I don't want to bash too much on Facebook (see previous post), but there is another concern out there that I wanted to publicize: Your private Facebook profile may not be private!
As tested by Super-Phil (a guy I work with), having a private profile on Facebook is really only private (which does not imply that it cannot be hacked anyway) if you do NOT join any groups. What does this mean?
For a situational example, let's say that you are bored and trolling Facebook for ex-girlfriends. Suddenly you find one and you're excited to make contact... only to be deflated by the fact that when you click on your ex's profile, you are told that some or all content is visible only to your ex's Facebook friends. Now isn't that a bummer! However, there is a way around this, or a caution for those who wish to remain private: if your ex is part of a group on Facebook!
What do you do? Join the group! After joining the group, as Super-Phil tested this past weekend, you can see any other member's FULL profile. I leave it up to the reader to decide if this is good or bad. I cannot currently test this from where I am right now, but I have faith in Super-Phil, as he is a Facebook and vulnerability guru.
Something else that Super-Phil noted: be wary of sites such as NING dot com (apparently they are currently being sued) because they scrape Facebook profiles and put your information out there for even more people to see... even if your profile on Facebook is private, as long as you are a member/customer of sites such as NING.
Friday, September 11, 2009
What's Old is New...
There are hundreds of products that promise to "rejuvenate" our older population, remove wrinkles, or just plain make you "feel younger." These are items that attempt to "turn" the older people into "new." Most of these products, I think, are junk and do nothing but cost money.
However, there is a much larger problem with old becoming new. For those unaware, old malware continually resurfaces in attempts to trick people into bad situations. These old-turned-new products do more than cost money. A recent example of this is the reappearance of the Koobface virus on Facebook.
The Koobface virus has been around for a while and yet it continues to be used. Facebook has reports about it from last year, and yet it is still rearing its ugly head. Specifically, I have seen it three times in the last week:
1) A friend of mine posted a warning to my wall that a Facebook email linking to a video had been sent from her account, that she didn't send it, and that she knew it was malicious.
2) I received an email from the same friend that contained a different video link. However, from some of the text in the message, I knew it was fake/spoofed.
3) A posting went on my wall yesterday, to a third video, from the same friend's account.
Having faith in my setup at home, I decided I would follow the link on the wall posting. Sure enough, a "new" Facebook page opened. This new page had a video player in the middle of it, with a message window telling me that I needed to update my Flash Player plugin. About 2 seconds later, a new window opened with nothing more than an obfuscated string of about 20 characters. It was then that Norton kicked off the big warning. I made note of the URL in the new window, clicked "view info" in my Norton warning, and then closed out the bad browser window.
For giggles, I clicked the movie link on my facebook page again. The exact same sequence of events happened, as expected, with one BIG difference: the URL in the new window had a different top level address. The initial URL started with 67.X.X.X and the second time I followed this malicious link, the URL began with 74.X.X.X. I didn't bother with a third time.
From what I have read on other blogs and sites, had I clicked the "upgrade flash plugin" option on the first pop-up (fake Facebook page), and clicked OK to the download, I would have invited trouble into my electron world.
Additionally, the second, almost blank window that pops up with an obfuscated string is actually attempting to auto-download the Koobface virus as well. For more information on Koobface, check out:
http://sunbeltblog.blogspot.com/ (September 10, 2009 posting)
http://www.pcworld.com/article/155017/facebook_virus_turns_your_computer_into_a_zombie.html
http://www.scmagazineus.com/Koobface-spreading-through-thousands-of-IP-addresses/article/147964/
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23370
I should also note that this worm has infected more than just Facebook: MySpace, Twitter, some blogs, and other social networking sites. The last link above provides some information on how to get rid of this "bad boy" should you become infected.
Thursday, September 3, 2009
Great Websites if you do anything with Network Security
Generally good sites for getting DNS information, identifying bad sites, or identifying malware
http://centralops.net/co/
http://www.malwareurl.com/listing-urls.php?urls=off
http://www.malwaredomainlist.com/mdl.php?search=172.30.33.5&colsearch=All&quantity=50
http://www.mynetwatchman.com/ListIncidentsbyIP.asp
http://www.domaintools.com/
http://www.threatexpert.com/
http://www.siteadvisor.com/
http://www.trustedsource.org/
http://www.unmaskparasites.com/security-report/
http://www.anti-malvertising.com/
http://www.malwareurl.com/search.php?domain=&s=www.arlingtonva.us&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
https://www.arin.net/index.html
http://www.netscantools.com/nstpro_ping.html
http://www.apnic.net/
http://www.spamhaus.org/sbl/index.lasso
Javascript Deobfuscation
http://wepawet.cs.ucsb.edu/index.php
The guy who made the javascript packer (source code is here)
http://dean.edwards.name/
Friday, August 14, 2009
Unpack the Junk instead of Opening it
Today I learned a new and awesome trick for unpacking javascript that is found in packet captures. I have pasted the method below from the original site, along with the link to the author's posting. In short, this is an invaluable tool and makes me love Firefox even more!
Update: This technique can also be used to deobfuscate Yahoo Counters.
[Copied text]
Without any intro – crap that I usually write explaining why I had to write this post, I’m going for the subject. You (general junta or web developers or scared security guys) might see some eval-packed javascript which phishing idiots ask you to copy-paste on your URL bar and hit the enter key.
"Unpacking JS is a PITA" was the answer that my brain used to give whenever I thought about it. Just now, I found a very easy method to convert it into readable Javascript without any extra tool (IE boys, run away). It's very simple in FF or Opera.
FF guys, all you need to do is …
Copy the eval-packed JS, something like: eval(function(p,a,c,k,e,d){e=function(c) …………………. }
Open the Error Console in your Firefox
Paste the packed JS in the Code input tab
Add eval = alert; at the beginning of the code
Hit Evaluate
You will get the proper javascript for the packed javascript. Copy-paste it into any code prettifier. It will become perfectly readable. Opera folks, follow this. Packed JS is a huge asset for phishing, as who would have expected that the packed JS in this code will make you join around 26 communities and send some stupid message to all your friends without your knowledge as soon as you copy-paste some JS code on your URL bar and hit enter.
[End copied text from: http://karteek.selfdabba.com/2008/08/unpack-js/]
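The same "eval = alert" trick in script form, as an added example that is not from the original post or from the copied write-up: the packed code is handed a replacement eval that records its argument, so the unpacked source comes back as a string and nothing in the sample is ever executed. It assumes a Dean Edwards style eval(function(p,a,c,k,e,r){...}(...)) packer; the sample below is hand-packed for this example, and the function names are this example's own.

```javascript
// Added example (not the post's own code): capture the argument of the
// packer's eval(...) call instead of alerting it. Assumes Dean Edwards style
// eval(function(p,a,c,k,e,r){...}(...)) output.

function unpackEval(packed) {
  const captured = [];
  // A parameter named `eval` shadows the real one inside this sloppy-mode
  // function body, so the packer's eval(...) call lands on our recorder.
  const runner = new Function('eval', packed);
  runner(function recorder(src) {
    captured.push(String(src));
    return undefined;            // the unpacked code is stored, never run
  });
  return captured;
}

// Packers are often nested (packed output that is itself packed); keep
// unpacking while the result still begins with eval(, up to maxDepth layers.
function unpackNested(packed, maxDepth = 5) {
  let current = packed;
  let layers = 0;
  while (layers < maxDepth && /^\s*eval\s*\(/.test(current)) {
    const out = unpackEval(current);
    if (out.length === 0) break;   // not an eval packer after all
    current = out[0];
    layers++;
  }
  return { source: current, layers: layers };
}

// Constructed sample, hand-packed for this example: the packer's base-10 form,
// which unpacks to a one-line function that would alert "hello".
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 1(){2("3")}',4,4,'function|hi|alert|hello'.split('|'),0,{}))`;

console.log(unpackNested(PACKED_SAMPLE).source);
// prints: function hi(){alert("hello")}
```

Run the returned source through a prettifier afterwards, exactly as the copied write-up suggests; the point is that the sample never gets a real eval.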
Monday, August 3, 2009
Setting up Apache Tomcat on CentOS5
This past weekend I decided that I didn't like the performance on my current CentOS5 setup. With that in mind, I set out to re-install and begin, again, to configure from scratch. My whole goal with this server is to eventually have running a web server, an email server for the family, and a local domain for the home network (as opposed to the current workgroup settings).
The re-install of CentOS 5.3 was again a breeze. Although, I didn't get into too many security settings. The thought behind that is that I want to make sure it will work for my needs and then I will tighten it down before publishing any content to the world.
The complicated step was the installation and testing of Apache Tomcat 6.0.20. With that in mind, a short 'how-to' (based upon the below link) is below:
To get started:
1) Files needed:
- JAVA:
- These should be saved/moved to: /root
- jre-6u14-linux-i586.bin
- jdk-6u14-linux-i586.bin
- APACHE TOMCAT:
- These should be saved/moved to: /usr/share
- apache-ant-1.7.1-bin.tar.gz
- apache-tomcat-6.0.20.tar.gz
2) Directories needed:
- /usr/java
3) Notes:
- If some of the commands below aren't found by your bash shell, use /sbin/[servicename]
Commands:
Install Java (JDK and JRE):
1) move to the java folder:
# cd /usr/java
2) Install JRE and JDK:
# sh /root/jre-6u14-linux-i586.bin
# sh /root/jdk-6u14-linux-i586.bin
- Verify installation. There should be a jre and jdk file in the /usr/java folder
Install ant and Apache
1) move to share folder:
# cd /usr/share
- Install ant first:
# tar -xzf apache-ant-1.7.1-bin.tar.gz
- install apache tomcat
# tar -xzf apache-tomcat-6.0.20.tar.gz
Enable Ant linkage
# ln -s /usr/share/apache-ant-1.7.1/bin/ant /usr/bin
Configure environmental variable:
- move to folder with catalina.sh
# cd /usr/share/apache-tomcat-6.0.20/bin
- open catalina.sh in your favorite editor (I used vi)
- add as a second line:
- JAVA_HOME=/usr/java/jdk1.6.0_14
Test config
# cd /usr/share/apache-tomcat-6.0.20/bin
# ./startup.sh
Check for error log
# less /usr/share/apache-tomcat-6.0.20/logs/catalina.out
Run the startup file (I may have to edit file location...doing this from memory)
# cd /usr/share/apache-tomcat-6.0.20/bin
# ./startup.sh
A startup script can be found on the below link. This script can be used to cause tomcat to start automatically at system startup. I did test this script on my original install, but opted not to use it this time (remember, I reloaded CentOS to try to clear up performance issues). I should note that the below link uses older versions of java (update 10) and of apache tomcat (6.0.18).
My end result is that my service works as it should, I set up a DynDNS account to test it, and I am now ready to re-build my website and move my domain.
Reference:
http://de0ris.blogspot.com/2008/08/installing-tomcat-6x-on-centos-5.html
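The two hand steps from the how-to above (adding JAVA_HOME as the second line of catalina.sh, then reading catalina.out for errors) as re-runnable shell functions, added here as an example and not the blog's own script. The default paths are the ones the post uses; the function names and the "apply" argument are this example's own.

```shell
#!/bin/sh
# Added example (not the blog's script): the post's manual JAVA_HOME edit and
# catalina.out check as functions. Defaults below are the post's paths.
TOMCAT_HOME="${TOMCAT_HOME:-/usr/share/apache-tomcat-6.0.20}"
JDK_HOME="${JDK_HOME:-/usr/java/jdk1.6.0_14}"

# Insert JAVA_HOME=<jdk> as line 2 of catalina.sh (keeping the shebang on
# line 1), only once, and only if the JDK directory actually exists.
set_java_home() {
  script="$1"; jdk="$2"
  [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
  [ -d "$jdk" ] || { echo "JDK directory not found: $jdk" >&2; return 1; }
  if grep -q '^JAVA_HOME=' "$script"; then
    return 0                          # already configured; leave it alone
  fi
  awk -v jh="JAVA_HOME=$jdk" 'NR==1{print; print jh; next} {print}' \
    "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# What the post does with `less catalina.out`, made mechanical: count SEVERE
# entries and require Tomcat's "Server startup in ..." line. 0 = clean start.
check_catalina_log() {
  log="$1"
  [ -f "$log" ] || { echo "no log yet: $log" >&2; return 1; }
  severe=$(grep -c 'SEVERE' "$log" || true)
  if grep -q 'Server startup in' "$log" && [ "$severe" -eq 0 ]; then
    echo "startup OK"
    return 0
  fi
  echo "startup problem: $severe SEVERE line(s) in $log" >&2
  return 1
}

# Touch the real install only when asked: `sh tomcat-check.sh apply`
if [ "${1:-}" = "apply" ]; then
  set_java_home "$TOMCAT_HOME/bin/catalina.sh" "$JDK_HOME" || exit 1
  "$TOMCAT_HOME/bin/startup.sh" && sleep 5
  check_catalina_log "$TOMCAT_HOME/logs/catalina.out"
fi
```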