Iraq cybersquatting Israel gov’t domains

A few years ago, the personal blog of the Iran president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed in which news travel on the Internet these days, it shouldn’t be difficult to do some psychological warefare if you own “credible” domain names.

Share

Severe T-Mobile Data Breach

From the looks of it, T-Mobile has been hacked and the goods stolen.

They also seem to love running HP-UX.

Share

Liability for “cavalier disregard”

OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).

For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line).  (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.)  Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street.  For three years.

Most of the businesses along Cambie have gone bankrupt in that time: others have moved.

Now a lawsuit for damages has been won by a business owner.

This will, of course be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.

I’ve got to admit to an uncharitable glee over this turn of events.  The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics.  The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures.  (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists.  They can get a special certificate which seems to merely verify that they are breathing.)

Share

Take it underground

This post was written because a very good friend of mine asked me to send them a mail about decent reasoning to use Tor, and explore the Onion net, so thank you (you know who you are), and this post will be followed by another more detailed post on the Onion net soon.

Okay, so with all that’s been going on in the world lately, I’m starting to think that we should really start moving things underground, by underground, I mean that we should start encrypting our traffic more, and making use of the means that we have available to us, and helping to support them more as a security community.

The things in the world that I’m referring to are not only UK based either, here are a few examples:

Pirate Bay – Guilty Verdict

Mobile Phone Tracking

CCTV Cars

Directive 2006/24/EC Of The European Parliament And Of The Council

It seems that we are seeing more and more of the worlds governments moving towards an Orwellian culture, and I for one really don’t feel comfortable operating in this way.

You may be asking yourselves at this point, what can we do to stop this, the honest answer is, really not that much right now.
We can however start to move our information systems somewhere else, somewhere more secure, and we can all help others to secure their online habits by setting up Tor relays.

The more relays the Tor network gets, the better it is for everyone involved, if you can’t configure a relay, or just don’t want to, then if at all possible, please dontate to the Tor project here.

So please people, if you value your privacy at all, please help the Tor project out in any way that you can, even if it’s translating articles.

Below are a few links that you may find useful:

Tor Overview

Volunteer

Download

This may seem like a shameless Tor plug, but I can assure you that it’s not, and I am in now way related to the Tor project at this point in time, but I really feel that it’s an extremely worthwhile project, and I plan on getting a lot more involved. This project has come a long way in the 2 years that I’ve been using it, and the more users we get contributing the better the anonymity and speed gets.

Keep it safe and private people.

Share

Carder spam or not?

I received this email today:

Good morning!

I inform you about site http://carder.su where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked, why would someone allow such a site to still be up even though someone reported it to the FBI. I had to do something.

Rushing to the rescue I looked at the site and it appears to be a pretty straight forward scam-sell site, you come there and buy stolen goods.

Why have I been notified only now I wondered… I looked back in my spam log and what do you know the same email appears more than once in my spam folder with different names, dates and of course email addresses :)

I am not sure what the scam/spam’s purpose is, apparently they want you to go to their site and see what they have to offer – you might be a potential customer to their operation.

I of course didn’t dig in to the site, nor am I interested in buying anything found there – on the other hand I will also not report this to the FBI as the site is not hosted inside the United States (It is hosted in Russia), nor is its domain under a US registrar (ends with a SU).

Whoever knows of a place to report such sites to please let me (us) know.

Share

CSIS Commission on Cybersecurity for the 44 Presidency

The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C.  A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President.  Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better.  This report has been promoted on a number of security mailing lists as an important set of recommendations.  It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.

Share

10 days later: The Israeli anti-spam law seems to work

Driving around Sao Paulo you don’t notice it. But when you drive back to the airport it suddenly hits you: billboard advertisements. They suddenly stick out, and you realize through all this time in the city there wasn’t a single billboard advertisement. Unsurprisingly, it’s too easy to get used to the lack of the big-city marketing assault on your senses that you usually see elsewhere. Sao Paulo may be polluted and congested, but when it comes to billboard advertisements there’s just none of it.

Spam is like that. You don’t miss it when it’s gone – you just get more attentive for spam that does get through.

A few months ago, Israel passed a law that might be the first of its kind(*): with very few exceptions, spam is now illegal in Israel. If you receive an email that you didn’t specifically opt-in for, and that email wants to sell you something, and either the entity who sent the email is Israeli or the company that benefits from the email is Israeli, you can sue in court and get the equivalent of $250 for every email you received(!) without any need to prove direct or indirect damages(!!). The law is phrased carefully to close all the obvious loopholes: Israeli companies are liable even if they were using off-shore machines to send the spam, and if you sue them, it’s them that have to prove that the email recepient voluntarily opted to receive those emails. Not only that, but you can’t use an opt-in consent to advertise someone else’s product (hence, list renting won’t work).

For me, seeing this type of law actually working is nothing short of incredible. My inbox was routinely filled with Hebrew emails from some of the largest consumer brands in Israel, who figured it’s cheaper to pay fractions of a cent per email to tell me about attractive deals for mineral water dispensers than take out a TV spot. Having qmail as my mail server allows me to make up emails addresses on-the-fly so I can easily track where a certain advertiser got my email: I signed up for the Jerusalem post alerts and got ads from a bunch of other advertisers. I opened an account in a now-defunct web 1.0 service and my email address for that service was sold on to about a hundred different small-time spammers. I signed up for the Israeli version of ‘classmates’ and in return got bombarded by offers to by TVs at a discount. Oh, and of course the typical spammers who just guessed my email address and are sending me updates about discounted airline tickets to Africa. The typical viagra-style emails arrive in quantities as well, but those are easily filtered out. Hebrew spam is a bit more difficult to filter because some of the legitimate email I get is Hebrew newsletters that I did actually sign up for.

So to think that from December 1, 2008, when the spam law becomes active, I will cut down on my delete-key presses was beyond what I could imagine.

The month of November was as you might expect:unbelievable quantities of emails asking me to opt-in to lists I never heard of. Each trying to convince me of the huge benefits of receiving unsolicited advertisements that might change my life. Some of these emails were angry: spammers don’t like it when their work is interfered, and a group claiming to represent the small businesses who ‘have no other choice than to send spam’ tried to tell me why the law is an immediate threat to small businesses. And when I say ‘tried to tell me’ I mean sent me a few dozen emails a day almost every day that month. Well, I stand unconvinced.

December 1st came, and the flood slowed down. Still the occasional email, usually treading on the border between legal and illegal – like emails that contained a request to opt-into the newsletter (this is allowed by the new law – once only) with a small commercial pitch towards the end. The notorious ‘people and computers’, a hitech magazine and an Israeli representatives of ‘information week’ sent me daily reminders that I have not yet opted in and ‘soon’ will stop receiving their daily newsletter if I don’t fix my ways. I would have sued, but the general manager of P&C met Bill Gates once and told him: “can I please have your card?” and when gates gave him his business card he replied with “No, your credit card”. You’ve got to hand it to him: he may be a bit of a jerk, but he is funny.

A couple of newsletters keep coming regularly, beginning the email with a long disclaimer that they are not an advertisement (the content is again borderline, I imagine at some point someone will challenge them in court) and there was the one spam email that arrived last week which I am taking to small claims court to get my $250 charity money.

But other than those – barely a handful, really – a peaceful silence. I can really get used to not getting Hebrew spam. Now if only we can get Russia to follow suit!

By the way: for those wondering where the ‘catch’ is in the spam law – or as the cynics would put it: how is it possible that politicians create an actually useful law – here’s a solution to the paradox. Being the parliamentarian state that Israel is, the law specifically allows political spam to be sent. So not to worry: the politicians excluded themselves nicely. Still, it’s a small price to pay for a relatively clean inbox.

Lets see how long this serenity will last – email is still a very tempting advertising channel. But when the potential cost is $250 per email, suddenly the ROI is not as not as attractive.

(*) I’m not aware of an opt-in spam law that allows anyone to sue the body who benefits from the spam without proof of damage. Please enlighten me if I’m wrong.

Share

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Share

Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.

Share

Hacking is wrong, but abuse of process is wronger …

http://news.bbc.co.uk/go/em/-/2/hi/uk_news/7456216.stm

“Lawyers for Glasgow-born Gary McKinnon told the House of Lords US authorities had warned him he faced a long jail sentence if he did not plead guilty.

“The systems analyst is accused of gaining access to 97 US military and Nasa computers from his London home.

“Known as Solo, he was arrested in 2002 but never charged in the UK.”

So far, so bad.  Breaking into computers has very little justification, and “just having fun” isn’t exactly a defence.  However:

“Without co-operation, the case could be treated as a terrorism case, which could result in up to a 60-year sentence in a maximum security prison should he be found guilty on all six indictments.

“With co-operation, he would receive a lesser sentence of 37 to 46 months, be repatriated to the UK, where he could be released on parole and charges of `significantly damaging national security’ would be dropped.

“A US embassy legal official quoted New Jersey authorities saying they wanted to see him `fry’.”

This bothers me.  A lot.  It’s too much like security theatre, as well as being flat-out immoral.  He did something wrong: he should be punished.  But he should be convicted properly, and punished appropriately, not intimidated into pleading guilty in order to inflate someone’s prosecution records.

Share

Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.

Share

Arrested for security research?

Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injections that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, lets talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police is trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested for kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?

Share

Cryptome: NSA has real-time access to Hushmail servers

A frequent source ‘A’ sending updated NSA-Affiliated IP resources to Cryptome’s Web site has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
and
SAFe-mail.net – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
….

Response from Safe-mail.net Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.
….

Update 30th Dec: Hushmail Team has posted its response yesterday to Cryptome’s Web site:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, MacAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; ie will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released in Cryptome.org on 1st Nov informed about the future updates with details related to this issue and this is the first piece of information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones

Share

Project Hayneedle

I came across this blog entry, which tries to help German citizens – and others people that are under similar circumstances – confuse the authorities that might be monitoring traffic originating from a single IP address in other to deter him (the citizen) from doing illegal things ( government stated illegal – in the German case security research).

The project named Hayneedle tries to baffle agencies monitoring Internet traffic by generating a multitude of apparently random traffic in order help you to better hide what you are actually looking for – in laymen term, generate enough “noise” so that the “signal” is hidden.

In my opinion, the idea is pretty nice, but I would think that in this case a TOR like solution would be better, as the government seeks here to monitor your IP address’s access to sites, TOR’s goal is to eliminate that ability. In any case I wish the Hayneedle project best of luck, and hope it will make the government understand how fullish they are – no big hops on this part :)

Share

Gmail as an email honeypot

You all remember cybersquatting, a popular sport in the late 90s, right?
McDonalds.com, JenniferLopez.com, Hertz.com and Avon.com thankfully all point to the right web sites today, but thaiairline.com, mcdonald.com, luftansa.com, gugle.com, barnesandnobles.com and other misspellings are fake web sites intended to trap the casual surfer with a hand that’s a bit too much quicker than the eye.

These web site traps are successful because web sites are so easy to remember, people don’t bother bookmarking them. It used to be that if you wanted to know the weather in Minnesota you had to go to http://www.geocities.com/Athens/rubytuesday71/weatherinminnesota281007.html . Today you go to weather.com (or type “weather for Minnesota” in google) and get an immediate response.
If you want to go to the McDonalds web site, you don’t even spend the 10 seconds to look it up – you will type McDonalds.com and expect to see the latest dollar meal menu.
But the same is true for the other popular form of communication – email. If I know the person’s name and company (or free email system) I will generally just type it up rather than look it up on my address book.
Of course, back in the hotmail days when John was john_sm1th253@hotmail.com I couldn’t rely on my memory alone. But today, if your name isn’t John Smith, it’s probably not too difficult to get a decent first name/last name combination on gmail, yahoo or some other free mail system, and certainly on your corporate email system.

So will we start seeing cyber-squatting on email addresses? Maybe we already do. There is no real way to know who’s behind a certain email address and while it’s merely funny if a guy names Roo Taylor gets the email root@aol.com, it could actually be dangerous if some bad guy owns john@gmail.com, johnsmith@gmail.com, johns@gmail.com, etc. Imagine how much legitimate mail is accidentally sent to those accounts by people who send the latest budget figures to their boss at work and also CC his personal address so he can watch it from his home machine too.

I have first-hand experience of this ‘attack’. Luckily for me I’ve got the login to aviram@gmail.com (piece of cake. All you need is to have a “google-in-law”. For me it was as simple as my office neighbor’s wife having a cousin that works for google. Then they sign you up for a new experimental beta google product called “google mail” and you get not only to pick your first name as login, but send invites to a bunch of envying friends). As gmail becomes more popular I’m receiving invitation to birthday parties of people I don’t know, detailed minutes of brainstorming meetings I’ve never been to and last week a bunch of emails with the list of hospital equipment and inventory, all sent to some other ‘aviram’. I can’t imagine what would have happened if my first name was more common. I’m also pretty sure it’s still possible to register gmail accounts with common misspellings and dig out some of the emails that come out.

At the very least, this would give the bad guys get a fresh harvest of active email addresses. But if they’re lucky, they may receive an email that carries a personal story that can be exploited further. Think about a young guy sending his parents pictures from an Internet cafe about his Africa safari trip. A simple typo sends the email to our bad guy who then forges a follow-up email to the parents telling them his wallet was stolen and that they need to wire money to help their stranded son.

Cybersquatting is easy to identify and is usually settled in court. With “email-squatting” I don’t see a clear and obvious solution; in the meanwhile, be sure to only use your address book…

Share

IMF going to be boring this year

The IMF (IT-Incident Management & IT-Forensics conference) is going to be boring this year, and I am not saying this because I wasn’t invited (hint :) ) its because Germany has recently passed a law that forbids:
German citizens to research, discuss or disclouse security problems.

Making it illegal for German citizens to participate in the conference and possibly making the guys organizing this conference act in an illegal manner.

The only ray of light here is the fact that RUS-CERT are the guys behind it, and they might be linked high enough to avoid prosecution – hopefully :) .

Share