Analysis of a new Facebook phish

Posted by: Tom

Beware of this wall post!

I just posted an article for Blogsecurify about a new Facebook phish that I stumbled upon. Thanks again to Greg and Tyler for helping out with some of the detailed analysis! You guys rock!

Fighting the good fight!

Posted by: Tom

Hey...I actually found a few minutes for a quick blog post! :-)

Just a quick post to point out that my friend and malware researcher Greg Feezel was mentioned in a report over at Hostexploit.com. He contributed data to this report. The report was on the McColo web hosting firm, which was apparently responsible for sending 75% of spam worldwide! If you didn't know, McColo was taken offline a few days ago and there has been a massive decrease in spam across the Internet. If you want more information on McColo, check out Brian Krebs's article here. Brian is actually one of the guys that helped shut this firm down based on some of the reporting he did.

Goes to show you that we can do some good as security professionals if we all work together!

Facebook Privacy & Security Guide Released

Posted by: Tom

Today at the Ohio Information Security Summit I released my Facebook Security & Privacy Guide. This guide gives you suggested "baseline" security settings that you can use when configuring your Facebook account. Obviously, you can adjust these settings based on your own level of risk but it should give you a good starting point.

How did this project get started?
I have been doing several months of research with my own Facebook account, as well as gathering the input of other Facebook users, to determine what the privacy and security settings should be without losing the key feature of using a social network website...the networking!

Please feel free to distribute this document to friends and family or use it for any security awareness campaigns. I will hopefully be keeping the document up to date when Facebook changes things. I might be putting together a similar document for MySpace, but MySpace is a totally different animal altogether. We shall see! :-)

You can download a pdf version of the guide here.

Exploit status for MS08-067

Posted by: Tom

I won't go into detail about the new Microsoft vulnerability...you all know it's pretty serious and there are a ton of blogs and websites talking about the dirty details. Hopefully you have all read about it and are getting the word out about patching. However, there are some updates on the status of currently available exploits for the vulnerability that I found interesting.

Public exploit code?
Yesterday Microsoft posted this update to their MSRC blog. Microsoft says that there is currently no public exploit code available. The code they mention that only causes a denial of service was, I believe, the code posted on Milw0rm. The only working exploit code released so far is in Immunity CANVAS and Core Impact, which you get only if you are a paying customer. Core Impact does mention that the exploit is in early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A - Is it a worm or a trojan?
Don't let the thought cross your mind that you can delay patching your systems because public exploit code is not working/available! You still need to patch, as there is malware currently out in the wild (Gimmiv.A) being used in "targeted" attacks. Whether this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is a worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a "network-aware" trojan, as ThreatExpert does. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder: we all know from past RPC vulnerabilities that reliable public exploit code will be out before you know it! Make sure you take your patching seriously...
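While you wait for the patch window, the "network-aware" behaviour described above is something you can look for on the wire: a host exploiting MS08-067 has to reach the Server service of its neighbours over SMB (TCP 445, or 139 over NetBIOS), so an infected machine fans out to many distinct internal hosts on those ports in a short time, and most of those probes hit addresses that are not listening. The script below is an added example, not code from this post, from Microsoft or from any vendor mentioned here. It runs a per-source sliding window over a constructed, firewall-style connection log (the log format, the 30-second window and the five-target threshold are assumptions you would tune to your own environment) and reports any source that reached the threshold of distinct SMB destinations inside one window.

```python
"""Flag hosts fanning out over SMB (TCP 445/139), the transport MS08-067
exploitation rides on, from constructed firewall-style connection logs.
Added example, not code from the original post or any vendor."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> <src> -> <dst>:<port> <action>").
# 10.1.1.30 is a normal file-server client; 10.1.1.20 sweeps its /24 on 445
# the way a network-aware trojan would; 10.1.1.40 talks to two servers slowly.
SAMPLE_LOG = """\
2008-10-24T09:00:00 10.1.1.30 -> 10.1.1.5:445 ALLOW
2008-10-24T09:00:01 10.1.1.20 -> 10.1.1.5:445 ALLOW
2008-10-24T09:00:01 10.1.1.20 -> 10.1.1.6:445 DENY
2008-10-24T09:00:02 10.1.1.20 -> 10.1.1.7:445 DENY
2008-10-24T09:00:02 10.1.1.20 -> 10.1.1.8:445 DENY
2008-10-24T09:00:03 10.1.1.20 -> 10.1.1.9:445 ALLOW
2008-10-24T09:00:03 10.1.1.20 -> 10.1.1.10:445 DENY
2008-10-24T09:00:04 10.1.1.30 -> 10.1.1.5:445 ALLOW
2008-10-24T09:05:00 10.1.1.30 -> 10.1.1.8:80 ALLOW
2008-10-24T09:30:00 10.1.1.40 -> 10.1.1.5:445 ALLOW
2008-10-24T09:31:00 10.1.1.40 -> 10.1.1.6:445 ALLOW
"""

SMB_PORTS = {445, 139}          # Server service transport (SMB / NetBIOS session)
WINDOW = timedelta(seconds=30)  # assumed tuning knob, not from the post
THRESHOLD = 5                   # distinct SMB targets inside one window (assumed)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that don't parse."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        return ts, parts[1], dst, int(port)
    except ValueError:
        return None


def find_smb_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak_distinct_smb_targets} for every source that reached
    `threshold` distinct SMB destinations within any `window`.

    DENY lines count as well: a scanning host probes addresses that are not
    listening, so refused connections are the strongest part of the signal."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[3] in SMB_PORTS:
            by_src[rec[1]].append((rec[0], rec[2]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()         # (ts, dst) pairs still inside the window
        seen = defaultdict(int)  # dst -> how many window entries reference it
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            # Slide the window forward: drop entries older than `window`.
            while recent and ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within {WINDOW.seconds}s")
```

On the sample, only 10.1.1.20 is reported (six distinct targets in two seconds); the legitimate client that reconnects to the same file server and the host that visits two servers a minute apart stay under the threshold. The same logic works on real firewall or NetFlow exports once `parse_line` is adapted to their format; keep the threshold well above what your busiest legitimate SMB clients (backup agents, patch distribution) produce, or they will show up as false positives.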

UPDATE: If you follow HD Moore on Twitter you will see that he has just released MS08-067 PoC code for Metasploit.

Information Gathering with Maltego

Posted by: Tom

Last Wednesday I gave a presentation to the Northeast Ohio Information Security Forum on Maltego, which is a fantastic tool for information gathering. The presentation focused on a high-level overview of the application and how it can be used for all types of security-related work, including security assessments, investigations and finding public information about a company or person.

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on Room362.com or Ethicalhacker.net.

Exploiting trust in social networks

Posted by: Tom

Over the weekend I posted my first article on Social Network/Media security over at Blogsecurify. You can check out the post here. My next article will talk about the security of third-party applications and widgets for social media applications.

MI6 camera sold on eBay? 007 is pissed!

Posted by: Tom


This article was just too good and worthy of a blog post...apparently an MI6 digital camera went missing and went up for sale on eBay...for only $30. The kicker is that the camera's memory card contained the following information:

Via Reuters:

"Its memory had names of al Qaeda members, fingerprints and suspects' academic records as well as pictures of rocket launchers and missiles, the Sun newspaper reported."

Oops... So did the camera have an "If lost, please call the following MI6 number" sticker on it? :-) That is one big mistake for the British intel boys...

Malware challenge has started!

Posted by: Tom

Just a reminder to head over to malwarechallenge.info to start the malware challenge that was mentioned on the last Security Justice podcast, as well as in a blog post that I did a few days ago. The contest runs from October 1st - 26th and is open to everyone! May the force be with you...

Tom joins the Blogsecurify team!

Posted by: Tom

I am excited to announce that I am now part of the GNUCITIZEN Blogsecurify social media "tiger team". I am officially a blogger for Blogsecurify and will be posting about security issues/vulnerabilities in social media applications. As you may already know, I have been doing a lot of research recently into Facebook privacy and security. Blogsecurify/GNUCITIZEN is the perfect outlet for the research I am doing as well as other projects I am about to work on. GNUCITIZEN has always been about cutting edge, progressive thinking security research and I am looking forward to working with others that have a passion for social media security.

Do you have a Wordpress blog? If you do then you really need to check out the Blogsecurify tool. The Blogsecurify tool was basically formed from the wp-scanner project and was a joint effort between GNUCITIZEN and BlogSecurity.net. The tool is an online Wordpress vulnerability scanner. It will scan your Wordpress blog via a plugin that you activate on your end. It will then run a series of checks and let you know the results. I am under the assumption that this scanner will evolve with the ability to scan other types of blogging software and social media applications. If you are interested in helping out with research and/or blogging on Blogsecurify check out this post.

Stay tuned for my Facebook Privacy & Security Guide release and details on other social media security related projects I plan on working on through this site and now blogsecurify.

Malware Challenge begins October 1st!

Posted by: Tom


Tyler (aka: The Security Shoggoth) announced the "Malware Challenge" on the Security Justice podcast last week; it begins October 1st. I think this is a great idea and a fantastic way to learn how malware works and how to analyze it.

Via The Security Shoggoth:

"Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes."

Yes, this is a real piece of malware that you will analyze! More about the malware and the contest:

"Participants in the malware challenge will download the malware, analyze it and answer questions based on their findings. The answers to these questions will be evaluated by the judges in order to determine who the winners are. At a minimum, submissions should include the answers to the questions. However, submissions which also include a narrative on such things as how the malware was analyzed or how the analysis lab was set up will be more likely to win. Be creative."

What are the prizes? So far they have a Best Buy gift card, The IDA Pro Book, a full version of IDA Pro, the Hacker game from Steve Jackson Games and many more prizes. For the most up-to-date list, check here.

Even if you have never analyzed malware before...everyone is encouraged to participate! This is a great way to learn how malware works and to develop a new, emerging skill set. The contest site has links to get you started if you have never done malware analysis. Winners will be announced at the 2008 Ohio Information Security Summit on October 31st. You don't need to be present to win, but there will be special prizes for those that can be there. Good luck to everyone participating!