Whois Hijacking

Security Watch from PC Magazine - Squatters Jumping Claims To Domain Names: "Whois Hijacking"

Have you ever researched an Internet domain, waited a bit and then, when you go to buy it, it's gone? You may have been a victim of whois hijacking.

Through a mechanism not yet well understood, some domain squatters are able to get information on domain lookups, which are performed using a protocol named "whois". They use it to quickly—and automatically—register the domain. This practice is usually combined with domain tasting, so the domains may be available again before too long.

In the meantime, the squatters put up an ad page on the site. If it gets hits, they keep the site. They also usually put up a link through which you can buy the site from them (at a vastly higher price than if you had gotten it first).

What can you do? Until there is a good understanding of how the whois requests are intercepted, all you can do is to move quickly to register domains once you see they are free. It's likely that some domain-checking services are more secure than others, but there is no reliable way to tell which ones they are.

External Link

They're HEEEEERE!!!

Remember my rant about unstoppable rootkits? Guess what? Yup, you can unplug your Windows machine and use it for a planter now.

Rootkits get better at hiding | Tech News on ZDNet: "Rootkits get better at hiding"

Here's a copy of the text, in case the news article goes down some day:

A new Trojan horse is so good at hiding itself that some security researchers claim a new chapter has begun in their battle against malicious-code authors.

The new pest, dubbed "Rustock" by Symantec and "Mailbot.AZ" by F-Secure, uses "rootkit" techniques crafted to avoid the detection technology used by security software, Symantec and F-Secure said in recent analyses.

"It can be considered the first born of the next generation of rootkits," Elia Florio, a security response engineer at Symantec, wrote in a blog late last month. "Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used."

Rootkits are considered an emerging threat. They are used to make system changes to hide software, which may be malicious. In the case of Rustock or Mailbot.AZ, rootkit technology was used to hide a Trojan horse that opens a backdoor on an infected system, putting it at the beck and call of an attacker, according to Symantec.

In their continuing race with security software makers, the creators of this latest rootkit appear to have looked closely at the inner workings of detection tools before crafting their malicious code, said Craig Schmugar, virus research manager at McAfee, which calls the pest "PWS-JM."

"Security companies are trying to stay one step ahead of the bad guys, but the bad guys already have the technology that is available from the security vendors," he said. "A number of techniques have been combined to really strengthen and harden this particular threat. They have done a pretty good job at closing all the doors."

The mixture of cloaking methods makes Rustock "totally invisible on a compromised computer when installed," including on a PC running an early release of Windows Vista, Symantec's Florio wrote. "We consider it to be an advanced example of stealth by design malicious code."

To avoid detection, Rustock runs no system processes, but runs its code inside a driver and kernel threads, Florio wrote. It also uses alternate data streams instead of hidden files and avoids using application programming interfaces (APIs). Today's detection tools look for system processes, hidden files and hooks into APIs, according to Florio's post.

Additionally, Rustock defeats rootkit detectors' checks for the integrity of some kernel structures and the detectors' efforts to detect hidden drivers, Florio wrote. Furthermore the SYS driver the rootkit uses is polymorphic and changes its code from sample to sample, according to the blog posting.

Still, chances of people being attacked by this rootkit and its malicious Trojan horse payload are slim, experts said. "People are blogging about it not because it is highly prevalent, but because of the challenges it poses to existing rootkit detection tools," Schmugar said. Symantec and F-Secure also both state the threat is not widespread.

F-Secure updated its BlackLight rootkit detection tool that can detect current versions of the pest, the company said in a blog. Symantec and McAfee are still working on tools to detect and remove rootkits from computers.

External Link

The Newbie's Guide to Detecting the NSA

27B Stroke 6:
The Newbie's Guide to Detecting the NSA
It's not surprising that an expert hired by EFF should produce an analysis that supports the group's case against AT&T. But last week's public court filing of a redacted statement by J. Scott Marcus is still worth reading for the obvious expertise of its author, and the cunning insights he draws from the AT&T spy documents.

An internet pioneer and former FCC advisor who held a Top Secret security clearance, Marcus applies a Sherlock Holmes level of reasoning to his dissection of the evidence in the case: 120-pages of AT&T manuals that EFF filed under seal, and whistleblower Mark Klein's observations inside the company's San Francisco switching center.

If you've been following Wired News' coverage of the EFF case, you won't find many new hard revelations in Marcus' analysis -- at least, not in the censored version made public. But he connects the dots to draw some interesting conclusions:

* The AT&T documents are authentic. That AT&T insists they remain under seal is evidence enough of this, but Marcus points out that the writing style is pure Bell System, with the "meticulous attention to detail that is typical of AT&T operations."

* There may be dozens of surveillance rooms in AT&T offices around the country. Among other things, Marcus finds that portions of the documents are written to cover a number of different equipment rack configurations, "consistent with a deployment to 15 to 20" secret rooms.

* The internet surveillance program covers domestic traffic, not just international traffic. Marcus notes that the AT&T spy rooms are "in far more locations than would be required to catch the majority of international traffic"; the configuration in the San Francisco office promiscuously sends all data into the secret room; and there's no reliable way an analysis could infer a user's physical location from their IP address. This, of course, directly contradicts President Bush's description of the "Terrorist Surveillance Program."

* The system is capable of looking at content, not just addresses. The configuration described in the Klein documents -- presumably the Narus software in particular -- "exists primarily to conduct sophisticated rule-based analysis of content", Marcus concludes.

My bullet points don't come close to conveying the painstaking reasoning he lays out to back each of his conclusions.

Perhaps the most interesting -- and, in retrospect, obvious -- point Marcus makes is that AT&T customers aren't the only ones apparently being tapped. "Transit" traffic originating with one ISP and destined for another is also being sniffed if it crosses AT&T's network. Ironically, because the taps are installed at the point at which that network connects to the rest of the world, the safest web surfers are AT&T subscribers visiting websites hosted on AT&T's network. Their traffic doesn't pass through the splitters.

With that in mind, here's the 27B Stroke 6 guide to detecting if your traffic is being funneled into the secret room on San Francisco's Folsom street.

If you're a Windows user, fire up an MS-DOS command prompt. Now type tracert followed by the domain name of the website, e-mail host, VoIP switch, or whatever destination you're interested in. Watch as the program spits out your route, line by line.

C:\> tracert nsa.gov

1 2 ms 2 ms 2 ms 12.110.110.204
[...]
7 11 ms 14 ms 10 ms as-0-0.bbr2.SanJose1.Level3.net [64.159.0.218]
8 13 12 19 ms ae-23-56.car3.SanJose1.Level3.net [4.68.123.173]
9 18 ms 16 ms 16 ms 192.205.33.17
10 88 ms 92 ms 91 ms tbr2-p012201.sffca.ip.att.net [12.123.13.186]
11 88 ms 90 ms 88 ms tbr1-cl2.sl9mo.ip.att.net [12.122.10.41]
12 89 ms 97 ms 89 ms tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
13 89 ms 88 ms 88 ms ar2-a3120s6.wswdc.ip.att.net [12.123.8.65]
14 102 ms 93 ms 112 ms 12.127.209.214
15 94 ms 94 ms 93 ms 12.110.110.13
16 * * *
17 * * *
18 * *

In the above example, my traffic is jumping from Level 3 Communications to AT&T's network in San Francisco, presumably over the OC-48 circuit that AT&T tapped on February 20th, 2003, according to the Klein docs.

The magic string you're looking for is sffca.ip.att.net. If it's present immediately above or below a non-att.net entry, then -- by Klein's allegations -- your packets are being copied into room 641A, and from there, illegally, to the NSA.

Of course, if Marcus is correct and AT&T has installed these secret rooms all around the country, then any att.net entry in your route is a bad sign.

External Link

Novell ZENworks and Groupwise on the chopping block. Literally.

Novell's 66 yr old CEO was asked to step down. While Novell's revenue on Linux is only at 4%, the future of Suse Linux is secure. However, don't count on ZENworks and GroupWise being around much longer.

Excerpt:
Last fall, these investors wanted Novell to divest its "noncore businesses," such as ZENworks, GroupWise and Cambridge Technology Partners. Both also want Novell to become more of a leader in Linux and identity management through joint ventures and selective acquisitions.

Given this public opposition and Novell's recent lackluster financial results, few were surprised when the board dropped the ax on Messman. The former CEO himself though had intended to stay the course.

Here's the full article:
http://www.eweek.com/article2/0,1895,1980300,00.asp

External Link