Wednesday, February 28. 2007
As someone who does spam research, I actually read every spam email that my honeypot email accounts receive. It doesn't take long to start seeing patterns and being able to identify spammers based on their habits. For example, every 1st and 15th of the month, I and about 100,000 close friends receive phishing emails that ask for our ISP account information. But not all spam is bad -- every morning I win the lottery! It might be the "Casino Award Agency" (550,000.00 Euros) or the "LOTTERY PROMOTION.UK" ($950,000.00) or some other fake lottery scam, but I am a winner every morning.
Then there are the 419-scams (named after the Nigerian legal code that makes advanced fee fraud illegal). You see, word has gotten out that I am a very trustworthy person. Like clockwork, one of my honeypot email accounts regularly receives confidential solicitations. Why, just this week I was contacted by DR PALO DONO of SOUTH AFRICA, Raheem Kudus Salem (a merchant in Dubai), and Mr. Aminu Martins from Benin.
The problem with these scams is that people do take them seriously. After talking with some friends in a security forum, I came up with a good solution:
Dear friend,
I am trying to stop some of these 419 scams. Please help me protect people from losing their money to these scams by sending me a donation. Please email me your:
* Credit card number
* CVV2 (the numbers on the back of the card, in the signature box)
* Expiration date
* Your full name as it appears on the card
* Your credit card billing address
* A picture of your signature
* Your social security number
* A picture of your passport photo or drivers license
* Your mother's maiden name
(The latter items are, uh, so I can validate that you are who you claim to be.)
Please help me do the right thing by stopping these evil scams. Please donate.
If you think that my solution sounds like a scam... Well, you're right. It is. Yet people fall for this sort of thing every day. Until we reach out to educate our friends and neighbors, this problem will not go away. It is human nature to think the best of others. We want to help, we like compliments (you're trustworthy, right?), and if we can make money as well, then that is wonderful! Criminals know this. They are betting on it. While I may not really win the lottery every day, these criminals do.
What can you do about it? Talk to others. Point out that "something for nothing" is a scam. And if they still want to help someone out, have them help you. I mean... if someone is going to end up with money from gullible people, it should be you, right?
Saturday, February 24. 2007
I just spent a few hours this week checking all of the computers I manage for compatibility with the new Daylight Savings schedule. For anyone still in the dark, Canada, the United States, and the Bahamas are adopting a new DST schedule this year. There will be four more weeks of DST, from March 11 to November 4, 2007.
The good news: most of the newer computers are ready. In the worst case, they needed some simple patches installed. Some of the older computers and embedded systems that I manage (e.g., some VCR and DVD players) don't have patches available, so I will need to set the time on them manually.
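The compatibility check described above, as an added example that is not part of the original post: the script below encodes the pre-2007 US/Canada rule (first Sunday in April to last Sunday in October) and the 2007 rule (second Sunday in March to first Sunday in November), lists the dates on which an unpatched system's clock is off by an hour, and compares the host's own time zone data against the new rule. The closing system check only means something on a host configured for a zone that observes this schedule.

```python
"""Compute the DST transition dates a system must get right after the 2007 rule change.

Added example, not code from the original post.  It encodes the two US/Canada
rule sets: the pre-2007 rule (first Sunday in April to last Sunday in October)
and the 2007 rule (second Sunday in March to first Sunday in November), then
lists the dates on which an unpatched system's clock is off by an hour.  The
system check at the end uses the local time zone and only means something on a
host configured for a zone that observes this DST schedule.
"""
from datetime import date, timedelta
import time

SUNDAY = 6  # date.weekday(): Monday = 0 ... Sunday = 6

RULES = {
    # name: ((start month, n-th Sunday), (end month, n-th Sunday)); n = -1 means last
    "pre-2007": ((4, 1), (10, -1)),
    "2007": ((3, 2), (11, 1)),
}


def nth_weekday(year, month, weekday, n):
    """The n-th occurrence (n >= 1) of weekday in the month, or the last one if n == -1."""
    if n >= 1:
        first = date(year, month, 1)
        return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def dst_window(year, rules):
    """(start, end) of DST for the year; DST is in effect from start up to but not including end."""
    (sm, sn), (em, en) = RULES[rules]
    return nth_weekday(year, sm, SUNDAY, sn), nth_weekday(year, em, SUNDAY, en)


def dst_in_effect(d, rules):
    start, end = dst_window(d.year, rules)
    return start <= d < end


def expected_utc_offset(d, standard_offset_hours, rules):
    """UTC offset in hours on date d for a zone with the given standard offset (e.g. -5 for Eastern)."""
    return standard_offset_hours + (1 if dst_in_effect(d, rules) else 0)


def disagreement_dates(year):
    """Inclusive (first, last) date ranges on which the old and new rules disagree."""
    ranges, start = [], None
    d = date(year, 1, 1)
    while d.year == year:
        differs = dst_in_effect(d, "pre-2007") != dst_in_effect(d, "2007")
        if differs and start is None:
            start = d
        elif not differs and start is not None:
            ranges.append((start, d - timedelta(days=1)))
            start = None
        d += timedelta(days=1)
    if start is not None:
        ranges.append((start, date(year, 12, 31)))
    return ranges


def system_follows_2007_rules(year):
    """True if this host's local zone agrees with the 2007 rule at noon on every disputed day."""
    for first, last in disagreement_dates(year):
        d = first
        while d <= last:
            noon = time.mktime((d.year, d.month, d.day, 12, 0, 0, 0, 0, -1))
            if bool(time.localtime(noon).tm_isdst) != dst_in_effect(d, "2007"):
                return False
            d += timedelta(days=1)
    return True


if __name__ == "__main__":
    for name in RULES:
        print(name, [x.isoformat() for x in dst_window(2007, name)])
    print("dates an unpatched system gets wrong:",
          [(a.isoformat(), b.isoformat()) for a, b in disagreement_dates(2007)])
    print("this host follows the 2007 rules:", system_follows_2007_rules(2007))
```

For 2007 the disputed days are March 11 through March 31 and October 28 through November 3; those are the dates to spot-check on anything that cannot be patched, such as the VCRs and DVD players mentioned above.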
While I was checking systems, a thought occurred to me: We will spend more time in DST than in regular time. This makes me wonder: why not call the summer time "regular" and the winter "DST"? Since we will be spending 8 months in DST, shouldn't that make it the regular time zone?
DST is intended to reduce energy costs by shifting work hours so they align with the sunlight hours. This is a great idea, but the hours are set by Congress, not science. I wonder how soon it will be before some congressman decides to save more money by making DST last all year? We can save energy all year 'round! (This follows the philosophy: if a little is good, then a lot is better.) We could even introduce a Delayed Daylight Savings Time (DDST) where a few months during summer would be an hour back, in contrast to the revised winter DST where we would move the clocks forward an hour. The three time zone system (DDST, regular, and DST) would really save us money!
Or would it? I wonder how much has been spent trying to ensure that all systems will work with the new DST schedule (the real one, not my facetious revisions). Airlines, for example, need to make sure that all of their systems work; they would hate to land, only to learn that they are an hour late and their gate is occupied. Banks could end up canceling charges if they look out of sync and stock trades could end up missing the closing bell. It's like Y2K without the mass media coverage.
In industry, this one-time cost is called pro forma and is ignored during accounting. However, in 2002, many public companies got in trouble for using pro forma numbers in their financial statements as they attempted to obscure corporate losses. While I hope the new DST hours will save money in the long run, I wonder about the current cost.
Friday, February 16. 2007
Recently the people at Wired News 27B Stroke 6 blog wrote about a TSA website where people on the terrorist watch list could try to get their names removed. They found some problems on this site. For example:
- You would think that a TSA website would be at "tsa.gov". However, this was hosted by a third-party (desyne.com).
- The online form had no tracking or control number.
- There is no cryptography or security for submitting personal information (name, address, SSN, etc.).
All of this seemed very similar to a phishing site: wrong domain, no security, no tracking. They just want your personal information.
The response was pretty remarkable. In what seemed like hours, the site was moved to a "tsa.gov" address. However, 27B Stroke 6 found another problem:
Now travelers are directed, as they had been in the past, to download a Word document (proprietary, insecure format) and mail [or fax] it in.
If you download the Word document, you can see the email addresses of the DHS TSA employees who created the document. Their names are stored in the document's meta information. Yes: In their rush to change their security model, they exposed employee names.
Security is a process, not a destination. These initial mistakes, quickly replaced by other mistakes, suggest a significant lack of process. These are knee-jerk reactions rather than planned actions. As my friend Rags mentioned, if they have no security-oriented planning here, then what can we expect from their screening process?
Thursday, February 15. 2007
It's happened again! Head for the hills! Hide in your basements! There's a new exploit being blown out of proportion!
This time, the topic is being called "Drive-By Pharming". Symantec is calling it a new exploit and advertising it as if it were a critical risk. Even the mass media has picked up on this hysteria. Here's some links:
There are a few problems with this alarming exploit. First, it only impacts default router configurations (not cable modems, as incorrectly stated in the Full Disclosure posting). Second, it isn't new. And third, it is a very low risk. But let's look at each of these in detail.
The exploit works when a user downloads some hostile code; in this case, JavaScript. The code connects to your home firewall and changes the DHCP DNS settings. This way, when you go to bankofamerica.com, the DNS resolution is sent to a hostile DNS server rather than the real one. Instead of getting the real IP address, you get one that goes to a fake server.
Now, in order for this exploit to work, there are some needed elements that are not mentioned in the exploit announcement. You need all of the following:
- A home firewall that is supported by the exploit. Ok, this might not be too bad, but the exploit must know at least a few dozen common routers.
- The default IP address. If you changed your firewall's IP address or subnet, then you're safe. (But most users are probably vulnerable.)
- The default admin password. If you changed the password, then you're safe.
- Your computer(s) configured to use DHCP from the router.
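Because the attack described above works by changing the DNS server the router hands out via DHCP, every client on the network carries the evidence in its resolver list. The script below, an added example that is not code from the original post, parses that list from resolv.conf text or a dhclient lease block and flags any resolver that is neither the router nor one you deliberately configured. The router address, trusted list and file contents are constructed for the example; the "hostile" resolver uses a documentation address.

```python
"""Check whether the DNS servers a host received from its router look hijacked.

Added example, not code from the original post.  Drive-by pharming changes the
DNS server the router hands out via DHCP; every client then carries the
evidence in its resolver list.  This script parses that list from resolv.conf
text or a dhclient lease block and flags resolvers that are neither the router
nor a resolver you chose deliberately.  Addresses and file contents below are
constructed for the example.
"""
import ipaddress
import re

# Assumed home network for the example: router at 192.168.1.1, and the
# router itself is the only resolver clients are expected to be handed.
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
TRUSTED_RESOLVERS = {ROUTER_IP}

# RFC 1918 ranges, listed explicitly.  (ipaddress's is_private also counts the
# documentation ranges such as 203.0.113.0/24 as private, so it would hide the
# outside address used in the sample below.)
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            try:
                servers.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue                           # skip malformed entries
    return servers


def parse_dhclient_lease(text):
    """Return the domain-name-servers option from a dhclient lease block."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    if not m:
        return []
    return [ipaddress.ip_address(s.strip()) for s in m.group(1).split(",")]


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return (address, reason) findings; an empty list means nothing looks wrong."""
    if not servers:
        return [(None, "no resolver configured")]
    findings = []
    for s in servers:
        if s in trusted:
            continue
        if is_local(s):
            findings.append((s, "local address that is not the router; verify it is yours"))
        else:
            findings.append((s, "outside address not deliberately configured; possible hijack"))
    return findings


# Constructed samples: a clean resolv.conf and a lease after a DNS change.
CLEAN_RESOLV = "# constructed sample\nnameserver 192.168.1.1\n"
HIJACKED_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.7, 192.168.1.1;
}
"""

if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(CLEAN_RESOLV)),
                           ("dhclient lease", parse_dhclient_lease(HIJACKED_LEASE))):
        findings = audit_resolvers(servers)
        print(label, "->", "OK" if not findings else findings)
```

Run it against the real files on a machine that gets its settings from the router; a resolver outside the local network that nobody chose is the footprint this attack leaves, and it shows up whether or not the router itself is otherwise behaving.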
I have helped many people configure their home firewalls and routers. I have yet to find one where they had not already changed the default password. However, even the non-technical people work in techie fields, so I don't know how normal this sample is. I do know that, during my last wardriving, the vast majority of homes had changed their SSID, so assuming that they changed their default password is very reasonable.
This type of exploit -- the threat of hostile code or users changing your default configuration -- certainly isn't new. The FTC released an advisory in March 2006 and even PC World warned about it back in March 2004. Other people made the threat known back in 1999 and 2000.
Now Symantec warns that as much as 50% of all households could be vulnerable. Uh... right. This isn't new and I could find no viruses -- even proof-of-concept ones -- that have ever used this exploit. If it wasn't exploited years ago when more people were vulnerable, what is to make us think it will become widespread now?
Fear. Uncertainty. Doubt. Don't be a victim of FUD.
Tuesday, February 13. 2007
Earlier today, Fergie pointed me to a news article announcing a new banking service: Bank of America to launch mobile banking. This article starts by saying:
Bank of America Corp.'s online customers will soon be able to use their cell phones and smart phones to check account balances, pay bills and transfer funds.
My immediate reaction was you've got to be kidding me. This really sounds like one of the worst ideas I have ever heard of. It is just screaming hack me!
It is not enough that the companies mentioned in this article have a less than stellar record at protecting people's privacy... (To name a few)
Now these same companies have banded together to allow banking from your cell phone. According to the news report, customers will be able to:
- Check account balances for checking, savings and credit card accounts, as well as mortgages and home equity lines held with Bank of America.
- Pay bills.
- Transfer funds between Bank of America accounts.
- View transaction details for Bank of America checking and savings accounts, mortgages and home equity lines, including posted, pending and scheduled transactions.
They say that they offer security by encrypting the communication between the bank and the cell phone. Unfortunately, they do not say that they will do anything to better authenticate the user. It is as if these companies have completely forgotten about cell phone fraud and the risks from phone cloning.
Authentication also becomes a problem. If they are planning on authentication based on the user's phone number, then they need to remember Caller-ID spoofing. And for those people without the technical abilities to implement spoofing, they can always go to SpoofCard.
Cell phones have their own problem. As I mentioned in my previous post, any shoulder surfer can easily read the display. Cell phones also have a large history, so a stolen phone may contain bank passcode information. Of course, the banks may decide to use voice recognition. I can't wait to hear people at restaurants shouting their bank account numbers into their phones.
And let us not forget cell phone viruses. Previous viruses were mainly proof-of-concept or malicious. Now virus writers have an incentive to create cell phone viruses for capturing bank information. According to the Bank of America press release, "customers can begin using the Internet browser on their mobile phone to access their accounts, similar to how they use their computer to access Online Banking services." Let's see, phishing, downloadable malware, and browser-related exploits become viable attack vectors, as well as any bluetooth connectivity.
Few people are security conscious, and banks know this. Putting customers in a position where they are likely to compromise their own security is irresponsible on the bank's part. This can only lead to a new direction for phishing and identity theft.