Actually, that sounds more like TEMPEST. The magnetic interference on the unshielded cable sounds exactly that, or am I wrong?
As much as this technology is a risk and therefore a potential threat, unless you are of the really paranoid (which would mean this interests you considerably) there are far easier ways of attacking a computer.
:)
This attack came to show how to attack the key, which is why it interests these folks, I suppose, but it would be much easier to use TEMPEST if you get access to actually install some tool to hear && (record || transmit) the audio.
I would suggest TEMPEST would also be more reliable, but some testing is in order, as well as a lot of research for every CPU you intend to attack.
Cost vs. benefit? I can't really see it.
This is pretty cool though!!
(adding another mark on my paranoia list).
The guy asked for volunteers, people who are willing to help - on NTBUGTRAQ.
The program is still being developed and there isn't much of a web page, it is an as-is service, and the program does a great job.
The guy runs a new project, which is still very much under development. I suppose you don't have to download and/or run the software if you don't want to.
It is good software, and it worked great, but I don't see any reason to shoot the guy for admitting to needing help with running nodes, while he further develops a currently IN-DEVELOPMENT stages project.
The program was obviously not ready for prime-time (slashdot), by what the guy said, but I believe it can take it. Use it if you like, it is freeware.
Otherwise, make your own, or be quiet about it.
In answer to your questions.. I believe the author has the right to decide if his software is open source or not.
You as a user have the right to decide whether or not you'd use it.
The author is respectable and a very old timer in the AV and security field. He chose to make it freeware, that's something I am going to thank him for (already did, actually).
Try Google: http://energycommerce.house.gov/108/Hearings/11192003hearing1133/Thompson1799.htm
I thought the idea of open source was to work together and help out? Not double and compete when there is no real need to?
Email the author and offer your help, he is a great guy and I am sure he will take any help he can get.
I trust him, the question is if he can trust everyone who offers to help with a project such as this? Ask him and you'll find out.
Constructive vs....
As explained by Roger, the author of WR, WormRadar calls home using SMTP and UDP for real-time, so that the data-sharing between all the nodes can exist.
This data-sharing/graphing of Internet attacks graphs.. etc.. comes as a second to the actual use for the program - a good and decent honey pot.
The program doesn't hide the fact that it "calls home" and it is all explained in another comment.
As Roger wrote on NTBUGTRAQ:
If you allow it, WormRadar will synchronize your pc to network time, and all events are recorded to the millisecond utc. Events are reported by both email and udp... email because it makes it convenient to attach a capture if it is something new, and udp because while unreliable, it is fast.
A summarized graph of activity is refreshed every 30 minutes to the website, and is refreshed every 15 minutes on the WorldView tab within WorldRadar itself. The WorldView tab also has notification options which allow you to be alerted by a variety of means if something new appears, such as email to a pager or by playing a wav file. In the fullness of time, I'll add more views and graphs. The summary graph is interpreted like this...
Hi Russ,
I am looking for some more folks who would be interested in running WormRadar. ( http://wormradar.com). The web site is still rudimentary, but the graph is generated every 30 minutes, and is interesting to watch, and WormRadar.exe is available for download from there.
It is essentially a distributed Windows honeypot that listens on known wormy ports (or ports that are likely to become wormy), and crcs, or scans, anything that comes along. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. It is free provided you allow it to report to the central site.
If you allow it, WormRadar will synchronize your pc to network time, and all events are recorded to the millisecond utc. Events are reported by both email and udp... email because it makes it convenient to attach a capture if it is something new, and udp because while unreliable, it is fast.
A summarized graph of activity is refreshed every 30 minutes to the website, and is refreshed every 15 minutes on the WorldView tab within WorldRadar itself. The WorldView tab also has notification options which allow you to be alerted by a variety of means if something new appears, such as email to a pager or by playing a wav file. In the fullness of time, I'll add more views and graphs. The summary graph is interpreted like this...
(1) Green bars are recognized things
(2) Red bars are new (and should be watched)
(3) If I didn't get any data, I generate a name based on whether it was tcp or udp, plus the port number, plus '0 bytes'. E.g. "t17300 0 bytes" means it was TCP port 17300 and was 0 bytes long.
(4) If I got some data, but couldn't recognize it, I generate a similar filename, but the suffix is 'unk', for unknown.
(5) I call it a 'summary', because if a single sourceip hits a single targetip 200 times on the same port (such as a sql dictionary attack on 1433), it is really only one incident, and that is how I summarize it.
It emulates some common servers, such as web and ftp, and some common backdoors, such as sub7 and kuang, and there are a bunch of tcp and udp ports that can be set to whatever you like.
To install it, simply make a directory, copy it in, run it, configure it a bit if you want, and tell it to listen. You can set it to cc yourself, and you will receive a copy of the email sent to wormradar.com. The UDP messages are content-identical to the email, although without email-y things like headers, and I don't UDP the attachment if there is one.
It runs on about any Windows platform but runs best on Win ME, W2k or WinXP. Win ME is a good platform, because there are fewer services to turn off to allow WormRadar to listen on those ports. It runs nicely behind firewalls like ZoneAlarm, and runs nicely in Virtual PC or VMWare. It doesn't need much hardware... 200 or 300 mhz is fine. In the unlikely event that you want to install it on more than one computer, please don't install them on side by side IP addresses... this just skews the data. What we really want is a nice, random, widespread distribution.
Thanks
Roger
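As an added example (not WormRadar's own code, which the thread says is closed source), the naming rules (3) and (4) and the one-incident-per-source/target/port summary of rule (5) from Roger's message, applied to constructed honeypot events. The CRC32 signature table, the sample traffic, and the choice to colour '0 bytes' and 'unk' entries red are assumptions made for the demo.

```python
import zlib
from collections import Counter

# Constructed signature table (assumption): CRC32 of a known payload -> worm name.
# The message says WormRadar "crcs, or scans" what arrives; CRC32 stands in for that.
KNOWN = {zlib.crc32(b"GET /default.ida?NNNN"): "CodeRed-like"}

def event_name(proto, port, data):
    """Name an event the way the summary graph does: a recognized worm name,
    '<t|u><port> 0 bytes' for an empty capture, '<t|u><port> unk' for unknown data."""
    prefix = proto[0].lower() + str(port)          # e.g. "t17300" or "u1434"
    if not data:
        return prefix + " 0 bytes"
    return KNOWN.get(zlib.crc32(data), prefix + " unk")

def summarize(events):
    """Collapse repeated hits from one source IP to one target IP on one
    protocol/port into a single incident, as rule (5) describes."""
    incidents = {}
    for proto, port, src, dst, data in events:
        key = (src, dst, proto.lower(), port)
        inc = incidents.setdefault(key, {"name": event_name(proto, port, data), "hits": 0})
        inc["hits"] += 1
    return incidents

def bar_colours(incidents):
    """Per-name incident counts plus the bar colour: green for recognized names,
    red (assumed here) for anything named '0 bytes' or 'unk', i.e. new and to be watched."""
    counts = Counter(inc["name"] for inc in incidents.values())
    return {name: (n, "green" if name in KNOWN.values() else "red")
            for name, n in counts.items()}

# Constructed sample traffic: a 200-hit SQL dictionary attack on 1433 from one source,
# one recognized HTTP worm probe, and one empty TCP/17300 connection.
SAMPLE = ([("tcp", 1433, "10.0.0.5", "192.0.2.1", b"\x12\x01\x00\x2f")] * 200
          + [("tcp", 80, "10.0.0.9", "192.0.2.1", b"GET /default.ida?NNNN"),
             ("tcp", 17300, "10.0.0.7", "192.0.2.1", b"")])

if __name__ == "__main__":
    for name, (n, colour) in bar_colours(summarize(SAMPLE)).items():
        print(f"{colour:5} {n:3}  {name}")
```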
Wrong, this is a honey-pot, easy to use in your system tray and without the hassle. You can use it in the DMZ, in VMware or in any other way. You can also choose not to use it.
It's great software, and it proved itself.
The distributed option of sharing data is a plus.
The author of WR is Roger Thompson, a well respected AV professional since the very first days in the late 80's/early 90's.
He is also a CARO member, which is a very respectable organization for old-timer AV researchers.
I know him personally and vouch for him, much like pretty much any other AV researcher in the world. Everybody knows Roger.
It's nothing innovative, but..
Ever gone through a metal detector at the entrance to a store and had it beep because of these magnetic stripes?
I wonder if one can WAR-WALK in a busy street, or "fix" one of these metal detectors to not only detect but copy the information on the magnetic stripes.
Dangerous stuff.
I have read the above thread, and I must say, as interesting as every comment was, we over-looked one significant issue: the resources.
The amount of resources required for undertaking a code evaluation of any kind, of MS Windows, is staggering.
Even if China is about to undertake such an immense project, and compile their very own MS Windows, supposedly hole-less (which would be a big step forward in security considerations) it would still not change the fact that:
A company willing to share the source code of a product they sell already boosts your confidence in the product. Now, would you be willing to spend money and resources on actually reviewing it? Not everyone is China. It might actually make more sense to make your own OS, like Germany did.
Even though the company that creates their OS has ~half a million employees, it is still a big step forward security-wise.
Like in every other security consideration, it's cost vs. benefit.
It would make China's life, and any hacker's life a lot easier to locate security holes in the OS once they have the source code, but compiling your own OS makes you feel more secure as well, no? Especially when you don't have to develop every driver on your own.
Here come exploits for PlayStation.
:o)
Can I run telnet on it?