Posts

Stay classy, Microsoft

Someone more cynical than myself might think that Microsoft's sudden 66% decrease of OneDrive storage space is a bait & switch: give away the space for free until users become dependent, then take it away, threaten to delete it, forcing those who have become accustomed to the free service to pony up and pay.

Media, "Experts", too quick to assign responsibility for DNC hacks

I'd like to tell you a story. It's a story that doesn't particularly make me look very good. It was at a point in my career where I still had a lot to learn, and like many young people I thought I was smarter than I was. But it's a true story and there is an important point to it, so I'm telling it here even at the risk of looking a bit like a schmuck. To tell the story, we have to go back in time. The year was 2006. There were still movies in the theaters that didn't have a single comic book character in them. George W. Bush was still best known for destroying the Middle East and not for his adorable stick-figure self-portraits. No one who worked outside of telecommunications or who didn't wallpaper their house in aluminum foil believed that the NSA was wiretapping everyone and everything. And I had just received a promotion. I was working within the primary data center of an internet service provider. The company I was working for had a tiered engineering

Reporters never open infected Wikileaks attachments

Since I published my findings on malware in the GI Files Wikileaks file dumps and my subsequent attempts to encourage Wikileaks to label such malicious content, I've repeatedly been told by a variety of "Security Experts®" that no one will open infected attachments from email file dumps. I plan on writing a post on how assumptions about user behavior are frequently inaccurate, and how predicting the behavior of Wikileaks researchers analyzing email dumps from the typical behavior of normal email users is particularly prone to failure, but for now I'll just leave this here: Has anybody's InfoSec experts advised abt wisdom of opening WikiLeaks sound files? Are we all just downloading Russian malware like morons? — David Fahrenthold (@Fahrenthold) July 28, 2016

524.dat & chrome_patch.hta [UPDATED]

A few minutes ago I clicked a link to an article and I noticed something fishy. The new site attempted to automatically redirect my browser to this: This piece of garbage phishing page didn't even wait for me to be suckered by their super-convincing download link, and used a setTimeout() call to try to force my browser to download something called `9901224839027/1469890408944162/chrome_patch.hta`. Here is chrome_patch.hta as it is seen in the wild: And here is chrome_patch.hta after we apply deobfuscation 101: As you can see, chrome_patch.hta downloads a .dat file `17/524.dat` and creates an executable `g2924808f66985de3a9ad1e3d743e0d.exe` before providing victims with a reassuring "Update completed" window. I've been seeing similar versions of this same method to force users to swallow the 524.dat payload, like this: I've found some complaints as far back as a month ago. I'm going to try to get my hands

Fox News asked for my take on the DNC email dump

I was interviewed yesterday by Fox News science correspondent James Rogers. I was asked for my input on the distribution by Wikileaks of emails leaked from a Democratic National Committee email server earlier this month. The entire article, which includes quotes from a variety of infosec professionals, is now available here. If anyone is interested I might post my complete conversation with Rogers, where I talk in more detail about how the unlabeled distribution of email attachments from compromised email servers poses unique dangers to journalists, activists and researchers whose job involves reviewing each of those attachments. This article represents the most attention paid by US media to the significant dangers posed to Wikileaks users by the insecure review methodology in place prior to distribution of these files. Although major newspapers in Europe and the UK published my findings on malware within the GI Files, no major news outlets in the United States published those fin

Google labels wikileaks.org a dangerous website

Five days ago someone on Hacker News pointed out that Google's Safe Browsing system labeled Wikileaks.org a "dangerous site". At some point the Google warning was rescinded; however, Google continues to (accurately) point out that pages within Wikileaks.org will "install malware on visitors' computers". I've been contacted by many companies over the years who have discovered their web server was compromised after receiving a warning from Google's Safe Browsing system. What I have never seen before is Google labeling a website safe while that website continues to host malware. Has anyone else seen this before? Can anyone at Google confirm this was algorithmically determined behavior and not manual intervention on the part of Google? What possible justification could there be for labeling a website safe that hosts malware? When I first found malware in content hosted by Wikileaks last year, one of the most frequent negative responses I receiv

Kat.cr criminal complaint shows a connection with Silk Road case in HSI agent Jared Der-Yeghiayan

Until the site went offline some 35 hours ago, torrent distribution site Kickass Torrents was widely believed to be the most popular torrent site on the internet, having surpassed the long-troubled Pirate Bay in traffic years ago. Kickass Torrents was taken offline after the arrest of Ukrainian Artem Vaulin in Poland, whom law enforcement are accusing of using the site to profit from copyright infringement. Copies of a US Federal criminal complaint brought against Vaulin in the Northern District of Illinois reveal an interesting connection with another incredibly controversial investigation: the case brought against Ross Ulbricht for the now-famous Silk Road website. The connection between the Kickass Torrents investigation and the Silk Road investigation comes in the form of a single individual: Homeland Security Investigator Jared Der-Yeghiayan. The Kickass Torrents criminal complaint is entirely based on a sworn affidavit provided by Der-Yeg