Options to put a stop to the latest mutation of the Pushdo trojan
The Pushdo bot is a malevolent little beast that is nothing new to Infosec
professionals. What might be new, however, is that it recently changed its
code and now creates junk SSL connections. Lots of them.
I mean you are likely seeing an unexpected increase in traffic by several
million hits spread out across several hundred thousand IP addresses. No, you
didn't read that wrong: that is millions of hits and hundreds of thousands of
IP addresses. This might be a big deal if you're used to only getting a few
hundred or thousand hits a day, or you don't have unlimited bandwidth.
Pushdo is usually classified as a "downloader" trojan - meaning its true
purpose is to download and install additional malicious software.
(SecureWorks, Analysis of a Modern Malware Distribution System...
This is a two-part blog post that discusses HTML5 WebSocket and security. In
this, the first post, I will talk about the security benefits that come from
being HTTP-compatible and the WebSocket standard itself. In the second post
(coming soon) I will highlight some of the extra security capabilities that
Kaazing WebSocket Gateway offers, things that real-world WebSocket
applications will want to be fully secure.
A WebSocket connection starts its life as an HTTP handshake, which then
upgrades in-place to speak the WebSocket wire protocol. As such, many
existing HTTP security mechanisms also apply to a WebSocket connection —
one of the reasons why the WebSocket standard deliberately chose the strategy
of being HTTP compatible.
Unified HTTP and WebSocket Security
Thanks to the HTTP/WebSocket unified security model, the following is a list
of some standard HTTP securit...
The current threat level is … the same as it was yesterday, and the day
before, and will be tomorrow.
We’ve all been in the airport before and heard the announcement. “The
current threat level is orange. Blah blah blah blah yada yada whatever.” At
least that’s what I hear today because I’ve become immune to the fact
that “orange” means there’s a threat. There’s always a threat, it
seems, and the announcement simply conveys what appears to many of us to be
the “status quo.” We have effectively been desensitized to a “higher”
threat level as it is now treated as nothing out of the ordinary. It is the
norm, rather than something that grabs our attention.
The same is true in the enterprise, where the threat level is always high.
Although most organizations likely don’t have a “threat level
announcement” the effect is the same: personnel and infrastructure alike
Purple WiFi, the cloud-based Social WiFi software company, has added Presence
Analytics and Location Based Services to its Guest WiFi product.
Presence Analytics bridges the gap between Google Analytics and the real
world, offering real time data and reporting using WiFi technology, similar
to how cookies track user browsing online.
This arms the venue with an unprecedented level of insight into consumer
behaviour and opportunities to engage customers directly. Purple WiFi already
serves demographic and engagement information from users to the venue through
its Purple Portal, which allows the business to understand who is visiting
and using the hotspot, how long they are online, as well as their age, gender
and any other relevant information that they offer in their social networking
Purple WiFi's Presence Analytics feature also incorporates Customer Trackin...
Fernando Bermejo is giving a Berkman lunchtime talk titled “Mapping Online
Advertising: From Anxiety to Method.” He says that people sometimes hear
that he researches advertising and assume that he works for advertisers and
wants to improve advertising. In fact, his interests are scholarly. He’s
going to talk about the dynamics and logic of online advertising. (The
subtitle of his talk is a reference to Devereaux.)
NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key
information. Introducing artificial choppiness. Over-emphasizing small
matters. Paraphrasing badly. Not running a spellchecker. Mangling other
people’s ideas and words. You are warned, people.
He begins with the John Wanamaker (1838-1922) quote: “Half of the money I
spend on advertising is wasted. The trouble is, I don’t know which
half.” It’s the most repeated sentence in adverti...
In the wake of Google’s revelation that its GMail service had been
repeatedly attacked over the past year the search engine goliath announced it
would be moving to HTTPS (HTTP over SSL) by default for all GMail
connections. For users, nothing much changes except that all communication
with GMail will be encrypted in transit using industry standard SSL,
regardless of whether they ask for it by specifying HTTPS as a protocol or
not. In the industry we generally refer to this as an HTTPS redirect, and
it’s often implemented by automatically rewriting the URI using a load
balancing / application delivery solution.
Widely regarded as a good idea, and I’m certainly not disagreeing with
that opinion, SSL secures data exchanged between the client and the server by
encrypting every request and response using a private/public key exchange.
This is a Good Idea and the gener...
A recent blog on EBPML.ORG entitled “REST 2010 - Where are We?” very
aggressively stated: “REST is just a "NO WS-*" movement.” The arguments
presented are definitely interesting but the most compelling point made is in
the way that REST APIs are constructed, namely that unlike the “ideal”
REST API described where HTTP methods are used to define action (verb) and
the path the resource (noun), practical implementations of REST are using a
strange combination of both actions (verbs) and resources (nouns) in URIs.
What this does is simulate very closely SOA services, in which the endpoint
is a service (resource) upon which an action (method) is invoked. In the case
of SOAP the action is declared either in the HTTP header (old skool
SOAPaction) or as part of the SOAP payload. So the argument that most REST
APIs, in practice, are really little more than a NO WS-* API is fa...
Web 2.0 is as much about integration as it is interactivity. Thus it’s no
surprise that an increasing number of organizations are including a feed of
their recent Twitter activity on their site. But like any user generated
content, and it is user generated after all, there’s a potential risk to
the organization and its visitors from integrating such content without
A recent political effort in the UK included launching a web site that
integrated a live Twitter stream based on a particular hashtag. That’s a
fairly common practice, nothing to get excited about. What happened, however,
is something we should get excited about and pay close attention to because
as Twitter streams continue to flow into more and more web sites it is likely
to happen again.
Essentially the Twitter stream was corrupted. Folks figured out that if they
Stateless applications may be the long term answer to scalability of
applications in the cloud, but until then, we need a solution like sticky
Amazon recently introduced “stickiness” to its ELB (Elastic Load
Balancing) offering. I’ve written a bit about “stickiness”, a.k.a. what
we’ve called persistence for oh, nearly ten years now, before so I won’t
reiterate it again, except to say, “it’s about time.” A description of why
sticky sessions are necessary was offered in the AWS blog announcing the new
Up until now each Load balancer had the freedom to forward each incoming HTTP
or TCP request to any of the EC2 instances under its purview. This resulted
in a reasonably even load on each instance, but it also meant that each
instance would have to retrieve, manipulate, and store session data for each
request without any possible benefit from lo...
Firesheep screengrab from http://codebutler.com/firesheep
Firesheep is a great new plugin that works in the Firefox browser. It is
easy for you to install, easy to run, and gives you, and just about anyone
else, the power to do pure evil using just your browser and a laptop.
With this post I’ll explain some of this evil and offer some thoughts on
what it means for CTOs.
First a bit about the code itself, from the author:
When logging into a website you usually start by submitting your username and
password. The server then checks to see if an account matching this
information exists and if so, replies back to you with a “cookie” which
is used by your browser for all subsequent requests.
It’s extremely common for websites to protect your password by encrypting
the initial login, but surprisingly uncommon for websites to encrypt
everything else. This leaves the cookie...
A rarely mentioned obstacle when attempting to duplicate or migrate
enterprise-class applications is IP-dependency. Not just topological
dependencies that are easily addressed with dynamic routing and switching
protocols in conjunction with a boot script, but internal dependencies –
the ones so deeply embedded in the application’s “identity” that to
change the IP address is to break the installation and render it useless.
These are the applications that, upon asking for an exported image for
testing purposes, virtualization experts will tell you is far more efficient
to start from scratch, because the IP dependency issue will cause more
trouble in the long term than simply starting over. Moving such an
application to a public cloud is nearly impossible due to this restriction,
and any bursting or data center extension model is out of the question. This
is also a pr...