Silicon Shecky

Infosec Practitioner


This week and some thoughts on Kaspersky

October 13, 2017 By Michael Kavka Leave a Comment

Interesting week this week for me. I uploaded a few new PowerShell scripts to my GitHub. Mind you, while changing telephone numbers or unchecking an attribute box in AD is not sexy security, these scripts do show how to do some manipulation. The attribute box for "Deny this user permission to log on to Remote Desktop Session Host server" is the more interesting one, because PowerShell has to manipulate the object through LDAP instead of the normal AD cmdlets. That is because, in the normal AD schema, this setting is buried inside a single attribute that covers a bunch of odds and ends, and it is tough to manipulate otherwise. The idea of manipulating AD through LDAP does leave open the question of whether LDAP bugs are exploitable through PowerShell, and how easy that would be. It also means you have to make sure that some sort of LDAP logging is on, as some of the smaller attributes might not have their changes logged by AD into the Windows Event Logs. I am going to investigate that further.
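To make the LDAP-versus-cmdlet point concrete, here is an added example (my own illustration, not one of the scripts on the author's GitHub) of toggling that checkbox. The checkbox is not a normal AD attribute: it is packed into the userParameters blob, so Get-ADUser/Set-ADUser cannot address it directly, and the ADSI provider is used instead, which exposes it as the IADsTSUserEx property "AllowLogon" (1 = allowed, 0 = denied). The script name Set-RdsDeny.ps1 and the account jdoe are assumptions for the usage line.

```powershell
# Added example: flip "Deny this user permissions to log on to Remote Desktop
# Session Host server" through ADSI/LDAP and read the value back to verify.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. jdoe (constructed)
    [Parameter(Mandatory)] [bool]   $DenyRemoteDesktop # $true = tick the Deny box
)

Import-Module ActiveDirectory -ErrorAction Stop

# Use the AD module only to resolve the DN, then bind to the object over LDAP,
# because the TS properties are not exposed by the AD cmdlets.
$adUser   = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
$ldapPath = "LDAP://$($adUser.DistinguishedName)"
$ldapUser = [ADSI]$ldapPath

# AllowLogon lives inside userParameters; InvokeGet/InvokeSet go through the
# IADsTSUserEx interface that knows how to unpack and repack that blob.
$before  = [int]$ldapUser.InvokeGet('AllowLogon')
$desired = if ($DenyRemoteDesktop) { 0 } else { 1 }

if ($before -ne $desired) {
    $ldapUser.InvokeSet('AllowLogon', $desired)
    $ldapUser.SetInfo()   # commit the modified userParameters to the DC
}

# Re-bind so the read-back reflects what the DC actually stored, not the cache.
$after = [int]([ADSI]$ldapPath).InvokeGet('AllowLogon')

[pscustomobject]@{
    User             = $SamAccountName
    AllowLogonBefore = $before
    AllowLogonAfter  = $after
    Changed          = ($before -ne $after)
}
```

Usage: `.\Set-RdsDeny.ps1 -SamAccountName jdoe -DenyRemoteDesktop $true`. On the logging concern raised above: because the write lands in userParameters, a domain controller with the "Audit Directory Service Changes" subcategory enabled and an auditing SACL on the object records a Security log event 5136 naming userParameters as the modified attribute, not "AllowLogon"; with that subcategory off, the change leaves no trace in the Windows Event Logs at all.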

One of the big things going on in our world is the whole Kaspersky debacle. So much information and/or misinformation has been floating around, that it really feels to me like a lot of this is PR posturing by the U.S. Government. What I want to point out is a few things.

  1. The data that was found using Kaspersky was not on a government machine. This was another contractor who took classified materials out of the NSA and back to his house. This is important, as we do not know the motives of this contractor. Yes, I am going to go a little tin foil hat here, but what if it was a setup? What if said contractor intended for the data to get swiped from his home machine? I am not saying this is the case, but it is a possibility.
  2. The source proving the Russians used Kaspersky to do this exfiltration was Israel. More specifically, Israeli hackers who had hacked into Kaspersky’s network. Think about that. If the Israelis hacked into Kaspersky’s network, why must Kaspersky have worked intentionally with the Russian government? Now, Kaspersky being hacked is a black eye on the company, but we all know that there is no perfect security and anything can be hacked.
  3. Vendors work with Governments. Period. NSA had RSA put in a backdoor into its encryption. McAfee and Symantec have at times worked with the U.S. Government. It is a fact of life.
  4. Reuters reported that German intelligence found no evidence of Kaspersky software used for hacking. Now we start getting back into a he said/she said about what has happened.
  5. With all the cloud systems out there, this same hack is possible to do using Symantec, McAfee or any other AV vendor.

Now I am not saying that there are not issues, trust issues that Kaspersky has to work through, but this is the good ol’ U.S.A. here. We forgive Target, Home Depot, soon Equifax, and all these other breaches of our own personal data. Keeping Kaspersky off government machines I can understand, but it is still one of the top AV vendors and I will continue to recommend their software for home users until I see better proof not to. Remember, in this day and age it is all about who you want to have the data, and in the end it is probably everyone who does have it.

Filed Under: Rants, Security, Software Tagged With: Kaspersky, Powershell

TDL-4: Is it the Godfather of Botnets?

July 5, 2011 By Michael Kavka Leave a Comment

“I’ll make them an offer, they can’t refuse.” Remember that line? Well it seems that the TDL-4 botnet is using the same line, and very effectively.

TDL-4 has over 4.5 million zombies according to recent reports. It removes malware it doesn’t like. It hides in the MBR of a machine, making it difficult to remove. All of these statements have been going around, and you can read more about the inner workings of TDL-4 all over the web. Kaspersky has a really good look at it. All that said, why am I looking at this phenom of a botnet, the botnet they claim is nigh indestructible?

To tell the truth, I’m looking at this from another angle. You see the ads on the sidebar of my page (unless you have an ad blocker). Yes, I put ads up on my site in hopes of someone clicking on an ad and then purchasing from the site. It’s called affiliate marketing. I get a kickback if anyone does. I personally would love for those ads to pay for this blog, but so far I haven’t made a cent. That is fine; this blog isn’t going away, and that is not the point of my rambling. The point is affiliate marketing.

Affiliate marketing is used by some people to great success. There are people who make millions of dollars per year through affiliate marketing. There are states writing laws to stop online companies from not paying taxes, claiming that affiliate marketing means the company has a physical presence in their state. It’s a big deal.

This brings us back to TDL-4. TDL-4 is not only a nasty, nasty bug, but it gets spread through its own form of affiliate marketing in the underworld. In fact, affiliates can get anywhere from $20 to $200 per 1,000 infections according to the Kaspersky article. These affiliates can get credit for infections through multiple methods: man-in-the-middle hijacking, fake ads, phishing scams, you get the picture.

So the botnet expands, the criminals all get a chunk of the cash, and we, the normal users, get stuck with PCs that wind up slow or mail servers that wind up blacklisted. It becomes a headache for IT. We can patch, run antivirus, have firewalls, and follow best practices to our hearts’ content, and we are still going to be vulnerable. We need some way of getting ahead of the curve on the whole issue. Unfortunately, that would rely on companies being forthcoming about their shortcomings and letting people see code. That isn’t going to happen for a long time. So instead, TDL-4 will keep making deals the criminals can’t refuse.

Filed Under: Rants, Security Tagged With: Affiliate Marketing, Botnet, Kaspersky, Security, TDL4

Can’t see a website… OOOPS thanks Kaspersky

May 18, 2011 By Michael Kavka Leave a Comment

Don’t you hate it when you can’t see a website? I know it drove me crazy for a few days. Then I checked my security software settings.

I was trying to check out a couple of websites recommended to me, and couldn’t see them on one of my machines. The laptop was fine, but my desktop would just show a blank page. As the pirate who had a steering wheel attached to him said, “It was driving me nuts.” I knew it was something on the desktop that I had either installed for testing or had set wrong. Turns out I was half right.

I use the Kaspersky Internet Security suite on my machines, love it, and recommend it to people. Its technology has allowed me to watch it block drive-by download attempts. So I decided a long while ago to tighten the security down on my desktop. It worked really well, but the banner ad blocker was the thing keeping me from a website run by a marketing company, which had an article I wanted to see. Once I went in and whitelisted the URL it was fine, but man, what a way to find out something works, and works well.

Filed Under: Internet/Music, Rants, Security Tagged With: Banner Ads, Kaspersky, Security, Websites
