Friday, May 30, 2008

Did Chinese hackers cause the 2003 blackout?

Here's an excellent article which talks about the possibility that Chinese hackers from the PLA may have had a hand in causing the 2003 blackout in the northeast and another one in Florida. I'm not sure if I believe this, mostly because I'd like to pretend that the nation's power grid is more protected than that (although deep down I know it isn't). My favorite quote:
A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”
The rest of the article talks about other cyber-threats coming from China, including cyber-espionage. One interesting quote:
During a trip to Beijing in December 2007, spyware programs designed to clandestinely remove information from personal computers and other electronic equipment were discovered on devices used by Commerce Secretary Carlos Gutierrez and possibly other members of a U.S. trade delegation, according to a computer-security expert with firsthand knowledge of the spyware used.
This would be a great article to summarize for your execs, especially if they travel overseas. China is well-known to use any tactic it can (including information theft) in order to gain a competitive advantage. What are you doing to protect your information when your employees travel out of the country?

Thursday, May 22, 2008

I love getting spam!!!

OK, not really, but I have been looking forward to getting it the last two weeks. Why?

At the Ohio HTCIA spring conference Greg and I sat in on a talk entitled Illicit Distribution Networks: Spam Tactics of Online Criminals by Garth Bruen of Knujon (no-junk spelled backwards). Garth had a fascinating presentation on spam networks and how we should be targeting the web sites and domains selling the products advertised in spam instead of the ones sending it.

The theory behind this is if we shut down the illicit domains selling spam products, those hiring spammers will make less money and go out of business, thus putting the spammers out of business. Sounds solid to me.

The way Garth's organization, Knujon, works is that it has people send them all the spam they can. Unlike other anti-spam orgs, Knujon is only interested in the spam body, not the headers. They parse the body to pull out the advertised domains and use that to contact registrars and force the shutdown of illicit spam domains.
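To make that body-only approach concrete, here is a small added example (my own illustration, not Knujon's code) that pulls advertised URLs out of a handful of constructed spam bodies, reduces each to a registrable-looking domain, and ranks the domains by how many distinct messages advertise them. The sample messages and the `.test` domains are made up, and the "last two labels" heuristic for the registrable domain is a deliberate simplification (it is wrong for things like `.co.uk`); the registrar lookup step that would follow is left out since it needs WHOIS access.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample spam bodies for the demo (not real messages).
SAMPLE_SPAM = [
    "Cheap meds!! Order now at http://www.pillz-example.test/order?ref=123 - limited offer",
    "Visit http://shop.pillz-example.test/ for 80% off. Unsubscribe: http://pillz-example.test/u",
    "Your rolex is waiting: https://watches-example.test/sale",
    "Best deals http://www.pillz-example.test/buy ... act now",
    "Hi, check out hxxp://watches-example.test/promo (remove xx)",
]

# Matches http(s):// URLs and the common "hxxp" defanging seen in forwarded spam.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def extract_domains(body: str) -> set[str]:
    """Return the set of registrable-looking domains advertised in one spam body.

    Assumption: the registrable domain is the last two labels of the host.
    That is a simplification (fails for ccSLDs such as .co.uk) but keeps
    www./shop. style subdomains from splitting one seller into many.
    """
    found = set()
    for raw in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)
        host = urlsplit(url).hostname
        if not host:
            continue
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        found.add(".".join(labels[-2:]))
    return found


def rank_domains(bodies):
    """Count in how many distinct messages each domain is advertised.

    Counting per message (a set per body) rather than per URL stops a single
    message with many links from dominating the ranking.
    """
    counter = Counter()
    for body in bodies:
        counter.update(extract_domains(body))
    return counter.most_common()


if __name__ == "__main__":
    for domain, hits in rank_domains(SAMPLE_SPAM):
        print(f"{hits:3d}  {domain}")
```

The ranked list is the part that matters: the top entries are the domains worth reporting, regardless of which botnet or relay delivered the messages, which is exactly why the headers are not needed.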

Garth gave a lot of great statistics, such as that 90% of all spam domains are set up through just 20 registrars (out of 800+). Brian Krebs recently covered more of this on his blog.

Signing up for an account on their site is easy. There are also a lot of plugins for mail programs which can be used to speed up the process. I've been using one for Thunderbird and have probably sent Knujon close to 300 spam messages a day. I have not received any reports back yet, but once I do I'll post the results.

Monday, May 19, 2008


I've been running Linux for at least 10 years. My entire "Linux life" has either been on a RedHat derivative or Gentoo Linux (which is what I currently use). While I have tried Debian-based distros in the past, I haven't liked them because they were so different from what I was used to.

So, when my laptop told me FAN ERROR today and refused to boot, I had to decide what I was going to do. I was starting a big project and needed to get a machine running quickly. Fortunately, my mac mini was at hand so I could get email right away, but it's a PowerPC version and is not able to run VMWare, which is what I needed.

I had a machine lying around which was powerful enough for my needs. The problem was I needed to install some Linux variant and get it up and running shortly. Gentoo wouldn't work because compiling everything from scratch would take too long. Fedora has become too bloated for me and I didn't want to fool around with CentOS.

So I turned to Ubuntu.

I have to say I'm impressed. The whole install took less than 10 minutes and then I was up and running with all the apps I needed, minus VMWare. While I'm not 100% convinced that it's for me, I have to admit I may try it out the next time I decide to switch distros.

Wednesday, May 14, 2008

Infected eBay watch

Just got back from the Ohio HTCIA 2008 conference and saw that Dave over at his Securi-D blog posted about an MP3 watch he bought off of eBay from a Chinese seller. When he plugged it into his computer, his AV detected a virus on the watch. Too funny.

Unfortunately, this isn't new. Within the last year, we've started to see more and more products arrive already infected with some malware, and I see this becoming more of a problem in the future.

Thursday, May 8, 2008

Notacon Videos Available

While I didn't get a chance to go to Notacon, which is a shame since it's in my backyard, it appears the presentation videos have been posted and are available for download.

Speaking of conferences, the NE Ohio Information Security Summit is having a call for papers right now for this year's conference. I've been going to the conference ever since it started lo these many years ago and have been speaking at it for the last 2 or 3 years. It's an excellent opportunity to network with Info Sec people and listen to some great talks.

Friday, May 2, 2008

Race to Zero Controversy

A week ago I blogged about a new contest called Race to Zero at Defcon. The goal of the contest is to obfuscate malware enough such that when it is uploaded through a portal and scanned with AV there is a zero-percent detection rate. As expected, the AV community is up in arms about this.

My original intent was to play devil's advocate about this contest and talk about the reasons why it is not as bad as the AV vendors are saying. However, Dancho Danchev posted something which says it best. Read that. :)

I still have my own opinions on the contest and how easy it is to obfuscate malware enough to bypass signature AV. However, I feel I would probably be beating a dead horse and so am going to forget about the whole thing.


I've come to a realization...30 days of blog posts is a pretty big thing to hope for, especially when you have a job (and blogging is not your full time job). ;)

So I broke my 30 day promise (if to no one else but myself), but I have kept it up well and am proud of that. I'm gonna keep posting, still trying once a day. In fact, I'll be posting two today - one now and some random malware thoughts later on.