Domain: finjan.com
Stories and comments across the archive that link to finjan.com.
Comments · 8
-
Re:Good idea
-
T(Real)FA .. the actual report
Why hasn't anyone posted this already? The article linked from the post is useless, and that's being kind.
The actual Finjan report can be downloaded here. Requires you answer a survey before downloading. http://www.finjan.com/content.aspx?id=1994&objid=620
-
Maybe our "crimeserver" is really a "harvester?"
Unless the criminal is a complete idiot there's more than one drop spot...
Indeed. If I were writing botnet software I'd distribute multiple copies of the collected data across a number of the compromised computers. The press release and article abstract indicate that the botnet control programs and the data were located in the same place. That doesn't seem like a particularly good architecture for this type of system. I'd keep the command programs far away from the harvested data. My hunch is that the data aren't that valuable as I outline below.
I can accept that buying, installing and running a botnet could be as easy as installing an RPM. What appears more disturbing is the reported "timeframe of less than a month" to harvest over 5,000 records. But what kind of records are these? Finjan tells us that the data "consisted of 5,388 unique log files [my emphasis]. Both email communications and web-related data were among them."
They go on to list some specific examples:
Compromised patient data
Compromised bank customer data
Business-related email communications
Captured Outlook accounts containing email communication
I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files." /var/log/maillog on my servers would certainly reveal "business-related email communications" in the sense of senders and recipients. Mail logs might also contain some entries for mail between providers and patients or between banks and their customers. Apache logs wouldn't be so useful, though they do contain the usernames when Basic Authentication is used. But none of those logs would reveal much about the content of those communications. I don't know anything about Outlook so I have no idea how its logs might reveal "captured Outlook accounts containing email communication."
Still if all they got after a month were logs, I'm not sure how valuable they would be unless the goal was harvesting addresses for spamming or phishing. Capturing the logs of compromised mail servers would certainly yield a pretty high proportion of legitimate addresses, especially recipient addresses. This method seems especially attractive if you're trying to identify targets for "spear-phishing." If you can compromise some corporate mail servers, you can build up a nice list to "spear."
So I'm guessing Finjan found a machine containing some 5,600 mail server "log files" totalling 1.4 GB. Since the logs are worthless once the addresses are harvested, protecting them isn't much of a priority. I suppose competitive spammers might want to keep these potentially higher-yielding names to themselves, but given the volumes at which spammers operate, they probably don't care.
I think I'll go take a look at my mail servers now just to ease my mind. -
Re:Identified about 5 months ago
Old news :
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
Full analysis document is advertised here, after registration :
http://www.finjan.com/content.aspx?id=1367 -
Re:Identified about 5 months ago
Old news :
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
Full analysis document is advertised here, after registration :
http://www.finjan.com/content.aspx?id=1367 -
Not just YouTube links.
They are hacking websites too!
-
Watch 'em "improve" the situation!
Google. What a mystique! They can 'innovate' new forms of -
Cross-site scripting exploits:
http://blog.outer-court.com/archive/2007-01-01-n12 .html
http://blogs.zdnet.com/Google/?p=338
Exposure of personal and sensitive data:
http://www.finjan.com/Pressrelease.aspx?id=1261&Pr essLan=1230&lan=3
Data loss:
http://dream.sims.berkeley.edu/MT/vanhouse/archive s/000663.html
http://googlewatch.eweek.com/content/google_featur es/google_email_troubles_continue.html
Site failure:
http://status.blogger.com/
Privacy violation:
http://www.google-watch.org/bigbro.html
http://www.google-watch.org/krane.html -
Re:Encryption?
Several:
Any SSL accelerator can do it , given the private key.
An example is the Radware CT100/Appaccel, but most load balancing companies have this capability.
SSLDump is an OSS app that does the same thing.
If you have an in-line device, you can break any session, and proxy the connection both ways. Some Examples:
SCIP
Finjan
Blue Coat
Breach Security also provides an SSL Inspection plugin and appliance that is OEMed by various IDS vendors.
A Google search for SSL Proxy traffic Monitor returns a number of interesting responses. If you can proxy the service, you can do transparent man in the middle attacks on it.
Full Disclosure: I have worked for both Radware and Breach security on these products, and did a SANS tooltalk on the topic (login required).