·:[ Arik’s blog ]:·
• • • • •

Well, the flight is familiar torture. The plane leaves just before midnight, after a full day of packing. Check-in, passport control, security, gate, take your seat, buckle up, what would you like to drink, chicken or beef, feature movie, try to sleep, try to read, try to watch the movie, try to make conversation, belt sign, buckle up, final descent, seat upright, flaps, touchdown, reverse thrusters, taxi, deplane, wait 3 hours in a sleepy airport, repeat, but this time in English.

I arrived at SFO around 10am PST, which is a total of 22 hours from the time I entered TLV. It took me way too much to rent a car though, so I left SFO around noon.

Now this is going to be weird. It all feels very familiar.

I have been to Los Angeles for a considerable time, and it feels like LA here. The weather is perceptibly colder, but it is the same California, the same kind of people, the same cars, the same buildings, the same chain stores. It feels like one of the many other business trips I’ve made to LA. I don’t feel “at home” but I do feel “at ease”.

As you may or may not know, I’m relocating to the US. Specifically San Francisco Bay Area.

My company’s new offices are in Palo Alto, so I’ll probably be living nearby.

I’m scheduled to fly over this Friday. It won’t actually be relocation, because I don’t have my US work visa yet, it’s in the works - I’m still an employee of the Israeli company, and it’s considered a business trip. I do intend to scope the area for places to live and acquaint myself with the new surrunding.

I will probably have more to write on this in the near future, so stay tuned.

Some more information about the trojan in this link:

How This Trojan Horse Works in this Case – 4Law Exclusive Presentation

Some very detailed logs of its activity.

– Arik

I’ve followed up on some info regarding the specific trojan used, and it seems like it’s the Hotword.B trojan.

The symantec analysis (and a similar one on Aladdin’s site) show that the protocol used to get a configuration file was FTP. No mention of the protocol used to actually get the data out, but it may as well be FTP.

This surprises me - in many organizations in Israel that I’ve been in, FTP is disallowed at the perimiter. I guess those attacked didn’t bother to disallow it, or - more properly - allow only a limited set of protocols. An average organization with a private network, a properly configured HTTP proxy (i.e. only HTTP traffic) and no direct routing to the Internet would have been safe from this particular attack.

And on a different note, the Aladdin link above was in an unsolicited message I got from Aladdin. I might have given them my email address at some time in the past, but I did not intend it to be used to send me UCE. A lot of Israeli security companies are trying to jump on the bandwagon and make money off the trojan discovery.

My previous post on this topic is here.