Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the “Report the file as a false positive” option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don’t flip out, don’t go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================

KickAss Torrents also referred to this discussion thread on Avast’s forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.

[Summary]

Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents’ OpenX platform.
3. Spreading fake antivirus “Security Sphere 2012″ by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1′ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to an Netherlands IP 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

[Details]

KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:

http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/§ion=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn’t just a few lines of “injection”–the code is merged with the original OpenX html code:

The following is the important parts of the decoded version:

From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String(“robo”), new String(“.dynd” + “ns.tvmg7j”.substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here’s a screenshot of the installed fake antivirus Security Sphere 2012:

Related posts:

1. Security In the Golden Age Of The Internet
2. Is Apple’s Pre-emptive Censor Anti Customer?
3. What is the Deal with Security in Smart Grid?

In the midst of the Fox scandal, Lulzec issued a statement saying they “have 4GB of emails taken from an alleged hack on servers at the Sun, but won’t make them public for fear of jeopardizing ongoing legal actions.” Either that, or they are still licking their wounds for messing with the man and don’t see any percentage in taking on Murdoch who may be worse.

		Monitoring Physical Threats in the Data Center

While Murdoch’s boys are busy scuttling the would be evidence against them by attempting to dismiss email entirely from the court room, the boys and girls of the anonymous hack job are threatening to selectively provide the content of some of these to chosen media outlets. The British government, which stands a lot to lose from the alleged Murdoch thievery, and hack job on prominent cell phones, is trying to sort the mess out.

The most interesting piece of technology video on the topic of Internet security recently comes from a video by Mikko H. Hypponen, Chief Research Officer at F-Secure. We’d love to get Mikko to do a video interview on our site so let us know if you like the idea.

http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

Related posts:

1. Obama Administration And Political Internet Decisions
2. Malvertising on KickAssTorrents (kat.ph), OpenX compromised to serve fake anti-virus “Security Sphere 2012″
3. 2011 Q1 Internet World Statistics

So while the mid-nineties represented a time when owning racks of servers was some sort of status symbol, today all that iron is an albatross around the necks of many small and medium-sized companies. The cloud as it is now framed is not new or different. The only real difference is the security situation and the techniques used to manage the wide area network we call home. With our team scattered around the world, that demands enough of our bandwidth.

So now the decisions for companies to make are inundated with fear and loathing on the way to the cloud and its accoutrements. As Dr. Alastair MacWillson, the global managing director of Accenture’s global security practice, puts it, “It’s certainly justified for an organization to worry about theft, loss or legal noncompliance.”

The good doctor lists Five (5) major points for us to address when assessing the situation:

1. Know your appetite for privacy and security risk.

2. Expect to share responsibility.

3. Demand transparency and accountability from cloud providers.

4. Use the cloud to address identity and access management issues.

5. Architect solutions that address the risk.

The first point is dynamic and changing as fast as the markets, and, as MacWillson points out, much faster than legislation on things like privacy and compliance. For us it was simple, since the IT provider that now manages our data and our iron is the same as we used when we had all our racks on premise. He also mentions Common Assurance Maturity Model (CAMM) and the introductory video below explains how you might use these services to help ascertain you are covering your data correctly.

Secondly, he reminds us that we will have to share responsibilities, not really new but a bit different, than managing in premises servers.

		Allocating data center energy costs and carbon to IT users

“It is critical to clarify the roles of the data owner and cloud provider (and systems integrator, if applicable) in delivering legally compliant solutions. While the law doesn’t state any clear division of labor as long as certain things get done, many data owners and cloud providers have misconceptions about their responsibilities.”

In his third point, he provides a template for how to negotiate your requirements and I strongly urge those considering moving their data to a third party to meticulously follow these points. Questioning cloud providers requires a variety of checklists and an open framework with which to insure your risks are managed correctly. If you are not comfortable, there are many consultants versed in these situations and you should consider having someone experienced make sure you are covered.

Number four is about identity issues which you must look carefully at before you make any decisions. In a recent post, we discussed the intrusions and options. Review that post for a more fluid approach to assessing your options. There are some, like phone id’s but those have other challenges. If the secure ID’s are replaced, this may drive it. Stay tuned on that one.

Number five is a bit of mystery to this writer because I am really not sure how any of the architected choices are any different. If Google is as vulnerable to the threats that they seem to be, if Amazon hasn’t got all of this wired, than I would say smaller vendors, like Lan Logic, which we use, are on an equal par. Check it out and let us know what you learn, what questions you are not able to find answers to and what advice you would like to share with others going through the same pain staking analysis.

Related posts:

1. Cloud Contains a Storm but not a Shower
2. An Indispensable Element to Cloud Computing
3. Is “Cloud” Just A Euphemism For Proprietary?

“Our systems remain secure; no customer, program or employee personal data has been compromised,” Company spokeswoman Jennifer Whitlow of the Bethesda, MD.-based company said. White House spokesman Jay Carney said, “Based on what I’ve seen, they feel it’s fairly minimal in terms of the damage.”

Back in March, Art Coviello, Executive Chairman of RSA, an EMC Company, said in statement, “the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.” He went on to say, “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

	- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
		Classification of Data Center Operations Technology (OT) Management Tools
	- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -

Advanced Persistent Threat (APT) is a big deal, usually associated with a nation/state organization level. If cyber-security threats are on the rise, we want to trace them and the systems being threatened. EMC is reporting that remediation has been provided in the form of replacing the SecurID tokens. These memory stick- like units that generate random numbers used in combination with a personal identification number, to gain entry, may have lost the confidence battle: If intruders get the key, the seed that enables one-time passwords to be generated, then they may have the capability to break into networks that depend on such systems to authenticate users.

In the world of APT’s, confidence tends to be a bigger threat to product life cycles. If Lockheed throws out the bay with the bath water, and RSA too, this may lead to a new way to manage identities. For the nation’s defense contractors, this may already be happening.

Related posts:

1. RSA Media Alert: Lifestyle Hackers, the Latest Insider Threat
2. RSA Conference Coverage April 20-24 2009
3. RSA Conference Coverage April 20-24 2009

Probably, available and reasonably priced power is the most important factor, and access to the fiber network is the second.

Steve Rosa

When I started looking into the power issue, I looked at my power and gas bill for the first time. I was amazed that it included several charges beyond the charge for actual use. A residential bill is not the same as a data center bill. The following slide from Steve shows what is involved in the power bill.

Power charge consists of demand charge, power surcharge, service charge, and sales tax.

(courtesy of Unique Infrastructure Group)

Steve continued by discussing what needs to be considered: utility portfolio, rate increases, NERC CIP-compliance, regulatory, future capacity, PUE, and today’s bill. He covered each of these elements:

Utility portfolio: This is the source of power generation and needs to be considered because some sources, such as coal, may be regulated more than others. Some utilities are heavy users of crude oil, while others use little oil for power generation. The price of oil is very volatile and must be considered in your site selection.

	- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
		Virtualization: Optimized Power and Cooling to Maximize Benefits
	- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -

Rate increases: It is likely that the cost of power will increase over time, and that increase may depend on the site you select. The president of Rocky Mountain Power predicted that power cost would double in the next 10 years.

Future capacity: This is important because you need to have reliable delivery of power even when your demand for power increases in the future. For example, you cannot get even 1 kW for your new needs in Manhattan.

Factors to consider beyond today’s bill: utility portfolio, rate increases, NERC CIP-compliance, regulations, future capacity, PUE.

(courtesy of Unique Infrastructure Group)

Steve also talked about the EPA’s Maximum Achievable Control Technology (MACT) Standards, which is a court-sanctioned mandate that will take effect later this year. MACT is concerned with the emissions from coal-fired power plants. MACT is one type of National Emission Standards for Hazardous Air Pollutants (NESHAP). See for NESHAP and for MACT.

Bernstein Research’s comprehensive analysis of the impact of the new standards on coal-fired power plants concluded that 9% of them will need to be shut down. The following is a short summary of Bernstein’s report.

If your utility is a heavy user of coal for power generation and its coal-fired power plants are to be shut down for noncompliance with MACT standards, you will not get enough power for your data centers. Your utility will lose a lot of its power generation capacity, increasing the power cost for sure. One such example Steve mentioned is a utility that might lose 43% of power generation capacity. In general, coal-fired power plants are concentrated in the mid-Atlantic region, where coal is abundant and cheap. Many power plants in that region are small, old, and less efficient. Steve predicts that the owners of such plants will not renew but abandon them.

He also covered security requirements (NERC CIP-compliance)for utilities’ facilities in view of malware, such as Stuxnet (attacks SCADA systems) and cyber attacks. NERC CIP-compliance is for the security of power generation and the power transmission infrastructure. The auditors are getting serious about enforcing it, and if a utility does not comply, it will be fined $1M a day, which will be passed onto consumers. To date, not a single utility satisfies this requirement. Steve’s suggestion is to get off the power grid and rely on your own facilities for power. The military is working to get its critical infrastructures off the grid now.

When I talk to people responsible for managing energy for a large corporate campus, they tell me their number one reason not to consider having their own power microgrid is the cost of implementing and maintaining it. But as power cost increases and the supply gets smaller, the move to microgrid may become a reasonable choice. Steve’s talk was geared towards data center operators in their site selection. But those who already have data centers and a campus to manage their energy should also take his warning seriously and consider their future energy demands.

Related posts:

1. An Example of Data Center Site Selection: Reno Technology Park
2. Direct Current Power Distribution in a Data Center
3. Sentilla: Measuring Power Consumption At A Data Center

Attend this webcast and you will learn five steps you can take to make the process of finding and fixing defects across shared code more efficient to increase developer productivity and reduce the risk of a schedule slip.

In this 30 minutes session you will learn:

• How to effectively scan your software to identify hard to spot defects in shared code
• How to identify which projects and products are impacted by defects to prioritize which defects should be fixed first
• What actions and best practices are needed to ensure the necessary fixes are implemented to prevent defects from entering the field

View webinar

Related posts:

1. ip.access Ensures Quality of 3rd Party Code
2. How to Find, Fix and Prevent Top Software Defects with Static Analysis
3. Coverity Maintains Software Integrity of Sun Microsystems’ Award-Winning Storage Products

With more than 3.6 million lines of C/C++ and Java code, development leaders at ip.access recognized that unit tests and manual peer review were becoming too labor intensive to stay on the company’s development timeline. Therefore, the company elected to create a continuous integration development process that would accelerate the ability of both internal and external teams to ensure the quality of their combined code. A key component in this process would be the use of static analysis to evaluate code prior to run-time.

ip.access selected Coverity Prevent as its static analysis solution because Prevent automatically finds a high concentration of critical software defects with the lowest false positive rate in the industry. In fact, ip.access reports false-positive rates at or below 5%. Because these analysis results are so accurate, developers at ip.access and its development partner can now avoid a significant amount of time-consuming manual code reviews and can check in code with greater confidence.

"During our preliminary trial process, Coverity Prevent identified 27 ‘must-fix’ defects in our draft code," said Jason Cooper, Senior Software Engineer at ip.access. "With results like that, selecting Coverity was a quick decision for us."

Download whitepaper

Related posts:

1. Cut Time, Not Corners: 5 Steps to Efficiently Manage Defects across Shared Code
2. Schneider Electric Improves Product Quality While Saving Over 2,500 Engineering Hours with Coverity
3. Coverity Maintains Software Integrity of Sun Microsystems’ Award-Winning Storage Products

Schneider Electric has adopted Coverity to improve product quality and software integrity while reducing development costs and re-focusing resources on innovation, benefits which have been realized within the development organization, across the company, and supported at the highest level within Schneider Electric management.

"We run the analysis from a centralized team and send out an email one week later announcing the results are available for the developers to review. If there is ever a delay in getting this information out to the developers, they come to us and seek it out. Not a single developer did this in the past. Now we have developers demanding Coverity."
- Frank Klosek, Qualimetry and Senior Technical Manager

Download whitepaper

Related posts:

1. ip.access Ensures Quality of 3rd Party Code
2. Frequentis Standardizes on Coverity Static Analysis for Safety-Critical Software Integrity
3. Coverity Maintains Software Integrity of Sun Microsystems’ Award-Winning Storage Products

In a highly competitive market, companies like Sun constantly need to increase quality and reliability, speed delivery, and reduce costs just to stay even with its rivals. Coverity Static Analysis is a great addition to help not only achieve these objectives, but also surpass them. It has proven to be a tool that can find defects earlier, which reduces development costs and accelerates time to market.

Using Coverity Static Analysis also results in higher quality products in the field because there is more complete coverage of exception handling code in testing. Finally, the real-time feedback improves software developers’ coding skills resulting in fewer testers needed relative to the number of developers. These benefits help Sun and its already award-winning products to not just stay on par with the competition, but widen the gap between Sun and its challengers.

Download whitepaper

Related posts:

1. Frequentis Standardizes on Coverity Static Analysis for Safety-Critical Software Integrity
2. ip.access Ensures Quality of 3rd Party Code
3. Schneider Electric Improves Product Quality While Saving Over 2,500 Engineering Hours with Coverity

Frequentis’ mission and commitment to safety is engrained into every part of the company, and the software quality organization is a direct reflection of this commitment. Coverity has helped Frequentis ensure a high level of software integrity to support its product mission of freedom from failure, while continually improving the productivity of its developers.

According to Andreas Gerstinger, Software Quality and Software Safety Engineer, who drove the evaluation and introduction of Coverity Static Analysis into the organization, "We had used other analysis tools in the past but they did not go as deep as Coverity–they only provided metrics such as complexity measurement–but did not go as far as finding faults and pinpointing where they reside in the code. Developers didn’t want a tool that only showed them abstract metrics, but would instead show them exactly where they made a coding error."

Download whitepaper

Related posts:

1. Coverity Maintains Software Integrity of Sun Microsystems’ Award-Winning Storage Products
2. Schneider Electric Improves Product Quality While Saving Over 2,500 Engineering Hours with Coverity
3. ip.access Ensures Quality of 3rd Party Code