September 7th, 2008 by Steven Adair
Have you heard about the new Google Chrome browser lately? Chances are high that you have. However, are you or anyone you know actually using the browser? My guess is there’s a good chance the answer is NO. Sure, it’s just a beta version, but it’s been getting all kinds of hype, seemingly out of nowhere. In fact I haven’t used it and don’t plan on even trying it out for some time. Why? Well, for starters I haven’t seen a real compelling reason to use it yet. Couple that with the horrendous privacy issues that have been raised and you’ve got a potential (as the article puts it) security nightmare. Oh, did I mention there have already been multiple public proof-of-concept exploits that can possibly result in a remote compromise?
It looks like Google Chrome is a pretty risky proposition right now. Yes, it is beta, but some of these items are a bit alarming. I am not one of the people that calls Google evil, but I try not to let them near my data whenever possible. Using this browser definitely won’t further that cause. It is still a bit early with a few early adopters (testers), so we might see a lot of fixes and improvements across the board before its final release. I’ll post my two cents at a later date for anyone that might care.
I did a quick check and I can see that at least two visitors of the blog are trying out Google Chrome. Hopefully I’m not scaring anyone away from testing the browser; that certainly isn’t my intent. However, I just want people to know about the potential risks to privacy and security that presently exist. All browsers have security issues; however, that doesn’t mean we should ignore them. If you have any comments on this issue or the browser, feel free to submit them and I will post them.
In case there’s any interest, the Google Chrome User-Agent looks like this:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
Posted in Privacy, Browsers, Google, Random | No Comments »
August 24th, 2008 by Steven Adair
Whoops! It looks like multiple servers of the Red Hat and Fedora projects were compromised last week. It’s always unfortunate when this sort of stuff happens, especially when the hackers make modifications to the SSH packages. Fortunately the issue only affects a few versions of the packages and only existed for a short time. There have been various announcements and mailing list postings on this issue that can be viewed here and here.
Potentially affected OS versions that may have received these updates:
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by non-privileged users to check if the OS has any of the listed malicious packages.
Posted in Malware, Exploits, Random | No Comments »
May 27th, 2008 by Steven Adair
It appears there are now Adobe Flash vulnerabilities being exploited live in the wild on several sites. This is not good considering some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading Flash recently, you probably need to go ahead and do it.
You can check your current Flash version by clicking here.
You can upgrade to the latest version of Flash by clicking here.
Don’t wait - just upgrade right now!
Posted in Malware, Exploits, Random | 1 Comment »
April 19th, 2008 by Steven Adair
It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage over “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling for attacks, according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today, April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have since been called off and are to be rescheduled.
According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported they have observed at least 36 different attacks thus far.
While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.
Posted in Random | 4 Comments »
April 6th, 2008 by Steven Adair
As you might know, this blog runs on WordPress, which already supports RSS feeds. It seems a few of you out there and several search engine/social media sites have already manually located the URLs to subscribe to my RSS feed. In an effort to be more RSS and Web 2.0 friendly, I am now signed up with Feedburner and have put a direct link to my RSS feed on this website (continue reading). Hopefully this change is relatively seamless for those that are already subscribed.
For anyone that is not subscribed, you can now click the RSS Feed link on the right panel on my website or subscribe via http://feeds.feedburner.com/securityzone. If you check in on my site regularly or even infrequently and have an RSS reader, I’d recommend signing up. It’ll help you keep up with my sporadic update schedule that not even I can predict!
Posted in Random, Links | No Comments »
March 8th, 2008 by Steven Adair
Apparently CNN recently interviewed some hackers from China and posted a story about it on the website here. It looks like they claimed to have hacked into many sensitive sites, including that of the Pentagon. The article is interesting, although it’s very light on verifiable facts — as the article mentions. Slashdot also just had a recent posting that’s closely related to this and even links to the article. It’s all fairly interesting, but people still don’t seem to understand that these machines you can get to from the Internet do not (or at least should not) have any classified information on them. This is not to say there is not sensitive information that they may have gotten, but I doubt the Chinese are going to suddenly know our battle plans or copy our technology as a result.
Posted in Random | No Comments »
March 4th, 2008 by Steven Adair
Well, it looks like there might be good news regarding Abdallah_Internet Hizmetleri, a group that owned a few IP ranges on TurkTelekom. It appears they might no longer be operational. As of late last night or early today, all routes going to 88.255.90.0/24 and 88.255.94.0/24 appear to have gone dead. Part of the WHOIS record now reads as follows:
person: Mahmod AbdAllah el Gashmi
address: SISTEMNET TELEKOM BLACKLISTED PERSON
e-mail: admin@sistemnet.com.tr
phone: +902122666060
remarks: ——————————————————
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: For Abuse Contact : abuse@sistemnet.com.tr
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: ——————————————————
This is pretty good news, as we have previously blogged about these IP ranges here. One of my Shadowserver colleagues also just recently published a whitepaper about AbdAllah Internet Hizmetleri. It would be awesome if this is what ultimately pulled the plug. You can read the whitepaper entitled “RBN Rizing” in the whitepapers section on the Shadowserver website or view it directly by going to the RBN Rizing document itself. Happy reading and good riddance (?) to AbdAllah_Internet!
Posted in Malware, Exploits, RBN, Random | No Comments »
January 27th, 2008 by Steven Adair
Shaun from honeynet.org.au (and Shadowserver) recently released Version 1.0 of his Tracker Tool, which is designed to determine if certain domains are in fact Fast Flux domains and, on top of that, track their unique IPs. This first version has a few kinks to be worked out and might not have the clearest README in the world at the moment, but it does work pretty well. There will most likely be another release in the near future that eliminates a few of the kinks, has new features, and will be crystal clear on how exactly to use and set up everything. Just shoot Shaun an e-mail if you end up grabbing it and have any trouble.
You can find the latest version of the Tracker Tool at http://honeynet.org.au/?q=node/10
Right now it’s helped discover over 40,000 unique IPs associated with the current fast flux Storm Worm domain ibank-halifax.com in the last few weeks. This is definitely down from the approximate 100,000,000,000,000 (Note: number exaggerated) IPs that were seen with the Storm Worm fast flux domains back in September-August of last year.
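As an added illustration (this is not Shaun's Tracker Tool; his code is not on this page), here is a small Python sketch of the heuristic such a tracker relies on: repeat the lookup, accumulate the unique A records per domain, and flag a domain whose TTLs stay low while the answer set keeps churning across unrelated /24 prefixes. The lookup data below is constructed from documentation address ranges, and the thresholds are assumptions, not figures from the tool.

```python
"""Fast-flux heuristic over repeated DNS answers (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: (domain, TTL seconds, A records) from successive queries.
# IPs are documentation ranges (RFC 5737), not real Storm Worm nodes.
SAMPLE_LOOKUPS: List[Tuple[str, int, List[str]]] = [
    ("ibank-halifax.com", 300, ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    ("ibank-halifax.com", 300, ["192.0.2.11", "198.51.100.9", "203.0.113.45"]),
    ("ibank-halifax.com", 180, ["192.0.2.77", "203.0.113.46", "198.51.100.20"]),
    ("ibank-halifax.com", 240, ["192.0.2.78", "198.51.100.21", "203.0.113.99"]),
    ("example.com", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("example.com", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("example.com", 86400, ["192.0.2.2", "192.0.2.1"]),
    ("example.com", 86400, ["192.0.2.1", "192.0.2.2"]),
]


class FluxTracker:
    """Accumulates answers per domain and scores them for fast-flux behaviour."""

    def __init__(self) -> None:
        self.unique_ips: Dict[str, Set[str]] = defaultdict(set)
        self.ttls: Dict[str, List[int]] = defaultdict(list)
        self.lookups: Dict[str, int] = defaultdict(int)

    def record(self, domain: str, ttl: int, ips: Iterable[str]) -> None:
        """Store one answer set; unique IPs grow only when the answers change."""
        self.unique_ips[domain].update(ips)
        self.ttls[domain].append(ttl)
        self.lookups[domain] += 1

    def is_fast_flux(self, domain: str, min_lookups: int = 3, max_ttl: int = 600,
                     min_new_ips_per_lookup: float = 2.0, min_prefixes: int = 3) -> bool:
        """Assumed thresholds: low TTL, high IP churn, IPs spread over several /24s."""
        n = self.lookups[domain]
        if n < min_lookups:            # not enough samples to judge churn
            return False
        ips = self.unique_ips[domain]
        churn = len(ips) / n           # average fresh IPs contributed per lookup
        prefixes = {ip.rsplit(".", 1)[0] for ip in ips}
        return (max(self.ttls[domain]) <= max_ttl
                and churn >= min_new_ips_per_lookup
                and len(prefixes) >= min_prefixes)


def analyse(lookups: Iterable[Tuple[str, int, List[str]]]) -> Dict[str, Tuple[int, bool]]:
    """Return {domain: (unique IP count, flagged as fast flux)} for a lookup log."""
    tracker = FluxTracker()
    for domain, ttl, ips in lookups:
        tracker.record(domain, ttl, ips)
    return {d: (len(tracker.unique_ips[d]), tracker.is_fast_flux(d)) for d in tracker.lookups}
```

Against live DNS, the same `record` call would be fed from a resolver loop running for hours or days, which is where the unique-IP counts the post mentions come from.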
Posted in Storm Worm, Random | No Comments »
December 29th, 2007 by Steven Adair
The other day while searching some of the Storm Worm domains, I found myself clicking onto a link to the website http://bsn.borderware.com. As it turns out, it’s a pretty interesting little site. Their website displays snapshots and statistics in a number of different categories. A quick summary right from their website says that “The BorderWare Security Network (BSN) is a real-time reputation service that monitors and identifies threats across multiple Internet communication protocols.” On the website you can get a top 10 for Zero Hour Threats, Recent Offenders, Most Wanted, Top Phishers, Top Spammers, and Virus Senders. You can also look up IP addresses and domains to check their reputation as the BSN has it.
The most interesting of the Top 10 lists it has is the “Top Phishers” list. The name itself is a bit of a misnomer. The list that appears under this heading is actually the most frequent domain names in phishing and spam e-mails that they have seen. It should be no surprise that the last few Storm Worm domains have appeared as #1 or #2 every time I check their website. Other similar services are the Internet Storm Center’s Top 10 and ATLAS from Arbor Networks. However, neither of these will give you a list of some of the most frequently seen mass e-mailed domain names, which is an interesting statistic to see.
If you know of any other similar services that you use or provide, please feel free to share them via comments or by e-mailing me [steven[AT]securityzone.org].
Posted in Phishing, Spam, Random | No Comments »
November 11th, 2007 by Steven Adair
Well, you may have heard some of the ruckus about terrorists calling for a cyber jihad against websites on November 11, 2007 (today). It seems this was about as successful as just about anything a terrorist and/or DDoS kiddy normally organizes. Did you notice or hear about any websites being down today? Well, that makes two of us, because I didn’t hear about anything either. I wonder if they even tried. I think the results would be about the same. It just goes to show that whether you’re a DDoS kiddy or a terrorist, you’re a pathetic idiot either way.
Posted in Random | No Comments »