Thursday, October 28, 2010

Trojan directs users to install Fake AV

Troj/JSAgent-J

Who is at risk?: Windows users
How to get rid of it: Please follow the instructions for removing Trojans.
For more information: What is Fake Anti-Virus?   

About this threat:

Troj/JSAgent-J is a malicious script that displays fake security warnings and scan results in order to trick users into installing fake security software, also known as fake AV.

Users are directed to pages containing Troj/JSAgent-J by social engineering techniques like search engine optimization as well as redirection from other compromised web pages.

Sophos products detect the fake AV installed via Troj/JSAgent-J-infected pages as Mal/Koobface-G.
The Trojan attempts to access the following domains:

protection-foryou.com
ubershields<number>.com
ubershields<number>.net

more @ http://www.sophos.com/security/threat-spotlight/index.html#threat3

Spam targets online tax payment services

About this threat:

A new phishing target has emerged this past week: The Electronic Federal Tax Payment System (EFTPS), a free service offered by the US Department of the Treasury to help people and businesses make their tax payments online.


The spam messages claim that a recent payment has been rejected with a "return code" of R21. It then provides a link so that the recipient can look up information about this particular situation. While the label around the link suggests that it leads to an explanation of what this return code means, the actual destination is an unrelated domain that changes quite often. When clicked, these links redirect the user to a variety of Russian domains.

Here is a typical message:

Trojan hides itself like a rootkit

Mal/Bubnix-B

Also known as:
  • Avira TR/Agent.765952.26
  • AVP Rootkit.Win32.Bubnix.ft
  • Kaspersky Lab Rootkit.Win32.Bubnix.bbr
  • Microsoft Trojan:WinNT/Bubnix.gen!A 
Who is at risk?:

Windows users

How to get rid of it: 

Please follow the instructions for removing generically detected files to delete the file from your computer.

About this threat:

Mal/Bubnix-B is a Trojan with rootkit behavior. This means that it is usually dropped by other malware and then hides itself from users by modifying registry keys. This Trojan is also protected with a rogue packer to prevent it from being analyzed or detected by anti-virus software.
When executed, this Trojan creates a file:
merrrbhm.sys (or random name)
It also creates the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\<sys file name>
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip

more @ http://www.sophos.com/security/threat-spotlight/index.html#threat1
 

....................


e mail me zr01hax@yahoo.com for info on how to order this CD-R {$20.00}


Antivirus Suite Released For Mac OS

As Mac usage grows and becomes a more popular platform, the threat of viruses increases right with it. This week, Panda Security released a new version of its antivirus suite geared specifically for Mac computers. This is a complement to their line of Windows-based antivirus solutions.

The majority of Mac users are as interested in anti-virus software as they are in running Internet Explorer. This is mostly because people like to think that by not running Windows, they are impervious to viruses, malware, spyware, and those other nasty things you find while surfing the internet. This is unfortunately not the case. Various viruses and worms have been found to affect Macs as easily as any other operating system. It is for this reason that Panda Security has released its new antivirus software for Mac computers. This is by no means the first program of its type on this platform, with companies such as Symantec and Kaspersky (known for their Windows solutions) also offering Mac versions of their security software.

more @ http://www.securitypronews.com/insiderreports/insider/spn-49-20101021AntivirusSuiteReleasedforMacOS.html

Enormous Security Flaw In IOS 4.1

This is one for the record books. The password on your iPhone is not nearly as safe as you may like to think it is. A new vulnerability has been found that allows anyone to bypass that lock and get full access to your phone, contacts list, and even photos.

The way it works is like this. Let your phone lock to where you need to put in your passcode to unlock it. Swipe your finger to bring up the passcode screen. Press "Emergency Call." Now type in any numbers (stars or pound signs work too). This is the important part: press the call button and immediately press the sleep button on the top of the phone. You should be taken immediately to the Phone app, where you can access your phone numbers, voicemail, and full contact list. In order to see photos, go to your contact list and press on someone. Now press "Share Contact" followed by "MMS." You will now be taken to a text message screen, where you can press on the little image of a camera and get to the photos on your phone.

more @ http://www.securitypronews.com/insiderreports/insider/spn-49-20101028EnormousSecurityFlawiniOS41.html


Monday, October 25, 2010

.................

And Death Shall Have No Dominion

And death shall have no dominion.
Dead men naked they shall be one
With the man in the wind and the west moon;
When their bones are picked clean and the clean bones gone,
They shall have stars at elbow and foot;
Though they go mad they shall be sane,
Though they sink through the sea they shall rise again;
Though lovers be lost love shall not;
And death shall have no dominion.

And death shall have no dominion.
Under the windings of the sea
They lying long shall not die windily;
Twisting on racks when sinews give way,
Strapped to a wheel, yet they shall not break;
Faith in their hands shall snap in two,
And the unicorn evils run them through;
Split all ends up they shan't crack;
And death shall have no dominion.

And death shall have no dominion.
No more may gulls cry at their ears
Or waves break loud on the seashores;
Where blew a flower may a flower no more
Lift its head to the blows of the rain;
Though they be mad and dead as nails,
Heads of the characters hammer through daisies;
Break in the sun till the sun breaks down,
And death shall have no dominion.

found @ http://www.poemhunter.com/poem/and-death-shall-have-no-dominion/

Kanye West - Runaway

Ten minute host firewall, Part 2

Summary: Create a simple but effective host firewall for your machine in ten minutes or less.

Last week I explained how to run iptables rules to create a simplistic inbound-access-limiting firewall. Now you certainly don't want to run all these commands every time you start up your computer, so how do you have them run on reboot?
The easiest and most portable solution is to slap the iptables commands into a shell script which you place in the appropriate rc.d directory, for example

  # cd /etc/init.d
  # vi inbound_firewall           # create it: a script holding your iptables commands
  # cd /etc/rc2.d                 # assuming you boot to runlevel 2
  # ln -s ../init.d/inbound_firewall S99inbound_firewall
Alternatively you can load your rules manually and use iptables-save to save them to a file, and iptables-restore to read them back in next time.

  # iptables-save > /etc/iptables-save        # save the current rules
  # iptables-restore < /etc/iptables-save     # restore the previous rules
You'd need to put these iptables-{save,restore} commands into a suitable startup script as well. Many Linux distributions already ship startup scripts that read these files automatically if they exist, so check the scripts in /etc/init.d to see whether your distribution has something in place already.

For example Debian has an /etc/init.d/iptables script that will save and load your rules automatically. After running your iptables commands, you run /etc/init.d/iptables save active to save the current ruleset. You should check out the source of the iptables-loading scripts for your Linux distribution to see what they suggest and if there are any 'gotchas'.
 
more @ http://www.hackinglinuxexposed.com/articles/20030709.html

Ten minute host firewall, Part 1

Summary: Create a simple but effective host firewall for your machine in ten minutes or less.

One of my friends finds himself in a very annoying situation: he started a new job and now has a Windows machine on his desk. Worse yet, he's not allowed, by corporate policy, to wipe it clean and install Linux on it "for security reasons". Being that we both live up here in Seattle, close to the belly of the beast itself, it's not surprising that the Microsoft FUD machine is strong.

The IT department grudgingly agreed that he could use Linux if he had an adequate firewall installed. They intend to port scan him and, if all ports refuse inbound connections, they'll consider his machine secure.

Now this is not my definition of a very secure firewall.[1] However it is immeasurably better than no firewall rules at all, and it takes no more than a few minutes to set it up.

First, let's assume we're on a 2.4 kernel that has Netfilter (iptables) support compiled in. I'll assume you're using a 2.4 kernel for these examples, but I've restricted myself to commands that can be munged into their ipchains counterparts, meaning I've ignored Netfilter's ability to do connection tracking and the like. If you want to create a more secure firewall, then there are various pre-canned firewall scripts you can use, or you can read up on Netfilter's finer details online or in books such as Ziegler's "Linux Firewalls".

In this minimal setup, we want to allow all outbound access, and deny all inbound access that isn't in response to one of our outbound connections. This is surprisingly easy to manage.

We'll be adding rules to the INPUT chain. First, let's make the default rule (the 'policy') be to DROP packets. This throws away the packet without informing the sender.

# iptables -P INPUT DROP
You now have a very secure machine - nothing can get in. Perhaps we should open things up a bit...

There are three protocols we'll want to support, TCP, UDP, and ICMP. TCP is the IP protocol that does the majority of the work on the Internet. It's a connection-based protocol that underlies all the major services, such as web (HTTP/HTTPS), mail (SMTP, POP, IMAP), remote login (SSH), and file transfer (FTP).

Any TCP connection has the oft-mentioned "three way handshake". The machine that wants to create a connection sends a packet to the destination with the SYN (synchronise) flag set. The server responds with a packet that has both SYN and ACK (acknowledge) set, and thereafter the SYN bit is never seen again. If we configure our firewall ACLs to drop any packets which contain the SYN bit without that ACK, we can prevent the first packet of TCP connections from reaching our machine, and no TCP connections can be created at all.

Iptables[2] can selectively block packets based on the SYN flag using the --syn flag, for example:

# iptables -A INPUT -p tcp ! --syn -j ACCEPT
Voila! No machines can connect to your machine with TCP, but you can make outbound connections and the associated packets will be allowed back in. You can't be a server (no SSH to your machine, for example) but all outbound TCP stuff should work fairly well.
Well, that's true about most 'well behaved' TCP-based protocols. Some protocols like to use more than one port. FTP is the classic example of a bastardly-designed protocol. Each time you type 'get', 'put', or 'ls' a new TCP connection is initiated to snag the data.

Note also that even though outsiders can't connect to your TCP ports, scanning tools such as Nmap can still tell that a port is open when run in any mode other than a plain TCP connect scan, because the rule above accepts any TCP packet that lacks the SYN flag. Newer Nmap versions use stealth scanning by default when run as root.

If the protocol you use wants to have the client (your newly firewalled machine) make an additional connection to the server, then your --syn firewall won't be a problem. However if it wants to have the server contact the client, these connections will be denied.

Protocols that create these ephemeral side connections include many P2P protocols, and most notably FTP. Most of these offer both a 'client connects to server' and 'server connects back to client' option. In the case of FTP, the former is called "Passive", while the latter is called "Active". Active was the original (really annoying for firewalls and proxies) model, and Passive has been favoured for some time now. Most FTP clients let you choose Passive if it's not already the default. For example typing pftp instead of ftp on the command line, or including --passive-ftp as an argument to wget.[3]
 
Now, to be a bit more restrictive, let's block UDP as well. UDP is a connectionless protocol, so it's harder to proxy and firewall. However it's also less commonly used. DNS is the most important UDP protocol. Without DNS you're going to need to memorise many IP addresses, so we best open this up.

DNS servers live on UDP port 53.[4] Our machine will need to send packets to port 53 on one or more DNS servers, and receive packets that come from UDP port 53. So, restricting on the source port (the port on the DNS server) you'd have

# iptables -A INPUT -p udp --source-port 53 -j ACCEPT
This will allow any DNS server to reply to you, which may be helpful if you get your DNS servers from DHCP and want to be lazy. If you want to hard code your DNS servers' IP addresses to be most restrictive, you can use the following

# iptables -A INPUT --source DNS.SVR1.IP.ADDR -p udp --source-port 53 -j ACCEPT
  # iptables -A INPUT --source DNS.SVR2.IP.ADDR -p udp --source-port 53 -j ACCEPT
If your machine needs to get an IP address from the network using BOOTP or DHCP, then you'll need the following rule as well:

# iptables -A INPUT -p udp --destination-port 68 -j ACCEPT
more @ http://www.hackinglinuxexposed.com/articles/20030703.html
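As an added example (not code from the article or from hackinglinuxexposed.com), here are the Part 1 rules assembled into the kind of script Part 2 says to drop into /etc/init.d and symlink from rc2.d. The DNS_SERVERS, ALLOW_DHCP and IPTABLES variables, the show/start arguments, the flush of INPUT and the loopback rule are my additions, not the article's: the loopback rule matters because a bare DROP policy also discards local traffic over lo (a caching resolver or an X server talking to itself, for instance), which the article does not cover. Setting IPTABLES=echo prints the commands instead of running them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# inbound_firewall: outbound-everything, inbound-nothing host firewall (added example).
# Assumptions (not from the article): DNS_SERVERS is a space-separated list of resolver
# addresses (empty = accept UDP/53 replies from any host), ALLOW_DHCP=yes keeps UDP/68
# open for DHCP/BOOTP replies, and IPTABLES names the binary to run (use "echo" to dry-run).
DNS_SERVERS="${DNS_SERVERS:-}"
ALLOW_DHCP="${ALLOW_DHCP:-yes}"
IPTABLES="${IPTABLES:-iptables}"

# inbound_firewall_rules: print the rule arguments, one rule per line, in install order.
# Nothing is executed here, so the list can be reviewed or counted safely.
inbound_firewall_rules() {
    # Default policy: silently drop anything the rules below do not accept.
    echo "-P INPUT DROP"
    # Loopback traffic must keep working; a DROP policy would otherwise kill it (my addition).
    echo "-A INPUT -i lo -j ACCEPT"
    # TCP: accept every segment that is NOT a bare SYN, i.e. traffic belonging to
    # connections we opened ourselves. Incoming connection attempts never get through.
    echo "-A INPUT -p tcp ! --syn -j ACCEPT"
    # UDP/53 replies: from anywhere, or only from the resolvers we were given.
    if [ -z "$DNS_SERVERS" ]; then
        echo "-A INPUT -p udp --source-port 53 -j ACCEPT"
    else
        for srv in $DNS_SERVERS; do
            echo "-A INPUT --source $srv -p udp --source-port 53 -j ACCEPT"
        done
    fi
    # DHCP/BOOTP: the client receives its lease on UDP port 68.
    if [ "$ALLOW_DHCP" = "yes" ]; then
        echo "-A INPUT -p udp --destination-port 68 -j ACCEPT"
    fi
}

# rule_count: number of rules the current settings produce (a cheap sanity check).
rule_count() {
    inbound_firewall_rules | wc -l | tr -d ' '
}

# apply_inbound_firewall: flush INPUT, then install each rule through $IPTABLES.
# Returns non-zero as soon as one command fails.
apply_inbound_firewall() {
    $IPTABLES -F INPUT || return 1
    inbound_firewall_rules | while read -r rule; do
        # Word splitting of $rule into separate iptables arguments is intended.
        $IPTABLES $rule || exit 1
    done
}

case "${1:-}" in
    show)  inbound_firewall_rules | sed "s/^/$IPTABLES /" ;;
    start) apply_inbound_firewall ;;
esac
```

Run `sh inbound_firewall show` to see the rules, and `DNS_SERVERS='192.0.2.1 192.0.2.2' sh inbound_firewall start` as root to install them (192.0.2.x are documentation addresses; substitute your resolvers). Leaving DNS_SERVERS empty reproduces the article's lazy rule, with the weakness the article alludes to: any host can reach your UDP ports simply by sending from source port 53, so pin the resolver addresses whenever they are stable.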

Weaknet Linux – Penetration Testing & Forensic Analysis Linux Distribution

WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks. WeakNet Linux IV was built from Ubuntu 9.10, which is a Debian-based distro. All references to Ubuntu have been removed, as the author completely re-compiled the kernel, removed all Ubuntu-specific software which would cause the ISO to bloat, and used a non-Ubuntu-traditional window manager, with no display manager. To start X11 (Fluxbox) simply type "startx" at the command line as root.

The tools selected are those that the developer feels are used most often in pen-tests. A sample of those included are:
  • BRuWRT-FORSSE v2.0
  • Easy-SSHd
  • Web-Hacking-Portal v2.0
  • Perlwd
  • Netgh0st v3.0
  • YouTube-Thief!
  • Netgh0st v2.2
  • DomainScan
  • ADtrace
  • Admin-Tool
  • Tartarus v0.1

more @ http://www.darknet.org.uk/2010/08/weaknet-linux-penetration-testing-forensic-analysis-linux-distribution/

SHAKE DAT MUNKY

Kai's Shaky Saga

Friday, October 22, 2010

History of the Internet

This History of Hacking Documentry

download @ http://www.megaupload.com/?d=EF21X2A5

Mac users warned of growing virus threat

Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection. 

Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000 'strains' of malware that target the Mac and the company says it is seeing 500 new Mac-specific samples appearing every month.

In 2009, 34 vulnerabilities were detected in Apple's OS X, which had risen to 175 so far for 2010, with a 20-year total of 170,000 macro 'viruses' affecting the platform.


more @ http://www.networkworld.com/news/2010/102110-mac-users-warned-of-growing.html

Hackers Have At Google TV

Like the Apple TV, Google's new TV platform is getting the attention of developers and hackers: AndroidForums user Apeman made an attempt to root his Google-powered Sony Blu-ray player.
The video here shows how Apeman managed to get into the player's Recovery Menu by holding down the Power button. Note the System Update with USB there. This might allow hackers to gain root access to the Android-based Google TV OS, and potentially install apps onto it before Google launches the Android Market for Google TV next year.

Members on various Android and developer forums are currently debating all the cool apps and other custom hacks that could come into being if this hack works--imagine playing Angry Birds on your TV screen.


more @ http://www.networkworld.com/news/2010/102210-hackers-have-at-google.html

Rise of the cloud can be traced back a decade

Each month we take a look back 10 years to see what was "hot" -- at least by this newsletter's standards. Often I'm hard pressed to find something relevant to today's discussions, but October 2000 was a different kettle of fish -- lots of relevant stuff.

For example, did you know that cloud computing was getting started back then? As reported on the Oct. 23 newsletter: "ERoom Technologies this week will unveil tighter directory integration for its Web-based application that provides companies with online workspaces for sharing documents and organizing projects."

A couple of days later, IBM and Microsoft "…vowed they would spark the development of a business-to-business Internet directory standard that could greatly simplify completing transactions over the Web." They were touting UDDI -- the Universal Description, Discovery and Integration protocol. Yet only four years later I said: "XRI could be considered a competitor to Universal Description, Discovery and Integration, if UDDI had ever amounted to anything." Of course, XRI (eXtensible Resource Identifier) hasn't actually set the world on fire, either.

Really big news came from Novell as it finally released (after much foot dragging) DirXML, its join engine, which is necessary for a meta-directory to work.  My biggest complaint was that DirXML was only available by contracting for services from Novell Consulting. But what Novell told me about that is the same thing that's come up over and over again for the past 10 years. As explained to me by then VP of product Marketing Ben Anderson: "Because it's not the directory that is seen as the potential problem, but a company's business processes which could (and should) be changed at the time DirXML is installed and deployed. From the political problem of 'who owns that data?' to the process problem of 'how does the data flow?' it's a major business problem to use metadirectory technology efficiently and effectively. And very few directory specialists are also business process specialists." 


more @ http://www.networkworld.com/newsletters/dir/2010/102510id1.html

.......

.............................

How to secure iPads for corporate use

When Apple's iOS 4.2 debuts next month, it will offer enough features to make the iPad tablet a device that's safe for business if IT security teams take the right steps. 

Top among these additions is encrypting stored e-mails and attachments on the devices, says Andrew Jaquith, an analyst with Forrester Research.  

"We expect Apple's new hardware-assisted cryptosystem to enable encrypted data to stay encrypted, even if the phone itself has been jailbroken or compromised in a side-channel attack," Jaquith says in his report "Apple's iPhone and iPad: Secure Enough For Business?"

Also, mobile device management adds APIs that support third-party applications that can lock or wipe clean iPads believed to be compromised, he says. These APIs also support remote inventorying of the devices and password management by third-party applications, he says.

Corporate security policy installation can also be supported through the APIs, but there is no Apple management platform suitable for corporate use, Jaquith says. However, vendors such as Mobile Iron, Odyssey and Tangoe all have privileged access to Apple's APIs that may give them a leg up on developing such tools.

In combination with other security already supportable on the devices, iPads should be safely deployable and manageable within enterprise networks, he says.


more @ http://www.networkworld.com/news/2010/102210-ipad-corporate-security.html

One in ten websites send spam emails

One in ten websites send spam email, says Spam Ratings.

The spam research firm revealed that spam created by websites has risen by 110 percent since October last year. Furthermore, one in five websites automatically opt in consumers when it comes to sharing their details with third parties, despite the fact that this breaches email marketing best practice.

Spam Ratings said Argos, Ticketmaster and Money Supermarket were among the offenders.
Two in five spam emails that contain malware feature pharmaceutical or sex-related content, while 35 percent are related to finance and 15 percent are phishing emails that impersonate bona fide sites in a bid to steal log-in details.


more @  http://www.networkworld.com/news/2010/102210-one-in-ten-websites-send.html

Thursday, October 21, 2010

Stitch & Angel- Someone Great

..........

How to measure page load time with google analytics

I’ve been playing around with Google Analytics’ Custom Variables feature and put together a neat integration that lets us measure the real performance of visitors to our website. It’s a little clumsy since Google Analytics wasn’t really meant to do this, but it’s good enough that many of you might find it useful.

Before we get started, here’s how it works:
  1. When a visitor lands on our landing page, we capture some timing information to measure the page load time.
  2. We’ll record that page load time in a Session scope Custom Variable.
  3. The page load time is reported to Google Analytics with the trackPageview call.
  4. The data is aggregated in Google Analytics and can be viewed in the Visitors > Custom Variables section.
  5. We need to export the data into Excel to do anything useful with it, because Google Analytics isn't too good at dealing with numerical data in custom variables.
Now, here’s the step by step:


more @ http://blog.yottaa.com/2010/10/how-to-measure-page-load-time-with-google-analytics/