Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing “Malware Attribution: Tracking Cyber Spies and Digital Criminals” is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks — signs of the environments in which the code was written — that can help identify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that’s not the route this attacker chose. tifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. “The bad guys don’t change their code that often,” Hoglund says.

A traditional antivirus platform tifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and to assign it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company’s intellectual property, he says.

“You are not going to succeed in keeping the bad guys out of your network,” Hoglund says. “But if you can detect them as early as possible, you can prevent losses.”

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match. He says he hopes to demonstrate that the sources of these 500,000 examples number relatively low — in the hundreds rather than the thousands, he says.

If that’s the case, using these fingerprints as signatures by which malware is detected, intrusion-detection engines could focus on filtering them rather than the wrappers in which they are sent. That would mean a more stable library of signatures since the attackers are slow to change their code. These IDS signatures would work better over a longer period.

To do this the IDS needs to be on endpoints where the code executes and can be seen in the memory of the computer as a human-readable text. At the network layer, a packed executable would not reveal these attributes.

At the conference, Hoglund plans to release a tool called Fingerprint that analyzes and compares the similarities among the underlying artifacts found in different pieces of malware. Businesses could use the tool to determine what identifiable attacker wrote the code and what its intent is.

That in turn can give businesses an idea of whether they are under a concerted assault from a common group rather than being the victim of random attacks. Using this type of analysis, Hoglund says he found that one identifiable attacker was responsible for targeting the Department of Defense as well as a particular military base five years before.

That indicated the attacker was the same, and use of a Chinese-language development environment indicated the attacks came from there. Some of the source code used was exact copies of code traded on China hacker sites.

Source

Today, we at Rackspace launched an ambitious project called OpenStack that aims to make this new world a reality.

I want to lay out the thinking that got us here and why we think this moment will change computing forever.

“The cloud” at its most fundamental level is all about a massive supply increase in computing power. The PC era was all about putting a computer on every desk. The cloud era goes a step further, putting the power of supercomputing at the literal fingertips of every individual at anytime. Whether it’s enabling a youth soccer coach to schedule practice across the online calendars of 18 families, or helping a scientist fold proteins to design new cancer drugs, or encouraging a frontline employee to instantly and cheaply test a new marketing campaign, the exponential growth in computing power and applications is changing every corner of our economy and society. And, this era is truly just beginning. We have seen only a tiny fraction of the potential gains that arise from cheap, ubiquitous computing power.

As this landscape has evolved, some have dismissed cloud computing as just a return to the mainframe era. This view is fundamentally wrong. Mainframes were available to only the smartest employees at the richest companies. The cloud is accessible to all, and usable by anyone, at low cost. Its ubiquity is the source of its power.

However, there is one area where mainframe concepts are intruding into the cloud – the vertically integrated technology stack. As hardware and software merge into services, the danger of locked down proprietary software stacks are emerging in the cloud space. The cloud world changes everything, and that is not good to many entrenched interests of the old guard. Core technologies from operating systems to hypervisors to databases are being used to tie cloud customers into an integrated view of the world.

If the web has taught us anything, it is that open systems, portability, and choice drive innovation. The open Linux system brought us a mountain of software and tools to help accomplish almost any task. And, each component, whether a database or a widget could be moved in and out freely based on the job getting done.

We at Rackspace have long talked about an “open” cloud. And as a service provider built on our Fanatical Support difference, we have never had an interest in creating technical walls around our service. But, given that no standards tools have emerged to build massively scalable clouds, we too have had to build custom software that creates some level of wall around our cloud offerings. For months we have debated how to drive greater standards and increase the velocity of cloud technologies in general. We finally converged on the obvious answer: open source our cloud technology.

Today, we announced a new open source project that includes those core technologies: OpenStack. And, we are not alone. As we looked at all the projects that already existed to drive standards we saw that other efforts were underway that complemented what we have done. We saw a ton of promise in the Nebula computing project built by NASA and are making it a core part of the project. Taking the contributions of Rackspace and NASA as a starting point, OpenStack forms a powerful foundation of technologies including, a scalable compute provisioning engine – OpenStack Compute – and a fully distributed storage engine – OpenStack Object Storage.

The community, which we plan to actively support and drive, is live today at openstack.org with code available for download.

Last week we assembled a strong group of cloud community leaders and developers to meet and review the architecture, engage on technology direction and contribute code. The effort attracted more than 100 participants from 25 companies including hosting companies, telecom providers, hardware manufacturers, cloud ecosystem companies and beyond. This enthusiasm and collaboration around OpenStack has laid the foundation for a vibrant and innovative approach to building the core software to power the future cloud world.

What do we expect OpenStack to mean for the cloud community? Some pretty major things. One, anyone will be able to run this cloud and do it anywhere. Enterprises and governments will be able to build private clouds. Service providers will have the same technology used by Rackspace and NASA to build new offers. Choice and portability are inevitable in this world. Two, the whole tech ecosystem can build around this foundation. With wide adoption, there will be a market for new services all around this core engine. From storage systems to monitoring tools to management systems, there is no end to what can be attached to the core project. Three, the cloud will advance faster than ever. Between just NASA and Rackspace, an army of developers are committed to the continued advancement of OpenStack. With our emerging supporters in the project, we expect to dramatically expand that army. Finally, a core set of standards will be freely available and totally open. New technologies can be attached. Better solutions will be driven into the product. And, the use of this powerful technology will not tie you to the use of any other technologies.

For our customers, we think there are many benefits that flow from these community gains. Not only will this help our offers develop faster and more transparently, but our customers can run private editions of our core systems in house or in our managed hosting operation.

We could not be more excited about the launch of this project and the enthusiasm around it. As a company that has invested a great deal in the development of cloud technologies, we did not take the decision to open source lightly. We think this decision will serve our interests and those of our customers. While we at Rackspace hire top developers and engineers to make sure our technology is second to none, seeking a technology advantage has never been our approach. We have our own vision about how to deploy this technology and serve customers – by giving them seamless access to scalable computing with the trusting partnership that comes through Fanatical Support. But, there will be many approaches and winning formulas. We think by welcoming those approaches and driving standards and more rapid innovation we will all win.

We hope you join us in this cause. We know there are many parties who might want to join us in the effort, please reach out to us.

We look forward to updating you as we make progress.

Source

Web development can be little tough if there had been no frameworks to make our life easier. Any Web Framework is a boon to a web developer as it provides so many options, flexibility and its a big time saver.

Here, we have compiled the best of web development frameworks in PHP, CSS, JavaScript, Python and Java. All these frameworks have there pros and cons, they can help you make your project look clean and robost. For future reference, you can bookmark this post and share it with your friends and web-programmers.

Source

Security research firm Qualys is attempting to paint a detailed picture of SSL deployments and their shortcomings with a new, still under-development study that aims to deliver a deeper degree of information on the state of the SSL marketplace than what is currently known. Most industry intelligence on the subject thus far has come from Netcraft research reports and from vendor reports.

In its study, Qualys scanned 119 million domain names, but found that only 92 million were active. Approximately 12.4 million domains failed to resolve properly and 14.6 million failed to respond. Of the active domains that did respond, nearly 34 million responded to the Qualys scan on both port 80 and port 443. Port 80 is typically used for HTTP while port 443 is typically used for HTTPS-, SSL-secured Websites.

Digging a layer deeper into the active sites on Port 443, Ivan Ristic, director of engineering at Qualys, said in a Webcast that he found that only about 23 million of the sites were actually running SSL.

SSL certificates can be generated for any domain name. It is considered to be a best practice that the name on the SSL certificate matches the name of the domain on which the SSL certificate is being used, though Ristic’s research shows that’s not always the case.

“Only about 3.17 percent of the domain names matched,” Ristic said. “So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside.”

Detecting invalid SSL certificates
In a preview of a talk set to be delivered at this summer’s Black Hat USA conference, Ristic explained that his company has had an SSL security-checking service available publicly for some time. However, the Qualys SSL checker required that users came to the site to check their own SSL status. With the new research conducted by Ristic, Qualys set about scanning the Internet to collect information on how sites are implementing SSL.

“For us, the question is: How exactly is SSL used on the Internet as a whole?” Ristic said during the Webcast. “Interestingly enough, as popular as SSL is, no one had made public the information about how it is used.”

According to VeriSign, there are currently approximately 193 million domain names. In terms of SSL, Netcraft reports that there are 1.5 million SSL certificates. Ristic decided to focus his research on the total number of .com, .net, .org, .biz, .us and .info domains, which total 119 million domain names in total.

Ristic explained that he built a virtual machine that was able to run 2,000 threads in parallel to scan those millions of domain names. The process took him two days at a speed of 1,000 servers scanned per second.

In response to a question from InternetNews.com about his testing hardware and software infrastructure, Ristic noted that the scanning software had been custom-written for the task.

“The hardware was nothing special — I’m using a virtual server in the cloud and it’s just a medium-sized box,” Ristic said. “The trick to why the tests are quick is that it’s only a couple of network packets that are being exchanged, and that’s enough to determine if the server on the other side is capable of supporting the protocol.”

As part of the complete report that he is working on, Ristic said that he’ll be doing a deeper analysis of 720,000 SSL certificates that he uncovered in his initial scan and considers valid. The plan is to collect up to 300 data points on each SSL server to better understand how the certificates are deployed and configured.

Source

* a RESTful Web Service (RWS)
* a NICNAME/WHOIS port 43 service
* a user-friendly web site (http://whois.arin.net)

When using Whois-RWS you will notice some differences in behavior for
certain queries and corresponding result sets on the NICNAME/WHOIS TCP
port 43 service. These minor differences are documented at:

https://www.arin.net/resources/whoisrws/whois_diff.html

ARIN’s Directory Service for registration data has used the
NICNAME/WHOIS protocol since its inception. The limitations of the
NICNAME/WHOIS protocol are well known and documented in RFC3912.
Whois-RWS was created as an alternative to the ARIN Whois and will
provide much richer functionality and capability to the community.

Whois-RWS can easily be integrated into command line scripts, or it can
be used with a web browser, which makes it applicable for programmatic
consumption and accessible for interactive use. ARIN will continue to
maintain services for the NICNAME/WHOIS protocol on TCP/43. This is
achieved by using a proxy service to translate traditional ARIN Whois
queries into Whois-RWS queries. However, ARIN recommends use of the
RESTful Web Service.

Those who choose to use the Whois-RWS Proxy will find it has many
features unavailable over the existing Whois service, including:

* Support for new query types such as CIDR queries
* Better feedback for ambiguous queries
* More finely scoped record type queries
* Options for NICNAME/WHOIS clients that re-interpret traditional
parameters used by ARIN’s service.
* RESTful URL references, useful for embedding into documents and e-mail
* Better grouping of record types and delineation of results

Another major benefit is that data from ARIN’s registration database is
distributed to the Whois-RWS servers many times throughout the day,
versus the once-a-day update of ARIN’s previous Whois service. Changes
will be reflected more quickly through Whois-RWS, so query results will
be more current than the previous Whois service.

ARIN continues to welcome community participation on the Whois-RWS
mailing list, and we invite you to subscribe and provide feedback to:

http://lists.arin.net/mailman/listinfo/arin-whoisrws

Source

How to Become the World’s No. 1 Hacker is purportedly written by Gregory D. Evans, an animated felon who went on to become CEO of Ligatt Security International, a publicly traded company worth about 0.0002 cent per share that bills itself as a full-service computer security firm. Released by the obscure Cyber Crime Media publishing house, the 342-page PDF is a comprehensive, step-by-step guide for consumers who want to learn how to harden their networks against attackers. Unix security, Wi-Fi cracking, and web service configuration are all covered.

But it turns out that huge chunks of the book weren’t written by Evans at all, even though no other authors are credited. For instance, virtually all of Chapter 12 – 5,894 words, to be exact – is identical to this tutorial on port scanning written by Armando Romeo and published on the hackerscenter.com website in early 2008. And 1,750 words found in Chapter 9 were lifted from this manual posted to ethicalhacker.net, including screenshots that make reference to Chris Gates, the original author.

In all, at least 13 of the e-book’s 26 chapters were lifted almost entirely word-for-word from other sources without attribution, according to this analysis from Ben Rothke, a senior security consultant for a professional services firm, who ran the portions through iThenticate, an online tool for spotting plagiarism. Other sources that were used without credit include Security Focus, Auditmypc.com, and Squidoo.com.

“Mr Evans has never asked any permission from me and I’m the only owner of the copyrights of my website,” said Armando Romeo, CEO of eLearnSecurity who says in all five Chapters in How to Become the World’s No. 1 Hacker “have been literally copied and pasted from my guides” on the Hacker Center website. He added that this is the second run-in he’s had with Evans, who regularly appears on local and national TV shows to talk about computer security.

Chris Gates and Donald Donzal, the author and editor respectively of the articles on the Ethical Hacker site, are also steadfast that Evans never had permission to use their content, which was first published published in 2007. Donzal said he’s in the process of filing a take-down demand under the US Digital Millennium Copyright Act.

Evans – who in 2002 was sentenced to 24 months in federal prison after pleading guilty to wire fraud – has vociferously defended his use of the previously published articles. In an interview with The Register, he said he began work on the book in 2008, and largely drew on ghost writers who by contract agreed to submit “original content.” He insisted the submissions were vetted for authenticity by a service he declined to name. But he nonetheless went on to challenge the authors who have stepped forward to complain their work has been misappropriated.

“What you’re doing is you’re saying Greg, you put other people’s stuff in your book, but if I go out on the internet, you cannot tell me who owns those other people’s stuff,” he said. “All you’re doing is you’re telling me that who owns a website where other people publish at that website, but they’re not the owners of the content.”

‘Mitnick under my wing’
Evans, who is African American, has pushed back equally hard against other people asking hard questions about the true origins of his book. In a reference to another company Evans leads, he published a this rebuttal headlined “National Cyber Security Uncovers Racism Within the Computer Security Industry,” and continued to refer to himself as the author of the book.

In an accompanying video blog that was posted late last week, Evans went on to defend his hacker credentials, noting the he was incarcerated on the same floor as Kevin Mitnick during the latter’s five-year prison stint for hacking and fraud crimes.

“When I get in there, I take Kevin Mitnick under my wing,” Evans said in the video. “We used to turn around and have contests like who can get free phone calls, who can get away with making a three-way call without getting caught.”

Evans went on to claim that he advised Mitnick on a plea bargain he was negotiating with federal prosecutors and was in the same room as Mitnick when he learned he was going to be interviewed on the CBS News show “60 Minutes.” Mitnick denies the account.

“He basically misrepresented our relationship, our meetings” Mitnick told The Register. “He certainly didn’t take me under his wing, whatever that means. I didn’t really discuss my case with him because you don’t discuss your case with other people in jail because they’ll become informants.”

According to Mitnick, by the time he was approached by “60 Minutes,” he had been transferred to the Lompoc Federal Correctional Complex and hadn’t seen Evans in months.

Evans “made that whole story up,” Mitnick said. “He was never there.”

Mitnick also challenged the hacking skills of Evans, whose previous books include Memoirs of A Hi-Tech Hustler and Hi-Tech Hustler Scrap Book 2004-2005.

“What I recall of him, he wasn’t too savvy with hacking, but he did understand phone phreaking,” Mitnick continued. Evans’s 1998 prosecution “was a typical fraud case. It wasn’t hacking or phone freaking, really. He seemed to be a nice guy, a very evangelist type personality. I kind of sized him up kind of like a hustler, a grifter.”

Indeed, in video blogs promoting Ligatt Security to potential shareholders, Evans comes across at some points as a high-pressure salesman and at others as a class clown. In this video from last year discussing a deal involving a property known as spoofem.com he shares this nugget:

“I got the news this morning on my way to work, got here late because I caused an accident when I was reading my email and I saw it and I started screaming and I swerved and then this tractor trailer fell over and hit this bus full nuns and it was just [a] mess, but I took off real quick because I got a fast car. They didn’t know it was me, so I’m here doing this video blog. Pray for me.”

Be like ‘Googles’
In the same video a few minutes later, he compared Ligatt shares to those of Google – which he mistakenly refers to as “Googles” – before the stock hit sky-high prices: “It’s just like buying Googles,” he said. “You could have bought Googles years ago. Just imagine if you bought Googles at a penny or less than a penny how trillionaire you’d be today. I’m trying to give you that same vision.”

But it’s fair to say Evans, who says he’s 41 years old, has a temper as well. About a half hour into his interview with The Register, after growing increasingly agitated with the questions, he abruptly stopped the conversation and, through a spokeswoman, refused to continue.

And according to this account from security blogger and podcaster Chris John Riley, someone left a post threatening “to go after you family [sic]” less than 15 minutes after he spoke with Evans on the phone to arrange a taped interview regarding the allegations of plagiarism.

“I will have my friend in your country tracked down [sic] everyone you are friends with and your family and see what you are all about,” the posting stated. The person didn’t sign the message, but the IP address used to leave the message belongs to a Bell South customer in the Atlanta area, where Ligatt Security is headquartered.

Evans – who often refers to himself as the “world’s No. 1 hacker” and is regularly interviewed by various Fox News anchors and affiliates – has yet to say whether he played any role in posting the comments. He terminated his interview with The Register before the issue could be addressed.

Riley said that nothing during his brief conversation with Evans on Wednesday gave any indication there were any hard feelings. But when the time they had arranged to conduct the podcast came, Evans was a no-show.

Said Riley: “I did log onto Skype and I did wait and nothing ever came around. I thought it was funny. To be honest, I think Greg is more bark than bite.”

Source

The U.S. Computer Emergency Readiness Team must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves, the audit said.

Issued Wednesday by the Homeland Security Department’s inspector general, the report lays out criticism that long has been aired by U.S. officials and outside experts who say the government’s computer systems are vulnerable to attacks, are persistently probed, and lack the needed management and security standards.

And it highlights many of the problems Congress is trying to address in a number of bills aimed at creating a more effective government structure to improve and enforce security standards.

Cyber security has become a top priority for the government, bolstered by President Barack Obama’s declaration last year that it is “one of the most serious economic and national security challenges we face.” Officials say U.S. networks are scanned and probed millions of times a day, and in some cases breached by hackers, cyber criminals and other nations.

The 35-page report said the Computer Emergency Readiness Team, which is a part of DHS, has made progress helping federal agencies protect against computer-based threats, including the creation of a cyber center. But it said the team does not have the enforcement authority it needs to get other federal agencies to take the steps required to secure their systems.

In a detailed response to the report, DHS Undersecretary Rand Beers noted that the inspector general did not make a recommendation on how the agency could gain more enforcement authority. But he said the agency agrees that giving DHS more formal authority would be helpful.

Members of Congress currently are tussling over legislation that would give Homeland Security greater power to draft and enforce standards, and require federal agencies to more quickly address gaps in their computer systems. Other lawmakers say that authority should reside in the White House and with the National Institute of Standards and Technology.

Sen. Susan Collins, R-Maine, who along with Sen. Joe Lieberman, I-Conn., has legislation to increase the DHS’ power, said the agency needs “precise authorities with real teeth.” That effort got a boost Wednesday as key House members said they would introduce a similar bill.

The report also said the Computer Emergency Readiness Team has been plagued with staff shortages and leadership turnover, hindering its ability to retain qualified staff. And due to the security clearance process, it can take nine months to 12 months for a new hire to begin work.

DHS is in the middle of a major boost in staffing. In early 2009, the readiness team had 16 employees, but the number jumped to 31 by October, and is now at 55, with another 25 workers in the hiring process.

The report notes that officials from other federal agencies have complained that the readiness team doesn’t quickly share data on cyber threats or incidents. DHS officials responded that much of the data is from intelligence agencies and is classified at various levels, making it difficult to coordinate and share.

Source

No one can set up a web server on an IP (Internet Protocol) address that hasn’t been allocated, but anyone can write code that points to the unused addresses. The unexpected activity found in these “dark spaces” may come from a variety of sources, including both Internet-borne attacks and benign code for testing an application or PC. Though the traffic doesn’t represent a security threat itself, an enterprise that acquired the affected addresses from an Internet service provider (ISP) typically would have to pay for the transmission of the irrelevant packets, said Manish Karir, a researcher at Merit Network. Merit is an educational network operator and Internet research center in Michigan.

IPv4 only allows for about 4.3 billion addresses, and that supply is expected to run out within the next two years. If some of those remaining addresses are polluted with unwanted traffic, that could make the problem even more urgent for enterprises that want new, usable IPv4 addresses.

IP addresses are allocated by regional Internet administrators, usually to ISPs, which then assign smaller blocks of them to their enterprise customers. Only a small number of blocks of IPv4 addresses are still waiting to be handed out. Karir and a group of other researchers tried to find out whether the addresses at the bottom of the virtual barrel are as good as those that have already been handed out.

“There’s growing concern that these blocks are less desirable,” Karir said. The concern is over types of traffic that have been blocked or moved from already-allocated blocks to ones that so far haven’t been assigned.

Karir’s team joined with APNIC, the Internet registry for the Asia-Pacific region, to test one new block, called 1.0.0.0/8, because it was known to have been used in examples and test cases over the years. Capturing packets over a period of about 10 days, they found a large amount of traffic.

In the entire 1.0.0.0/8 block, there was an average of 170M bps (bits per second) of sustained traffic, at an average of 150 packets per second, Karir said.

Some of the traffic occurred in a subnet called 1.1.1.0, which is commonly used to test computer and router configurations. But the researchers were puzzled by a very large amount of traffic in another subnet, which made up nearly 35 percent of all the traffic in the entire address block. So they used the Wireshark protocol analyzer to reconstruct it. The traffic consisted of fast busy signals and audio messages advising callers they had the wrong phone number. “If you’d like to make a call, please check the number and try again,” said one of the messages, which Karir played for the NANOG audience.

The researchers believe these signals were a side effect of problems with SIP (Session Initiation Protocol), a commonly used technology for voice over IP and other types of packet-based communication. The signals could have appeared in the dark space because of misconfigured SIP servers or because of “SIP invite” attacks, in which a system is flooded with malformed invitations to join a SIP session, Karir said. Because of a “hard-coded default,” the busy signals are configured to come to that particular subnet, he said.

Another source of packets to the address block, more than 17 percent of the total, was misdirected DNS (Domain Name System) queries embedded in Web pages that users clicked on.

Given the findings, APNIC decided to block the worst hotspot subnets within the 1.0.0.0/8 block. Cutting off the 10 worst hotspots significantly reduced the unwanted traffic, Karir said.

However, the researchers found evidence of similar types of pollution in several other unallocated address blocks, and it’s hard to predict where such traffic will turn up, he said.

“Each dark space is different … because hotspots exist in strange and unusual places,” Karir said.

He advised network administrators who are given polluted blocks to talk to the ISP about exchanging them. But this may become harder to do as the number of unused IPv4 addresses dwindles, he warned. There are only 16 remaining blocks of about 16.7 million addresses each, down from 22 such blocks just three months ago, Karir said.

Source

I’d like to let you know that there’s been a compromise of the
unrealircd website and ftp and the 3.2.8.1 tarball release had been
replaced by a backdoored copy.

I’m attaching Syzops original security advisory from

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Yours,
satmd
UnrealIRCd support staff

Hi all,

This is very embarrassing…

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user
restrictions (so even if you have passworded server or hub that doesn’t
allow
any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at
least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we’re taking precautions
so this will never happen again, and if it somehow does that it will be
noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in
practice
(very) few people verify files, it will still be useful for those
people who do.

Safe versions
==============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be
safe, but you should really double-check, see next.

How to check if you’re running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by
running ‘md5sum Unreal3.2.8.1.tar.gz’ on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you’re running the backdoored/trojanized
version.
If it outputs nothing, then you’re safe and there’s nothing to do.

What to do if you’re running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed
running the
backdoored version, as mentioned above. Otherwise there’s no point in
continuing, as the version on our website is (now back) the good one
from April 13 2009 and nothing ‘new’.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to ‘clean’ UnrealIRCd
without
a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should
output: 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the
initial 3.2.8.1 announcement to the unreal-notify and unreal-users
mailing list.

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Source

The security appliance company is profitable and growing — its earnings last quarter were 17% higher than for the same quarter last year — but with the security appliances industry consolidating, it needs to grow faster, says Patrick Sweeney, vice president of product management for SonicWall. The company has $200 million in cash as well, he says.

If approved by shareholders, the deal will enable faster development of the company’s next big product push, called Super Massive, a jump to 10Gbit/s speeds for its unified threat management hardware with all the security features turned on, he says. “It’s important for us to grow as fast or faster than the market,” he says. “This will allow us to build a larger company a lot faster.”

Size is important because the industry is consolidating, he says, pointing to HP’s purchase of 3Com and its security devices division Tipping Point, making smaller companies more vulnerable.

As a listed company, SonicWall’s goals were constrained to ever increasing 90-day demands between fiscal reporting quarters, which limits longer term investments that can alter a company’s strategic course, he says.

SonicWall, which makes unified threat management, firewall, VPN and backup appliances as well as endpoint security, email security and antispam software, says the deal will buy out current shareholders for $11.50 per share in cash, which is 63 percent more than the stock is going for publicly. Stockholders still have to approve the deal, and that is expected by early in the fourth quarter of this year.

Source