30 April 2011

[NFPC] Puzzle #1: Ann’s Bad AIM

Problem statement
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious – until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

Task:
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?
Here is your evidence file:
http://philosecurity.org/558/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Email submissions to contest@philosecurity.org. Deadline is 9/10/09. Good luck!! 
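A scripted approach to the evidence-handling part of the puzzle (questions 3 to 5: the transferred file, its magic number and its MD5), as an added example that is not part of the contest or of any published solution: it reads a classic pcap, reassembles each TCP stream by sequence number, carves files by magic number and hashes them. The capture it runs on is constructed inline; the hosts, ports and the small PDF are assumptions, not data from evidence.pcap.

```python
import hashlib
import struct
from collections import defaultdict

# Signatures the carver looks for inside reassembled streams (constructed table).
MAGICS = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls)",
    b"GIF8": "gif",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:      # DLT_EN10MB only
        raise ValueError("unsupported link type")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    total_len = struct.unpack(">H", frame[16:18])[0]
    ip = frame[14:14 + total_len]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack(">HHI", tcp[:8])
    return ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble(pcap_bytes):
    """Rebuild each unidirectional TCP stream: order segments by sequence number and
    trim overlaps from retransmissions. Returns {(src, sport, dst, dport): bytes}."""
    segments = defaultdict(list)
    for frame in iter_pcap_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            segments[seg[:4]].append((seg[4], seg[5]))
    streams = {}
    for flow, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        out, next_seq = bytearray(), segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= next_seq:
                continue                            # pure retransmission, already have it
            if seq < next_seq:
                payload = payload[next_seq - seq:]  # partial overlap: keep the new tail
            out += payload
            next_seq = end
        streams[flow] = bytes(out)
    return streams


def carve(streams):
    """Locate known magic numbers in each stream and hash from the signature to the
    end of the stream (the simplest cut when no protocol parsing delimits the file)."""
    hits = []
    for flow, data in streams.items():
        for magic, kind in MAGICS.items():
            off = data.find(magic)
            while off != -1:
                hits.append({"flow": flow, "offset": off, "kind": kind,
                             "magic": data[off:off + 4].hex(), "md5": md5_hex(data[off:])})
                off = data.find(magic, off + 1)
    return hits


def build_sample_pcap():
    """Constructed capture: 192.168.1.158 sends a small PDF to 192.168.1.159 with one
    segment delivered out of order and one retransmitted. Not evidence.pcap."""
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    stream = b"hello from ann\n" + pdf
    chunks = [(1000 + i, stream[i:i + 20]) for i in range(0, len(stream), 20)]
    chunks[0], chunks[1] = chunks[1], chunks[0]           # out-of-order delivery
    chunks.append(chunks[2])                              # duplicate (retransmission)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq, payload in chunks:
        tcp = struct.pack(">HHIIBBHHH", 50123, 5190, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 158]), bytes([192, 168, 1, 159])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out, pdf


if __name__ == "__main__":
    import sys
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()[0]
    for hit in carve(reassemble(capture)):
        print(hit)
```

Hashing to the end of the stream is only exact when the file is the last thing sent on that flow; for a real transfer you would cut at the length the file-transfer protocol announces.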

Arriving late is an advantage too :))

Becoming a computer crime investigator

This post will collect the series of articles, based on the series at http://forensicscontest.com
1. Puzzle #1: Ann’s Bad AIM

[Skill] Network Forensics Puzzle Contest

I stumbled across http://forensicscontest.com, which has a very interesting Puzzle section.
This series was first "unveiled" on 25/9/2009. We are latecomers, but that's fine: follow along and read it again to build up our skills.
Bringing it over to this blogspot, I am reposting it under a new title: "Becoming a computer crime investigator" :)). Hopefully it will help future investigators, and future computer criminals, to Understand and to Defend :))

29 April 2011

[Avast] Another nasty trick in malicious PDF


A new method of producing malicious PDF files has been discovered by the avast! Virus Lab team. The new method is more than a specific, patchable vulnerability; it is a trick that enables the makers of malicious PDF files to slide them past almost all AV scanners.
Overall, PDF specifications allow many different filters (such as ASCII85Decode, RunLengthDecode, ASCIIHexDecode, FlateDecode, …) to be used on raw data. In addition, there is no limit on the number of the filters used for a single data entry. Anyone can create valid PDF files where the data uses, for example, five different filters or five layers of the same filter. All of these features are based on extremely liberal specifications, a fact which allows bad guys to utilize malicious files in a way that does not allow antivirus scanners access to the real payload.
The new trick is based just on one filter, so it doesn’t sound exciting, does it? So what’s the reason for posting this blog post?
The filter used to encode the text data is meant to be used only for black and white images. And apart from avast!, probably no other AV scanner is currently able to decode the payload, because no other AV can detect those PDF files.

This story began when we found a new, previously unseen, PDF file a month ago. It wasn’t detected by us or by any other AV company. But its originating URL address was quite suspicious and soon we confirmed the exploitation and system infection caused by just opening this document. But our parser was unable to get any suitable content that we could define as malicious. There wasn’t any javascript stream, just the single XFA array shown in the next image.

XFA form definition
XFA forms usually contain a malicious TIFF image that exploits the well-known CVE-2010-0188 vulnerability. We were interested in the objects referenced by the XFA array. As you can see, there were just two references:
  • template – object 201
  • dataset – object 301

The dataset object was easy for our scanner to decode, as it uses one extremely common filter, FlateDecode. The data decoded from the stream wasn’t suspicious anyway, just some data encoded with the base64 algorithm (as shown in the next image). The main payload therefore had to be hidden in the first reference, the template object.

dataset - decoded data
Unfortunately, our scanner wasn’t able to decode this content. So what was wrong? Why were other AV engines also unable to detect such an exploit? The answer to those questions is shown in the next image.

template object definition
The image above is the object stream definition. It says that the object is 3125 bytes long and that we must use 2 filters to decode the original data: FlateDecode as the first layer and JBIG2Decode as the second layer. But why JBIG2Decode? That’s a pure image encoding algorithm, isn’t it? Correct, and the following text is what Adobe says about it in the PDF documentation (Part 3.3.6, page 80):

The JBIG2Decode filter (PDF 1.4) decodes monochrome (1 bit per pixel) image data that has been encoded using JBIG2 encoding. JBIG stands for the Joint Bi-Level Image Experts Group, a group within the International Organization for Standardization (ISO) that developed the format. JBIG2 is the second version of a standard originally released as JBIG1.

JBIG2 encoding, which provides for both lossy and lossless compression, is useful only for monochrome images, not for color images, grayscale images, or general data. The algorithms used by the encoder, and the details of the format, are not described here. A working draft of the JBIG2 specification can be found through the Web site for the JBIG and JPEG (Joint Photographic Experts Group) committees at < http://www.jpeg.org >.
And the following text is taken from the same specification (Part 4.8.6, page 353):
Also note that JBIG2Decode and JPXDecode are not listed in Table 4.44 because those filters can be applied only to image XObjects.
That’s another surprise from PDF, another surprise from Adobe, of course. Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want? And that’s the reason why our scanner wasn’t successful in decoding the original content: we hadn’t expected such behavior. To be fair, any data (text or binary) can be declared as a monochrome two-dimensional image, which is why the JBIG2 algorithm works here.
We guessed that the image would probably have its first dimension set to 1 pixel and the second set to a much higher number of pixels. That’s the easiest way to declare non-image data as a monochrome picture. The following picture shows the data after the FlateDecode filter has been applied, so it’s actually a JBIG2 stream (the PDF embedded form of JBIG2, as the file header is missing here).

Data representing JBIG2 stream (after initial FlateDecode filter)

The two coloured 32-bit numbers in the picture above represent the image dimensions. You can see that our guesses were right. The image is 25056 (red: 0x000061E0) pixels wide and just 1 pixel (yellow: 0x00000001) high. Remember that the image is monochrome, so 1 pixel = 1 bit. To get the size of the decoded data in bytes, we divide the width by 8 and get 3132 bytes. The following image shows the real content after the two decoding procedures.

Decoded content of the template object
The content is the well-known CVE-2010-0188 exploit. The bad guys are building a specially-crafted TIFF file (see the underlined text in the image; that’s a TIFF header encoded with the base64 algorithm) which exploits Adobe Reader. The vulnerability is patched in current versions; only old versions are affected.
We released the PDF:ContEx [Susp] detection immediately after this discovery. We have been monitoring this new trick for over a month now and have added this decoding algorithm to our PDF engine. Based on the information from the avast! Virus Lab logs, this new trick is currently used in only a very small number of attacks (in comparison to other attacks), and that is probably the reason why no one else is able to detect it. However, we have also seen this nasty trick being used in targeted attacks.
Here are the links to VirusTotal showing the detection score:
In addition, we have found another 10 malicious PDF files based on the JBIG2Decode trick. All of them were actually detected using our heuristic detection JS:Pdfka-gen even if we did not actually decode the JBIG2 streams. In these cases, different objects (objects without a JBIG2Decode filter) have been marked as malicious parts. In summary, we can say that bad guys are using this trick to hide any possible object they want to be hidden (XFA forms, JS, TTF).
The following image shows an object which is encoded using the JBIG2Decode filter, but this time the object contains specially crafted font (TTF) file which exploits CVE-2010-2883 vulnerability.

TTF font hidden under JBIG2 stream
The image above contains only two objects (the source PDF contains many more). Object 12 (line 91 in the image) contains the encoded data. After we decoded the content using all three filters (JBIG2Decode, ASCIIHexDecode, and FlateDecode) we got the malicious font file. But this object defined only the raw data; there had to be another object that defined the font itself, and that’s the second object shown in the image, object 20 (line 162). This is the FontDescriptor, which is used to specify the metrics and other parameters of custom embedded fonts. In this case, the last parameter is the key to the malicious font file: /FontFile2 12 0 R, a reference to the previously defined object.
Here is the link to VirusTotal showing the detection score:
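
A scanner for the trick described above, as an added example that is not avast!'s code: it finds streams whose filter chain includes JBIG2Decode but which are not image XObjects (the XFA template and the FontFile2 cases), strips the FlateDecode or ASCIIHexDecode layer stacked above it, and reads width and height from the embedded JBIG2 page information segment to compute the decoded size (25056 x 1 px gives 3132 bytes). The PDF it scans is constructed inline; the object numbers and the regex-based object scanner are assumptions, not the article's samples.

```python
import re
import struct
import zlib

# Minimal object scanner, not a full PDF parser: indirect objects that own a stream.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
JBIG2_PAGE_INFO = 48            # segment type of the page information segment

def filter_chain(dictionary):
    """Filter names of a stream, in the order they are applied when decoding."""
    m = FILTER_RE.search(dictionary)
    return re.findall(rb"/([A-Za-z0-9]+)", m.group(1)) if m else []

def strip_layers_before_jbig2(data, filters):
    """Undo the layers stacked on top of JBIG2Decode (FlateDecode in the article,
    ASCIIHexDecode in the font sample). Returns None if a layer is unsupported."""
    for name in filters:
        if name == b"JBIG2Decode":
            return data
        if name == b"FlateDecode":
            data = zlib.decompress(data)
        elif name == b"ASCIIHexDecode":
            data = bytes.fromhex(re.sub(rb"[\s>]", b"", data).decode("ascii"))
        else:
            return None
    return data

def jbig2_page_size(data):
    """Walk the segment headers of an embedded JBIG2 stream (PDF omits the file
    header) and return (width, height) from the first page information segment."""
    pos = 0
    try:
        while pos + 11 <= len(data):
            seg_num, flags = struct.unpack_from(">IB", data, pos)
            pos += 5
            count = data[pos] >> 5                      # referred-to segment count
            if count == 7:                              # long form: 29-bit count + retain bits
                count = struct.unpack_from(">I", data, pos)[0] & 0x1FFFFFFF
                pos += 4 + (count + 8) // 8
            else:
                pos += 1
            pos += count * (1 if seg_num <= 256 else 2 if seg_num <= 65536 else 4)
            pos += 4 if flags & 0x40 else 1             # page association field size
            length = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            if (flags & 0x3F) == JBIG2_PAGE_INFO and length >= 8:
                return struct.unpack_from(">II", data, pos)
            if length == 0xFFFFFFFF:                    # unknown length: stop walking
                return None
            pos += length
    except struct.error:
        pass
    return None

def scan(pdf_bytes):
    """Flag streams that use JBIG2Decode although they are not image XObjects and
    report the bitmap size the JBIG2 header declares (a 1-pixel-high strip)."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        num, dictionary, stream = int(m.group(1)), m.group(3), m.group(4)
        filters = filter_chain(dictionary)
        if b"JBIG2Decode" not in filters:
            continue
        is_image = re.search(rb"/Subtype\s*/Image", dictionary) is not None
        inner = strip_layers_before_jbig2(stream, filters)
        size = jbig2_page_size(inner) if inner is not None else None
        findings.append({
            "obj": num, "filters": [f.decode() for f in filters], "is_image": is_image,
            "size": size, "decoded_bytes": (size[0] * size[1] + 7) // 8 if size else None,
            "suspicious": (not is_image) or (size is not None and size[1] == 1),
        })
    return findings

def jbig2_page_info_segment(width, height):
    """Constructed embedded JBIG2 stream with one page information segment: number 0,
    type 48, 1-byte page association, no referred-to segments, page 1, 19-byte body."""
    body = struct.pack(">IIIIBH", width, height, 0, 0, 0, 0)
    return struct.pack(">IBBBI", 0, JBIG2_PAGE_INFO, 0, 1, len(body)) + body

def build_sample_pdf():
    """Constructed fragment modelled on the article: object 201 hides data as a 25056x1
    bitmap behind FlateDecode + JBIG2Decode; object 5 is a genuine image for contrast."""
    def obj(num, dictionary, data):
        return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, dictionary, len(data))
                + data + b"\nendstream\nendobj\n")
    hidden = zlib.compress(jbig2_page_info_segment(25056, 1))
    image = zlib.compress(jbig2_page_info_segment(64, 64))
    return (b"%PDF-1.4\n"
            + obj(5, b"/Type /XObject /Subtype /Image /Width 64 /Height 64 "
                     b"/Filter [/FlateDecode /JBIG2Decode]", image)
            + obj(201, b"/Filter [/FlateDecode /JBIG2Decode]", hidden)
            + b"%%EOF\n")
```

Real files need a proper object parser (object streams, nested dictionaries, indirect /Length values); the rule itself, JBIG2Decode anywhere outside an image XObject, is what carries over.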

I’m not happy to see another trick based on a glitch in the PDF specification. What should we expect to happen next?
For more goodies, come attend our talk in Prague at the CARO 2011 Workshop. (link)

Source: https://blog.avast.com/2011/04/22/another-nasty-trick-in-malicious-pdf/

[IC3] The Dangerous Side of Online Romance Scams


The IC3 is warning the public to be wary of romance scams in which scammers target individuals who search for companionship or romance online. Someone you know may be "dating" someone online who may appear to be decent and honest. However, be forewarned: the online contact could be a criminal sitting in a cyber café with a well-rehearsed script that scammers have used repeatedly and successfully. Scammers search chat rooms, dating sites, and social networking sites looking for victims. The principal group of victims is over 40 years old and divorced, widowed, elderly, or disabled, but all demographics are at risk.
Scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their "undying love." These criminals also use stories of severe life circumstances, tragedies, deaths in the family, injuries to themselves, or other hardships to keep their victims concerned and involved in their schemes. Scammers also ask victims to send money to help overcome a financial situation they claim to be experiencing. These are all lies intended to take money from unsuspecting victims.
In another scheme, scammers ask victims to receive funds in the form of a cashier's check, money order, or wire transfer, claiming they are out of the country and unable to cash the instruments or receive the funds directly. The scammers ask victims to redirect the funds to them or to an associate to whom they purportedly owe money. In a similar scheme, scammers ask victims to reship packages instead of redirecting funds. In these examples, victims risk losing money and may incur other expenses, such as bank fees and penalties, and in some instances face prosecution.
Victims who have agreed to meet in person with an online love interest have been reported missing, or injured, or in one instance, deceased. IC3 complainants most often report the countries of Nigeria, Ghana, England, and Canada as the location of the scammers. If you are planning to meet someone in person that you have met online, the IC3 recommends using caution, especially if you plan to travel to a foreign country, and, at the very least:
• Do not travel alone.
• Read all travel advisories associated with the countries you will visit. Travel advisories are available at http://travel.state.gov/.
• Contact the United States Embassy in the country you plan to visit.

Even though it seems to be contrary to the thought of starting a new romance, do not be afraid to check a new acquaintance's story online. Remember, like most fraudulent schemes, scammers use whatever personal information you provide to quickly paint themselves as your perfect match. If your new friend’s story is repeated through numerous complaints and articles on the Internet, it is time to apply common sense over your feelings. To obtain more information on romance scams and other types of online schemes, visit www.LooksTooGoodToBeTrue.com. Anyone who believes they have been a victim of this type of scam should promptly report it to the IC3's website at www.IC3.gov.

Source: IC3

[RAT] Tools for computer crime investigation

1. WinPcap http://www.winpcap.org/install/bin/WinPcap_4_1_2.exe
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.
WinPcap is an open-source library for packet capture and network analysis on the Win32 platform. WinPcap supports the following functions:

• Capture raw packets, both those sent or received by the machine it runs on and those exchanged by other machines on a shared medium.

• Filter packets according to user-specified rules before they are passed to the application

• Transmit raw packets to the network

• Gather statistical information on network traffic

This set of features is available once WinPcap is installed as a device driver, which sits inside the networking part of the Win32 kernel, together with a pair of DLLs.
2. WireShark http://wiresharkdownloads.riverbed.com/wireshark/win32/wireshark-win32-1.4.6.exe
Wireshark has a long history. Gerald Combs was the first to develop this software. The first version, called Ethereal, was released in 1998. Eight years after that first version, Combs left his job to pursue another career opportunity. Unfortunately, at that time he could not reach an agreement with the company that had employed him about the rights to the Ethereal trademark. Instead, Combs and the rest of the development team built a new brand for the "Ethereal" product in 2006; the project was named Wireshark.
- Wireshark has grown strongly, and the development team has by now reached 500 contributors. The product that existed under the name Ethereal is no longer developed.
- The benefits Wireshark brings have made it as popular as it is today. It can meet the needs of both professional and amateur analysts, and it offers many features to attract each audience.

Protocols supported by Wireshark:

Wireshark excels in protocol support (around 850 types), from common ones such as TCP and IP to special ones such as AppleTalk and BitTorrent. And because Wireshark is developed under an open-source model, new protocols keep being added. One could say there is no protocol Wireshark cannot support.

User friendly: Wireshark's interface is one of the easiest to use among packet analysis tools. Wireshark is a graphical application with a very clear, sensibly laid out menu system. Unlike some products that use complex command lines, such as tcpdump, Wireshark's graphical interface is great for anyone who has ever explored the world of protocol analysis.

Low cost: Wireshark is a free GPL product. You can download and use Wireshark for any purpose, including commercial purposes.


3. Perl http://downloads.activestate.com/ActivePerl/releases/5.12.3.1204/ActivePerl-5.12.3.1204-MSWin32-x86-294330.msi

Download ActivePerl: ActiveState Perl has binary distributions of Perl for Win32 (and Perl for Win64).

Download Strawberry Perl 

Strawberry Perl: A 100% Open Source Perl for Windows that is exactly the same as Perl everywhere else; this includes using modules from CPAN, without the need for binary packages. Help is available from other Windows Perl developers on the #win32 irc channel on irc.perl.org (see website for access through a browser).


4. Python :))

28 April 2011

[Document] China's Baidu Rips Off Copyrighted Content, Fined Just a Tiny Bit

Baidu, China's most popular search engine, has just been found guilty--in China--for violating copyright on music lyrics found on its service. But this is China, home of dodgy thinking about intellectual property: The fine was just $8,000.
The case centers on 50 tracks owned by China's MCSC record label, the lyrics of which Baidu was making available through its MP3 lyrics search system. MCSC contended Baidu didn't have the rights to do this, and took the search engine to court. A judge in the Haidian district of Beijing has just examined the case, and ruled in favor of MCSC.
The penalty is to remove the offending content--a pretty standard move, of course--and pay compensation. The amount is laughable though: It's just 50,000 Yuan or $7,300, and another 10,000 Yuan in court fees. Arguably the matter concerns just 50 tracks, and the content in question is merely the lyrics. But that MCSC-owned IP will have been served up by Baidu to potentially millions of users, magnifying the issue somewhat. Though we're not talking about serious music pirating here, it does seem somewhat ridiculous that such a small penalty has been levied against a big-business search engine.
$8,000-odd dollars seems even more ridiculous when you look at the size of fines enforced in the U.S. for piracy--the most obvious counter example being the ruling against Jammie Thomas-Rasset, who faced a $2.4 million fine for pirating just 24 music tracks.
But, the Baidu ruling has a bigger, slightly iconic significance. Though there are some legal shenanigans behind the case, it demonstrates that serious questions of IP violation can be successfully tried in China. The nation is absolutely notorious for rampant theft of IP, be it gadget design, look and feel of Web sites, imagery, and code--in 2007, the Office of the U.S. Trade Representative added China to its "priority watch list" for widespread violation of copyright. Though nobody's suggesting that the Baidu case means that the legal establishment has turned a corner, and copyright will be viewed with a new respect, it may be seen as a test case, with seriously positive implications for other rights holders who've seen their creations stolen inside China. Chinese e-publishers recently planning to sue Baidu for copyright violations will also be watching this ruling closely.

Source: http://www.fastcompany.com

Sony admits complete failure of PSN Security

The e-mail that Sony sent out to all members of the PlayStation Network and Qriocity:
Valued PlayStation(R)Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account
information was compromised in connection with an illegal and
unauthorized intrusion into our network. In response to this
intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full
and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our
network infrastructure by rebuilding our system to provide you
with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill
as we do whatever it takes to resolve these issues as quickly and
efficiently as practicable.
Although we are still investigating the details of this incident,
we believe that an unauthorized person has obtained the following
information that you provided: name, address (city, state, zip), country,
email address, birthdate, PlayStation Network/Qriocity password and login,
and handle/PSN online ID. It is also possible that your profile data,
including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained. If you have authorized a sub-account for your
dependent, the same data with respect to your dependent may have
been obtained. While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained.
For your security, we encourage you to be especially aware of email,
telephone and postal mail scams that ask for personal or sensitive
information. Sony will not contact you in any way, including by email,
asking for your credit card number, social security number or other
personally identifiable information. If you are asked for this information,
you can be confident Sony is not the entity asking. When the PlayStation
Network and Qriocity services are fully restored, we strongly recommend that
you log on and change your password. Additionally, if you use your PlayStation
Network or Qriocity user name or password for other unrelated services or
accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we
encourage you to remain vigilant, to review your account statements and
to monitor your credit reports. We are providing the following information
for those who wish to consider it:
- U.S. residents are entitled under U.S. law to one free credit report annually
from each of the three major credit bureaus. To order your free credit report,
visit www.annualcreditreport.com or call toll-free (877) 322-8228.
- We have also provided names and contact information for the three major U.S.
credit bureaus below. At no charge, U.S. residents can have these credit bureaus
place a “fraud alert” on your file that alerts creditors to take additional steps
to verify your identity prior to granting credit in your name. This service can
make it more difficult for someone to get credit in your name. Note, however,
that because it tells creditors to follow certain procedures to protect you,
it also may delay your ability to obtain credit while the agency verifies your
identity. As soon as one credit bureau confirms your fraud alert, the others
are notified to place fraud alerts on your file. Should you wish to place a
fraud alert, or should you have any questions regarding your credit report,
please contact any one of the agencies listed below:
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division,
P.O. Box 6790, Fullerton, CA 92834-6790
- You may wish to visit the website of the U.S. Federal Trade Commission at
www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
Avenue, NW, Washington, DC 20580 for further information about how to protect
yourself from identity theft. Your state Attorney General may also have advice
on preventing identity theft, and you should report instances of known or
suspected identity theft to law enforcement, your State Attorney General,
and the FTC. For North Carolina residents, the Attorney General can be
contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
(877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney
General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
telephone: (888) 743-0023; or www.oag.state.md.us.
We thank you for your patience as we complete our investigation of this
incident, and we regret any inconvenience. Our teams are working around the
clock on this, and services will be restored as soon as possible. Sony takes
information protection very seriously and will continue to work to ensure that
additional measures are taken to protect personally identifiable information.
Providing quality and secure entertainment services to our customers is
our utmost priority. Please contact us at 1-800-345-7669 should you have any
additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
===================================
LEGAL
“PlayStation” and the “PS” Family logo are registered
trademarks and “PS3” and “PlayStation Network” are
trademarks of Sony Computer Entertainment Inc.
(C) 2011 Sony Computer Entertainment America LLC.
Sony Computer Entertainment America LLC
919 E. Hillsdale Blvd., Foster City, CA 94404

27 April 2011

[Document] Fraud Alert Involving Unauthorized Wire Transfers to China


The FBI has observed a trend in which cyber criminals, using the compromised online banking credentials of U.S. businesses, sent unauthorized wire transfers to Chinese economic and trade companies located near the Russian border.
Between March 2010 and April 2011, the FBI identified twenty incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. As of April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.
In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing e-mail or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.
Victims
Like most account takeover fraud, the victims tend to be small-to-medium sized businesses and public institutions that have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services.
Recipients
The intended recipients of the international wire transfers are economic and trade companies located in the Heilongjiang province in the People’s Republic of China. The companies are registered in port cities that are located near the Russia-China border.
The FBI has identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart and never used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official names of the companies also include the words “economic and trade,” “trade,” and “LTD.”
The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.
At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.
Unauthorized Wire Transfers
The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. When the transfers went through successfully, the money was immediately withdrawn from or transferred out of the recipients’ accounts.
In addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.
 Malware

The type of malware has not been determined in every case but some of the cases involve ZeuS, Backdoor.bot, and  Spybot. In addition, one victim reported  that  the hard drive of the compromised computer that was infected was erased remotely before the IT department could investigate.
   ZeuS  —  malware that has the capability to steal multifactor authentication tokens, allowing the criminal(s)  to log in to victims’ bank accounts with the user name, password, and token ID.  This can occur during a legitimate user log-in session.
   Backdoor.bot — malware that has worm, downloader, keylogger, and spy ability. The malware allows for the criminal(s)  to access the infected computer remotely and  further infect computers by downloading additional threats from a remote server. 3
   Spybot —  an IRC backdoor Trojan which runs in the background as a service process and allows unauthorized remote access to the victim computer.
Recommendation to Financial Institutions
Banks should notify their business customers of any suspicious wire activity going to the following Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning.
Wire activity destined for the Chinese cities of Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning should be heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province.
For recommendations on how businesses can Protect, Detect, and Respond to Corporate Account Takeovers such as this, please refer to the “Fraud Advisory for Businesses: Corporate Account Take Over” available at http://www.fsisac.com/files/public/db/p265.pdf.
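The recommendation above is simple enough to turn into a screening rule. The following is an added example, not code from IC3 or FS-ISAC: it takes a batch of outbound wire records, flags those whose beneficiary city is one of the six named in the advisory, and escalates the ones where the originating client has no prior transaction history with Heilongjiang. The record layout, the history table and the sample wires are all constructed for the example; a bank would feed it from its own core-banking records.

```python
# Added example (not IC3 or FS-ISAC code): a screening rule that applies the
# advisory's recommendation to a batch of outbound wire records. Field names,
# the history table and the sample wires are constructed for the example.
from dataclasses import dataclass

# Destination cities named in the IC3 advisory, normalised to lower case.
FLAGGED_CITIES = {"raohe", "fuyuan", "jixi city", "xunke", "tongjiang", "dongning"}
# Range of the unauthorized transfers reported in the advisory (USD).
ADVISORY_MIN_USD, ADVISORY_MAX_USD = 50_000, 985_000


@dataclass(frozen=True)
class Wire:
    ref: str            # bank's own reference for the transfer (constructed)
    client: str         # originating business customer
    beneficiary_city: str
    amount_usd: float


def _norm(s):
    """Collapse whitespace and lower-case so 'Jixi  City' matches 'jixi city'."""
    return " ".join(s.split()).lower()


def screen_wire(wire, history):
    """Apply the advisory rule to one wire.

    history maps client -> set of provinces the client has transacted with
    before (constructed here; a real bank would query its own records).
    Severity is "clear", "review" (flagged city but the client has prior
    Heilongjiang history) or "hold" (flagged city and no such history).
    """
    reasons = []
    severity = "clear"
    if _norm(wire.beneficiary_city) in FLAGGED_CITIES:
        reasons.append("destination city named in IC3 advisory")
        severity = "review"
        prior = {_norm(p) for p in history.get(wire.client, set())}
        if "heilongjiang" not in prior:
            reasons.append("client has no prior transaction history with Heilongjiang")
            severity = "hold"
        if ADVISORY_MIN_USD <= wire.amount_usd <= ADVISORY_MAX_USD:
            reasons.append("amount within range reported by advisory")
    return {"ref": wire.ref, "severity": severity, "reasons": reasons}


def screen_batch(wires, history):
    """Return only the wires that need a human look, worst first."""
    order = {"hold": 0, "review": 1}
    hits = [r for r in (screen_wire(w, history) for w in wires) if r["severity"] != "clear"]
    return sorted(hits, key=lambda r: order[r["severity"]])


# Constructed sample data: one client with Heilongjiang history, one without.
SAMPLE_HISTORY = {
    "Globex Ltd": {"Heilongjiang", "Guangdong"},
    "Acme Corp": {"Guangdong"},
}
SAMPLE_WIRES = [
    Wire("W-1001", "Acme Corp", "Raohe", 250_000),
    Wire("W-1002", "Globex Ltd", "Jixi City", 900_000),
    Wire("W-1003", "Acme Corp", "Shenzhen", 120_000),
]

if __name__ == "__main__":
    for alert in screen_batch(SAMPLE_WIRES, SAMPLE_HISTORY):
        print(alert["ref"], alert["severity"], "; ".join(alert["reasons"]))
```

Running the block flags W-1001 as a hold (Raohe, and Acme Corp has never dealt with Heilongjiang) and W-1002 for review (Jixi City, but Globex Ltd has prior history there); the Shenzhen wire passes. The amount check is deliberately only a reason, not a severity driver, because the advisory reports that smaller transfers were the ones that succeeded, so an amount below the range is no reassurance.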
 Incident Reporting
 The FBI encourages victims of cyber crime to contact their local FBI field office, http://www.fbi.gov/contact/fo/fo.htm, or file a complaint online at www.IC3.gov.  

Source: IC3

[Update] PowerPoint 2003 hotfix package 26/4/2011

When you open presentations that contain layouts with background images in PowerPoint 2003, an error may occur. When the error occurs, you receive a message that states that some contents (text, images, or objects) have been corrupted. You can determine what content has been lost by viewing the layout, but not by viewing the slide content. Items that were removed will display a blank box or a box that contains "cleansed."

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problems that are described in this article. Apply this hotfix only to systems that are experiencing the problems described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Microsoft Office 2003 Service Pack 3 installed to apply this hotfix package.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces security update 2464588, which is described in bulletin MS11-022.

Registry information

To use one of the hotfixes in this package, you do not have to make any changes to the registry.

File information

This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.

The global version of this hotfix package uses a Microsoft Windows Installer package to install the hotfix package. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel. 


-----------------------------------------------------------
KB Article Number(s): 2543241
Language: English
Platform: i386
Location: (http://hotfixv4.microsoft.com/Microsoft%20PowerPoint%202003/sp4/office2003KB2543241ENU/11.0.8335.0/free/431548_ENU_i386_zip.exe)
Password: [*****4
Password Changes On: 04/30/2011
Next Password: 9*****5
NOTE: Make sure that you include all the text between "(" and ")" when you visit this hotfix location.
Link download: Microsoft

26 April 2011

[RAT] Security chaos, miscellany :))

To give you an overall picture :))

[Video] Vietnam cyber security 2010



24 April 2011

[NDT] Online newspaper Nguoiduatin.vn hit by DoS

At noon on 27/3, the online newspaper Nguoiduatin.vn was hit by a denial-of-service attack by hackers. The attack lasted nearly 2 hours, starting at 10:30 in the morning.
Click the image to see the link to the original article
Side notes:
+ It seems lawyer Phạm Hồng Hải has not caught up with the 2009 amendments to the 1999 Penal Code .... there is no longer any Article 225: Offence of violating regulations on operating, exploiting and using electronic computer networks :)). What an exaggeration
+ Distinguish between DoS and DDoS
+ Could it be PR? .... Suddenly reminded of the Vietnamnet.vn case
+ Other analyses will follow later

21 April 2011

[Collected] Computer forensic tool

20 April 2011

[KAS lab] Spam report: March 2011

  • The amount of spam in email traffic increased by 0.9 percentage points compared to February and averaged 79.6%.
  • Phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared to the previous month.
  • Malicious files were found in 3.23% of all emails, an increase of 0.05 percentage points compared to February’s figure.
Source: http://www.securelist.com/en/analysis/204792171/Spam_report_March_2011
Read more:

Spam report: January 2011

Spam report: February 2011

 

19 April 2011

[VNN] User assaulted, dating site taken to court

A woman in Los Angeles, USA was harassed and assaulted by a man she met through the online dating site Match.com when the two arranged to meet in person.

The assault, according to the victim's account, happened when the two met for a second date, when the man followed the woman all the way home and attacked her. After the incident, she looked into it and discovered that her attacker had a criminal history, and so she decided to file suit against Match.com in a Los Angeles court.

The victim is not seeking monetary compensation; instead she demands that the people running Match.com display a list of members with a criminal history (assault and sexual harassment) on the service's home page.

Prosecutor Mark L. Webb, representing the injured party, said he will ask a Los Angeles Superior Court judge to issue a (temporary) order barring Match.com from accepting new member registrations until his client's demand is met. "They (Match.com) are a very successful and very large online dating service; they are fully capable of meeting this demand," Webb said.

For the defendant's side, in an interview with television channel KABC-TV Channel 7, a Match.com representative said they always provide safety advice to service users when they register as members, and that any incidents (if any) that occur in real life fall outside the website's responsibility.

The victim, also known as Jane Doe, is an Ivy League university graduate currently working in the film and television industry. She met her attacker last year in West Hollywood. The first date went very well, but on the second meeting the misfortune occurred.

"This horrific ordeal hurt me deeply, because I had always believed I understood everything about the safety and risks of online dating," she said.

For many reasons and in special circumstances, online dating has proven fairly useful for a great many people; the service helps them find people with shared interests to date, and, with enough luck, leads the two of them to deeper relationships. That is the fundamentally humane meaning of this kind of online service.

However, as the saying goes, "every coin has two sides": online dating can sometimes become very dangerous, since you cannot know who the person you are about to meet really is. So you need to equip yourself with enough knowledge and information before meeting anyone from the Internet.
Vietnamnet
This is a translation of an article from http://www.latimes.com
A Los Angeles woman who this week filed suit against Match.com, saying she was sexually assaulted by a man she met on the dating site, is speaking out about the incident.

Attorney Mark L. Webb, who represents the woman identified in the lawsuit only as Jane Doe, said he will ask a Los Angeles County Superior Court judge for a temporary injunction barring the site from signing up more members until his client's demands are met. He said his client wants the site to screen members to determine if they are sexual predators.

"They are a very powerful and successful online dating service, and they have the means to do this," Webb said.

In an interview with KABC-TV Channel 7, the woman said her relationship with the man started innocently enough: "He sent me an email and said he was into golf and tennis and he had a house in the Palisades over Malibu and he liked art and culture, travel and food."

Webb described his client as an Ivy League graduate who works in film and television. He said she met her alleged assailant last year at Urth Cafe in West Hollywood. He seemed charming and she agreed to see him again, he said.

But after the second date, the woman said, the alleged assault occurred: "He went straight into the bathroom when he came in my place and I sat down on the couch and waited for him," she told the TV station. "Then he came out of the bathroom and jumped me and forced me to have oral sex and then he left."

"This horrific ordeal completely blindsided me because I had considered myself savvy about online dating safety," the woman said in a statement released through her attorney last week. "Things quickly turned into a nightmare, beyond my control."

After the man left, the woman went online and learned that he had been convicted of several counts of sexual battery. Charges are pending in the Match.com case, Webb said.

The attorney said his client wants Match.com to check members' names against public sex offender registries. "It's not a guarantee," he said. "But don't you think something is better than nothing?"

Officials with Match.com could not be reached for comment late Wednesday. But in a statement to KABC-TV last week, officials said that they provide safety tips on the website and warn members that they are responsible for screening the people they meet.

"While incidents like this one between individuals who meet on Match.com are extremely rare, it doesn't make them any less horrifying," the statement said. 
Source: Woman suing Match.com over alleged sexual assault speaks out about incident


18 April 2011

[Document] PlayStation_Network [at] playstation-email [dot] com


=================================== 
 
PlayStation(R)Network
 
=================================== 

Valued PlayStation(R)Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, 
certain PlayStation Network and Qriocity service user account 
information was compromised in connection with an illegal and 
unauthorized intrusion into our network. In response to this 
intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full 
and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our 
network infrastructure by rebuilding our system to provide you 
with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill 
as we do whatever it takes to resolve these issues as quickly and 
efficiently as practicable.

Although we are still investigating the details of this incident, 
we believe that an unauthorized person has obtained the following 
information that you provided: name, address (city, state, zip), country, 
email address, birthdate, PlayStation Network/Qriocity password and login, 
and handle/PSN online ID. It is also possible that your profile data, 
including purchase history and billing address (city, state, zip), 
and your PlayStation Network/Qriocity password security answers may 
have been obtained. If you have authorized a sub-account for your 
dependent, the same data with respect to your dependent may have 
been obtained. While there is no evidence at this time that credit 
card data was taken, we cannot rule out the possibility. If you have 
provided your credit card data through PlayStation Network or Qriocity, 
out of an abundance of caution we are advising you that your credit 
card number (excluding security code) and expiration date may have 
been obtained.

For your security, we encourage you to be especially aware of email, 
telephone and postal mail scams that ask for personal or sensitive 
information. Sony will not contact you in any way, including by email, 
asking for your credit card number, social security number or other 
personally identifiable information. If you are asked for this information, 
you can be confident Sony is not the entity asking. When the PlayStation 
Network and Qriocity services are fully restored, we strongly recommend that 
you log on and change your password. Additionally, if you use your PlayStation 
Network or Qriocity user name or password for other unrelated services or 
accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we 
encourage you to remain vigilant, to review your account statements and 
to monitor your credit reports. We are providing the following information 
for those who wish to consider it:    
- U.S. residents are entitled under U.S. law to one free credit report annually 
from each of the three major credit bureaus. To order your free credit report, 
visit www.annualcreditreport.com or call toll-free (877) 322-8228. 

- We have also provided names and contact information for the three major U.S. 
credit bureaus below.  At no charge, U.S. residents can have these credit bureaus 
place a "fraud alert" on your file that alerts creditors to take additional steps 
to verify your identity prior to granting credit in your name. This service can 
make it more difficult for someone to get credit in your name. Note, however, 
that because it tells creditors to follow certain procedures to protect you, 
it also may delay your ability to obtain credit while the agency verifies your 
identity.  As soon as one credit bureau confirms your fraud alert, the others 
are notified to place fraud alerts on your file. Should you wish to place a 
fraud alert, or should you have any questions regarding your credit report, 
please contact any one of the agencies listed below: 

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, 
P.O. Box 6790, Fullerton, CA 92834-6790 

- You may wish to visit the website of the U.S. Federal Trade Commission at 
www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania 
Avenue, NW, Washington, DC 20580 for further information about how to protect 
yourself from identity theft. Your state Attorney General may also have advice 
on preventing identity theft, and you should report instances of known or 
suspected identity theft to law enforcement, your State Attorney General, 
and the FTC. For North Carolina residents, the Attorney General can be 
contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone 
(877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney 
General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 
telephone: (888) 743-0023; or www.oag.state.md.us.

We thank you for your patience as we complete our investigation of this 
incident, and we regret any inconvenience. Our teams are working around the 
clock on this, and services will be restored as soon as possible. Sony takes 
information protection very seriously and will continue to work to ensure that 
additional measures are taken to protect personally identifiable information. 
Providing quality and secure entertainment services to our customers is 
our utmost priority. Please contact us at 1-800-345-7669 should you have any 
additional questions.

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment

17 April 2011

[HVAonline] Discussion on finding direction

Everyone surely knows HVAonline already; I picked up a few things I think are useful for me :))
 1.1 http://www.hvaonline.net/hvaonline/posts/list/38361.hva
Hello everyone.
I'm learning to write code. I've been coding for one or two years now. But at the moment I feel my programming is increasingly stuck in a rut.

My current problem is as follows: my programming work is simply:
Read and understand the requirements -> Picture in advance what my program will look like and how it will behave -> Search Google for source code -> If I find some, copy-paste chunks of source code wherever they fit - then tweak until the requirements are met.

It seems to require no deep expertise at all. With this approach I depend far too much on source code found online. Honestly, if I can't find any, I don't know how to write the code at all. Without tutorials with illustrative source code, staring at a pile of APIs and reading the API descriptions doesn't help me write a program either. I do think reading APIs is necessary, but without sample code showing how the APIs are used, I still don't know how to write it.

I don't want the rest of my programming life to be copy-pasting other people's code and tweaking it forever. I haven't met many programmers either. The ones I have met program exactly like me. I need to know what more experienced programmers usually do, because with my current approach the software world could never have developed to where it is today.

Also, as I said, I rely entirely on source code others have written; I can't yet create source code myself. So which points in the programming process could I make use of to bring creativity into it?

What you need is not to "expand" but to completely change your programming mindset. What you've been doing so far isn't programming, just "rehashing". Even programming at the most manual level requires thinking, analysis and reasoning to form the code. Programming at the master level is always asking whether one's code is the most beautiful, the cleanest, the most optimal, the most robust.... ?

You need to start with this:
Understand the requirements clearly --> analyze & form a solution for the requirements ---> do the coding --> test ---> adjust and refine.
You may refer to other people's code, but absolutely never use other people's code as lazily as that.

15 April 2011

[white book 2010] Vietnam Information and Communication Technology

Document published by MIC
Some contents:
Download:

Vietnam
English