Targeted malicious code from devest@terrorism.com!
I am not sure whether to be worried or flattered, but it appears that someone is going through the trouble of creating targeted malicious code attacks by spoofing an email from me. They've even gone so far as to use the correct signature, return phone numbers, and to pick a topic that I am likely to actually send an email on. The only issue is that they've spelled my name wrong...probably to prevent any bounces from coming to me and alerting me. The message looks like this:
From: Matt Devest
Date: Sun, 1 Oct 2006 09:05:27 -0600
To: < ****@terrorism.com>
Subject: How China Steals US Military Secrets !
Dear,
FYI-
http://www.usa.tmsasia.com/collections/prc/How_China_Steals_US_Military_Secrets.html
Matt Devest
CEO
Terrorism Research Center, Inc.
Tel: (703)***-****
Email: Devest@terrorism.com
Obviously, if you get this message, don't click on the attachment. My good friend Eric took a look at the target web page and provided this assessment:
Basically, the link is for a page that's just javascript. What's interesting is that it uses the javascript 'unescape' function to set values to a couple of vars. The unescape function takes what looks like gibberish and, when unescaped, is plain javascript code. The last part of the initial script does an 'eval' on the variable, which runs the code. What the code does is run another set of javascript which was previously decoded and attempts to use a VERY new IE vulnerability to cause a buffer overflow and then allows running any program as administrator on the box. More details on the actual exploit can be found at:
http://www.us-cert.gov/current/index.html#exwbfldr
As such, only Windows users running IE 6 are vulnerable to this 'link'. From what I can find on the Microsoft website, it looks like this vulnerability might only apply to Windows 2003 Server, but that remains unclear. Microsoft did indicate they would have an update released by October 10.
In summary, whoever did this cleverly crafted email wanted to maximize his/her chances of getting a 'hit'. The exploit is considered a 0-Day, and the way it was escaped took some time to sort through and decode. If it wasn't for the misspelled Devost, it could almost be considered 'perfect'...
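As an added illustration of the unescape/eval pattern Eric describes (this is example code written for this post, not the malicious page's script and not something from the original entry), here is a small Python scanner that decodes unescape() string literals, follows nested layers of the same trick, and reports which decoded variables are handed to eval(). The sample page is constructed inline from a benign document.write call.

```python
import re

# JavaScript unescape() semantics: %uXXXX is a UTF-16 unit, %XX a single byte.
# Anything that is not a valid escape is kept verbatim, as the browser does.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s: str) -> str:
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_escape(s: str) -> str:
    """Escape every character (used only to build the constructed sample)."""
    return "".join(f"%u{ord(c):04X}" if ord(c) > 0xFF else f"%{ord(c):02X}" for c in s)

# `var NAME = unescape("...")` (or single quotes) and `eval(...)` call sites.
_ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*=\s*unescape\(\s*(['\"])(.*?)\2\s*\)", re.S)
_EVAL = re.compile(r"eval\(\s*([^)]*)\)")

def analyze(script: str, depth: int = 0, max_depth: int = 3) -> dict:
    """Decode unescape() payloads, note which reach eval(), recurse into layers."""
    decoded = {name: js_unescape(body) for name, _q, body in _ASSIGN.findall(script)}
    evaluated = [name for arg in _EVAL.findall(script)
                 for name in re.findall(r"\w+", arg) if name in decoded]
    result = {"decoded": decoded, "evaluated": evaluated, "nested": {}}
    if depth < max_depth:
        for name, code in decoded.items():
            if "unescape(" in code:  # the decoded layer hides another one
                result["nested"][name] = analyze(code, depth + 1, max_depth)
    return result

# Constructed sample: two layers of escaping around a harmless statement.
INNER2 = "document.write('hello');"
INNER1 = f'var b = unescape("{js_escape(INNER2)}"); eval(b);'
SAMPLE_PAGE = (
    "<html><script>\n"
    f'var a = unescape("{js_escape(INNER1)}");\n'
    "eval(a);\n"
    "</script></html>\n"
)

if __name__ == "__main__":
    report = analyze(SAMPLE_PAGE)
    print("evaluated at top level:", report["evaluated"])
    print("decoded a:", report["decoded"]["a"])
    print("nested in a:", report["nested"]["a"]["decoded"])
```

In practice the decoded layers are what you inspect for the actual exploit logic; the scanner only surfaces them so nothing has to be run in a browser.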
For what it's worth, the email came directly from a server in Utah.
IP: 205.118.75.84
OrgName: Utah Educational Network
OrgID: UEN-1
Address: 101 Wasatch Drive, Rm 215
City: Salt Lake City
StateProv: UT
PostalCode: 84112
Country: US
Probably just a poorly patched server that was hacked and used as a jump-point...
More school shootings to come....
As a parent, I take increasing interest in the analysis of experts like this.
Therefore, I want to share what I am seeing, what I project as forthcoming in the next month, October 2006. I've been saying most of this on radio interviews and in suicide trainings for weeks. No one seems to be listening, especially in the US media. Nevertheless, readers may wish to know about the patterns that are so obviously developing. Full Story
Warren Ellis plays Second Life
Great entry on Warren Ellis's blog. I've often thought of PKD playing SL as well.
Second Life musings...
I'm long overdue in posting about SecondLife. Perhaps it is because I've been too busy exploring it and writing about the implications of persistent virtual worlds in a paper I've been working on. From my perspective as a persistent, if not prescient, technologist....SecondLife changes everything. It is a virtual world inhabited by several hundred thousand people with its own economy and its own emerging culture. I've got lots of ideas about how virtual worlds like this will be used in the future. Most of the ideas are exciting, but a few of them are outright scary. Within the next few months, SecondLife will also have the ability to render HTML code within the game, so some of those ideas I have for 3D virtual reference libraries don't seem as far-fetched any more.
The potential for virtual collaboration is also very interesting. Just as an example, I attended a conference in SecondLife that was actually held in California. In SecondLife, I was able to sit in an auditorium with other SL residents, watch and listen to a live video feed of the event, and ask the speakers questions. If you think in the context of truly Distributed Intelligence Response Teams, the implications are huge. I hope to hold at least one class in SecondLife next semester at Georgetown.
I don't have a lot of time to explore something like SL, but to ignore it would be like ignoring the WWW in 1995. In 5 years, a lot of people will be using the web via a SL interface, and I want to be there first.
Irhabi007's silence on the net explained
Several months ago, stories on the AQ 007 were everywhere. Now we have an update from the Washington Post.
GroupIntel Blog rolling
Doogie Howser jokes, Bruce Schneier takedowns...all in the context of national security and intelligence issues. The GroupIntel Blog is rolling. If you haven't checked it out recently, it is worth a look.
What's old is new again...
A few new interesting details regarding a thwarted attack against a target in L.A.
A partial RIM shutdown is NOT the answer
I'll admit to being pretty frustrated over all the discussion about how the government should be excluded from a shutdown of Blackberry service in the United States. Partial infrastructure shutdowns are not the answer. If a shutdown is ordered, it should be for all RIM customers with no exclusions. By excluding the government, we are giving the courts a biased leverage that provides an escape clause from rulings that could directly impact them or the federal government.
What next, shut down all power in DC, except the power going to federal buildings? If an infrastructure provides an essential service, it is unrealistic to say that it is only essential to the federal government or that you can reasonably segment non-essential users from essential users. I know several people that would be impacted by the Blackberry shutdown that provide a lot more "essential" national security services than 99% of the people on the official federal government list. If the court is going to show some teeth, show some real teeth and shut the whole service down and live with the consequences.
For its part, RIM has agreed with the Justice Department that it would be difficult to separate government from private BlackBerry users. In a filing Wednesday, it also argued that public interest in the network extends beyond government users. For example, it said, the financial services industry relies heavily on the devices. BusinessWeek