Irregular Expressions

February 26, 2013  10:44 PM

CERT Poland Report

Dan O'Connor

CERT.PL took over a botnet involved with fake AV and published what they found, including connection counts and locations.

I have to admit that I am surprised by the counts for this network. Check out pages 15, 16 and 18.

February 26, 2013  10:32 PM

TPB Has Set Sail

Not into the sunset, but to Spain and Norway. I don't think that continually throwing resources at TPB is the best way to go about this. Not that the war on drugs is doing any better, but I will use it as an analogy.

TPB is just the dealer, along with the trackers. The trackers used to be a viable target, but over time the reliance on them has dwindled. Now what do you target? I think it would have to be the uploaders. Even saying that, I do not think it will stop anything; people will continue to share until the culture changes.

February 26, 2013  10:22 PM

Nintendo Unhappy With Piracy

I can understand that they would be, but I still think the whole Special 301 Report is sketchy. To me that is an awful lot of power given to corporations: letting the private sector dictate trade relations with countries.

This really makes the point, I think:
Nintendo wants Mexico, China, Brazil and Spain to be listed on the Government’s copyright watch list this year, and recommends specific actions to be taken in each of the countries. The game company picked these countries because of their high prevalence of game piracy, and the lack of enforcement.

The private company, not the government, is the one recommending actions.

February 26, 2013  10:11 PM

Recent Corporate Attacks

If you missed it, there were a bunch of announcements in the last couple of weeks. By the sound of it the attacks were targeting software developers; I doubt that any of the companies were targeted directly, but the attackers may have done a bit of research and known that developers from these companies frequent these sites.

Here they are in no order.



And a very brief one from MS.

February 26, 2013  10:01 PM

Mega updates

Kim Dotcom has been back in the news again; he also released some stats on how Mega is going.

So far they have 3 million registered users, who have shared a total of 125 million files in the first month of operation. He was quoted as saying that it took Dropbox two years to do that.

You can read it here.

The main reason I wanted to bring this up is that Mega is getting into the email business, fully encrypted end to end. I like the sound of that.

February 25, 2013  11:59 PM

Iranian scans

Checking out the Internet Storm Center, there was a post about increased activity coming from Iran. Check out the post and see if you have seen an increase too on DShield.
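One way to check your own sensor data for the kind of increase the ISC post describes is to aggregate firewall hits by source prefix over two windows and flag prefixes whose volume jumped. The following is an added example, not code from the blog post, the ISC or DShield: the log lines are constructed, their DShield-like field order (date, time, timezone, user id, count, source IP, source port, target IP, target port, protocol, flags) is an assumption for the example, and the /24 aggregation and spike thresholds are arbitrary choices to adapt to your own data.

```python
import ipaddress
from collections import Counter

# Constructed firewall log lines in a DShield-like space-separated layout:
# date time tz userid count src_ip src_port dst_ip dst_port proto flags.
# The field order is an assumption for this example; adapt it to your sensor.
BASELINE_LOG = """\
2013-02-18 10:01:02 -05:00 1001 1 198.51.100.7 51234 192.0.2.10 22 TCP S
2013-02-18 10:05:09 -05:00 1001 1 198.51.100.9 40001 192.0.2.10 22 TCP S
2013-02-18 11:17:44 -05:00 1001 1 203.0.113.44 33010 192.0.2.10 445 TCP S
2013-02-18 12:02:31 -05:00 1001 2 203.0.113.45 33011 192.0.2.10 445 TCP S
"""

CURRENT_LOG = """\
2013-02-25 10:00:12 -05:00 1001 3 198.51.100.7 51234 192.0.2.10 22 TCP S
2013-02-25 10:00:13 -05:00 1001 4 198.51.100.21 51300 192.0.2.10 22 TCP S
2013-02-25 10:01:40 -05:00 1001 1 198.51.100.88 51301 192.0.2.10 23 TCP S
2013-02-25 10:30:55 -05:00 1001 1 203.0.113.44 33010 192.0.2.10 445 TCP S
2013-02-25 11:02:07 -05:00 1001 5 192.0.2.99 60001 192.0.2.10 3389 TCP S
2013-02-25 11:02:08 -05:00 1001 1 192.0.2.100 60002 192.0.2.10 3389 TCP S
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str):
    """Return (source_ip, count) for one log line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 11:
        return None
    try:
        return ipaddress.ip_address(fields[5]), int(fields[4])
    except ValueError:
        return None


def hits_by_prefix(lines, prefixlen: int = 24) -> Counter:
    """Sum the per-line hit counts into buckets keyed by source network prefix."""
    counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, count = parsed
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counter[str(net)] += count
    return counter


def spikes(baseline_lines, current_lines, prefixlen: int = 24,
           ratio: float = 3.0, min_hits: int = 5) -> dict:
    """Prefixes whose current volume is at least `ratio` times the baseline
    (a never-seen prefix is compared against 1) and at least `min_hits`.
    Returns {prefix: (baseline_hits, current_hits)}."""
    base = hits_by_prefix(baseline_lines, prefixlen)
    cur = hits_by_prefix(current_lines, prefixlen)
    flagged = {}
    for net, n in cur.items():
        b = base.get(net, 0)
        if n >= min_hits and n >= ratio * max(b, 1):
            flagged[net] = (b, n)
    return flagged


if __name__ == "__main__":
    for net, (before, after) in spikes(BASELINE_LOG.splitlines(),
                                       CURRENT_LOG.splitlines()).items():
        print(f"{net}: {before} -> {after} hits")
```

Mapping the flagged prefixes to a country or ASN is the step this example leaves out; that needs a GeoIP or routing database, and it is where "increase from Iran" becomes something you can actually confirm rather than eyeball.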

February 22, 2013  1:23 AM

Unit 61398 – Part 6

I don't want this to seem entirely one-sided. It would not be fair to think China is not under constant attack themselves. The attacks in this case would not be looking for industrial information; I think the target would be more administrative information and state planning, such as strategies regarding Taiwan or the disputed islands.

I would guess these would be variants of the Flame malware.

For the foreseeable future I do not see any of this changing. Both countries will continue to go back and forth, and I cannot see the US imposing trade restrictions. I think there is a slight chance that it will slow down, but only in an effort to make this less public.

February 20, 2013  10:56 PM

Unit 61398 – Part 5

Now, today, the response from the US Government. I was not sure what to expect in a response, or if there was even going to be one. Up until now silence has been the go-to strategy.
At one point I remember reading that the Pentagon's plan was to respond to cyber attacks as if they were kinetic. How do you classify these breaches against US companies? Does espionage cross the red line?

I think the US response is well measured. I don't know if it will have any effect on the attacks, or if they will stick to the "it is not us" line.

I found a little more information regarding Unit 61398 from the CBC. The last part, about the usage of Facebook and Twitter, is what really caught my eye.

Revealing tweets: And what helped Mandiant track down the source of hacking into more than 140 companies and organizations from the U.S. and elsewhere? Facebook and Twitter.

China’s “Great Firewall” of internet filtering blocks those U.S.-based social networks, but Unit 61398 operators got around that by accessing them directly from the unit’s system. Mandiant was able to see that Facebook and Twitter accounts were being accessed from internet protocol addresses connected to the unit. It’s not clear whether those accounts aided in hacking or were simply for the hackers’ personal use.

“These actors have made poor operational security choices, facilitating our research and allowing us to track their activities,” the report says.

February 20, 2013  10:22 PM

Unit 61398 – Part 4

There have been what I would call official responses to the Mandiant report from both sides of the Pacific.

First, if you did not notice, the US Government was silent on the day the report was released, and I cannot say that was unexpected. Next, here is a story on the response from the other side of the ocean. I am just going to quote a section of the story that sticks out to me.

The Chinese ministry statement, posted on its website, said that many hacking attacks were carried out using hijacked IP addresses.

There was no clear definition of what constituted a hacking attack, it went on, and as it was a cross-border, deceptive business, it was hard to pin down where attacks originated.

It suggested that the “everyday gathering” of online information was being wrongly characterized as spying.

To me that is them saying that the IP addresses involved, the ones people are pretty sure belong to Unit 61398, were hijacked to make it look like they did it. And even if they were not, it is not like they were doing anything that bad, just normal information gathering. I need to read the original, but I am not sure how to take those comments.

February 20, 2013  10:01 PM

Unit 61398 – Part 3

If you are able to use YARA rules, you can get an APT1-specific set here. The posting has instructions on how you can leverage them.
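To make concrete what a rule set like that does when you run it over files, here is an added example of a small YARA-subset evaluator in Python. It is not code from the blog post, from Mandiant or from the APT1 rule set; the rule it carries is constructed for the example and its indicator strings are hypothetical, not APT1 indicators. The supported subset is the part of the syntax most string-based indicator rules use: quoted text strings (optionally `nocase`), `{ ... }` hex patterns with `??` wildcards, and `any of them` / `all of them` / `N of them` conditions. In practice you would run the real rules with the `yara` tool or the `yara-python` bindings; this evaluator only shows the mechanics.

```python
import re

# Constructed rule in YARA syntax. Hypothetical indicators, NOT from the
# APT1 rule set; they exist only to exercise the evaluator below.
SAMPLE_RULE = r'''
rule Example_Backdoor_Strings
{
    meta:
        description = "constructed example, not a real APT1 rule"
    strings:
        $s1 = "WEBC2" nocase
        $s2 = "/index.asp?id="
        $h1 = { 4D 5A 90 00 ?? ?? ?? ?? 04 00 }
    condition:
        2 of them
}
'''

# One string definition: $name = "text" [nocase]   or   $name = { hex bytes }
_STRING_LINE = re.compile(
    r'^\s*(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"(\s+nocase)?|\{([^}]*)\})\s*$'
)
_ESCAPES = {'n': b'\n', 't': b'\t', '"': b'"', '\\': b'\\'}


def _unescape(text: str) -> bytes:
    """Decode YARA text-string escapes (\\n, \\t, \\", \\\\, \\xNN) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != '\\':
            out += text[i].encode('latin-1')
            i += 1
        elif text[i + 1] == 'x':
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out += _ESCAPES[text[i + 1]]
            i += 2
    return bytes(out)


def _hex_to_regex(pattern: str) -> bytes:
    """Turn '4D 5A ?? 00' into a bytes regex; '??' becomes a single wildcard byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)])))
    return b''.join(parts)


def parse_rule(text: str) -> dict:
    """Parse the supported YARA subset into {name, strings, required}."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    strings_block = re.search(r'strings:(.*?)condition:', text, re.S).group(1)
    condition = re.search(r'condition:\s*(.*?)\s*\}', text, re.S).group(1).strip()

    strings = []
    for line in strings_block.splitlines():
        if not line.strip():
            continue
        m = _STRING_LINE.match(line)
        if not m:
            raise ValueError(f'unsupported string definition: {line.strip()}')
        ident, txt, nocase, hexpat = m.groups()
        if hexpat is not None:
            rx = re.compile(_hex_to_regex(hexpat), re.S)   # wildcard matches any byte
        else:
            rx = re.compile(re.escape(_unescape(txt)), re.I if nocase else 0)
        strings.append((ident, rx))

    total = len(strings)
    if condition == 'any of them':
        required = 1
    elif condition == 'all of them':
        required = total
    else:
        m = re.fullmatch(r'(\d+)\s+of\s+them', condition)
        if not m:
            raise ValueError(f'unsupported condition: {condition}')
        required = int(m.group(1))
    return {'name': name, 'strings': strings, 'required': required}


def scan(rule_text: str, data: bytes) -> dict:
    """Evaluate one rule against a buffer; report matched identifiers and the verdict."""
    rule = parse_rule(rule_text)
    matched = [ident for ident, rx in rule['strings'] if rx.search(data)]
    return {'rule': rule['name'], 'matched': matched,
            'hit': len(matched) >= rule['required']}


# Constructed sample buffers (not real malware): a fake MZ header followed by
# beacon-like text, and a benign file that only shares the header bytes.
SUSPICIOUS = (b'MZ\x90\x00\x03\x00\x00\x00\x04\x00' + b'\x00' * 8
              + b'WebC2 beacon GET /index.asp?id=42')
BENIGN = b'MZ\x90\x00\x03\x00\x00\x00\x04\x00hello world'

if __name__ == '__main__':
    for label, buf in (('suspicious', SUSPICIOUS), ('benign', BENIGN)):
        print(label, scan(SAMPLE_RULE, buf))
```

The benign buffer shows why the `N of them` threshold matters: the hex pattern alone is just a generic executable header and matches everything, so a rule that fired on it by itself would be noise. The count-based condition is what turns loosely specific strings into a usable indicator.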

Now back to the video.

They do point it out during the video, but if you look around 1:20 you can see the alert at the top from Gmail that someone has logged in to the account from a Chinese IP. This part does not feel right to me. I wonder if it is carelessness, not caring, or something else going on.
With everything this account is used for, why would you log in to it from your own IP address? I just don't know why in the world you would set up an account like this and then log in to it from home. I almost think it was an accident by the attacker.
