Chinese Hard Drive Manufacturer Embeds Trojan

“Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.”

“The affected hard discs are Maxtor Basics 500G discs.”

“The bureau said that hard discs with such a large capacity are usually used by government agencies to store databases and other information.”

“Sensitive information may have already been intercepted by Beijing through the two Web sites, the bureau said.”

source: http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202

This sounds rather sensational, eh? I certainly hope it is.

Let's start with the “carried two Trojan horse viruses” part. This is a common mistake made by writers who know little about technology or information security. The word “viruses” is incorrect: to qualify as a virus, malicious software needs a mechanism to propagate itself. (autorun.inf is not even a program: it is the text file Windows reads when a drive is connected, telling it what to launch.) As best I can tell from the articles, this is just a run-of-the-mill Trojan.

Next, the bureau seems to believe that a hard drive shipped to a defense contractor or government agency wouldn't be formatted before being put into production. I will admit that from time to time large organizations can seem inept (none of us is as dumb as all of us), but policy and procedure should be in place to prevent things like this.
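As an added example (not from the article or the bureau's report), here is what that policy amounts to in practice: before a newly received drive goes anywhere near production, look at it for an autorun.inf that would launch something the moment it is plugged into a Windows box. The autorun.inf written to a scratch directory below is constructed for illustration; the article names ghost.pif but does not reproduce the file's contents.

```shell
#!/bin/sh
# Added example: inspect a mounted drive for a Windows autorun.inf that
# would launch a program when the drive is plugged in. Point it at the
# mount point of a freshly received drive. The sample autorun.inf below
# is constructed; the article names ghost.pif but not the file contents.

# Print the program(s) autorun.inf tells Windows to run, one per line.
# Keys that execute code: open=, shellexecute=, shell\<verb>\command=.
# icon= and label= only decorate the drive and are ignored.
autorun_targets() {
    inf=""
    # FAT/NTFS are case-insensitive, so the file may be spelled any way.
    for f in "$1"/autorun.inf "$1"/AUTORUN.INF "$1"/Autorun.inf; do
        [ -f "$f" ] && { inf=$f; break; }
    done
    [ -n "$inf" ] || return 0
    tr -d '\r' < "$inf" \
      | sed 's/^[[:space:]]*//' \
      | grep -v '^;' \
      | grep -iE '^(open|shellexecute|shell\\[^\\=]+\\command)[[:space:]]*=' \
      | sed 's/^[^=]*=[[:space:]]*//'
}

# Verdict for a mount point: prints "clean" or "suspicious" and returns
# 0 or 1 respectively, so it works in scripts and conditionals alike.
autorun_verdict() {
    targets=$(autorun_targets "$1")
    if [ -z "$targets" ]; then
        echo clean
        return 0
    fi
    echo suspicious
    printf '%s\n' "$targets" | sed 's/^/  launches: /' >&2
    return 1
}

# Constructed demo drive: its autorun.inf points at ghost.pif twice,
# with Windows CRLF line endings as a real one would have.
demo=$(mktemp -d)
printf '[autorun]\r\nopen=ghost.pif\r\nicon=ghost.pif\r\nshell\\open\\command=ghost.pif\r\n' \
    > "$demo/autorun.inf"
autorun_verdict "$demo"
```

Any open= or shellexecute= on a drive arriving from a vendor is reason enough to wipe it, whether or not the target happens to be a .pif; a drive meant for data has no business telling Windows to run anything.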

The same hysteria came about in May 2006 with Lenovo, at which time I made the same argument. The only difference in this case is that this is an actual threat rather than a perceived one.

The article also says:

“The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to www.nice8.org and www.we168.org, the bureau said.”

So, following this trail starting with nice8.org, we come up with:

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca

Apparently we are dealing with an evil mastermind named “Ga ga” who lives on “gagaga street”. I have heard grumblings of this madman in the hacker underground. Okay, so it's made up… probably random keyboard bashing. Dead end. You get similarly worthless results when whois'ing we168.org. Both domains are down now.
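Two things an analyst still does with a record this bogus, shown here as an added shell example (not from the post): flag the filler fields mechanically, and pull the pivot fields (phone, fax, e-mail, registrar, name servers) that tie one throwaway domain to another even when the names are garbage. The nice8.org record below is the one quoted above; the second record is constructed for the comparison and is not the real we168.org data, which the post does not reproduce.

```shell
#!/bin/sh
# Added example: triage whois records like the one above. Pull the fields
# an analyst pivots on and flag registrant fields that are filler.
# The nice8.org record below is the one quoted in the post; record B is
# CONSTRUCTED (not the real we168.org data) only to show the comparison.

# Print "field<TAB>value" for the pivot fields, lowercased and trimmed.
whois_pivots() {
    tr -d '\r' < "$1" | awk -F: '
        tolower($1) ~ /^(registrant (email|phone|fax)|sponsoring registrar|name server)$/ {
            v = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (length(v)) print tolower($1) "\t" tolower(v)
        }'
}

# Values present in both records: a shared phone or e-mail links two
# "unrelated" domains to one registrant even when the names are junk.
shared_pivots() {
    a=$(mktemp); b=$(mktemp)
    whois_pivots "$1" | cut -f2 | sort -u > "$a"
    whois_pivots "$2" | cut -f2 | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# True when a value is one short token repeated ("gaga", "gagaga", "xxxx").
looks_like_filler() {
    printf '%s' "$1" | tr -d ' ' | grep -q '^\(.\{1,3\}\)\1\{1,\}$'
}

# List registrant identity fields whose values are filler, as field=value.
filler_fields() {
    tr -d '\r' < "$1" | awk -F: '
        tolower($1) ~ /^registrant (name|organization|street1|city)$/ {
            v = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (length(v)) print $1 "\t" v
        }' | while IFS="$(printf '\t')" read -r field value; do
        if looks_like_filler "$value"; then printf '%s=%s\n' "$field" "$value"; fi
    done
}

# The nice8.org record as quoted in the post (subset of fields).
nice8=$(mktemp)
cat > "$nice8" <<'EOF'
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant FAX:+86.2164660456
Registrant Email:safsafsa@ca.ca
EOF

# Record B: constructed, NOT real we168.org data. Different registrar and
# a plausible-looking name, but the same phone and e-mail as nice8.org.
recb=$(mktemp)
cat > "$recb" <<'EOF'
Domain Name:EXAMPLE-B.ORG
Sponsoring Registrar:Some Other Registrar
Registrant Name:Jane Roe
Registrant Organization:Example Trading
Registrant Street1:1 Example Road
Registrant City:Shanghai
Registrant Phone:+86.2164729393
Registrant Email:safsafsa@ca.ca
EOF

echo "filler fields in the nice8.org record:"; filler_fields "$nice8"
echo "pivot values shared with record B:"; shared_pivots "$nice8" "$recb"
```

The registrant name is a dead end, as the post says; the phone and e-mail are not, because a registrant who mashes the keyboard for a name still tends to reuse the contact fields the registrar insists on.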

Mac OS X Trojan in the Wild

There are reports of an in-the-wild Trojan horse program that targets Mac OS X systems. Users are encouraged to visit malware-serving sites through spam messages in Mac forums. The Trojan, which pretends to be a QuickTime plug-in, can hijack users’ search results, sending them to websites the attackers want them to visit.

http://isc.sans.org/diary.html?storyid=3595
http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/

This is yet another example of malware exploiting stupidity, and that's all. I am sick of people jumping at every trivial little article they find regarding Mac malware and saying “see, the Mac isn't safe either”.

First off, nothing is ‘safe’… just safer. Second, you can have the most secure operating system in the world, but if someone is stupid enough to install malicious software onto it, it will be infected just like Windows.

When I see a self-propagating worm that exploits a zero-day vulnerability in OS X, only then will I change my rant… but only slightly. 🙂

OS X 10.5 Leopard File Share Issue

I just picked up a copy of Leopard and am LOVING it so far.  Spaces, stacks, cover flow and the new finder — alone — make it worth the upgrade.

I have found one minor issue, though. When mounting a hidden share (Active Directory, smb://servername/share$) it mounts as you would expect… but when you browse back to it in Finder, the share is not displayed.

When mounting a share, Finder displays the server name in its left-hand sidebar; clicking on that server displays all the shares you have access to. I am assuming that because the share is hidden, Finder is unable to enumerate it from the server, but it obviously works, because it opened the share when I specifically told it where it was located.

Hopefully they fix this in an update, because I am not able to find anything about it on their support site.

Microsoft's ‘Stealth’ Update

Microsoft has done it again.

We receive reports from our WSUS server telling us which updates are rolling out to which servers. So when I started receiving Tripwire reports indicating that files were being altered on a bunch of Windows boxes, I got concerned.

I started opening the files with hex editors looking for strange junk and ran sigverif to see if the files were properly signed. After doing that I detected nothing fishy.

So why did these files change?!

After a couple of quick searches the answer became clear… Microsoft had pushed some updates that it told no one about. These updates arrive even if you have chosen not to have updates downloaded automatically.

In this world of heightened security awareness, file integrity verification and patch pre-validation, I can't think of why they would do this.

I guess it's just Microsoft's way.

Why do we need to waste so much energy with those air conditioners in the server room?!

Wow, just wow.

Apparently a state (whose name was changed to protect the stupid) didn't have controls in place that would prevent a single well-intentioned but misguided person from shutting off the air conditioners in the data center to save power.

Read the horrible and tragically funny story here. 

What is the ‘soul’ of a computer?

At work I am mapping out our network. Instead of Visio I am using OmniGraffle and am very happy with the aesthetics and ease of use.

I am setting it up so that it is separated into both logical (firewall security zone) and physical (rack number, with a list of the computers inside it) views. I am running into problems doing it this way, as I have already found racks containing machines that exist in multiple security zones.

Another problem I encountered is the one that brought me to the title of tonight's post: we have a number of virtual machines that don't really (physically) live anywhere. The OS may consist of file systems mounted from multiple SANs in multiple racks, run from a hypervisor that exists in yet another rack. So, what rack does that VM belong in?

How have you dealt with this sort of thing?

todo.sh

I am a firm believer in David Allen's GTD (Getting Things Done) and have been searching for a nice, easy-to-use task tracking system. I am also a huge fan of all things GUI-less, so naturally I started coding a series of scripts for the purpose and using GeekTool to display todos on my desktop.

Initially it was nothing more than the following line added to my .bash_profile:

# a function rather than an alias: aliases do not take positional parameters, so $1 is empty there
todo() { echo "$*" >> ~/todo.txt; }

But before long I found myself wanting to write a ‘done.sh’ script to remove items. At that point I realized I had to implement a numbering system, use copious amounts of awk and sed, and spend far more time than I cared to on the project.
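The numbered scheme sketched above, as an added example in POSIX sh (not the author's scripts and not todotxt.com's code): the line number is the item id, done items are archived with a date rather than simply deleted, and the assumed TODO_FILE and DONE_FILE variables default to ~/todo.txt and ~/done.txt.

```shell
#!/bin/sh
# Added example, not the author's scripts and not todotxt.com's code:
# a numbered todo/done pair in plain POSIX sh. Items live one per line
# in $TODO_FILE (assumed variable, default ~/todo.txt) and the line
# number is the item id. Finished items move to $DONE_FILE with a date.
TODO_FILE=${TODO_FILE:-$HOME/todo.txt}
DONE_FILE=${DONE_FILE:-$HOME/done.txt}

todo() {                    # todo <words...> : append one item
    [ $# -gt 0 ] || { echo 'usage: todo <text>' >&2; return 2; }
    printf '%s\n' "$*" >> "$TODO_FILE"
}

list_todo() {               # number the items on the fly; nothing is stored
    [ -f "$TODO_FILE" ] || return 0
    awk '{ printf "%2d %s\n", NR, $0 }' "$TODO_FILE"
}

count_todo() {              # number of open items
    if [ -f "$TODO_FILE" ]; then wc -l < "$TODO_FILE" | tr -d ' '; else echo 0; fi
}

done_todo() {               # done_todo <n> : archive item n and drop its line
    n=$1
    case $n in ''|*[!0-9]*) echo 'usage: done_todo <n>' >&2; return 2;; esac
    total=$(count_todo)
    if [ "$n" -lt 1 ] || [ "$n" -gt "$total" ]; then
        echo "no item $n (have $total)" >&2; return 1
    fi
    item=$(sed -n "${n}p" "$TODO_FILE")
    printf 'x %s %s\n' "$(date +%Y-%m-%d)" "$item" >> "$DONE_FILE"
    # Deleting the line shifts every later item up by one, which is why
    # the numbering turned out to be the hard part of this project.
    tmp=$(mktemp)
    sed "${n}d" "$TODO_FILE" > "$tmp" && mv "$tmp" "$TODO_FILE"
}

# Demo against scratch files so nothing in $HOME is touched.
TODO_FILE=$(mktemp); DONE_FILE=$(mktemp)
todo "format the new drives before they go into production"
todo "read the Leopard file share thread"
todo "finish the NetScreen VPN cheat sheet"
done_todo 2
list_todo
```

Because deleting line n renumbers everything after it, list before you mark the next item done, or blank the line instead of deleting it if you want ids that stay stable between runs.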

At some point I recall briefly reading about something similar on Digg. A quick Google search led me to todotxt.com.

What a system this is! Combined with GeekTool I have an excellent way of staying organized.

Rather than explaining how it works I embedded an example video for you.

Now all I have to do is implement a system that uses DUE:MM/DD and a cron'd script to alert me via Growl when something is due. Ahhh, if only I had some free time. 🙂

Juniper NetScreen Policy Configuration Cheat Sheet

I use a lot of NetScreens at work and found myself sprawling notes containing the syntax of different commands for the ScreenOS CLI (Command Line Interface). Being the OCD type of person I am, I decided I needed something more zazzy… yes, more zaz. So here are the PDF and the original Graffle of my NetScreen policy config cheat sheet.

Coming soon: “NetScreen VPN Cheat Sheet” and “NetScreen Debug Cheat Sheet”.

NetScreen Config Cheat Sheet (PDF)
md5: f69855226d84eccdfc8bc4cb64d527ea

Change Log 

06-08-2007: v1.4
Updated the “set policy” line to include dst_zone.