<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.7.1" -->
<rss version="0.92">
<channel>
	<title>downgrade.org</title>
	<link>http://downgrade.org</link>
	<description>The rantings and insight of a 20 something ethical hacker, coder and IT samurai.</description>
	<lastBuildDate>Fri, 08 May 2009 21:07:37 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>tcp/2550 and the Chinese</title>
		<description>While investigating an unrelated issue and digging through firewall logs I noticed a decent amount of traffic destined for tcp/2550 on one of my work servers.

The traffic mostly (82 of the 84 events today) originates from sequential IPs out of China.  This immediately raises alarms with me.

Upon further examination I ...</description>
		<link>http://downgrade.org/2009/05/08/tcp2550-and-the-chinese</link>
			</item>
	<item>
		<title>Hey Mac Users&#8230; The Honeymoon is Over.</title>
		<description>I know, it's sad.  I too am a die-hard Mac user.

Today alone I have received 4 copies of an email with the subject line "2 Populaar Myths About Female Orgasms -  How to Become an Irresistible Lover" containing an attachment named "Preview.app Document".

I haven't had a chance to analyse ...</description>
		<link>http://downgrade.org/2009/05/01/hey-mac-users-the-honeymoon-is-over</link>
			</item>
	<item>
		<title>VM Escape</title>
		<description>Whenever anyone speaks of virtual machine security, the absolute worst case scenario is the dreaded "VM Escape".  That is, the ability of a malicious user to escape a virtual machine's encapsulation and reach the host (or hypervisor).  This class of attack could potentially expose all other virtual machines running on ...</description>
		<link>http://downgrade.org/2009/04/15/vm-escape</link>
			</item>
	<item>
		<title>Mining Ports for Malware</title>
		<description>I recently wrote a script that runs from cron and port scans all of our servers daily.  It saves the output, diffs it against the previous day's, and emails me as new ports open up.

I think this will be a good way to detect new services and potential malware ...</description>
		<link>http://downgrade.org/2009/02/25/mining-ports-for-malware</link>
			</item>
	<item>
		<title>Loaded C:\WINNT\system32\KERNEL32.dll differs from file image</title>
		<description>I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft's listdlls.exe.
*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0x102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll
Now ...</description>
		<link>http://downgrade.org/2009/02/04/loaded-cwinntsystem32kernel32dll-differs-from-file-image</link>
			</item>
	<item>
		<title>Why Won&#8217;t Dell Stop Sucking?!</title>
		<description>For some reason people keep buying Dells.

I remember a couple of years ago all the small form factor OptiPlexes I had suffered from a bad cap on the motherboard.  Eventually all of them just die.

My whole team at work have the same model workstation and the PSU went on each ...</description>
		<link>http://downgrade.org/2009/02/04/why-wont-dell-stop-sucking</link>
			</item>
	<item>
		<title>A Very Righteous Hack</title>
		<description>A roadside traffic sign in Austin, Texas was hacked into so that it displayed a message warning passing motorists of zombies ahead. Police are investigating the incident, and if they are caught, the perpetrators could face misdemeanor road sign tampering charges.  The vandals broke a lock on the sign and ...</description>
		<link>http://downgrade.org/2009/02/02/a-very-righteous-hack</link>
			</item>
	<item>
		<title>Take THAT IE Fan Boy</title>
		<description>Bruce Schneier just posted an interesting article on his blog entitled "Interview with an Adware Developer".

This article reinforces many of the things I have been telling people for a very long time, but which for whatever reason never sink in.
I should probably first speak about how adware works. Most adware targets ...</description>
		<link>http://downgrade.org/2009/01/30/take-that-ie-fan-boy</link>
			</item>
	<item>
		<title>More on Heartland</title>
		<description>Dark Reading posted an article entitled "Report: Law Enforcement Closing In On Heartland Breach Perpetrator"
"Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late ...</description>
		<link>http://downgrade.org/2009/01/27/more-on-heartland</link>
			</item>
	<item>
		<title>Heartland Breach</title>
		<description>Heartland Payment Systems acts as a payment gateway for credit card transactions for over 250,000 businesses.  At some point a sniffer was installed in their data center intercepting all transactions.  Some media outlets are calling this the "largest data breach ever".  They process "100 million credit card payments a month ...</description>
		<link>http://downgrade.org/2009/01/26/heartland-breach</link>
			</item>
</channel>
</rss>
