Archive for the 'Phishing, scams, etc.' Category

Dec 15 2013

Twitter spam filters overloaded

I believe the Twitter spam filters are currently overloaded, or at least someone’s figured out a way around them.  In the last 72 hours, I’ve gotten more Twitter followers than I normally get in three weeks.  At first it was hard to tell if they were real people or not, but as they’ve accumulated, I’m certain that the vast majority of them are not.  It’s gotten to the point that I’m reporting all new followers as spam, unless there is sufficient reason to believe they might be a real person.

So what characteristics do the spam followers share in common?

  1. Non-English speakers.  Russian, Spanish, Arabic, and any number of other languages I don’t recognize.  I’m assuming some are gibberish even in their own language.
  2. Very low number of tweets.  Almost all of these accounts have fewer than 200 tweets, and a significant number have fewer than 50 tweets.  There doesn’t seem to be a commonality of having links in these tweets, but I’ve given up on looking at their tweets.
  3. High following count/low follower count.  In an organic growth pattern, Twitter users don’t tend to have a 10 to 1 following/follower ratio, since close to 10% of Twitter is bots anyway.
  4. No listed count.  It doesn’t look like the bots have figured out how to get themselves listed quite yet.  Maybe there will be a botnet that will autolist bots in the future, but this is a big giveaway for now.

I’m confident the folks at Twitter will figure out a way to stem the tide of the current bot invasion, but in the meantime I’ll continue to report these accounts for spam.  I apologize ahead of time if I block any real people by accident.
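The four heuristics above, turned into a small rule-based triage function as an added example (not code from the post). The account records are constructed, the field names are an assumption about what a follower-lookup would return, and the "three signals or more" reporting threshold is my choice, not the author's.

```python
"""Score new followers against the four spam heuristics from the post."""
import unicodedata

# Thresholds taken from the post: under 200 tweets, a 10:1
# following/follower ratio, and no list memberships at all.
LOW_TWEETS = 200
RATIO_LIMIT = 10.0


def non_latin_share(text):
    """Fraction of letters in `text` whose Unicode name is not LATIN.

    A cheap stand-in for 'non-English profile' (Cyrillic, Arabic, ...)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    foreign = sum(1 for c in letters
                  if not unicodedata.name(c, "").startswith("LATIN"))
    return foreign / len(letters)


def spam_signals(acct):
    """Return the list of heuristics the account trips, in post order."""
    signals = []
    if non_latin_share(acct["bio"]) > 0.5:
        signals.append("non_latin_profile")
    if acct["tweets"] < LOW_TWEETS:
        signals.append("few_tweets")
    # Guard against accounts with zero followers.
    ratio = acct["following"] / max(acct["followers"], 1)
    if ratio >= RATIO_LIMIT:
        signals.append("follow_ratio")
    if acct["listed"] == 0:
        signals.append("never_listed")
    return signals


def classify(acct, threshold=3):
    """'report' when at least `threshold` heuristics fire, else 'keep'.

    A brand-new real account trips 'few_tweets' and 'never_listed' on its
    own, so a single signal is deliberately not enough."""
    return "report" if len(spam_signals(acct)) >= threshold else "keep"


def triage(accounts):
    """Map screen name to the triage decision for a batch of followers."""
    return {a["screen_name"]: classify(a) for a in accounts}


# Constructed sample followers; none of these are real accounts.
SAMPLE = [
    {"screen_name": "alice_dev", "bio": "Builds web apps in Portland",
     "tweets": 4200, "following": 310, "followers": 540, "listed": 12},
    {"screen_name": "xx8821", "bio": "Лучшие предложения здесь",
     "tweets": 17, "following": 1900, "followers": 35, "listed": 0},
    {"screen_name": "newbie_sec", "bio": "Just joined, learning infosec",
     "tweets": 40, "following": 120, "followers": 15, "listed": 0},
]

if __name__ == "__main__":
    for name, decision in triage(SAMPLE).items():
        print(name, decision)
```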


Oct 13 2013

Time to change DNS methods

I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now.  The difference between the two is mostly academic, since the difference in effect between having your site hacked through a weakness in the code and having all your traffic redirected to a site that the bad guys own is immaterial.  Either way, your company is effectively serving up something other than the page you intended, which is what really matters.

There have been a number of high profile sites that have recently been attacked through their DNS registrar.  Registrars are the companies responsible for keeping track of who owns which domains and for providing the base DNS information about where to find the systems associated with a domain.  In theory, they’re supposed to be among the most heavily defended types of enterprise on the Internet.  But practice is different from theory, and even registrars have their weaknesses.  In the case of Register.com, that weakness appears to be social engineering attacks.

The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp.  What’s almost funny about the latest attack is that the attackers had to send in a fax as part of the change request to make the changes.  To think that a technology that had its heyday in the ’80s would be the method used to attack companies in the second decade of the 21st century is amusing.  Hopefully Register.com has already begun reviewing their processes to prevent a similar event from happening again in the future.  And, again hopefully, other registrars are learning from the mistakes of Register.com and reevaluating their own processes.

There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar.  Also, not all registrars support locking, so this isn’t always an available option.  If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar.  That last part usually gets their attention.
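A practical way to verify that the registrar lock described above is actually in place is to read the EPP status codes out of your domain’s WHOIS record. This is an added example, not code from the post: it parses the `Domain Status:` lines that WHOIS output carries, and the two records below are constructed for a placeholder domain.

```python
"""Report which registrar-lock EPP statuses a WHOIS record carries."""
import re

# Client-side codes are set by the registrar (the "registrar lock");
# server-side codes are set by the registry. Either one blocks the action.
LOCK_CODES = {
    "transfer": {"clientTransferProhibited", "serverTransferProhibited"},
    "update": {"clientUpdateProhibited", "serverUpdateProhibited"},
    "delete": {"clientDeleteProhibited", "serverDeleteProhibited"},
}

# Matches the "Domain Status: <code> <url>" lines in WHOIS output.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)",
                       re.IGNORECASE | re.MULTILINE)


def epp_statuses(whois_text):
    """Return the set of EPP status codes found in a WHOIS record."""
    return set(STATUS_RE.findall(whois_text))


def lock_report(whois_text):
    """Map each lock type to True when at least one matching code is set."""
    present = epp_statuses(whois_text)
    return {kind: bool(codes & present) for kind, codes in LOCK_CODES.items()}


def missing_locks(whois_text):
    """Lock types you should ask the registrar to enable (sorted)."""
    return sorted(kind for kind, on in lock_report(whois_text).items() if not on)


# Constructed WHOIS excerpt: only a transfer lock, so a social-engineered
# change request could still rewrite the name servers.
WEAK_RECORD = """\
Domain Name: EXAMPLE-PLACEHOLDER.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-PLACEHOLDER.COM
"""

# Constructed WHOIS excerpt with the full registrar lock applied.
LOCKED_RECORD = """\
Domain Name: EXAMPLE-PLACEHOLDER.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

if __name__ == "__main__":
    # In practice, feed in the output of `whois yourdomain.example`.
    print("weak record is missing:", missing_locks(WEAK_RECORD))
    print("locked record is missing:", missing_locks(LOCKED_RECORD))
```

Registrars vary in how they label these lines, so if the parser returns an empty set for a live record, check the raw WHOIS text before concluding that no lock is set.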

I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS.  It’s not an enviable position to be in, which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there.  But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.

Update: Add two more to the compromised list, Bitdefender and ESET.  And again Register.com is the common point of weakness.


Oct 02 2012

Network Security Podcast, Episode 291

This week’s show went a little long, as all three of us had a lot to say on the stories we covered.  We also spent more than a few minutes at the beginning of the show talking about some of the resources people can use to get mentorship when entering the security field.  We also ramble a little bit and Rich gives us an assessment of one of his co-worker’s technical skills.

(All three of us made the show this week, and to be honest it was a little wittier than usual, if we do say so ourselves).

Network Security Podcast, Episode 291, October 2, 2012

Time:  38:30

Show notes:


Jun 06 2012

Dumping LinkedIn passwords

*** Dire Warning ***
If you’re in the habit of reusing passwords AT ALL, 1) stop it! 2) if you have a LinkedIn account change your password immediately on as many sites as you can remember.  Then get yourself a password management program (like 1Password or LastPass) with a random password creator and learn to use it for all sites.
*** Dire Warning ***

Now that the dire warnings are out of the way, let’s look at what happened.  This morning it was disclosed that 6.5 million LinkedIn password hashes were posted online.  LinkedIn was not using a salted hash for storing passwords, which means that while the passwords can’t be decrypted in any way, attacking the password file by dictionary attacks and other similar methods is very effective.  Additionally, the 6.5 million hashes are each unique, meaning that they represent a much larger portion of the LinkedIn passwords, possibly even the entire database.  One of the best analyses of the password hashes and what they mean was done over at Hacker News and covers a lot of what the disclosed hashes mean in really geeky terms.  Another great resource, thrown up by Robert Graham this morning, lets you enter a password to see if it is among those stolen.  If you don’t find your password in the database, try replacing the first 5-6 characters with zeros and look again.
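An added example (not the post's code, and not Robert Graham's tool) that shows both halves of the paragraph: how a single unsalted SHA-1 lookup, including the zeroed-prefix variant, tells you whether a password is in a dump, and why per-user salting stops one dictionary pass from matching every account at once. The dump is constructed from made-up passwords.

```python
"""Unsalted SHA-1 dump lookup versus salted storage."""
import hashlib
import os


def sha1_hex(text):
    """Plain, unsalted SHA-1 as used for the leaked hashes."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def zeroed(hex_digest, n):
    """Replace the first n hex characters with zeros, as some dumped
    hashes were published."""
    return "0" * n + hex_digest[n:]


def in_dump(password, dump):
    """True if the password's SHA-1 appears in `dump` either intact or with
    its first 5 or 6 characters zeroed (the post's advice). With no salt
    there is exactly one hash per password, so one lookup settles it."""
    h = sha1_hex(password)
    return any(v in dump for v in (h, zeroed(h, 5), zeroed(h, 6)))


# Constructed dump of three made-up passwords; the last is stored with
# its prefix zeroed.
CONSTRUCTED_DUMP = {
    sha1_hex("linkedin123"),
    sha1_hex("Summer2012"),
    zeroed(sha1_hex("password1"), 5),
}


# --- salted storage, the change LinkedIn said it had made ---
def salted_store(password, salt=None):
    """Return (salt, digest) with a fresh 16-byte random salt per user.
    Salted SHA-1 mirrors the post's wording; today you would use a slow
    KDF such as PBKDF2 or bcrypt in place of a single SHA-1."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def salted_verify(password, salt, digest):
    """Recompute with the stored salt and compare."""
    return salted_store(password, salt)[1] == digest


def same_password_distinct_hashes(password):
    """Two users with the same password get different stored digests, so a
    precomputed hash of a common password no longer matches them all."""
    _, d1 = salted_store(password)
    _, d2 = salted_store(password)
    return d1 != d2


if __name__ == "__main__":
    print("linkedin123 in dump:", in_dump("linkedin123", CONSTRUCTED_DUMP))
    print("password1 in dump:", in_dump("password1", CONSTRUCTED_DUMP))
    print("salted digests differ:", same_password_distinct_hashes("password1"))
```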

The other point I wanted to make was that while LinkedIn’s response (1, 2) to this compromise hasn’t been atrocious, it’s been far from a good example of how to do compromise disclosure.  If you want a good example, look at the recent post mortem writeup by CloudFlare, stating in great detail how they’d been compromised so others could learn from their problems.  I’m willing to give the LinkedIn team and Vicente Silveira the benefit of the doubt and assume they learned about the password file at the same time as everyone else, but their initial reaction was to say they were looking into it, even though a number of security professionals had already stated their passwords were definitely in the file.  When they did admit it was their database a few hours later, they stated they had ‘enhanced’ their security to include hashing and salting of the database.  I can only assume the enhanced security measures were put in place this morning, and I’d give them more credit if they’d admitted that instead of making it seem like it was something they’d already planned to do.  I do have to give them kudos for reacting quickly and giving users concrete steps to take in response to the compromise, but they lose at least as many points for not being up front about what’s really happening.  Of course, that may be because of the Marketing and PR departments more than anything, but I’m not willing to cut either of those departments any slack for a security incident.

Of course, this is all injury added to the assault that was disclosed yesterday, the fact that the LinkedIn mobile application collects all of your calendar notes.  And since they had your calendar data and there’s a possibility your account was compromised, if you’re using the LinkedIn iPhone app, you’d better assume all of your calendar data is also compromised.  I hope you didn’t have any important or sensitive information in your calendar!


Nov 11 2011

Open Tabs 11/11/11

Whether you call it Veteran’s Day, Pocky Day, Binary Day or something else, it’s Friday.  I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occasions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands of vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there are a lot of built-up articles.

Open Tabs 11/11/11:


Nov 09 2010

Network Security Podcast, Episode 220

November marks five years of the Network Security Podcast.  Think about that for a moment: five years of Martin mouthing off into a microphone, nearly three years of Rich and over 18 months of Zach.  A little scary when you think about it, or at least when we think about it.  We’re probably going to put off celebrating much until we hit episode 250, but we’re still going to talk about how things have changed in that time.  And we also want to make sure that everyone who’s listening knows how much all three of us appreciate that people still download the podcast week after week.

It’s just Martin and Rich this week.  Zach is off somewhere getting paid real money while Martin is sick at home and Rich is saying “Can we hurry up so I can take my daughter to swim class.”  In other words, pretty much situation normal.

Network Security Podcast, Episode 220, November 9, 2010
Time: 36:33

Show Notes:


Aug 27 2010

Certified Application Security Specialist in job description

Last year Rich Mogull and Jeremiah Grossman created a little-known certification, the Certified Application Security Specialist or Certified ASS.  To those in the know, or with the intelligence of the average house pet, it should be immediately obvious that this was an April Fool’s joke.  Funny, and it’s been a continuing joke throughout the community, but apparently someone took it seriously enough to actually include it in a job description recently on Craigslist.  And strangely enough, the link I had now leads to the scam page on Craigslist.  Luckily I had the foresight to grab a copy of the post before it disappeared.  What were these people thinking?  Don’t they know they’re supposed to save this sort of stuff for the beginning of April?  The full job description after the page break.

Tired of Coding? Become an Application Security Specialist! (san jose south)

We have an immediate opening for a junior application security specialist (ASS) to join our growing consulting company. This permanent, full-time position is a great opportunity for someone with strong web application development skills that would like to move into the interesting and fun field of application security. This is a highly technical hands-on role that will utilize your web application development skills but involves little coding.

We will provide the right candidate with on-the-job training. The goal will be to quickly teach you how to perform detailed web application security assessments (black-box) and penetration tests by pairing you up with seasoned consultants. We have plenty of interesting projects to work on, including a wide variety of web applications (financial, e-commerce, gaming, etc.) and web services. Longer-term, we will train you to perform security code reviews.

This is an opportunity for a team player who would like to move into a new and exciting field, is ready to get started quickly, and is eager to learn some new skills and have fun while doing so.



Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place.  Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times.  But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.”  Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password.  This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure.  It goes on to give them a link and asks for 5 euros in order to secure the phone.  This has been sighted on relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.  I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers.  Since the company is supplying and configuring the device, the responsibility (and the power) to secure the routers is theirs and theirs alone.  The user has no ability to make changes and in most cases probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.


Nov 02 2009

The Reality Behind Facebook Ads

Michael Arrington sure knows how to stir up a crap storm.  Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace.  I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes.  I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace.  Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do.  I wonder if this sort of ecology isn’t exactly why Twitter has never allowed ads?

Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out.  He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition.  I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward.  And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop altogether.

One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source.  Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu, and providing that information has been one of the things Facebook has led in since its inception.  Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’.  Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook and even fewer read it whenever it’s updated.

It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google AdSense could for the same ads.  Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement.  The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards.  In other words, they don’t actually buy the things that ads are selling.  But there are three things that don’t cost end-users money that they’re willing to accept: toolbars, supplying an email address or supplying their phone number.  Toolbars are egregious because they are often nothing more than conduits for spyware.  An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook.  The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly bill that you might not even realize you have tacked onto your phone.  After all, how many people actually check their phone bills that often?

The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made.  They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening.  But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run.  Users aren’t stupid; they realize the ads are often scams, and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads.  Soon Facebook will have to decide if they want to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools.


Oct 27 2009

Positive for Lifelock, Experian, a loss for consumers

Fraud alerts on your credit cards are one of those really useful tools that have been put in place by law, only to be neutered by the same law.  They’re great in that they put a lock on your credit scores and let you know when anyone is trying to open an account in your name, but at the same time they’re incredibly hard to use because you have to fill out paperwork every three months.  There is an extended fraud alert that will protect you for a period of seven years, but in order to qualify for that, you have to provide a police report proving that you’ve been targeted by identity theft.  To top off the insult from the credit reporting companies, you have to file separate fraud alerts with each company and maintain them yourself if you want to be relatively safe.

Enter LifeLock; for a small monthly fee they would maintain your fraud alerts for you and even provide a number that creditors could call in order to unlock your credit ratings.  This was great for consumers: it let them keep their credit scores locked so that it was that much harder for someone to open an account in your name or for the credit card companies to review your credit score and send your monthly junk mail offerings.  This is a big win for us, but it cuts into the major source of revenue of the big three credit scoring companies, Experian, TransUnion and Equifax.  If too many people keep their credit scores hidden, the scoring companies can’t sell their big lists of names, or at least those lists lose some of their value.  So in 2008, Experian sued LifeLock to block the practice and won.  Experian and LifeLock have settled the lawsuit, and LifeLock is forever forbidden from filing credit locks on behalf of consumers.

According to Experian and LifeLock, this is a positive for LifeLock, which it is.  They get to move out of the shadow of a nasty lawsuit and rework their business model to find something else to do to help protect consumers.  Experian and the other two credit scoring companies find this to be a huge win, since it sets a precedent and makes it that much harder for any other company to provide a similar service.  The big loser in this transaction is us, the consumers, since we now have to remember to reset our credit lock with all three credit scoring companies every three months if we want to protect ourselves.  Thanks, Experian.  You’ve made it perfectly clear what you’re really trying to protect: your revenue stream.

