Many commercial websites may be attacked to overwrite or delete stored preferences, session identifiers, authentication data, cart contents – with results ranging from minor annoyances to a possibility of fraudulent activity, depending on site design (bugs #1 and #2).

On sites where authentication data is tied on a server to a session ID, the attacker may be able to acquire credentials by tricking the visitor into authenticating within a session initiated by the attacker (bugs #1 and #2).

Some websites may be susceptible to malicious-activity-by-proxy attacks (bug #3).

There is no immediate universal threat to life as we know it, but numerous web scripts are an easy target of specific variants of the attacks described below.

Read the full paper by Michal Zalewski on Astalavista.
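The second bullet describes session fixation: a session ID the attacker already knows is later bound to the victim's credentials. The usual server-side defence is to accept only server-minted session IDs and to rotate the ID at login. The following is an added example of that defence, not code from Zalewski's paper; the `SessionStore` class and `fixation_scenario` function are hypothetical names.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)   # e.g. cart contents, preferences


class SessionStore:
    """Server-side session table. IDs are only ever minted here; an ID arriving
    in a cookie that this store never issued is ignored and replaced."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _mint(self, session: Session) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable, server-chosen
        self._sessions[sid] = session
        return sid

    def resolve(self, cookie_sid: Optional[str]) -> str:
        """Return the session ID to use for this request. A missing or unknown
        cookie value (such as one planted by a cross-site cookie write) gets a
        fresh server-issued ID instead of being adopted."""
        if cookie_sid is not None and cookie_sid in self._sessions:
            return cookie_sid
        return self._mint(Session())

    def login(self, sid: str, user: str) -> str:
        """Bind credentials to a NEW session ID and drop the old one, so an ID
        learned before login never becomes an authenticated session."""
        old = self._sessions.pop(sid, Session())
        return self._mint(Session(user=user, data=old.data))

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session.user if session else None


def fixation_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Constructed walk-through: a pre-set ID must not become authenticated."""
    store = SessionStore()
    planted = store.resolve(None)            # ID the attacker knows and plants in the victim's cookie
    victim_sid = store.resolve(planted)      # victim's request carries it; still unauthenticated
    victim_sid = store.login(victim_sid, "alice")   # login rotates the ID
    return store.user_for(planted), store.user_for(victim_sid)   # (None, "alice")
```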


On a personal note

This blog has mainly been a place where I have shared interesting stories I have found while surfing the net.  I've built a strong readership (a steady 1000-1500 unique readers a day), so you must like my choice of news.  I've created a new category called “Personal Note” where, when I can find the time, I will give some reflections and insights as a security consultant implementing a SIM product (Security Information Manager).  I will still keep up the stuff you've grown to love, but am ready to give more back to the community.

This week I have been in Washington, D.C. training for the SIM product NeuSecure, the product that I will be consulting with for my new job.  The product was originally developed by a company called Guarded.Net, which was purchased by Micromuse (makers of Netcool) in the fall of 2005.  The marriage was a good fit, since gathering security data and network health data have the same topology: gather data from numerous devices and give meaningful output.  Micromuse is now in the process of being bought by IBM and will be a division of the Tivoli team.

What I want to focus on today is how amazing NeuSecure is.  I've used ArcSight and a few other SIMs and log aggregators before, so I knew what I was getting into.  However, now that I know the power under the hood, my mouth is watering to go install this puppy everywhere.  The logic is dead-on when it comes to correlating data from firewalls, NIPS, HIPS, routers, vulnerability scanners, virus scanners, spam blockers, content filters, VPN concentrators, identity management systems, physical security, server logs, wireless APs, wireless IPS… name it, NeuSecure can do it.  It not only puts all the data together properly, it decides who the “bad” guy is through a complex series of statistical correlation, frequency analysis, susceptibility correlation, and rules engines to find the needle in the haystack.  Truly amazing stuff.

What's also impressive is the client list.  While I can't give you exact numbers, let me tell you that a good majority of federal and military organizations use NeuSecure.  In fact, we just landed a deal with the Navy and EyakTek.  Many large telecoms and Fortune 500s use it too.  And this was with Guarded.Net, a small 50-person start-up.  Think what we will be able to do at IBM!

I think that my career has progressed forward and has led me to a nice pinnacle.  I have been installing and configuring security point products my entire career.  I spent the last few years architecting those solutions.  Now I am gathering data from hundreds or thousands of security point products and am able to see all the data.  It's the crown jewels of security analysis for large operations.

I would love to get some more feedback on my personal notes, so feel free to post your opinion and tell me what you think.  I will be relating more personal notes soon.  Next week I will be at an Army base on the East Coast.  I'll let you know how that goes.  I hope I didn't come across too much like a corporate cheerleader, but I'm very excited about my new job.

PS – I will be at the RSA Conference.  Come find me at the Micromuse booth!

Boot Loader for PSP 2.5

Fanjita states: “We finally made a more solid breakthrough with the EBOOT loader for GTA tonight. Not only does the menu now work properly, but I've also managed to run the uo_SNES9x emulator, and play the Pilotwings ROM (the only one I have), on both v2.0 and v2.5.”

This package allows you to run some standard PSP homebrew on any version of Grand Theft Auto, and PSP firmware version v2.0, v2.01 and
It's an initial test of the loader that doesn't support the full range of homebrew, but works well enough for an initial release.

It does NOT run on v2.60 firmware.

Please note also the new name for the EBOOT Loader – eLoader.


wxRipper v1.2 and wx360 v1.6

Gael360 released a new version of his tools to dump Xbox 360 discs with a PC DVD drive using a hot-swap method (meaning you'll have to open your drive – see previous news). This is a translation from French to English of what he said on the gueux forums about the new release:

I just released a big update of my tools; you will now be able to find the 'magic number' immediately, without having to scan an unknown Xbox 360 DVD.

So there's no longer a difference between known and unknown games, they will all be detected/dumped the same way.

The advantage of this method is that you will be able to use wx360 directly to open the content of the DVD without having to dump it first. After doing the hot-swap you'll just have to open wx360, select the DVD drive and click the DVD icon.

wxRipper will thus have a feature to find the 'magic number' immediately, without scanning the Xbox 360 DVD. The features related to dumping did not change.

Nyxem worm spreading quickly

The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia.

If the worm keeps this pace, Friday the 3rd of February might be nasty – that's when the destructive payload is programmed to strike for the first time.

From Kaspersky:

We've just issued an alert for Nyxem.e, due to the number of reports we've been receiving for the past few days but also because of its destructive payload, which activates on the 3rd of every month.

According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (e.g.) Russia is becoming very small.

With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on the 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it's too late.

Sunbelt Blog does a good job of telling us why Nyxem is so bad.

Botmaster going down

James Ancheta, aka “Resjames” or “Botmaster”, pleaded guilty in Los Angeles yesterday to running a botnet and selling bots.

He faces up to six years in prison. He will also have to pay restitution and give back about $60,000 and his BMW, bought with botnet money.

Ancheta was active in 2004. With another bot herder known as “SoBe”, they infected more than 400,000 computers.

They were making money by selling bots to spammers, and by signing up as affiliates in adware install programs run by Gammacash and Loudcash (both are owned by 180Solutions nowadays). This way they earned money every time they installed an adware program on an infected machine.

James Ancheta seems to be offline nowadays, but you can still find some of his old forum posts via Google. In this thread he had just rented a dedicated server from Sagonet, which he then used to run the IRC server that controlled his bots.

The court papers make a fascinating read, with snippets like these:

From F-Secure.