Who’s Who phish

And here, I thought I was finally famous.  It’s so disappointing.

I got a “Weekly Follow-up from the National Academic Association.”  I suppose it doesn’t really matter that I’d never heard of them, let alone weekly, because it came from the “Academic Association.”

“Hello Candidate,” it starts, and goes on to tell me that “As the school year opens, the Who’s Who Among Executives and Professionals begin a global search for accomplished individuals in both faculty and administrative roles at post-secondary institutions of learning.”

Could this possibly be a job offer?  They apparently need me to “verify your contact information so that we can properly publish your updated credentials alongside 30,000 of your prestigious peers. Such a listing can only bring you increased visibility and networking opportunities within the scholastic community.”  Only 30,000!  Such a select group!

Alas, when I actually went to the site http://www.wittersphere.info/YM40/53/1338/710177.1/4/13295/1600293/3O80?gy=?qqu06/vc/ld-99505.g78 (tested with a safe browser, but it doesn’t actually seem to be feeding malware) it turned out to be the “International Association of Successful Individuals.”  Therefore, I don’t qualify, but no doubt a number of you do, so I’m letting you know  :-)


Amex clueless about security–so what else is new?

American Express is, as far as I know, alone among major financial institutions (for large values of “major”) in sending out phish-like messages.  Pretty much every other bank has gotten the message: don’t send email to your customers, and alert them that if they receive email, it’s not from you.

(I’m still getting those messages, by the way.  Ironically, it’s because I don’t want them.  If I want to tell Amex to turn them off, the only way I can do that is to register to receive them.  Explain to me the logic underlying that process …)

Amex is also alone in not providing an email account to which you can send phishing messages.  I guess Amex doesn’t want to do any more takedowns than they absolutely have to.

As a security pro, I’ve got contacts; personal contacts; in many major banks and financial institutions.  These are people who work in phishing and malware takedowns, and I’ve encountered them in the course of my research into same over the years.  I’ve never come across anyone from Amex.  I’ve never had anyone from Amex in any of my seminars.

So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it.


RSA APT thoughts

By now people are starting to hear that RSA has been hit with an attack.  Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general.  But I’d like to opine about a few points.

First, we, in the profession of information security, are still not taking malware seriously enough.  Oh, sure, most people are running antivirus software.  But we don’t really study and understand the topic.  Malware gets extremely short shrift in any general security textbook.  Sometimes it isn’t mentioned at all.  Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth.  (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.)  Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment.  It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.

Second, we aren’t taking security awareness seriously enough.  These types of attacks rely primarily on social engineering and malware.  Security awareness works marvelously well as a protection against both.  RSA is a security corporation: they’ve got all kinds of smart people who know about security.  But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines.  For a number of years I have been promoting the idea that corporations should be providing security awareness training.  Not just to their employees, but to the general public.  For free.  I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security.  In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.

(Third, I really hate that “APT” term.  “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on.  Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for "lying"] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself.  It’s so last millennium.  But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)


IEEE eCrime Researchers Summit 2010

The fifth IEEE eCrime Researchers Summit 2010 (http://ecrimeresearch.org) will be held in conjunction with the 2010 APWG General Meeting between October 18-20, 2010 at Southern Methodist University in Dallas, TX.

Topics of interest include:

* Phishing, rogue-AV, pharming, click-fraud, crimeware, extortion and emerging attacks.
* Technical, legal, political, social and psychological aspects of fraud and fraud prevention.
* Malware, botnets, ecriminal/phishing gangs and collaboration, or money laundering.
* Techniques to assess the risks and yields of attacks and the success rates of countermeasures.
* Delivery techniques, including spam, voice mail and rank manipulation; and countermeasures.
* Spoofing of different types, and applications to fraud.
* Techniques to avoid detection, tracking and takedown; and ways to block such techniques.
* Honeypot design, data mining, and forensic aspects of fraud prevention.
* Design and evaluation of user interfaces in the context of fraud and network security.
* Best practices related to digital forensics tools and techniques, investigative procedures, and evidence acquisition, handling and preservation.

Important dates: (11:59pm US EDT)
Full paper and RIP (Research in Progress) paper submissions due: June 30, 2010
Paper notification: Aug 1, 2010
Poster submissions due: August 29, 2010
Poster notifications: September 5, 2010
Conference: October 18-20, 2010
Camera ready due: October 27, 2010

For more information on the submission process, visit
http://www.ecrimeresearch.org/2010/cfp.html


T-Mobile phishing camp

Cory Doctorow shares his experience of being ‘phished’. I had a similar experience, only in reverse.

As I’m waiting to board a flight, my phone rings and someone claiming to be a T-Mobile rep is on the other side.

“You’ve been using your phone a lot” she says

Yes, I spent a week in China and the roaming charges are especially high there.

“Well, you are over $2,000 in your phone bill”

Well, thanks for letting me know. When the bill comes I will be happy to pay it.

“No, you need to pay it now; it is higher than your monthly average and we need to collect the payment outside your monthly billing cycle”

Fine. I will call the billing center once I get back to the office tomorrow

“No, you need to pay it now”

I am just about to board the plane. Call me in 3 hours when I land.

“Sorry, I need to collect a payment or we will suspend the account”

Fine. Bill me. You have my credit card details on file.

“No, we need you to provide them again as proof that you are ok’ing the billing”

Hmm… This is beginning to sound like the most unsophisticated phishing attack ever. You need my credit card details? Now? Can’t wait? Ok. Give me your number and I will call you right back and give you my CC.

“This line is for outbound calls only. There is no direct number back to me”

No problem – I will call the t-mobile 800 number and ask for your department.

“They cannot transfer you to me”

Then how do I know you’re a real T-mobile rep and not someone out to get my credit card number?

“Well, how else would I have known your charges this month were especially high?”

At this point I burst out laughing and since boarding is about to end I give her my full credit card details. VISA will take the loss on that one, but who will save me from the embarrassment of “securiteam blogger falls victim to the most amateurish phishing attack in history”?
I land, and log online to my t-mobile account, and am shocked to see a bill of $2,500 that is marked as paid. It really was T-Mobile.

Somewhere in Eastern Europe some guy is telling his boss: “Sergei, you’ll never believe this. The fake training material we planted at T-Mobile are actually being used. They are teaching their customers to be phished!”.

Phishing camp indeed.


Some issue at Yahoo??? Your accounts can be deleted…

I received a mail stating that there is some congestion in the Yahoo-accounts service and hence they will be closing down unused accounts. They wanted me to send them a few of my personal details. If I fail to do so my account will be discontinued. Who would want an account they have been using for a long time to be discontinued? So should I send them my details? The mail which I received was:

--------------------------------------------------------------------------------

From:”Yahoo-account-services”
To:undisclosed-recipients
Due to the congestion in all Yahoo-accounts, Yahoo! would shut down all unused
accounts. In order to avoid the deactivation of your account, you will have to confirm your e-mail by
FILL-IN  your Login Info below by clicking the reply button. The personal information requested are
for the safety of your Yahoo! account. Please LEAVE all information requested.

 

Your Username:——————— ——-
Your Password::——————– ——–
Your Date Of Birth:———————— -
Your Occupation:——————- ———
Your Country Of Residence:—————-
After you must have followed the instructions in the sheet, your Yahoo! account will not be interrupted and will continue as normal. Thank you for your usual co-operation. We apologize for any inconvenience.
Yahoo! Customer Care

--------------------------------------------------------------------------------

Well, many innocent people may fall prey and end up sharing their personal information along with their login credentials.

You should understand that no mail service provider, bank or other legitimate site will ask for your login credentials (username & password) by mail, nor will it direct you to any site which would collect the same. However, there are sites which would ask you to log into the site or else your id would be temporarily disabled. This is part of their policy, which requires users to log into the site at least once in a month or 3 months or so. But even they will not ask for your personal info. They will simply require you to log into their site.

Such mails are called phishing mails & the people behind them are called phishers. You should understand the difference between a legitimate site/mail & a phishing one.

Tips for the day are:

1. Bookmark your financial/banking sites.

2. Prefer typing the web address into the URL bar rather than clicking on any suspicious link.

3. Always remember your banking sites or any other site will never ask for your personal information. But if you strongly feel the mail may be legitimate but don’t want to take any chances, simply call up their support desk for any clarification. Also remember to refer to the help line number from their site rather than dialing the number mentioned in the suspicious mail.

4. Also check the source of the mail. This can easily be spoofed, but in a few cases phishers don’t spoof it, because they expect the victim to reply to the mail, as in my case. Even though the phisher has spoofed the name as Yahoo-account-services, the email id remains ACfalcon@aol.com. Think about why Yahoo would send you such mails through AOL, or with ids like ACfalcon.

There are a few sites available online which can help you understand the difference between a legitimate & a phishing site. Some of my favorites are http://www.sonicwall.com/phishing/index.html & http://www.uakron.edu/its/learning/training/Phishing.php

Have a happy phishing free life!!! :D
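The sender check from tip 4, written out as an added example (not code from the original post): it compares the brand named in the display name against the domain of the From and Reply-To addresses, since a reply-based phish needs a mailbox the phisher can actually read. The `BRAND_DOMAINS` table, the function names and the sample messages are assumptions constructed for illustration; the first sample reuses the display name and address quoted in the post.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: brands and the domains their mail really comes from (illustrative only).
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "vonage": {"vonage.com"},
}


def claimed_brands(display_name):
    """Return the known brands named in the human-readable part of an address."""
    tokens = re.findall(r"[a-z0-9]+", display_name.lower())
    return list(dict.fromkeys(t for t in tokens if t in BRAND_DOMAINS))


def domain_of(address):
    """Everything after the last '@', lower-cased."""
    return address.rpartition("@")[2].lower()


def domain_allowed(domain, allowed):
    """True for an allowed domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(raw_message):
    """Return a list of findings; an empty list means no mismatch was seen."""
    msg = message_from_string(raw_message)
    findings = []
    from_pairs = getaddresses(msg.get_all("From", []))
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    for name, addr in from_pairs:
        for brand in claimed_brands(name):
            allowed = BRAND_DOMAINS[brand]
            # Display name says one company, mailbox belongs to another.
            if not domain_allowed(domain_of(addr), allowed):
                findings.append(
                    f"From: display name claims '{brand}' but address is {addr}")
            # From looks right, but replies are steered somewhere else.
            for reply in reply_addrs:
                if not domain_allowed(domain_of(reply), allowed):
                    findings.append(
                        f"Reply-To: '{brand}' mail asks for replies at {reply}")
    return findings


# Constructed sample using the display name and address quoted in the post.
PHISH_FROM_POST = (
    'From: "Yahoo-account-services" <ACfalcon@aol.com>\n'
    "To: undisclosed-recipients:;\n"
    "Subject: Account confirmation\n\n"
    "Due to the congestion in all Yahoo-accounts ...\n"
)

# Constructed variant: forged From, replies collected at a placeholder address.
PHISH_REPLY_TO = (
    'From: "Yahoo! Customer Care" <care@yahoo.com>\n'
    "Reply-To: collector@example.net\n"
    "Subject: Account confirmation\n\n"
    "Please reply with your login info.\n"
)

# Constructed benign sample: brand and domain agree.
LEGIT = (
    'From: "Yahoo" <noreply@mail.yahoo.com>\n'
    "Subject: Your monthly summary\n\n"
    "Nothing to do.\n"
)

if __name__ == "__main__":
    for sample in (PHISH_FROM_POST, PHISH_REPLY_TO, LEGIT):
        print(check_sender(sample) or "no mismatch found")
```

An empty result is not proof of legitimacy: as the post says, the From header can be spoofed, so this only catches the cases where the phisher left a real return address in place.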


Anti-Phishing Working Group: CeCOS IV

The Anti-Phishing Working Group has asked its members to publicize the forthcoming Counter eCrime Operations Summit in Brazil, which I’m pleased to do. Apologies to those who will have come across this elsewhere, including some of my other blogs.

This year the APWG is hosting its fourth annual Counter eCrime Operations Summit (CeCOS IV) on May 11, 12 & 13 in São Paulo, Brazil. The Discounted Early Bird Registration rate will end on April 9th. Do not miss this opportunity to join our host CERT.br with APWG Members from around the globe at this one of a kind event. Counter-eCrime professionals will meet for sessions and discussion panels that look into case studies of organizations under attack and deliver narratives of successful trans-national forensic cooperation.

This is APWG’s first visit to South America and will help build our network of trusted friends worldwide. The discounted registration rate of $250 USD covers all three days of content, lunch, breaks and the Wednesday night reception. (NOTE: APWG Members will receive an additional discount during registration) This “Early Bird” rate will end on April 9th, after that through the beginning of the event on 11 May registration is $325 USD.

A partial agenda is posted at the link below. Translation services for English, Spanish and Portuguese will be available for all sessions.

http://www.apwg.org/events/2010_opSummit.html#agenda

Register Here:

http://secure.lenos.com/lenos/antiphishing/cecos2010/

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:

http://avien.net/blog

http://www.eset.com/blog

http://blogs.securiteam.com

http://blog.isc2.org/

http://dharley.wordpress.com

http://macvirus.com


Is it phish, or is it Amex?

I am a bit freaked.

Last month I received an email message from American Express.  I very nearly deleted it unread: it was obviously phish, right?  (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them.  So I looked at it.

And promptly freaked out.

The phishers had my card number.  (Or, at least, the last five digits of it.)  They knew the due date of my statement.  They knew the balance amount of my last statement.

(The fact that this was all happening while I am away from home wasn’t making me feel any more comfortable with it …)

So I had a look at the headers.  And couldn’t find a single thing indicating that this wasn’t from American Express.

(I had paid my bill before I left.  Or, at least, I *thought* I had.  So I checked my bank.  Sure enough, that balance had been paid a couple of days before.  However, I guess banks never actually transfer money on the weekend or something …)

A couple of days later I got another message: Amex was telling me that my payment was received.  That’s nice of them.  They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.

Well, I figured that it might have been an experiment, and that they’d probably realize the error of their ways, and I didn’t necessarily need to point this out.  Apparently I was wrong on all counts, since I got another reminder message today.

Are these people completely unaware of the existence and risk of phishing?  Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an “Account Alerts” function.  It may have been there for a while: I don’t know, since I’ve never used it.  Since I’ve never used it, I assume it was populated by default when they created it.  It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit.  (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.)  These options may be useful to some people.  But they should be options: they shouldn’t be sending a bunch of information about everybody’s account, in the clear, by default.

(There are, of course, “Terms and Conditions” applicable to this service, which basically say, as usual, that Amex isn’t responsible for much of anything, have warned you, and that you take all the risks arising from this function.  I find this heavily ironic, since I knew nothing of the service, don’t want it, and got it automatically.  I never even knew the “Terms and Conditions” existed, but in order to turn the service off I’ll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options, you aren’t supposed to be able to send them email.)


The Achilles heel of the Internet

It won’t surprise you if I say the Achilles heel of the Internet is passwords. But the problem is not that our passwords are too weak: in fact, the bigger problem is that our passwords are too strong.

Preventing brute force password attacks is a problem we know how to solve. The problem is that web service providers have bad habits that cause our passwords to be less secure. Remember the saying “the chain is only as strong as the weakest link”? If you are strengthening an already strong link in the chain but weakening another, you are not improving security and usually decreasing the overall security of the system. Those “bad habits”, mostly of web services that require a login, are all wrapped in supposedly ‘security concerns’: meaning some security consultant fed the CSO a strict compliance document and by implementing these rigid security methods they are actually making their users less secure.

Here are some examples.

Don’t you remember who I am?
What’s the easiest way to fight phishing? Have the web site properly identify itself. When the bank calls, most people don’t ask the person on the other side of the line to prove they are really from the bank (though they really should). The reason is you assume that if they knew how to reach you, they are indeed your bank.

So why not do the same for phishing? Bank of America uses SiteKey, which is a really neat trick. But you don’t have to go that far: just remember my username and I’ll have more confidence that you are the right web site. In fact, if I see a login page that does not remember my username I’ll have to stop and think (since I typically don’t remember all the usernames) and that gives me more time to spot suspicious things about the page.

If you can tell me what my username is, there are higher chances you are the legitimate site. But some sites block my browser from remembering my username, on the excuse of increasing security. Well, they’re not.

Let me manage my passwords

This is where most financial sites really fight me – they work so hard to prevent the browser from remembering my passwords.

Why? I can see the point when I’m on a public terminal. But what if I’m using my own laptop? By letting my browser remember the password I am decreasing the chance of phishing, and in fact if I know for certain a web site will let me remember the password (rather than force to type it in) I select a strong, complicated password – since I don’t have to remember it. In some cases I even stick with the random-assigned password; I don’t care as long as my browser remembers it.

But some people are stuck with “security!=usability” equation. They are wrong; in many cases usability increases security. This is one of those cases.

Not to mention they will almost always lose the fight. If paypal won’t let firefox remember the password, I’ll find ways around it. Or maybe I’ll just write a post-it note and put it on my monitor. All of those ways are less secure than firefox’s built-in password manager.

Oh, and forcing me to choose a strong password (‘strong’ being something absurd and twisted that makes no security sense)? Good luck with that. I don’t really mind these silly efforts just because they are so easy to circumvent they are not even a bother anymore. But just remember that putting security measures in place that will be circumvented by 90% of your users means teaching them not to take your security seriously.

Stop blocking me
Next week I will have my annual conversation with the Lufthansa ‘frequent flyer’ club support people. It’s a conversation I have at least once a year (sometimes more) when my login gets blocked.

Why does my login get blocked? Because I get the password wrong too many times. What’s “too many”? I wish I knew. Since I usually pretty much know what my password is, I get it right within 4-5 tries, so I guess Lufthansa blocks me after 3 or 4. I don’t know for sure, because I also need to guess my username (long story, let’s just say Lufthansa has 2 sets of usernames and passwords and you need to match them up correctly). So the bottom line is that I get routinely blocked and need to call their office in Germany to release it.

Why are they blocking me? I’m guessing to prevent brute-force password attacks, and that’s a good thing. But why not release it automatically after a day? A week? An hour? Why not authenticate me some other way (e-mail)? I bet I can guess why: Because everybody that complains is told that “it’s due to security concerns”. Nobody can argue with that, can they? After all, security is the opposite of usability. Our goal as security professionals is to make our services not work, and hence infinitely secure.

So Lufthansa is losing my web site visit, which means less advertising money, and they are making me agitated which is not the right customer retention policy. Some credit card issuers like to do this a lot, which means I can’t login to see my credit card balance and watch if there is any suspicious activity. Now that’s cutting your nose off to spite your face.

Don’t encourage me to give out my password
How many web sites have my real twitter password? Must be over half a dozen, maybe more. If you are using any twitter client, you have given them your twitter username and password. If you are using twitterpic, or any of the other hundreds of web 2.0 that automatically tweet for you, they have your login credentials. Heck, even facebook has my twitter credentials – I bet Facebook can flood twitter in an instant if they decide to fight dirty.

Twitter wants me to use all these clients because it raises my twitter activity, and that’s ok. But there are plenty of single-sign-on methods out there, that are not too complicated, and are all more secure than spreading my real username and password all over the place. Even Boxee has my twitter login, which makes me think. If I was building a web 2.0 service and asked everyone who opens an account to give me their twitter login details – how many would do that just out of habit?

Giving my credentials is not necessarily a bad thing. Services like mint and pageonce are good because they make it unnecessary for me to login to all my financial web sites; the less I login the better: assuming these sites have better security than my own computer, I’d rather have them login to my financial accounts than me. This leap of faith is not for everyone – some will ask what happens if these startups go out of business. Cybercrime experts like Richard Stiennon will argue that an insider breach in one of those companies can be devastating. And of course Noam will say that until they’ve been scanned by Beyond Security he won’t give them any sensitive information. I agree with them all, and yet I use both Mint.com and PageOnce. So I guess it boils down to a personal judgment call. I personally think there’s value in these types of services.

Stick with passwords

One thing I am almost allergic to, is the “next thing to replace passwords”. Don’t give me USB tokens or credit-card sized authentication cards. SMS me if you must, but even that’s marginal. Don’t talk to me about new ideas to revolutionize logins. A non-trivial password along with a mechanism that blocks multiple replies (blocks for a certain period of time, not forever – got that Lufthansa?) is good enough. It’s not foolproof – a keylogger will defeat all of those methods, but those keylogging Trojans are also capable of modifying traffic so no matter what off-line method you use for authentication, the transaction itself will be modified and the account will be compromised. So Trojans is a war we have lost – let’s admit that and move on. Any other threat can be stopped by simple and proper login policies that do not include making the user wish he never signed up for your service.

There are other password ideas out there. Bruce Schneier suggests to have passwords be displayed while typing them. I think that makes absolutely no sense for 99% of the people out there, but I do agree that we are fighting the wrong wars when it comes to passwords, and I think fresh thinking about passwords is a good thing. The current situation is that on one hand we are preventing our users from using passwords properly, and on the other hand we are leaving our services open to attack. That doesn’t help anyone.
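The time-limited lockout this post asks for (block for a certain period, then release automatically, instead of requiring a support call) can be sketched as follows. This is an added example, not code from the post or from any site it names; the class name, thresholds and the injectable clock are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-account lockout that expires on its own.

    Assumed policy for this example: `max_failures` wrong passwords within
    `window` seconds lock the account for `lockout` seconds, after which
    it is released with no manual intervention.
    """

    def __init__(self, max_failures=5, window=900, lockout=3600,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._clock = clock
        self._failures = {}      # username -> timestamps of recent failures
        self._locked_until = {}  # username -> time at which the lock expires

    def seconds_remaining(self, user):
        """Seconds until the lock on `user` expires (0 if not locked)."""
        until = self._locked_until.get(user)
        if until is None:
            return 0
        remaining = until - self._clock()
        if remaining <= 0:
            # Automatic release: forget the lock and the old failures.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return 0
        return remaining

    def attempt(self, user, password_ok):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        While the lock is active even a correct password is refused;
        otherwise guessing could simply continue through the lockout.
        """
        if self.seconds_remaining(user) > 0:
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        now = self._clock()
        # Only failures inside the sliding window count towards the limit.
        recent = [t for t in self._failures.get(user, [])
                  if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "denied"


class FakeClock:
    """Manually advanced clock so the example runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Walk one account through lockout and automatic release."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=4, window=600, lockout=3600,
                             clock=clock)
    results = [throttle.attempt("traveller", False) for _ in range(4)]
    results.append(throttle.attempt("traveller", True))   # still locked
    clock.now += 3600                                      # an hour passes
    results.append(throttle.attempt("traveller", True))   # released
    return results


if __name__ == "__main__":
    print(demo())
```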


Elance user information compromised

God bless the law that forces companies to disclose when they are hacked and customer information is compromised. Not only do we get a chance to protect ourselves but it also reminds us that this apparently happens more often than we would think.

This time it’s elance.com:

Dear (my account name),
We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.
We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.
We sincerely regret any inconvenience or disruption this may cause.
If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html
For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262
Thank you for your understanding,
Michael Culver
Vice President
Elance

What I would like to see, is what “additional security measures” are they really taking. Also (and I’ll admit I have a one-track-mind) did they do a proper security scan to ensure the servers don’t have any holes? What were the results?


The month of twitter bugs

Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?

Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.


Iraq cybersquatting Israel gov’t domains

A few years ago, the personal blog of the Iran president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in law.co.il (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. law.co.il traced many of the domain names, particularly those of major ministries and public service names to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed at which news travels on the Internet these days, it shouldn’t be difficult to do some psychological warfare if you own “credible” domain names.


C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.


To tinyurl or to tr.im, that is the question …

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.  http://bit.ly/ http://tubeurl.com/ http://www.shortenurl.com/index.php http://urlzoom.org/ http://ayuurl.com/ http://urlsnip.com/ http://url.co.uk/ http://metamark.net/ http://8ez.com/ http://notlong.com/ http://shorten.ws/ http://myurl.si/ http://dwindle.me/ http://nuurl.us/ http://myurlpro.com/ http://2url.org/ http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they are here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-correlate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)
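The two preview rules above can be applied mechanically before anyone clicks. The sketch below is an added example, not code from the post or from either service: it rewrites tinyurl.com and is.gd links to their preview form exactly as described above and reports every other link as an opaque redirector. The function names and the sample slugs are constructed, and nothing in it contacts the network.

```python
from urllib.parse import urlsplit, urlunsplit

# Preview rules exactly as the post states them (assumed still valid).
TINYURL_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
ISGD_HOSTS = {"is.gd"}


def to_preview(url):
    """Return the preview form of a short URL, or None if no rule applies."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url            # bare "is.gd/x" pasted from a tweet
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    slug = parts.path.strip("/")
    if not slug:
        return None                      # the service's home page, not a short link
    if host == "preview.tinyurl.com":
        return urlunsplit(parts)         # already a preview link
    if host in TINYURL_HOSTS:
        # tinyurl: add the "preview." part in front of the host
        return urlunsplit((parts.scheme, "preview.tinyurl.com", "/" + slug,
                           parts.query, parts.fragment))
    if host in ISGD_HOSTS:
        # is.gd: add a hyphen to the end of the shortened URL
        if not slug.endswith("-"):
            slug += "-"
        return urlunsplit((parts.scheme, host, "/" + slug,
                           parts.query, parts.fragment))
    return None                          # no known preview rule


def triage(urls):
    """Split links into previewable ones (rewritten) and opaque redirectors."""
    previewable, opaque = {}, []
    for u in urls:
        p = to_preview(u)
        if p is None:
            opaque.append(u)
        else:
            previewable[u] = p
    return previewable, opaque


if __name__ == "__main__":
    # Constructed sample input; the slugs are placeholders.
    sample = ["http://tinyurl.com/a-short-url-that-expands",
              "is.gd/abc12", "http://bit.ly/example"]
    ok, unknown = triage(sample)
    for src, dst in ok.items():
        print(src, "->", dst)
    print("no preview rule:", unknown)
```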


Vonage phish

This is interesting:

Dear Vonage Member,

Your Vonage Account will expire in: January, 20 2009

This might have happened due to the following reasons:
- You did not accessed your account for more than a month.
- You have dynamic IP address and due to that our system might have interpretated it as a hacking attempt.
- You entered a wrong password 3 times when you tried to connect to your Vonage Account.

To avoid an account suspension, please click link below:

http://www.adsmirchi.com/vonage/login.htm

*We will check your IP address, time zone, and confront it with our database logs.

We are very sorry if this affects you in any way but our client’s security is a top priority for Vonage Inc.

Regards,

Vonage Security Team.

The link points to a phishing site that is hosted in India and collects your Vonage username and password. Go one directory up to see the complete kit.

This is a cute attack: you may be thinking, what can they possibly gain by logging into a Vonage account? Well, Vonage has a useful feature of redirecting your calls to another number. If that other number is a paid service (or an international number, say, in India) you will pay extra and Vonage will pay that service provider (or telecom company). At that point, they just need to call your number and hold the line while counting the revenue coming in – very old school.


So you can fake your SSL Certificate. That don’t impress me much

Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher – I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.

I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.

But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.

But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL Certificates are so abused that users don’t really care about them. I had two different banks show me certificates that generated browser errors. Some valid Google URLs still produce SSL warnings. This is apparently so common that Firefox had to put a scary warning message on top of their regular, already scary, warning message.

So broken SSL certificates are ignored, and valid SSL certificates mean very little – until Firefox 3.0, you had to click on the little lock on the lower right corner to know who the company behind the certificate is. Now that you know – does that mean anything? Is the Banc of America the same as the Bank of America? Pretty much, yes. So what about the Band of America? They can apply for a valid SSL certificate and it will match the organization’s name nicely.

SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.
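The Banc/Bank/Band point can be turned into a check a defender runs on certificates that have already validated. The following is an added example, not part of the original post: it pulls the organization (O=) field out of a certificate subject string and compares it to a watch list by edit distance. The watch list, the distance threshold of 2 and the subject strings are all constructed assumptions.

```python
import re

WATCH_LIST = ["Bank of America"]          # constructed watch list


def normalize(name):
    """Lower-case and collapse punctuation/spacing so only letters matter."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb))) # substitution
        prev = cur
    return prev[-1]


def subject_org(subject):
    """Extract the O= value from a simple comma-separated subject string."""
    m = re.search(r"(?:^|,)\s*O=([^,]+)", subject)
    return m.group(1).strip() if m else None


def classify(subject, watch_list=WATCH_LIST, max_dist=2):
    """Return (verdict, brand): 'match', 'lookalike', 'unrelated' or 'no-org'."""
    org = subject_org(subject)
    if org is None:
        return ("no-org", None)           # a certificate with no O= field
    n = normalize(org)
    for brand in watch_list:
        b = normalize(brand)
        if n == b:
            return ("match", brand)
        if edit_distance(n, b) <= max_dist:
            return ("lookalike", brand)   # valid certificate, near-miss name
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed subjects; every one could belong to a fully valid certificate.
    for s in ["CN=www.example.com, O=Banc of America, C=US",
              "CN=www.example.net, O=band of america",
              "CN=www.example.org, O=Bank of Montreal",
              "CN=www.example.info"]:
        print(classify(s), "<-", s)
```

A "match" verdict still says nothing about who applied for the certificate; the check only surfaces near-miss names that the browser's lock icon presents as equally valid.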
