Up and Coming: Detecting Malice
Next book to read: RSnake's Detecting Malice e-book.
Every day hackers are stealing millions from websites, and this is the book that will help you detect it happening on yours. Detecting Malice was written to help website administrators, developers, operations personnel and security product managers build and maintain a higher security posture. Understanding user intent is the cornerstone for reducing fraud ratios in modern web applications. From retail to government, this book covers many different realms of fraud and how to detect it at many different technical layers. From DNS and TCP to embedded content and browser fingerprinting techniques, it is possible to identify users who are most likely to become dangerous, often before it actually happens. A plethora of tools and techniques are all available to you within the 300+ pages of this book.
Available for only USD$39.95, with free future updates for this book too.
(Spear-)Phishing the weakest link in the chain

Here phishy phishy phishy
Found this ZDNet article talking about a recent study on spear-phishing, which doesn't sound good at all:
A recently conducted ethical phishing experiment impersonating LinkedIn by mailing invitations coming from Bill Gates, has achieved a 100% success rate in bypassing the anti-spam filters it was tested against.
(Have yet to read the articles and papers in detail, but I thought I'd share it first.)
Phishing and (its deadlier cousin) spear-phishing have been out in the wild for a very long time already, but they continue to be effective against users because:
- "Some" users don't exhibit caution and/or common sense when clicking on links, allowing themselves to be manipulated into giving away their credentials
- Others who are careful can never be vigilant all the time
Security has always relied on the combination of both people and technology in order to be effective. In the past, technological vulnerabilities meant that programs were the main target for the malicious, but as technology improves, the human user is often the weakest link in the chain, hence the many attacks relying on human silliness/carelessness.
There are plenty of efforts to make it easier to detect/prevent the phishing attack on the user, but it is still very much an arms race (the race to list the bad sites versus churning these sites out as fast as possible). And even if it were somehow possible to flag ALL phishing sites, as long as people retain full use of their computers (we tend to not like systems where we don't know or have control over what's happening, like Windows...), there will always be the group that clicks "Allow" when prompted "Danger! Would you like to allow action?".
For now, keep the common sense when using the computer. Don't just happily do something (like logging in) whenever a seemingly legit page asks you for it. Pause and think first.
Beware of the Evil Maid
Invisible Things Lab (founded by Joanna Rutkowska, who came up with the controversial Blue Pill) has released the Evil Maid tool. This tool is aimed at grabbing the passphrase needed to decrypt entire hard drives encrypted with TrueCrypt.
The simplest mitigation from their list would be to physically secure the laptop when left unattended (i.e. shut it down and lock it up). In addition, it's a good idea to remove external drives from the BIOS boot sequence, and to set the BIOS to ask for a password whenever it boots up.
There's another thing that can be done by the end user, though that needs to be properly managed too. Read the entry for details.
How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC's function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
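Since the attack rewrites the unencrypted boot region (those first 63 sectors) while leaving the MBR signature intact, the user-side mitigation mentioned above comes down to recording a baseline of that region and re-checking it after the laptop has been out of sight. The following is an added example of such a check, not Invisible Things Lab's or TrueCrypt's code; the disk path and baseline file name are hypothetical, and the sample boot regions are constructed inline.

```python
"""Baseline-and-verify the unencrypted boot region an Evil Maid style tool
rewrites. Added example, not Invisible Things Lab's or TrueCrypt's code.
On a live system the disk would be /dev/sda (read-only open, needs root);
the baseline must live off the machine (e.g. a USB stick the owner keeps),
or an attacker with disk access could simply refresh it too."""
import hashlib
import json
import sys

SECTOR = 512
BOOT_SECTORS = 63                     # region the tool reads and rewrites
BOOT_REGION = SECTOR * BOOT_SECTORS


def fingerprint(region: bytes) -> dict:
    """Hash each of the 63 sectors and note whether the MBR signature is intact."""
    if len(region) < BOOT_REGION:
        raise ValueError("need at least %d bytes" % BOOT_REGION)
    sectors = [region[i:i + SECTOR] for i in range(0, BOOT_REGION, SECTOR)]
    return {
        "mbr_signature_ok": region[510:512] == b"\x55\xaa",   # 0x55AA at offset 510
        "sector_sha256": [hashlib.sha256(s).hexdigest() for s in sectors],
    }


def changed_sectors(baseline: dict, current: dict) -> list:
    """Indices of sectors whose hash differs from the recorded baseline."""
    pairs = zip(baseline["sector_sha256"], current["sector_sha256"])
    return [i for i, (old, new) in enumerate(pairs) if old != new]


def read_boot_region(path: str) -> bytes:
    """Read the first 63 sectors of a disk or image; never writes."""
    with open(path, "rb") as f:
        return f.read(BOOT_REGION)


# Constructed sample data: a clean boot region, and a copy in which sector 5
# has been rewritten (a hooked loader; the 0x55AA signature is untouched).
CLEAN_REGION = bytes(range(256)) * (BOOT_REGION // 256)
CLEAN_REGION = CLEAN_REGION[:510] + b"\x55\xaa" + CLEAN_REGION[512:]
TAMPERED_REGION = CLEAN_REGION[:5 * SECTOR] + b"\x90" * SECTOR + CLEAN_REGION[6 * SECTOR:]

if __name__ == "__main__":
    # usage: evilmaid_check.py baseline <disk>  (save output as baseline.json)
    #        evilmaid_check.py verify <disk> baseline.json
    mode, disk = sys.argv[1], sys.argv[2]
    current = fingerprint(read_boot_region(disk))
    if mode == "baseline":
        print(json.dumps(current))
    else:
        with open(sys.argv[3]) as f:
            diff = changed_sectors(json.load(f), current)
        print("boot region unchanged" if not diff else "MODIFIED sectors: %s" % diff)
```

A hash mismatch only tells you the loader changed, not what changed; the point is to get a yes/no answer before typing the passphrase into a loader you no longer trust.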
Edit: More discussion at Schneier's blog post.