Friday, September 28, 2007

Upcoming SANS Incident Handling course in Cork, Ireland


As part of the SANS mentor program I will be mentoring a class for a SANS course in Incident Handling and Hacker Exploits.

The course will run for 8 weeks at the Trend Micro offices on the Model Farm road, every Wednesday from 6.30-9.30 - October 24th to Dec 12th.

The course is a great opportunity for those interested in IT Security, and presents the current environment from both the attacker's and the defender's perspectives. As part of the mentoring, I will be doing plenty of demos, and attendees will be bringing laptops along to get hands-on experience with all of the tools and technologies presented during the course.



Full details of the event can be found here, but if anyone is interested or has any questions please feel free to email me at RobertMcArdle[INSERT OBVIOUS SYMBOL HERE]gmail.com

Robert McArdle in Full Frontal Shocker

I did an interview last week for the Irish paper the Irish Examiner, which was published today. To be honest I was expecting a small column tucked away somewhere in the back, but it was great to appear on the front page of the Money and Jobs section, and it is some great exposure for Trend Micro in Ireland. Hopefully the team here will have many more publications in the future.



I tried to get them to use this picture for me, but unfortunately they did not fall for it.


Wednesday, September 26, 2007

STORM + Fools = $$$

Posting this to the TrendMicro blog also

Would you like to earn $50 per hour in a job that only takes 3-5 hours of your free time every day? If so, the Storm team want people like YOU!

The latest version of Storm is aimed at people who want to make loads of money, for minimal effort, from the comfort of their own homes...so not a huge target audience then.



Users that follow the link will be brought to a site hosting a bulletin board and, refreshingly, not an entire arsenal of exploits, which makes for a nice change. The scammers waste no time in explaining how this wonderful scheme works. The helpful user (i.e. the mule) simply receives some funds (i.e. money stolen via phishing), keeps 10% for themselves, and sends the rest on via Western Union.

Unfortunately for budding entrepreneurs in Europe and Asia, this fantastic offer is only available to people with a bank account registered in Canada, Australia, New Zealand or the United States.

Joking aside, this is what is known as a "Money-Mule" scheme. It is an essential part of the money-laundering side of the Crimeware business, and is used to launder stolen money through unsuspecting users. Needless to say, it is a very bad idea to get involved in this type of business.

Interestingly, this forum has been active since December 2004 and at the time of writing has around 150 members. The fact that this is being spammed out now suggests that the Storm team are in need of more mules, either because of the increased amount of money that they need laundered, or because existing mules have stopped participating.

Let's hope it's the latter.


Tuesday, September 25, 2007

CISSPafied

Got the good news today that I have passed my CISSP examination, which is a nice relief. Overall it was actually one of the most enjoyable exams I have done (spot the glutton for punishment), but I would like to pay homage to the fantastic job done by the folks at Firebrand Training, who are currently rebranding from The Training Camp.

I attended their 1-week CISSP boot camp, and really found it excellent in helping prepare for the exam. Obviously you need to have done some study before going, but the atmosphere in the Firebrand camp is perfect for getting you in the right frame of mind for the exam. I arrived in England on the Sunday evening (they also hold courses in Ireland and Germany). Sunday evening training runs 6-9pm, and then Mon-Fri is 8am-8pm. Saturday is revision and a practice exam, before the real 6-hour slog on the Sunday (but it should not take that long).

Apart from all the great people I met on the course, I would like to particularly thank Kevin Henry (the best teacher you could want for a course like this), and the Chefs at Firebrand for their fantastic food (especially one in particular for the lift home from the pub).

EDIT: Reading back over that, I should charge an advertising fee for it, it really is a ringing endorsement :)


Wednesday, September 19, 2007

Donations not welcome

There is a very interesting article over on the Washington Post related to the well-known security website CastleCops.com. The gist of the story is that CastleCops, which survived a month-long attack from hackers relatively unscathed, is now being attacked in the most unlikely way.

The hackers are using hundreds of compromised PayPal and eBay accounts to actually donate money to CastleCops (which is a voluntary organization). Payments are apparently between $1 and $2800. This is basically an attack on CastleCops' reputation, as right now CastleCops is accepting (albeit unintentionally) thousands of dollars in stolen funds. Needless to say CastleCops is working with PayPal to refund the money, but I would imagine that if this is being done in large volumes it could take quite some time to do.



Not every day that you have to scramble around trying to give away money, only to find you are continually making more despite your best efforts. I wonder if this is what Bill Gates has to go through.

More details can be found on CastleCops own page


Tuesday, September 18, 2007

Image Censoring on Websites

It is standard practice for most security / anti-virus sites to blur images in key locations before posting them in blogs. This helps to block offensive content, and more commonly the IP addresses/URLs where malicious content is hosted, so that readers cannot click or copy their way onto a live malware site. However, every now and then some other details slip out that are quite interesting. Look at the picture below that was posted on the McAfee Weblog.

Notice anything strange?



Anyone else find it funny that McAfee have icons for Norton Ghost (from Symantec) and ZoneAlarm (from CheckPoint) in the bottom corner? Don't get me wrong, they are both excellent products, but surely you should not be advertising your competitors on your own blog.
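The same redaction applies to the text of a post as to its screenshots: an IP or URL that is left readable is a live indicator that someone will click. The snippet below is an added example (mine, not code from this post, McAfee or Trend Micro) that "defangs" URLs and IPv4 addresses so they stay readable but are no longer clickable, and alternatively masks them outright, the text equivalent of the blur. The sample caption, the 203.0.113.x / 198.51.100.x addresses and malware.example.net are constructed placeholders, not real indicators.

```python
import re

# Constructed sample caption. The addresses are from the RFC 5737 documentation
# ranges and the hostname is a placeholder; none of them is a real indicator.
SAMPLE = ("Payload fetched from http://203.0.113.7/get.php?id=1, mirror at "
          "http://malware.example.net/tor.exe, C2 at 198.51.100.9:8080")

# scheme, host, and the rest of the URL (path/query), stopping at whitespace or a comma
URL_RE = re.compile(r"\b(https?)://([^\s/,]+)([^\s,]*)", re.IGNORECASE)
# a dotted-quad IPv4 address on its own (hosts inside URLs are handled by URL_RE first)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def defang(text):
    """Make URLs and IPs non-clickable while keeping them legible.

    http -> hxxp, https -> hxxps, and every dot in a host or IP becomes [.]
    """
    def _url(m):
        scheme = "hxxps" if m.group(1).lower() == "https" else "hxxp"
        return f"{scheme}://{m.group(2).replace('.', '[.]')}{m.group(3)}"

    text = URL_RE.sub(_url, text)
    # Any IP left over is a bare one outside a URL; the ones inside URLs are
    # already broken up by [.] and no longer match IPV4_RE.
    return IPV4_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


def refang(text):
    """Undo defang() for an analyst who actually needs the live indicator."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", "."))


def redact(text, mask="[REDACTED]"):
    """The blur equivalent: drop the host/path and bare IPs entirely."""
    text = URL_RE.sub(lambda m: f"{m.group(1)}://{mask}", text)
    return IPV4_RE.sub(mask, text)


if __name__ == "__main__":
    print(defang(SAMPLE))
    print(redact(SAMPLE))
```

Defanging keeps the indicator usable for readers who want to look it up, whereas redaction is the safer default when the post is aimed at a general audience; either way, run it over the caption and alt text as well as the image.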


Two Excellent Educational Videos

There's a very nice post over on MSNBC by Eric Chien of Symantec (who I had the good fortune to work with). It gives a nice overview of how a botnet works, how it infects people, etc. Go check it out here.


Another fantastic video I was introduced to during my recent CISSP course was http://www.warriorsofthe.net/ , a great description of how the internet works (it starts a bit cheesy, but is funny in places) for people who do not really know.


Friday, September 7, 2007

Pfizer stuck hard with SPAM

Someone should really go and edit the Wikipedia definition of Irony to include the following story:

http://www.wired.com/politics/security/news/2007/09/pfizerspam

I would be very surprised if there was anyone left in the online world today who has not received some sort of Viagra related spam in their lives. A quick glance at the Spam folder in my Gmail account has numerous offers for me to "Xtrasize" myself, or kindly offering to help me obtain "Meg@dik" status.



The fact that some of these mails are actually being sent, albeit unintentionally, from within Pfizer is just fantastic.

I wonder how many in their marketing department are infected :)

P.S. In my search for a Viagra spam image, I also came across this one (NSFW)


Thursday, September 6, 2007

NUWAR poses as TOR Proxy

This is also now up on the Trend Micro main blog

The next wave of the NUWAR worm is doing the rounds, with thousands of emails being sent to an email inbox near you. The worm acts in 2 waves. Firstly it sends out a wave of emails similar to the one below, purporting to offer downloads of Tor, the anonymising proxy.




If the user follows the link in the email, they will not be taken to the official site for the legitimate Tor application (http://tor.eff.org/), but will instead be redirected to a fake site that displays the following:



Once the user clicks the Download Tor button, they will be given a NUWAR variant, which is detected proactively as POSSIBLE_NUCRP-4 and has the file name Tor.exe. As with previous examples of this threat, the website also contains multiple exploits that attempt to download and run this file automatically, so simply visiting the page with an unpatched browser is enough. Once run, the threat is used to send mails to spread itself further, and then, as a second wave, sends spam intended to pump the share price of selected stocks. This is just the latest in a long line of social engineering ploys by the NUWAR creators, who have impersonated everything from e-cards to beta-test software and even YouTube videos.


Blog has moved

I have moved the technical part of my blog to new software on Blogger.com. The URL http://www.robertmcardle.com/blog/ now points to this blog (or at least it will shortly). I was getting fed up of some of the limitations of the old Wordpress software, and Blogger seems to have all of the features I am looking for. The old archives of content will still remain accessible at this location, although I might move over some of the key posts to this newer, swankier version.

My personal blog (the non-technical stuff such as holidays etc) will remain at its current URL for now, but I will be working on changing that shortly.


Monday, September 3, 2007

Happy Labor Day .. courtesy of the Russian Business Network

This is also posted (slightly changed) on Trend Micro Trendlabs

The next round of the NUWAR worm (Zhelatin, Storm, Peacomm) looks like this. You know the drill: avoid.

From: REMOVED
To: REMOVED
Subject: A Labor Day E-Card
Created: 09/03/2007 19:50:03

Here is the link to view your holiday greeting online: http://hallmark.com/07greetings/holiday?1eqj1pc77i5h0ldsp

SAMPLE 2

From: REMOVED
To: REMOVED
Subject: The Big Labor Day Weekend
Created: 09/03/2007 22:00:01

Here is a special greeting, to see it, click here: http://digitalcards.com/humor/laborg?i6n0oeup21bel7r

The actual links point to IP addresses registered to the Russian Business Network, not to the URLs shown in the message text. The landing pages have all of the usual exploits, so avoid them. This time around the keywords to watch for are anything related to "Labor Day" or "The Holidays". It is generally 1 line followed by a link (which will actually point to a different IP from the host displayed).

The webpages display the following image and prompt the user to download a file called labor.exe
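Both this campaign and the fake Tor download above rely on the same trick: the text the user sees is a plausible URL (hallmark.com, digitalcards.com, a Tor site) while the href underneath goes to a raw IP address the gang controls. That mismatch is mechanically detectable in an HTML mail body. The script below is an added example (mine, not Trend Micro's or anything from the original post) that pulls every anchor out of a message, compares the host in the visible link text with the host in the href, and flags bare-IP destinations. The sample HTML is constructed to mirror the Labor Day lure, and 203.0.113.45 is a documentation-range address standing in for the real RBN IP, which the post does not give.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed HTML body modelled on SAMPLE 2 above. The href IP is from the
# RFC 5737 documentation range, not the address used in the real campaign.
SAMPLE_EMAIL = """<html><body>
<p>Here is a special greeting, to see it, click here:
<a href="http://203.0.113.45/">http://digitalcards.com/humor/laborg?i6n0oeup21bel7r</a></p>
<p>Official site: <a href="http://tor.eff.org/">http://tor.eff.org/</a></p>
<p><a href="http://www.example.org/unsubscribe">Unsubscribe</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; tolerates text without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors that look like lures."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = host_of(href)
        if is_ip_host(href_host):
            reasons.append("href points at a bare IP address")
        # Only compare hosts when the visible text itself looks like a URL;
        # "click here" style text carries no host to compare against.
        if text.lower().startswith(("http://", "https://", "www.")):
            text_host = host_of(text)
            if text_host and text_host != href_host:
                reasons.append(f"visible text shows {text_host} but href goes to {href_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "<-", text)
        for r in reasons:
            print("   ", r)
```

The display/href comparison is the higher-value check: a bare IP in a link is unusual for a greeting-card site, but a visible hostname that differs from the destination is almost never legitimate. Plain-text mail clients sidestep this by showing the real URL, which is the same reason the samples above look so odd when the lure text is shown next to where it actually goes.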
