Just how sweet can a baby bee?

Sweet as honey, as you can see! Bee-hold a honey of a favor that’s perfect for celebrating the new baby. Bee-sides its practicality, this ceramic honey pot is bee-yond cute, and it simply bee-longs at the baby shower!  Prices start at $4.33.  Shop now!  http://goodwitchgifts.theaspenshops.com/product/sweet-as-can-bee-ceramic-honey-pot-with.html/categoryid=60d21eaf-2b85-4c9d-9517-1ac180f94194

Features:

Add to: Facebook | Digg | Del.icio.us | Stumbleupon | Reddit | Blinklist | Twitter | Technorati | Yahoo Buzz | Newsvine

Last week I had the pleasure of being asked to speak at Northumbria University, presenting to students of the Computer Forensics and Ethical Hacking for Computer Security programmes. As I graduated from Northumbria a few years ago it was interesting to come back to see some familiar faces and have a look at how the facilities had developed.

Despite the nerves of having to speak in front of a crowd I really enjoyed the event, especially as the other speakers were excellent and I enjoyed their sessions. The event kicked off with Dave Kennedy, a soon to retire member of Durham Police’s computer crime unit. Dave’s talked about his personal experience with a couple of high profile cases, explaining some of the groundwork and behind the scenes activity that isn’t known to the general public. I found the information interesting; but also disturbing, given the nature of the material that is handled by Dave and his department I can safely state that I wouldn’t want to have much experience in the area.

Next up was Phil Byrne, an internal auditor for HM Revenue and Customs (HMRC). For those that don’t know, HMRC were/are at the centre of one of the UK’s largest data loss stories in 2007 after CDs containing approximately 25 million child benefit records were sent, unencrypted, by standard post and did not reach their intended destination (some backstory here). Phil talked openly about the incident, discussing both the incident itself and the changes made in response. One of Phil’s comments has stayed with me (if I’m mis-quoting someone let me know):

If you put people into the process, something will go wrong at some time

Third to the stand was Gary Witts, owner of a manage services company specialising in on-line backups. The talk was very indepth and had some interesting content, but from my perspective I felt it was more of a sales pitch than a technical discussion of the secure backup’s place within a security standing.

I took the fourth and final slot of the day, which left me with the unenviable position of being between around 100 students and the pub, which didn’t help my usual rapid-fire presentation style. My presentation took a different focus from the previous sessions, discussing some of the real-world security incidents that can regularly be encountered, and some advice on handling the incidents in question. I also discussed my findings from honeypot systems, introducing a less common method for monitoring an environment for malicious activity. Assuming the feedback I’ve recieved is genuine the presentation seems to have been well-recieved.

From a student’s perspective; Tom was in the audience and has been writing up his take on the event in a series of blog postings. Tom also recorded the talks, for any one interested a direct link to my session is available here.

– Andrew Waite

As I discussed in my last post about Dionaea I am really impressed with the improvements to logging capabilities over Nepenthes. I’ve now had a Dionaea system online for ~24hours, which while it isn’t enough data to draw any meaningful statistics, it has provided enough data to work on some new tools. I had been intending to extend my Nepenthes tools to parse the logs and enter data into a database for additional and simpler analysis. This was promptly squashed with the migration to Dionaea, but the theory has proven to be a good one as Dionaea’s default logging to an SQLite database has made development much quicker and easier.

To get a feel for the new system, and to keep my capabilities up to speed, I’ve spent this evening writing a script to provide the same information for a Dionaea system that my Nepenthes statistics script provided previously. As usual, the script can be found over at InfoSanity, here. An initial set of results from my system is below for an example:

Statistics engine written by Andrew Waite – www.infosanity.co.uk

Number of submissions: 11
Number of unique samples: 10
Number of unique source IPs: 8

First sample seen: 2009-11-09 14:19:15.518382
Last sample seen: 2009-11-10 18:35:28.235052
SystemrRunning: 1 day, 4:16:12.716670
Average daily submissions: 11.0

Most recent submissions:
2009-11-10 18:35:28.235052, 195.90.106.212, emulate://, a4dde6f9e4feb8a539974022cff5f92c
2009-11-10 16:23:12.925538, 195.93.135.67, tftp://195.93.135.67/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2009-11-10 16:00:14.846435, 195.170.57.28, tftp://195.170.57.28/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2009-11-10 15:39:48.598303, 195.46.34.91, http://zonetech.info/61.exe, beee7a74712b2e3c84182c1bf18750ae
2009-11-10 13:00:29.916721, 195.95.170.138, emulate://, ddf1259a8fcef0776054460ebdf3cae4

– Andrew Waite

As my previous post states, my Nepenthes system has been retired. In it’s place I’m building up a Dionaea system. The new features proposed by Dionaea should go a long way to improving on a couple of Nepenthes’ shortcomings, a good comparison of the two systems can be found on the Nepenthes blog (post October 27th). But what really caught my attention was the recent post on November 6th detailing the improved logging capabilites that are going to be built into Dionaea. I intend to cover these features at a later date once I’ve had more time to get used to the new system.

I must admit that I was shocked with the ease of installation and compilation. The instructions on Dionaea’s home page look a bit long winded to me, especially as I’m used to the ease of ‘apt-get’ and past experience with manual compilation of source code always leaves me expecting a headache. This was doubled when I discovered my available hardware is starting to show signs of it’s age, and was unable to successfully complete a fresh install of the latest Ubuntu, resulting in some of my components not quite meeting the written requirements. Some how though I manage to muddle through the compilation instructions without issue, and now have a working Dionaea install.

Getting the system started was also a breeze, one-line command as prescribed in the documentation and the system is live. Unsurprisingly it didn’t take long get my first hits, retrieving my first binary within 40 minutes of first starting the system. As I restarted several times whilst playing with config settings it could be that I missed a compromise that would have shortened this time frame in the real world.

So far I have only made a couple of changes the config, replacing the dev’s email with my own to recieve sandbox reports for collected binary samples (thanks for pointing that out in the mailing lists, probably would have missed it) and enabling the ihandler for p0f to try and take advantage of the system’s included fingerprinting capabilities.

As I’ve always liked statistics from honeypot systems, here is what I’ve got so far:

• Running approximately 4 hours
• Logged 20 unique attacks
• Retrieved 4 unique malware binaries (and received the third party sandbox reports)
• Generated 10,000+ log entries

Finally, thanks to the dev team for continuing to build and improve systems that I love to use. Couldn’t do have of what I do without quality systems to work with.

– Andrew Waite

Following on from the move from Nepenthes to Dionaea, I’m decomissioning my Nepenthes server to start afresh with Dionaea. As such I thought I’d share the final statistics using InfoSanity’s statistic script for Nepenthes.

Statistics engine written by Andrew Waite – www.InfoSanity.co.uk

Number of submissions: 4189
Number of unique samples: 1189
Number of unique source IPs: 2024

First sample seen on 2008-05-09
Last sample seen on 2009-10-31
Days running: 540
Average daily submissions: 7

– Andrew Waite

As regular readers will know (do I have any of those?) I’ve been running a Nepenthes honeypot for a while. Current statistics show that the server ran for 540days, was ‘exploited’ 4189 times, collecting 1189 unique samples (based on MD5 hash) from 2024 source IP addresses.

The latest post (dated October 27th 2009) on the Nepenthes site indicates that development on Nepenthes is coming to a close, stating 7 reasons preventing newer features being implemented with Nepenthes. As a result I’m stopping development on my statistics scripts for parsing the Nepenthes’ log files. The good news is that work on Nepenthes’ spiritual successor is well underway, in the form of Dionaea.

I’m hopefully going to get a Dionaea box up and running in the near future to continue were I’ve left off with Nepenthes, watch this space…

– Andrew Waite

First of all, I want to apologize for not getting around to writing part 2 of my previous post yet. I have more free time now and have started research for that post, but haven’t had a chance to write everything down yet. Hopefully I’ll get to it soon.

Update: some people have been confused at to my intention or my recommended use of the code I present here.  Let me make a few things clear:

1. Don’t make these modifications on any production machine
2. Don’t make these modifications on any machine receiving a lot of traffic
3. This isn’t the best way to capture logins.

I called it a “hack” for a reason.  It’s something I threw together in a few minutes in order to gather the necessary data to conduct the analysis I did in my next post.  As dozzie pointed out, this can be done better by writing a PAM module.  My purpose here was not to write something robust, rather to write something quick in order to find a password file being used against me.  I apologize for any confusion.

Keeping in mind that:

• only a fraction of the subdomains pinged will actually be registered with DynDNS
• only a fraction of the registered subdomains will be offering authentication services
• only a fraction of the authentication services will allow predictable usernames*, and
• only a fraction of those valid usernames will have predictable passwords

* root logins aren’t allowed by default on openssh and many other SSH implementations.

The (hopefully) small number of boxes that can be owned by brute forcing with this method apparently outweighs the cost to our adversary(ies).  As I later discovered, our IP address wasn’t enumerated via our DynDNS entry, but was brute forced.  Yeah.  They are trying IP addresses sequentially.

We noticed the SSH logs for our box were getting suspiciously long and it was pretty obvious why:

09/24/2009 12:49:19 PM: [FAIL] An error occured during key exchange auth done
09/24/2009 12:49:19 PM: [NOTE] Connection from 118.46.137.101 disconnected
09/24/2009 12:49:20 PM: [FAIL] An error occured during key exchange auth done
09/24/2009 12:49:20 PM: [NOTE] Connection from 118.46.137.101 disconnected
(repeat about 100 times)...

Our gateway Snort agreed that something was up:

[ ** ] [ 1:2001219:18 ] ET SCAN Potential SSH Scan [ ** ]
[ Classification: Attempted Information Leak ] [ Priority: 2 ]
09/17-10:49:59.339210 118.46.137.101:50905 -> ***.***.***.***:22
(repeat about 100 times)...

The attacking IP addresses would change periodically.

Perhaps I could discover if this is a single attacker or if this is multiple attackers:

• If there is a single group behind these attacks, it would make sense that they would synchronize this work amongst the attacking IPs, allowing the attack to evade simple IDS rules and avoid duplication of effort.
• If there are multiple parties behind these attacks, it would make sense that the same username/password combinations would be tried by different hosts, pointing to a lack of synchronization.

Of course this is a lot of assuming and is hardly scientific, but promises to be a fun experiment regardless.

My first thought was: I’ll build a honeynet!  After reading more about honeynets, however, I came to realize that a honeypot would require a lot of network work and a tough cost/benefit analysis. The problem is that a smart attacker will first check his/her newly compromised environment: is he/she root? is he/she in an obvious VM or jail? what others hosts are on this subnet?

If the attacker isn’t satisfied that what they’ve compromised is a unwitting user’s box (and not a honeypot), they may never execute telling commands or push interesting payloads. On the other hand, if you give the attacker too much access, the attacker may use your box to attack others, host child pornography or conduct other malicious/illegal actions.  To everyone else it will look like your box (and by extension, you) are doing these illegal things. In such a scenario, you would be presumed guilty unless you can prove you’re running a honeypot and aren’t actually the person breaking the law.

Having a severe lack of lawyers at my side (I do know a few poly sci majors), I opted to go a different route, at least for now:

I’ll modify sshd itself, causing it to log the time and origin of all attempts to authenticate, along with the complete usernames & passwords attempted.

This is not a new idea, in fact, it’s kinda what honeyd is for, but I thought it would be fun to do the ssh modification myself and follow the password trail to see where it leads.  (Where these harvested passwords lead will be the topic of my next post.)

For obvious reasons, openssh and others never log incorrect passwords (a mistype of your password would get winblowz logged when you meant winblows…such logging would make it trivial to escalate privilege).

Setting up the Server:

I chose to use VirtualBox on a Windows XP machine to virtualize Ubuntu 9.04 Desktop, on which I will be serving SSH with openssh.  VirtualBox is like VMware Workstation except it’s free (as in speech).  The process of creating and configuring a VM is outside the scope of this post.  Don’t do this on a production machine or any machine that has multiple users, as privilege escalation may become trivial.

The rest of these instructions will be valid for Ubuntu 9.04 Desktop’s default directory structure, installed software and openssh-5.1p1.  They can easily be adapted to other environments & versions of openssh.  The instructions listed here result in multiple installations of openssh-server.  I did’t really care about overlap in this throwaway VM environment, so long as I could get my modified sshd running with Ubuntu’s daemon manager.  A purist might do this another way.

1) Install the required dependencies for building openssh:

sudo apt-get install zlib1g-dev libssl-dev

2) Install openssh-server itself (we’ll modify the default installation):

sudo apt-get install openssh-server

3) Check which version of openssh you’re running:

ssh -v

4) Get the source code of the version of openssh you’re currently running (by the using the same version we may avoid odd version dependency issues).

5) (Optional) Download the corresponding .asc file & verify your copy of openssh.

gpg --recv-key 86FF9C48
gpg --verify openssh-5.1p1.tar.gz.asc openssh-5.1p1.tar.gz

(The above is the signing key for Damien Miller, maintainer of portable openssh. Try to guess which is him.)

Of course, if you’re really concerned about the integrity of your openssh download, you’ll want to verify gpg fingerprints as well.

Hacking sshd:

1) Extract the source & verify you can successfully build it:

tar -xvf openssh-5.1p1.tar.gz
cd openssh-5.1p1
./configure
make
ls -al | grep sshd

If you see an sshd binary, you compiled it.

2) Stop the sshd daemon:

sudo /etc/init.d/ssh stop

3) Install the openssh build you just created. (This is to put the config files, etc. in locations that our modified sshd will expect, while breaking very little of the Ubuntu package installation.  Since we’re not going to modify the config files, we don’t need to worry about syncing changes between them.)

sudo make install

4) Back up your current sshd binary (just in case):

sudo cp /usr/sbin/sshd /usr/sbin/sshd_original

5) Make the following modification to openssh-5.1p1/auth-passwd.c:

--- auth-passwd_original.c    2007-10-25 21:25:12.000000000 -0700
+++ auth-passwd.c    2009-09-28 21:35:04.000000000 -0700
@@ -53,6 +53,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
+#include "canohost.h"

 extern Buffer loginmsg;
 extern ServerOptions options;
@@ -82,6 +83,23 @@
 {
 struct passwd * pw = authctxt->pw;
 int result, ok = authctxt->valid;
+
+    if (*password != '')
+    {
+        struct tm *timePtr;
+        time_t localTime;
+        char timeString[100];
+
+        localTime = time(NULL);
+        timePtr = localtime(&localTime);
+        strftime(timeString, 100, "%D %r", timePtr);
+
+        FILE *logFile;
+        logFile = fopen("/var/log/sshd_attempts","a+");
+        fprintf (logFile,"From: %s at: %s | user: %s, pass: %s\n", \
get_remote_ipaddr(), timeString, authctxt->user, password);
+        fclose (logFile);
+    }
+
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 static int expire_checked = 0;
 #endif

Or you can grab my modified auth-passwd.c file and throw it in your openssh source directory.

6) Rebuild sshd:

make

7) Stop SSH, replace sshd, Start SSH:

sudo /etc/init.d/ssh stop
sudo cp sshd /usr/sbin/sshd
sudo /etc/init.d/ssh start

You’re done.  You should now have a modified sshd binary running your openssh server and logging all connection attempts to /var/log/sshd_attempts.  I’ve been running my modified sshd for a few days now and have collected quite a few of these attempts. Click below to view the connection attempts against my server.

View my Log

Part 2: From pass_file to Script Kiddies

Πριν αρχίσουμε να αναλύουμε τα βασικά μέρη ενός honeypot θα πρέπει να δώσουμε έναν ορισμό για το τι είναι το honeypot. Ένα honeypot μπορεί να είναι ένα σύστημα, ένας router ή απλώς κάποια services τα οποίο και χρησιμοποιείται για να προσελκύσει χάκερς να το επιτεθούν ούτως ώστε να αναλύσει τα στοιχεία της επίθεσης για να βοήθησει στην ασφάλεια του δικτύου.

Έτσι λοιπόν εκτός από το ίδιο το honeypot θα χρειαστούμε επίσης και τα ακόλουθα μέρη για να το λειτουργήσουμε:

Συσκευές δικτύωσης

Αυτές οι συσκευές μπορούν να είναι Firewalls, routers και switches και οι οποίες θα μας βοηθήσουν να δημιουργήσουμε πάνω στο δίκτυο μας το honeypot.

Εργαλεία παρακολούθησης και καταγραφής

Ο βασικός λόγος για να έχουμε ένα honeypot στο δίκτυο μας είναι φυσικά για να παρακαλουθεί και για να καταγράφει την δραστηριότητα του hacker.Κάθε honeypot έχει τέτοια εργαλεία και αναφέρει αυτήν την δραστηριότητα σε κάποιον υπολογιστή που έχουμε ορίσει.

Εργαλείο καταγραφής πλήκτρων (keystroke logger)

Το εργαλείο αυτό χρειάζεται για να καταγράφει τις εντολές που πληκτρολογεί ο hacker στο σύστημα.

Packet Analyzer

Το packet analyzer ή αλλιώς sniffer είναι σημαντικό να υπάρχει για να καταγράφει όλη την κίνηση μεταξύ του honeypot και του Internet.Το snort στο packet sniffing mode χρησιμοποιείται συχνά σε αυτές τις περιπτώσεις.

Μηχανισμός ειδοποίησης

Οτιδήποτε συμβαίνει πάνω στο honeypot είναι συνήθως κάποια κακόβουλη δραστηριότητα.Γι’αυτό και κάθε honeypot έχει έναν μηχανισμό ειδοποίησης ούτως ώστε ο διαχειριστής του δικτύου να μην χρειάζεται να ελέγχει συνέχεια το honeypot.

Data backup

Το backup είναι επίσης πολύ σημαντικό συστατικό ενός honeypot διότι μπορεί να χρησιμοποιηθεί για να επαναφέρει το honeypot στην κατάσταση στην οποία βρισκόταν πριν την εισβολή του hacker.Επίσης όλες οι τροποποιήσεις που θα κάνει ο hacker πάνω στο honeypot είναι ουσιώδες να βρίσκονται σε κάποιο backup για να μπορούν να μελετηθούν.

Σταθμός διαχείρισης

Ο υπολογιστής αυτός είναι υπεύθυνος για να συλλέγει τα δεδομένα που στέλνονται από το honeypot ή το honeynet.Επιπρόσθετα είναι και ο υπολογιστής από τον οποίο ο διαχειριστής του δικτύου θα ενημερώνεται για τυχόν ύποπτη δραστηριότητα πάνω στο honeypot και απαιτεί μεγάλη προστασία προκειμένου να αποτρέψει τους εισβολείς από το να ανακαλύψουν αυτόν τον σταθμό.

Έρευνα στις πηγές

Κάθε διαχειριστής ενός honeypot πρέπει να έχει μία μεγάλη λίστα από ιστοσελίδες σχετικές με ασφάλεια,βιβλία και άλλες πληροφορίες από το Internet προκειμένου να είναι σε θέση να αναλύσει τις έκανε ο χάκερ στο honeypot και γιατί.

Forensics Tools

Αυτά τα εργαλεία θα μας βοηθήσουν στο να μπορέσουμε να εξετάσουμε τυχόν επίθεση πάνω στο honeypot καθώς και να αναλύσουμε ευκολότερα τα logs του honeypot.

Συνοψίζοντας ένα honeypot χρειάζεται κάποιον να το δημιουργήσει, να το παρακολουθεί και να το κρατάει ενημερωμένο σύμφωνα με τις νέες τεχνολογίες στα honeypot.Το τι θα ελέγχει το honeypot στο δίκτυο εξαρτάται από τον διαχειριστή του δικτύου.Όλα τα παραπάνω είναι όμως ότι χρειάζεται να έχει ένα honeypot σε ένα δίκτυο.

I’ve moved onto a different theme on Ugh!!’s Greymatter Honeypot; not that I was unhappy with the the theme I was running before, but I wanted to try out the latest and the greatest new theme from FreshPress themes. It’s called Freshtweet and is as nice and clean as you would like a theme to be. It has some funky features too, like some cool AJAXy features and integration with social networks.

I like the cleanliness of the theme, something you don’t tend to find on most themes nowadays. They’re a bit too busy with slideshows and carousels which is fine if you get some sort of Orange County web design firm to do it for you. Unfortunately too many people try to do something about it themselves and the result just doens’t work.

Happy I found this theme .. it works for me (not quite a ranch though, is it?)

I really like the idea of a SCADA honeypot. John Strand live-demoes a SCADA Honeypot. It uses several services which can later on be used to demonstrate (and lure an attacker) the life inside a SCADA universe.

You can download the SCADA Honeypot from here.

From the scadahoneynet site:

[The] goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

• Build a HoneyNet for attackers, to gather data on attacker trends and tools
• Provide a scriptable industrial protocol simulators to test a real live protocol implementation
• Research countermeasures, such as device hardening, stack obfuscation, reducing application information, and the effectiveness network access controls.

George Ure writes:

If an informed reader has any memory at all, the adventure of the ‘disappearance” of South Carolina Governor Mark Sanford and his re-emergence after admitting to an affair in Argentina, brings into focus a very interesting question. Are we seeing another application of what in the alphabet agency/spy business is called a “honey pot” operation?

If I were looking at one of my computer reference books like Head First Design Patterns, I’d have to at least ask the question am I seeing a dandy way for the PTB to put those who get in the way of the globalist agenda to single out and destroy opposition? Why, it’d be far more efficient than assassination or disappearances, although there’s enough wet-work to bring those along, too, in one remembers Dr. David Kelly and those missing microbiologists, but that’s a whole different branch of the global railroad.

[...]

Either there’s a class of politician that is so smart in politics as to make it into high office, yet dumb enough that along comes a good looking woman and they wander off following their pechusezelwhackers (* it’s an old fire house term analogous to “Johnson”) in a testosterone fog OR if you want to get a hot affair going, all you need to do is be in a position to challenge the PTB paradigm and hotties will be sent in to take you down…and then…er…take you down.

I have to wonder if Sanford even had an affair. I suspect he was taken away for a little come-to-Jesus meeting after refusing to take Obama’s stolen bribe money.

You may recall how the CIA threatened Jesse Ventura after he became Governor of Minnesota against their will.

Glastopf e` un honeypot in Python che emula un webserver e permette di collezionare dati relativi agli attacchi effettuati a livello di applicazione web. Al momento e` in grado di gestire solo dei Remote File Inclusion, essendo un giovanissimo progetto, ma e` prevista l’estensione anche ad altre tipologie di attacchi. Come altri honeypot, prevede il logging su IRC e inoltre ha la possibilita` di interfacciarsi anche con Twitter.

Glastopf scansiona tutte le richieste in cerca di stringhe come “http://” o “ftp://”. Qualora dovessero essere individuate, cerchera` di rispondere in modo da trarre l’attacker in inganno e fargli inviare il resto dell’attacco: ad esempio l’ URL dal quale scaricare un eseguibile.

La home del progetto e`: http://glastopf.1durch0.de

Johannes Ullrich recently posted an article detailing quick and simple traps you can add to a web site or web app to flag up suspicious and malicious activity on the site. Johannes does a better job of explain than I could so I’d recommend a read of his post, but put simply the traps discussed are:

• Don’t hand session credentials to automated clients
• Add fake admin pages to robots.txt
• Add fake cookies
• Add ‘Spider loops’
• Add fake hidden passwords as HTML comments
• Use ‘hidden’ form fields

All of the ideas are relatively simple to implement to a greater or lesser extent. I’ve spend the last week experimenting with some of the proposals and have seen some success so far. If I gain any unusual or interesting results I share my findings in a future post.

– Andrew Waite

P.S. if your not already following the AppSec Street Fighter blog I’d highly recommend it.

Now that the effects of the champagne have worn off, I’ll do my best to remember the highlights of this week’s Melissa Nathan Award ceremony.

The company: my favourite publisher – Lyn of Choc Lit.

The venue: Café de Paris, off Leicester Square. Actually, once we got inside, it could have been anywhere – it was pretty dark! But what we could see was very fetching (as far as I can remember).

The goodie bag, complete with lovely MNA logo: a copy of one of the shortlisted books (fortunately not mine), Love Heart sweets (my favourite in the absence of chocolate) and a few flyers, including the latest Honeypot newsletter (Honeypot received this year’s charity cheque from the Melissa Nathan Foundation) and the Story of Choc Lit (wonder where that came from?).

The judges and shortlisted authors: Lyn and I spoke to them all briefly. Next to some of them - no names, no pack drill – I felt about 150 years old and a size 48! I particularly remember chatting to Joanna Trollope and Gaynor Allen about Newcastle.

The entertainment: Jo Brand – compère – and Paul Hamilton – performance poet – had us in stitches. Then we were treated to a spot of ‘Britain’s Got Talent’ as Sophie Kinsella played piano and her husband Henry sang. A Gershwin song, with lyrics adapted to reflect current political reality, was followed by a rendition of ‘These Foolish Things’. Two lines stood out for me – ‘Miss Emma Woodhouse thinks she’s high and mighty, When all she really wants is Mr Knightley’!

The award: all of us – not just the winner – were presented with a glass trophy inscribed with our name and book title. A very tasteful memento. And congratulations to the winner - Farahad Zama with The Marriage Bureau for Rich People! This has prompted headlines such as ‘Man beats all-female competition’ (guardian.co.uk, 11th June) – when he was actually a very polite, peaceable sort of man!

The catering: the place was awash with champagne and, as Harriet Smith would say in The Importance of Being Emma, ‘canopies’. Of course, it was so dark I didn’t know what I was eating (well, that’s my story), but I remember sampling the teeniest weeniest little burgers in buns. Sign of the credit crunch or this year’s posh nosh?

The irresistible hero: dressed in a white suit, setting female hearts a flutter with his cheeky grin, displaying the poise of someone 20 years older - it had to be 6-year-old Sam Nathan Saffron!

The last to leave (almost): yours truly and most of the Ed Victor Agency - Maggie, Sophie, Rebecca, Edina and (cue voiceover) Amy from Rhode Island!

Da qualche giorno abbiamo configurato i moduli log-irc delle due sonde, DolceFederica e RootMe. Ora e` possibile vedere i log, in realtime, semplicemente entrando nel canale #klaatuproject su FreeNode (calvino.freenode.net), con un client IRC. Io sto usando MacIrssi, mi trovo bene.

Credo che in molti si stiano chiedendo come mai Nepenthes non venga praticamente piu` mantenuto. Beh la risposta si chiama Dionea e sara` il successore di Nepenthes. E` scritto in C e supporta lo scripting in Python. E` parte del Google Summer of Code 2009.

Come per Nepenthes anche Dionea e` il nome di una particolare specie di piante carnivore.

http://dionaea.carnivore.it/

2 NEW SURFids Plugin

[10/06/2009]

by Alberto Fontanella – itsicurezza [at] yahoo [dot] it

• Norman SandBox Plugin v1.0 – DOWNLOAD
  • MD5 HASH: 1cc2ae5faf57097a7b4172d96933ebdd
• Sort By Country Plugin v1.0 – DOWNLOAD
  • MD5 HASH: 5a6af874f2516ca0aa18640fdecacc12

Plugin Info [English]:

• Norman SandBox Plugin v1.0: This plugin allow you to use a simple web procedure to send nepenthes downloaded malware binaries to Norman SandBox, and to fastly check/downloading Norman SandBox report, and allow you to scan with your antivirus all downloaded malware binaries just pressing one button.
• Sort By Country Plugin v1.0: This plugin allow you to sort and show stored attacks by Country and seeing the attacker/attack city.

Plugin Info [Italiano]:

• Norman SandBox Plugin v1.0: Questo plugin ti permette di usare una semplice procedura via web per inviare il malware binario scaricato con nepenthes alla SandBox Norman, e di verificare/scaricare velocemente il report della SandBox Norman. Ti permette anche di eseguire la scansione con i tuoi antivirus di tutti i binari di malware scaricati, premendo semplicemente un bottone.
• Sort By Country Plugin v1.0: Questo plugin ti permette di ordinare e mostrare per Paese gli attacchi memorizzati e di vedere la città dell’attaccante/attacco.

About these plugins:
I think it will be integrated in the next SURFids release.
Penso che saranno integrati nella successiva release di SURFids.

Credits:
Plugins created by Alberto Fontanella – itsicurezza [at] yahoo [dot] it
SURFids project: http://ids.surfnet.nl

Incluir las carpetas que rastrean normalmente los scanners para ver el ataque que intentan:

• /user/soapCaller.bs
• /roundcube/
• /webmail/
• /abc.php
• /pp/anp.php
• /thisdoesnotexistahaha.php
• /cmd.php
• /portal/cacti/cmd.php
• /portal/cmd.php
• /stats/cmd.php

Salve, non eravamo morti, ma semplicemente è passato un po’ di tempo per mettere bene a punto la macchina.
Dato che ad oggi la macchina è attiva da un mese (dal 18 Aprile), cogliamo l’occasione per fornirvi qualche nuova informazione.
Ad oggi sono stati registrati circa 7000 attacchi malevoli possibili ed inoltre sono stati registrati dal nostro sensore 1186 attacchi malevoli (Nepenthes).
I binari scaricati al momento sono circa 200, di cui il 50% sono unici.
La vuln più sfruttata resta sempre la DCOM , mentre ci sono attacchi su vuln come ASN1, NetDDE,  LSASS, IIS e Sasser in % molto minore.
Per quanto riguarda le porte con maggiore attività registriamo che gli attacchi sono in prevalenza sulla 445 e 135.
Pubblichiamo a corredo di questo articolo la solita mappa con la provenienza degli attacchi e la top 20 dei nomi dei binari.

Since it’s part two of the story, I’ll share two examples of ineffective sales strategy.

And even though I say “sales” in these cases, if you take a good, long look it’s clearly marketing that shares the blame. As a marketer, you have to align with and win over the sales team, and implement a holistic strategy that gives the customer consistency and value all the way through the value chain. If you don’t then you’re not doing your job. And making your job harder at the same time — because crappy sales contact leads to customers who don’t respond or come back in the future.

Example one is from a company in the meeting business. I get an email out of the blue from someone I don’t know — which in itself isn’t terrible, although we all know that the From Line is the most important factor in email open rates. We won’t even red flag this. However, the subject line of the email was “(E-mail Subject)“. Literally, that was it, character for character. Tells me this is a broadcast email gone wrong. That’s red flag #1.

Red flag #2, as you see in the graphic above, is that the company’s logo doesn’t appear correctly. So not only does it push down the message in the email, it takes away from the brand and the message because it’s cut off. Again, this is a broadcast email done terribly — or a horrible cut and past job by the sales person who sent it. Lastly, red flag # 3 is the damn message is all about the company, nothing about the customer. No questions about my need for such services, no inquiries about my goals and problems, no facts about my industry. No dialogue.

I’ll actually throw in one more red flag too — when I asked how this person got my email, her response made it clear that it was harvested off of a website where it appeared. Now, that’s fine if you send me a personal email — but if you’re harvesting to broadcast, you’re setting yourself up for some very unfortunate consequences if you hit a honeypot and an ISP blacklists you. Did you know there are more than 43 million email addresses being monitored as spam honeypots?

Example two is from a genious operation (sarcasm) called InsuranceAgents.com. Same old story: unexpected email from sales rep, message that’s irrelevant to my business because they know nothing about me, terrible email copy and message. Well, all that and the fact that the email did not provide an opt-out mechanism. So now we’ve moved from just terrible judgement to actually violating the CAN-SPAM law. However, this person was actually — and sadly — all too honest when I asked how he got my email address. His reply was “One of my web spiders picked it up I guess.” Are you kidding me? Then after I informed him what a horrible practice this is and that not providing an opt-out for commercial email is illegal, he say “Thanks for the heads-up. Didn’t realize it was illegal.”

Now, this person is either a really clueless sales rep, or it’s a strong example of why you need to provide your sales team with training and messaging with which they can engage customers. Clearly these examples show that if they lack clarity and guidance on how to make the customer experience value-laden from the first point of contact, they will create an environment that’s actually counter-productive to things that customers value and that makes it harder for marketing to do its job. And while email is the most popular channel for these kind of abuses, it can also extend to telemarketing, direct mail and social media channels like Twitter.

So charge ahead right now and make sure your sales team isn’t engaging customers in any was similar to what’s mentioned above.