Category Archives: Security

Malware Mutation and Descendancy

A case study by Zynamics illustrates the trouble with assuming that each newly discovered piece of malware is new, unique or sophisticated. They used a 50% similarity threshold and found that the descendants came from only a few bot families:

Files which exhibit a mutual similarity of more than 50% have been assigned to the same family. The next step was to have the files named by an anti-virus program (ClamAV). We replaced the MD5 sums with the names in the tree. The result was this graph.

The graph enables us to draw interesting conclusions:

  1. We could clearly assign several bots to a family even though ClamAV did not identify them.
  2. Many “distinct” bots show a strong similarity to other bots and should actually be assigned to one single family (e.g. Trojan.GoBot and Trojan.Downloader.Delf as well as Worm.Korgo.Y and Worm.Padobot.I). This seems to be due to problems in the naming-process.
  3. Basically, all bots are representatives of two big (GoBot, PadoBot) and 3 small families (Sasser, PoeBot, Crypt-8) as well as some “repairs”.

[Image: malware tree]
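The grouping the case study describes is a connected-components problem: every pair of files scoring above the threshold is an edge, and each component is a "family". The following is an added example (not Zynamics' code or data) that clusters a constructed set of samples with union-find, then lists the distinct scanner names that landed in each family and the members the scanner left unnamed; the sample labels, similarity scores and name assignments are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

SIMILARITY_THRESHOLD = 0.5  # the 50% cut the case study used

# Constructed sample data: short labels standing in for MD5 sums, pairwise
# similarity scores in 0..1, and the name an AV scanner assigned to each file.
# None of this is the case study's actual data.
SAMPLES = ["a1", "b2", "c3", "d4", "e5", "f6"]
SIMILARITY = {
    frozenset({"a1", "b2"}): 0.91,
    frozenset({"b2", "c3"}): 0.63,
    frozenset({"a1", "c3"}): 0.41,   # below threshold, but linked through b2
    frozenset({"d4", "e5"}): 0.78,
    frozenset({"c3", "d4"}): 0.10,
}
AV_NAMES = {
    "a1": "Trojan.GoBot",
    "b2": "Trojan.Downloader.Delf",
    "c3": None,                  # scanner did not identify this sample
    "d4": "Worm.Korgo.Y",
    "e5": "Worm.Padobot.I",
    "f6": "Sasser",
}


def similarity(x, y):
    """Pairwise score; pairs never compared count as 0 (no edge)."""
    return SIMILARITY.get(frozenset({x, y}), 0.0)


def find(parent, x):
    # Union-find root lookup with path halving
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_families(samples, sim, threshold=SIMILARITY_THRESHOLD):
    """Return families as sorted member lists: the connected components of
    the graph whose edges are pairs with similarity strictly above threshold."""
    parent = {s: s for s in samples}
    for x, y in combinations(samples, 2):
        if sim(x, y) > threshold:
            parent[find(parent, x)] = find(parent, y)
    groups = defaultdict(set)
    for s in samples:
        groups[find(parent, s)].add(s)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def summarize(families, names):
    """For each family: members, the distinct AV names seen, and members the
    scanner gave no name to. Several names in one family is the naming
    inconsistency the case study points out; unnamed members inherit a family
    from their neighbours even though the scanner missed them."""
    report = []
    for fam in families:
        labels = sorted({names[s] for s in fam if names.get(s)})
        unnamed = [s for s in fam if not names.get(s)]
        report.append({"members": fam, "names": labels, "unnamed": unnamed})
    return report


if __name__ == "__main__":
    for entry in summarize(cluster_families(SAMPLES, similarity), AV_NAMES):
        print(entry)
```

Note that a component is transitive: a1 and c3 score only 0.41 against each other, yet they share a family because both exceed the threshold against b2. That is what lets the method assign a family to files the scanner could not name, and also why a single mislabelled high-scoring pair can merge two families that a human would keep apart; the threshold value controls both effects.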

Extended DNSSEC Validation

Two new Firefox plugin options for DNSSEC validation

1) DNSSEC Validator 1.1.4 from CZ.NIC Labs is available on the Mozilla plugin site

DNSSEC Validator fetches the DNS records for the domain name in the page address and compares them to the IP addresses Firefox used to download the page. If the records carry DNSSEC signatures that can be validated, the user is protected by DNSSEC. Otherwise the user could have been a victim of DNS spoofing. The result of the comparison is displayed as a green, orange or red key right in the address bar.

2) Alpha code tested with beta Firefox 4 is available from os3sec.org

Extended DNSSEC Validator is an add-on for the Mozilla Firefox 4 beta web browser, which allows you to check the existence and validity of DNSSEC signed DNS records for domains. If a valid DNSSEC chain to the domain has been found, it checks for the existence of TXT or TLSA records that can store a copy of the hash of the HTTPS certificate. The results are shown in the address bar using the same scheme that Firefox already employs (identity box). This allows owners of DNSSEC enabled domains to securely deploy self-signed certificates or provide additional trust in their CA-signed certificates.
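The check the add-on describes has two stages: first establish that the DNS answer is DNSSEC-validated, then compare the certificate the server presented against the association data published in DNS. The following is an added example (not the add-on's code) of the second stage for TLSA records, using the record layout from RFC 6698: certificate usage, selector (0 = full certificate, 1 = SubjectPublicKeyInfo), matching type (0 = exact, 1 = SHA-256, 2 = SHA-512) and the association data. The certificate and SPKI bytes are constructed placeholders rather than real DER, and the validation status is passed in as a flag because the example does not perform DNSSEC resolution itself.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# RFC 6698 TLSA field values (the RFC's definitions, not the add-on's code)
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 (DANE-EE) is the form that lets a self-signed cert be pinned
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '<usage> <selector> <mtype> <hex...>'."""
    usage, selector, mtype, *hex_parts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hex_parts)))


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive, from the presented certificate, the bytes a record should contain."""
    subject = cert_der if record.selector == SELECTOR_FULL_CERT else spki_der
    if record.matching_type == MATCH_EXACT:
        return subject
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def tlsa_for_cert(cert_der: bytes, spki_der: bytes, usage=3,
                  selector=SELECTOR_SPKI, mtype=MATCH_SHA256) -> TLSARecord:
    """Build the record a domain owner would publish for this certificate."""
    probe = TLSARecord(usage, selector, mtype, b"")
    return TLSARecord(usage, selector, mtype, association_data(probe, cert_der, spki_der))


def check_certificate(records, cert_der: bytes, spki_der: bytes,
                      dnssec_validated: bool) -> str:
    """Outcome of the address-bar check:
    'insecure'   - records did not come with a validated DNSSEC chain, so they
                   are not evidence of anything and must not be trusted
    'no-records' - chain is fine but the domain publishes no association data
    'match'      - some record agrees with the presented certificate
    'mismatch'   - records exist but none agrees (wrong cert, or spoofed TLS)"""
    if not dnssec_validated:
        return "insecure"
    if not records:
        return "no-records"
    for rec in records:
        if association_data(rec, cert_der, spki_der) == rec.data:
            return "match"
    return "mismatch"


# Constructed placeholders: not real DER encodings
SAMPLE_CERT = b"constructed-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_RECORDS = [tlsa_for_cert(SAMPLE_CERT, SAMPLE_SPKI)]

if __name__ == "__main__":
    print(SAMPLE_RECORDS[0])
    print(check_certificate(SAMPLE_RECORDS, SAMPLE_CERT, SAMPLE_SPKI, dnssec_validated=True))
```

Ordering the checks as above matters: a TLSA record that arrived without a validated chain is treated as absent rather than as a match, since an attacker who can spoof the DNS answer could otherwise publish a record for a certificate of their choosing.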

Queensland Qops Arrest Security Reporter

A reporter attended AusCERT and then wrote a story about a privacy presentation based on a stunt. The details of the stunt are not very interesting. In brief, photos set to private on Facebook were found exposed on publicly accessible systems, which is like saying cheese was made from milk today. What is actually interesting is that the reporter who wrote the report was then arrested by authorities.

I can’t help but wonder what made the police so interested in this case. The journalist was said to have received a copy of the presentation materials.

…arrested by Queensland Police yesterday and threatened with charges relating to the receipt of “tainted material”.

Tainted material? That piqued my curiosity.

A little digging around uncovered a 2002 reference called “Protection of privacy under the general law following ABC v Lenah Game Meats Pty Ltd” at the Australasian Legal Information Institute.

The facts in Lenah raised a novel issue under Australian law: namely, the extent to which a media organisation can be restrained from publishing material obtained as a result of a trespass, in circumstances in which the organisation is not itself implicated in the trespass.

Yes, indeed, a novel idea ten years ago. So what’s the answer?

Lenah argued in the case that reporters who receive information that a third party removed without authorisation should have to treat it as confidential.

…upon analogy with the action for breach of confidence, it was claimed that information obtained as a result of a trespass should be treated as equivalent to confidential information, meaning that it is possible to restrain disclosure by a third party that knows the information has been acquired unlawfully

That seems basically the same as the reported situation at AusCERT and apparently in 2002 the court did not agree with Lenah’s argument:

…the equitable doctrine of ‘unconscionability’ was not an independent equitable basis for awarding an injunction

I’m not a lawyer but I’m pretty sure that says there has to be another trigger mechanism to compel police to jump into action and prevent the disclosure of information. This sentence makes it more clear:

Drawing on the US tort of unreasonable intrusion into seclusion, Gleeson CJ proposed that information or conduct should be regarded as private if disclosure ‘would be highly offensive to a reasonable person of ordinary sensibilities’

Australian common law thus seems to only protect privacy as incidental to other protection from defamation and other recognised forms of harm.

The journalist at AusCERT would not be compelled to treat the information as confidential even if he knew that it had been obtained without authorisation. He would be at risk of violating privacy only if disclosure of the information could cause harm. So was that the assumption of the police? Was that a tip they received — there was taint?

Unfortunately, no, according to a statement they made later. Their rationale was far less eloquent or compelling and perhaps not even in accord with the law:

Receiving a photograph obtained from a Facebook account without the user’s permission is the same as receiving a stolen TV, Queensland Police have said after the arrest of a Fairfax journalist.

The head of the Queensland police fraud squad, Brian Hay, admitted this morning that police were “still cutting our teeth” in the rapidly evolving online environment and named cyber crime as the biggest law-enforcement challenge.

If they are going to arrest everyone that has photographs taken from Facebook without user permission, and treat them as stolen goods…well, I can see how they might find cyber crime challenging if that’s their position.

Good luck to them on investigating all those “stolen TVs” on the Australian Brocial Network. That must be taking a lot of their time lately, I mean arresting all the Bros.