Victim Exposure by Anti-Malware Research

Let’s say malware compromises your system. Do you want a responder or a researcher to let others know that you were compromised? That’s the question that came to mind when I read a new research report.

There certainly is precedent for privacy and secrecy practices among other emergency responders, as well as researchers. Health care privacy might be a good example. One of the interesting cases I had to deal with in a hospital was related to x-rays of sports teams. In the run up to a big game we saw threats increase as gamblers tried to get in and improve their chances on bets by stealing information related to player health.

From that perspective a report of a system breach by a security responder could be analogous to a report of a bone break by a doctor. The situation may be more complicated than some realize, given the market for data, when you try to ask a simple question like who a report serves. People betting on a company want to know the company status, just like people betting on a player want to know the team status.

Regulations help because they can sort out the decisions and attempt to make it as clear as possible when a responder or even a victim has an obligation to report. Recently an anti-malware blog report seemed to unintentionally expose more than necessary.

The start of the story called “An Inside Look into a Customized Threat” has a screenshot of a “targeted” email. From the redacted sections you can almost make out the company name, as you can see at the top of this image:

FireEye Email Example

The little clues to the company name might not be enough to act on if the image didn’t also reveal the location.

San Diego, CA is redacted but still very easy to read. So now you know elements of the company/domain name in a specific city. And then the report emphasizes it’s a billion-dollar company and gives the target’s title, Senior Vice President and Chief Financial Officer.

The individual points on their own are not much to think about; taken together they significantly narrow down the possibilities.

The irony is that if there is anything generic about that message, which the researcher might argue in their own defense, it works against their claim that this is a “Customized Threat”.

Moving on to the rest of the story reveals little customization. Nothing in the technical summary mentions customization at all.

To summarize, when the malicious file—disguised as a financial report—is executed, it drops an executable file in a temporary folder and executes it. The dropped file then requests an HTML page from a server located in Taiwan and downloads a compressed executable file. This downloaded file establishes SSL communication on the compromised computer.

Perhaps they’re omitting custom elements but that sounds pretty generic. Then the researcher gives more detail on the company.

The entire exploitation was customized for a specific individual—in this case, the president of a billion dollar corporation.

Was the entire exploitation customized, or just the initial attack path? The report seems to reveal that a message could be customized while at the same time trying not to reveal how customized it is.

I wonder why they didn’t go all the way and just give the company name. Approval to discuss customized information may have been more convincing and less likely to cause accidental exposure, compared with semi-exposing the target.

Or we can hope that the email was completely fabricated by the researcher and San Diego, etc. have nothing to do with the real victim. A simple disclaimer would have been nice in that case, like the usual “identities have been changed to protect…”.

Otherwise it’s like a doctor who says they are not going to reveal which team has an injured player, but test results could be a threat to a winning streak in Manchester.

Future of Camouflage…is the Past

Interesting article from Slate on why the US Army chose pixel camouflage and why it soon may change.

Seen with civilian eyes, the rise and fall of the [Universal Camouflage Pattern (or UCP)]—and the family of rectilinear camouflage patterns to which it belongs—reads like a parable of irrational exuberance. Pixelated camouflage started to catch on in the technophilic years of the late-1990s, a digital pattern for a dot-com world. By taking the flowing shapes of the old woodland prints and deconstructing them into tiny squares, military engineers applied a computer logic to nature: They made over the science of camouflage, once inspired by the evolution of peppered moths and other animals, into a kind of digital screen-print that could spread through the networked military as a piece of viral media.

How could engineers have lost touch with the evolution of dark moths and their adaptation to industrial pollution? Sounds like the Army is ready to return to reality and go fashion-analog. No more computer logic games. It’s back to nature.

Peppered Moth
Can you find the hidden peppered moth?

Virus Causes Firework Explosion

The Oregonian says San Diego accidentally launched its entire Fourth of July firework display in one giant fireball. The $250,000 arsenal was spent in less than a minute.

Garden State Fireworks has apologized, saying they’re working to determine what caused “the entire show to be launched in about 15 seconds.”

August Santore, part-owner in the company, said tens of thousands of fireworks on four barges and a pier had been prepared. But because of a glitch or virus in the computer firing system, they all went off with one command, he said.

“Thank goodness no one was injured. Precautions all worked 100 percent,” Santore said.

I think he means physical precautions. When it comes to the other precautions…they might have worked at a lower percentage.

Also, an explosion like that must have created quite a plume of chemical compounds, as listed by the New Hampshire Department of Environmental Services.

The High Cost of Park Vandals

SF Gate recently reported on the cost of park vandals to the city of San Francisco. Only one day after a renovated children’s playground in Duboce Park was opened, it was covered in graffiti. That event in May prompted a wider look at the problem.

In the past five years, the San Francisco Recreation and Park Department has spent nearly $1.8 million repairing and replacing equipment, buildings and even trees, lawns and flowers damaged or destroyed by hooligans.

In all, 17,108 incidents of vandalism were reported from Jan. 1, 2007, through Dec. 31, 2011. Work crews spent 22,266 hours of labor fixing the damage. Already this year, more than 1,400 vandalism-related incidents have been attended to, costing the city more than $156,000.

[…]

Denny Kern, director of operations for the department, added to the list: fire set at the newly renovated South Sunset playground that burned hot enough to melt the hard plastic play structure and the ground cover, the four-wheel drive vehicle that tore apart three greens at the Golden Gate Park golf course, the rash of destruction to rose bushes and young trees in Golden Gate Park.

Just the other day, as I walked past Woh Hei Yuen (Garden of Peace and Joy) Playground at 922 Jackson St, a flicker in the shadows caught my eye.

I looked closer. Three teenagers, two boys and a girl, had crammed themselves into the bottom shadowy area of a ship-like structure. A boy, then a girl, held a small lighter flame hard against the walls next to them. Little children played above them on the “deck” and parents sat on benches to the side, all strangely unaware of the vandals lurking in the dark.

I stopped and said “Hey!” The two boys looked out from their hiding place and gave me a scowl. One of the boys said “you freak, what’s your problem?!”

Had I read the above SF Gate article sooner I would have said “$156,000! That’s my problem.” Instead I just turned them over to park authorities.