public. Given that, do you worry about the legal implications of your work in light of the DMCA, the proposed INDUCE Act, and similar legislation?

Beetle: I'm confident that I'm one of the good guys and that my fellow Shmoo are, as well. If we face litigation in trying to inform the public with regards to how their security is at risk, that's obviously a shame, but it's a real risk these days — as was made evident at Black Hat this year. Michael Lynn is an Internet superhero for many folks, because he had the balls to face litigation for revealing serious software flaws that could potentially render the 'net infrastructure useless — ironically, the same infrastructure that those litigators depend on for a living. This summer was an eye-opener for plenty of hackers. Keep it to yourself, or post flaws anonymously. Didn't you know?

In this recent Cisco advisory, the company alerts us to a security problem with Cisco MARS (Cisco Security Monitoring Analysis and Response System).

The security issue is basically a user account on the system that will give you root when accessed.

The account is:
1. Hidden.
2. Default.
3. With a pre-set password.

In other words, this is a journey back 10 years when technicians would commonly have special keys (actual keys, electronics or passwords) to access a device if they have to troubleshoot it for anything, or say… the user lost his password.

Information security pros with bachelor's degrees don't get any more money than high school grads, but a master's or doctorate is convertible to higher salaries, according to the study. Moreover, communications skills rate more important than technical skills for career advancement.

A new study released today confirms that there is indeed a growing market for IS expertise.

Alan Paller, director of research at The SANS Institute, a respected IT research and education organization, suggests that people "are waking up to the fact that there’s a shortage of security talent."

The SANS Institute’s 2005 Information Security Salary and Career Advancement study of over 4,250 IS pros finds that compensation for IS jobs is strong and growing. For U.S. IS professionals, the median income, including bonuses, is now $81,558. In Great Britain, it’s $76,389. In Canada, it’s $67,982. In the rest of the world, it’s $51,250.