Posted: October 31st, 2009 | Author: Matt | Filed under: Conferences, InfoSec | No Comments »
So, zaCon is coming.
It’s a conference without all the fluff and hubbub of commercial vendors. It’s being put on by people who live, eat, breathe and sometimes poop information security. It’s going to give a platform to people who wouldn’t usually have one, so they can talk about the new, cool stuff they might be working on. New tools, new ideas, just about anything that keeps us up at night.
There isn’t going to be any corporate sponsorship. It’s going to be very ad-hoc and probably very chaotic, but that’s a good thing. Nothing like this has happened in South Africa before (as far as I am aware).
So keep an eye on the website. The speaker list is up and running. The venue has been locked down and it’s happening.
If you have any questions, comments or general ideas, please feel free to contact people@zacon.org.za
But mostly, come along. It’s going to be a lot of fun.
Posted: October 12th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec, malware | Tags: InfoSec, malware, rant, spit balling, stating the obvious | No Comments »
The days of signature based malware / trojan detection are over. We are now living in some of the most dangerous times to be using the Internet, and I sometimes wonder if it’s even worth sticking around. Farming cats in the Karoo sounds like a far safer and less stressful job anyway. Long gone are the days when a cute character of the author’s choosing would run across your screen and moon you. These days, with humanity’s greed, it’s all about how quickly and easily a 0-day can be transformed into a working exploit which can either be sent out in a (spear)phishing attack or hosted on some web server with JavaScript doing the rest of the work. And the worst part of it all is that we are constantly playing catch-up.
When new malware is introduced into the ecosystem that is the Internet at large, we rely on someone catching a specimen of this malware and either analyzing it themselves or sending it through to one of the big AV vendors, who will analyze it and produce a signature which is then disseminated to paying customers. This whole process leaves gaps, which are filled by zombies and eventually botnets which plague not only home users but big corporates. No one is safe.
Conficker, while a great example of what can be done by the community at large, is still very badly understood. No one seems to know why it’s out there and what it’s truly capable of. The media didn’t help us at all around April 1st either with all the hype that went around. I think the awful catch phrase of “Cyber Katrina” was thrown around with gay abandon. Please don’t get me wrong, I am not bashing the groups who worked on the Conficker Working Group, they did tremendous work. I am just worried that there is a fairly serious piece of malware floating around which no one seems to really know the capabilities of.
What are we going to do about this? Switch to multi-engine scanning on our AV? Move to a more proactive IDS/IPS setup? How does this really help the little guy in the street? Do you think Joe Average, who just wants to download the latest funny video from that site that needs that special codec from that other site that ends in .ru? Oh wait…I’ve gone cross-eyed. Am I the only person who is still worried that we are relying on vendors whose principal goal is to make money for our anti-virus updates? They’re not going to do anything rash, are they? Yes, they’re out to help us, but at what cost?
I fear I may have too many questions and doubts with not enough answers. All I know is that there is a very, very wild west (and east) out there and suddenly, running my web browser in a Virtual Machine or Live CD doesn’t sound like such a bad idea.
Hold that thought, I’m going to fire up VMware Fusion.
Posted: October 9th, 2009 | Author: Matt | Filed under: InfoSec | 4 Comments »
This is probably old hat to most, but I know a couple of people who have been pondering over this “problem” for a while. That, and the fact that it’s been a fairly hot topic recently, have made me want to post this for my general readership of one.
Every now and again I will get an MSN message from someone on my contact list. The strange thing, however, is that at that particular point in time, said person is not online. So where did the message come from, and how did they get it through to me? I guess they could be in “invisible” mode or some such online lurk mode. It’s the content of the message that’s more important, however. On one occasion recently I received the following message from a contact:
http://Face-The-Truth.com/?schooling=welly-wells-sa&image=DSC007956.JPG
8:27:43 AM Hapless MSN User: hey lisen… are these your class fellows?? im confused…
http://XXX-XXX.com/?schooling=MSNADDRESS&image=DSC007956.JPG
So, being the inquisitive soul that I am, I fired up a virtual machine and went to the URL using good old wget. What I got was not an image file DSC007956.JPG as advertised above, but a rather fun URL hosted in…China. Awesome. They aren’t a source of malware. I swear. Thankfully though, there was no malware on the link. Just a very simple login page saying you have to log in with your MSN ID to gain access to the said pictures of “class fellows”. There is a link to the terms and conditions which has a couple of very interesting lines that should flash huge red warning lights everywhere, but alas, Joe Average does NOT read T&C. Here they are for your enjoyment:
“By filling out this form, you authorize Tubela Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.”
“This is not a “phishing” site that attempts to “trick” you into revealing personal information”
But wait, there’s more….
“We may temporarily access your MSN account to do a combination of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”
There is the kicker. I don’t know about the rest of you out there, but I don’t want to have anyone “temporarily” access my MSN account to do anything. From my research it seems that they only really spread the phishing net; I have yet to see any malware come from the “infected” user, but that’s a very easy third step to take.
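The fetch described above (a link that advertises DSC007956.JPG but hands back a login page) is easy to automate without ever rendering the page. The script below is an added example, not the author’s wget session or anything from the site in question: it does one request with redirects disabled, then compares what the URL advertises (the `image=` parameter) with what the server actually sent, by magic bytes rather than by headers, and flags a redirect off-site, a content mismatch, a lying Content-Type header, or a password field. The `fetch_once()` helper does talk to the network; the `SAMPLE_*` responses and the `login.example.invalid` hostname are constructed stand-ins so the analysis can be run offline.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Magic bytes for the image types a lure is likely to claim; used to sniff
# what the server really returned, regardless of what the URL promised.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib raise HTTPError
    instead of silently following the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, timeout=10):
    """One request, no redirects followed. Returns (status, headers, body).
    Network helper for real use; the samples below are constructed instead."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(65536)


def advertised_file(url):
    """The filename the URL claims to serve: the `image=` query parameter if
    present (as in the lure), otherwise the last path component."""
    parts = urlsplit(url)
    names = parse_qs(parts.query).get("image")
    return names[0] if names else parts.path.rsplit("/", 1)[-1]


def sniff_mime(body):
    """Classify the body by its content, not by what any header says."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if re.search(rb"<\s*(html|form|input)\b", body[:4096], re.I):
        return "text/html"
    return "application/octet-stream"


def analyse_fetch(url, status, headers, body):
    """Compare what the URL advertises with what the server actually sent."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    name = advertised_file(url)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_MIME.get(ext)
    result = {"advertised": name, "expected_mime": expected, "findings": []}

    if status in REDIRECT_CODES:
        location = hdrs.get("location", "")
        result["redirect_to"] = location
        result["findings"].append("redirect")
        if urlsplit(location).hostname not in (None, urlsplit(url).hostname):
            result["findings"].append("offsite_redirect")  # bounced to another host
        return result

    sniffed = sniff_mime(body)
    declared = hdrs.get("content-type", "").split(";")[0].strip().lower()
    result["sniffed_mime"] = sniffed
    if expected and sniffed != expected:
        result["findings"].append("content_mismatch")   # not the image it claimed to be
    if declared and sniffed != declared:
        result["findings"].append("header_mismatch")    # Content-Type lies as well
    if re.search(rb"type\s*=\s*['\"]?password", body, re.I):
        result["findings"].append("credential_form")    # a login page, not a photo
    return result


def verdict(result):
    return "suspicious" if result["findings"] else "serves the advertised image"


# Constructed samples standing in for responses the lure URL might give when
# fetched with fetch_once(); the hostnames are placeholders, not real sites.
LURE_URL = "http://XXX-XXX.com/?schooling=MSNADDRESS&image=DSC007956.JPG"
SAMPLE_REDIRECT = (302, {"Location": "http://login.example.invalid/msn/"}, b"")
SAMPLE_LOGIN_PAGE = (200, {"Content-Type": "text/html"},
                     b"<html><form method=post><input name=email>"
                     b"<input type=password name=pw></form></html>")
SAMPLE_REAL_JPEG = (200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 32)

if __name__ == "__main__":
    for label, sample in [("redirect", SAMPLE_REDIRECT),
                          ("login page", SAMPLE_LOGIN_PAGE),
                          ("real jpeg", SAMPLE_REAL_JPEG)]:
        r = analyse_fetch(LURE_URL, *sample)
        print(f"{label}: {verdict(r)} {r['findings']}")
```

Run it against a live link with `analyse_fetch(url, *fetch_once(url))`, from a throwaway VM as above. Refusing to follow redirects is deliberate: the first hop is the interesting one, and following it blindly is exactly what the victim’s browser does.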
So yes, please take the time to read terms and conditions, especially if they’re from some dodgy looking site.
But most of all, don’t click on links that look even the slightest bit off. Even if they’re from your friends.
The Social Media zombies want your brains….