Japan Disaster Commentary and Resources

It probably hasn’t escaped your notice that there’s a lot of malware/SEO/scamming whenever a major disaster occurs. A few days ago I started to put together a list of commentary (some of it my own) and resources relating to the Japanese earthquake and tsunami, in anticipation of that sort of activity.

Originally, I was using several of my usual blog venues, but decided eventually to focus on one site. As ESET had no monopoly on useful information, I wanted to use a vendor-agnostic site. Actually, I could have used this one, but for better or worse, I decided to use the AVIEN blog, since I’ve pretty much taken over the care and feeding of that organization. The blog in question is Japan Disaster: Commentary & Resources.

It’s certainly not all-inclusive, but it’s the largest resource of its type that I’m aware of. Eventually, it will be organized more so as to focus again on the stuff that’s directly related to security, but right now, given the impact of the crisis, I’m posting pretty much anything that strikes me as useful, even if its relevance to security is a bit tenuous.

I’m afraid I’m going to post this pointer one or two other places: apologies if you trip over it more often than you really want to!

David Harley CITP FBCS CISSP
AVIEN COO
ESET Senior Research Fellow


Sales seminars

Attended an IBM seminar today. Started out with a history of the company, year by year over the past hundred. They still haven’t forgiven Howard Aiken :-)

They also take full credit for DES, instead of Lucifer.

Note to presenters: in order to ensure your audience turns off right away, ask a series of questions about who has, who doesn’t have, and who has a mature “information governance practice,” and only then define “information governance.” Use no less than seven meaningless buzzwords in any definition. (I was amused when he got to a slide about “semantic consistency,” and stressed the importance of everyone agreeing on the meaning of words, since, by using buzzwords, he was using words which had an agreed upon meaning: it just wasn’t the meaning he meant. Business glossary = data dictionary [in the "venacular" (sic)], administrator access = power user) Read your (very busy) slides, word for word (turning away from the microphone frequently in order to do so).


Social Engineering and Facebook For Starters

The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.

So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.

The details that I managed to dig up about this person were the following:

- D.O.B

- In a relationship

- Hometown

- Religion

- Last 3 employers, as well as current

- Current Job Title

- Universities attended and relevant dates

- Schools attended and relevant dates

- Work e-mail address

- Private e-mail address

- Work phone number

- Home phone number

- Cell phone number

- Home address

- Work address

- Car make and model

- Car registration number

- Roughly how long it takes him to get from home to the office (average of 33 minutes)

- Roughly how long it takes him to get from home to his son’s school.

- Musical tastes

- Photos of his house, his dogs and his children

- He spends a lot of time (and I mean a lot) playing World of Warcraft

- He used to run Windows XP, but has recently upgraded to Windows 7

- I managed to map out the first two layers of his family tree

I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.

- He goes running each day, and also uploads his routes and stats via Runkeeper

- He’s been in the newspapers a couple of times for good deeds and charity work

- He coaches a kids' soccer team at his son's school every other weekend

- He spends a fair amount of time on forums relating to legal highs

- There are some videos of him and his family on YouTube

- He has a personal web site, with a photo gallery of his travels with his family

- He runs a server from home, it’s running Windows 2003, IIS, and Exchange

- He’s currently an MCP studying towards his MCSE for Windows 2003, and I have his MCP ID; so far he’s done 3 exams

- He’s been married once before, and looking at photos of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.

- His citizenship

I managed to find all this information in about 10 minutes. If I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.

With the information I’ve already managed to obtain I could quite easily use this for social engineering purposes, and not just against this person, but against most of the people in his family. It really does make me wonder why people are so open with all the details that they share online; with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.

People, it’s a scary world out there, and you really don’t need to publish all this sort of information. The people that know you will already know it, so do you really need to advertise it to the world?

I’d like to thank George for taking part in my little experiment ;-)


DEFCON Social-Engineer CTF Contest Findings Report

If you’re at all interested in Social Engineering as I’m sure that most of our readers are, then you will probably be very interested in the report over at the Social-Engineer.org site.

At DEFCON 18 this year, held in Las Vegas there was a Social Engineering Capture The Flag event held. This proved to be quite a success, well more so for the participants, than the actual companies targeted, but hey. All’s fair in love and war.

Some of the rules for this event were the following:

- Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
- Contestants may not attempt to falsify or falsify employment records;
- The list of target organizations will not include any financial, government, educational, or health care organizations;
- Contestants must keep it clean, for example, use of any pornography is banned.

Even the FBI were extremely wary of this contest and contacted the organizers beforehand, so this was getting a lot of press coverage. I am also aware that quite a few companies sent out internal communications about this event to their employees, warning them not to give out any sensitive information.

I’d personally just like to thank the team over at Social-Engineer.org for doing so much to bring social engineering into the public’s eye, and also for all the hard work they’ve put into SET and the Social Engineering Framework. Keep up the amazing work guys!
So without further ado, you can read the full report here.


Social Engineering Toolkit 0.7.1

For those of you who have never used the Social Engineering Toolkit (SET), you really are missing out on an amazing tool, and one that is guaranteed to make your lives simpler in the social engineering realm.

SET was written by David Kennedy a.k.a ReL1K, and you can find this amazing tool in either the BackTrack Linux distro, or you can get it via svn directly from Dave’s site. Full info on how to download this via svn can be found here.

SET is also tightly integrated with the Metasploit Framework, so you can easily make use of all the exploits within MSF to perform some really technical social engineering attacks.

I’m guessing that if you’ve never heard of SET before, you’re probably wondering what it can do, well, let’s put it this way, in the context of social engineering, what can’t SET do?

I would say that the best way to familiarize yourself with SET and all its features would be to download it and have a play with it, then go through some of the many tutorials available online.

There is now a section dedicated to SET over at Offensive Security’s free Metasploit Unleashed training page, which you can find here.

Dave has also kindly put up a load of tutorial videos to walk you through the basics, and then some on his site. To check these out just head over to the Tutorials section on his site.
If you’d like to see a video of all the new features in SET 0.7, then have a look here.


The List Of A 100 Million Facebook Usernames.

By now you’ve probably all heard about the security researcher Ron Bowes, who wrote a script to grab the list of usernames from Facebook’s public directory. You probably also know that a torrent containing all these unique usernames is available to download.

You may not know, though, that at present, on just one torrent site, 4248 people have downloaded this list and a further 8141 are currently downloading it. That’s a hell of a lot of people who are interested in complete strangers’ personal information and lives.

Let me just set the record straight here, as there are quite a few rumors on the Internet at the moment: this was NOT a hack, people. The information is publicly available via Facebook’s directory page. Some say that the users are to blame for not setting their privacy settings securely; others say that Facebook’s convoluted way of implementing user security settings is too complicated for most common users. Me, personally, I’m a member of the latter camp: security settings should be easy for users to apply, not difficult, and a simple “Security Yes/No” would be sufficient for most users.

The social engineering possibilities that you could use this list for are just amazing, and you never know when it may come in handy, or is that just me?
Anyway, what’s done is done now.

Oh yeah, I almost forgot, if you want the torrent, well, that can be found right about here, here, or on pretty much any torrent site at the moment, please remember though, if you do download it………..please seed.


Social Engineering and Body Language

Social engineering is defined by Wikipedia as “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

Over the years I’ve done my fair share of social engineering, and the one thing that I have always found to come in handy is being able to read people’s body language. Being able to notice when someone is pacifying themselves when you ask certain questions, and knowing where to home in, for example, has helped me countless times in the past. So has being able to notice the little things, like when people get extremely nervous when you say something like “Well, I’m not too sure Mr Jones, your manager would be too happy about me not being able to gain access to this room, as he’s paying me to have a look around in your data hall,” while they’re blatantly telling you that they can’t allow you access under company policy, etc.

I would encourage anyone that performs penetration testing that includes social engineering exercises to really take the time to read up on body language and how you can make it work for you. It will improve your social engineering skills, and this will also help you to help your clients.

There are countless books on this topic that you can get from most decent bookstores to help you along your way, and the good news is that some of these are really not expensive at all.

Another thing that you may want to look into is reading micro expressions, although I would recommend that you start with learning basic body language first, and then progressing on to micro expressions.


Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that it is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell’s problems with bad chips; the stories about malware on the boards are overblown, since the malware was simply stored in unused memory rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.


The Internet not a meeting of minds

This is depressing, but probably true.  Ethan Zuckerman, at the current TED, notes that the Internet makes us think we are being exposed to, and learning from, differing world views, but that, particularly in relation to social networking, we are usually simply seeking out views similar to our own and reinforcing our existing viewpoints.

You can read a report from the BBC or see the actual talk at TED.

(I like the “imaginary cosmopolitanism” phrase.  It reminds me of being in NYC.)

(If you can’t see the security implication in broadening your outlook, there is no hope for you.)


Sound good?

By the way, in non-Sonne-erous G8/20 news, our government(s) have spent a billion dollars on security for a couple of days of meetings.  Even given the degraded value of the American billion, that’s a lot of money.

Part of it was used to buy sound cannons.  (The police don’t like you saying that: they prefer the term “long range sonic control devices.”)  These sound cannons generate noise at 130 decibels, which the civil liberties folks are concerned will damage human hearing.

That’s the same level of noise a vuvuzela makes.

So, look, why didn’t we save the billion dollars, go down to Canadian Tire, and, for a hundred bucks (possibly in Canadian Tire money) equip the entire riot squad with vuvuzelas?


Maltego 3

For all of those who have been eagerly awaiting the release of Maltego 3, it’s now available to download here.

There are new versions of the community and commercial editions, and I have to say that it really is worthwhile getting the commercial version if you can afford it.
I have to say that this is one of the most fascinating tools around at the moment. For those of you who have never heard of Maltego or what it’s capable of, here’s the blurb from Paterva’s web site.

What is Maltego?

With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order is essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful – it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based?

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user with unprecedented information. Information is leverage. Information is power. Information is Maltego.

What does Maltego do?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to “hidden” information determines your success, Maltego can help you discover it.

Miranda minged?

I came across a very interesting article today.

It relates to the Miranda decision and warning.  Although this is American case law everybody knows about it, since it is the basis of the warning, on every cop show and movie, that the suspect has “the right to remain silent” etc.

This comes from a decision in 1966 that police must ensure a suspect understands his rights (not to incriminate himself) and waives them only “knowingly and intelligently.”

Now comes a case where a suspect was warned, and was then questioned for nearly three hours, during which time he said almost nothing. A detective then began asking the suspect about his religious beliefs: “Do you pray to God to forgive you for shooting that boy down?”  The suspect said, “Yes,” but refused to make any further confession. The prosecution introduced the statement as evidence, and a jury convicted.

The case was appealed and went to the US Supreme Court.

Four justices held that allowing the statement turns Miranda upside down and that criminal suspects must now unambiguously invoke their right to remain silent—which, counterintuitively, requires them to speak.

However, five justices held that after giving a Miranda warning, police may interrogate a suspect who has neither invoked nor waived his rights.

So, I guess the right not to incriminate, in the US, is now opt-in only.


Buy now! There is no “later”!

Somebody is selling places/reservations in/for a doomsday bunker.

Professional paranoid that I am, I immediately thought of what a great opportunity this is for a scam.  Take the deposits, sell the spaces.  Don’t spend anything on the bunker.  If there is no disaster, you’re golden.  If the world ends, what are they going to do, sue you?

(I like the “pets are free” mention.  Nice touch.  And, if you were going to build a shelter, it would extend the protein supply.)


Social Engineering in the Enterprise

I was watching some of the Social Engineering Toolkit (SET) tutorials this weekend, and this really got me thinking. How many enterprises actually brief their employees on Social Engineering, and how it can be avoided? This should be part of the security training programme within any large organisation, and yet so often this vital piece of security is overlooked or ignored.

I’ve often found that so many organisations will spend a fair chunk of their budget on the latest IT security measures, like web application firewalls, database proxies, etc., but they neglect the easiest target of all, which is the staff.

If staff aren’t properly trained to recognise Social Engineering attacks, then they won’t know how to respond, and this is a threat to your business. I’ve had countless e-mails sent to me by users over the years with comments like the following.

“I received this e-mail telling me to please change my password on Facebook. It looked a bit weird, but after I changed it, it didn’t seem to take effect. Should I be worried?”

Now, aside from the fact that the user is using their work e-mail address to sign up to a social networking site, this wreaks havoc on my mind for a few minutes; then I realise that it’s not the user’s fault. It’s down to the organisation and their security team to educate users to pick up on things like this.

As security professionals, every now and then we need to look at things from a different point of view. I know that it’s all too easy to mutter the words “Stupid users,” or “Really? What were they thinking?” But unless we educate users, how can they help us to secure our organisations?

A step in the right direction would be to try and get some time reserved in your organisation’s induction programme for Information Security, and make sure that you cover Social Engineering in as much detail as the employees can handle.

If you don’t know where to start, have a look at Social-Engineer.org; the guys there are doing some amazing work.


T-Mobile phishing camp

Cory Doctorow shares his experience of being ‘phished’. I had a similar experience, only in reverse.

As I’m waiting to board a flight, my phone rings and someone claiming to be a T-Mobile rep is on the other side.

“You’ve been using your phone a lot” she says

Yes, I spent a week in China and the roaming charges are especially high there.

“Well, you are over $2,000 in your phone bill”

Well, thanks for letting me know. When the bill comes I will be happy to pay it.

“No, you need to pay it now; it is higher than your monthly average and we need to collect the payment outside your monthly billing cycle”

Fine. I will call the billing center once I get back to the office tomorrow

“No, you need to pay it now”

I am just about to board the plane. Call me in 3 hours when I land.

“Sorry, I need to collect a payment or we will suspend the account”

Fine. Bill me. You have my credit card details on file.

“No, we need you to provide them again as proof that you are ok’ing the billing”

Hmm… This is beginning to sound like the most unsophisticated phishing attack ever. You need my credit card details? Now? Can’t wait? Ok. Give me your number and I will call you right back and give you my CC.

“This line is for outbound calls only. There is no direct number back to me”

No problem – I will call the t-mobile 800 number and ask for your department.

“They cannot transfer you to me”

Then how do I know you’re a real T-mobile rep and not someone out to get my credit card number?

“Well, how else would I have known your charges this month were especially high?”

At this point I burst out laughing and, since boarding is about to end, I give her my full credit card details. VISA will take the loss on that one, but who will save me from the embarrassment of “securiteam blogger falls victim to the most amateurish phishing attack in history”?
I land, and log online to my t-mobile account, and am shocked to see a bill of $2,500 that is marked as paid. It really was T-Mobile.

Somewhere in Eastern Europe some guy is telling his boss: “Sergei, you’ll never believe this. The fake training material we planted at T-Mobile are actually being used. They are teaching their customers to be phished!”.

Phishing camp indeed.


Some issue at Yahoo??? Your accounts can be deleted…

I received a mail stating that there is some congestion in the Yahoo accounts service and hence they will be closing down unused accounts. They wanted me to send them a few of my personal details; if I failed to do so, my account would be discontinued. Who would want an account they have been using for a long time to be discontinued? So should I send them my details? The mail which I received was:

——————————————————————————–

From:”Yahoo-account-services”
To:undisclosed-recipients
Due to the congestion in all Yahoo-accounts, Yahoo! would shut down all unused
accounts. In order to avoid the deactivation of your account, you will have to confirm your e-mail by
FILL-IN  your Login Info below by clicking the reply button. The personal information requested are
for the safety of your Yahoo! account. Please LEAVE all information requested.


Your Username:——————— ——-
Your Password::——————– ——–
Your Date Of Birth:———————— -
Your Occupation:——————- ———
Your Country Of Residence:—————-
After you must have followed the instructions in the sheet, your Yahoo! account will not be interrupted and will continue as normal. Thank you for your usual co-operation. We apologize for any inconvenience.
Yahoo! Customer Care

——————————————————————————————————–
Well, many innocent people may fall prey to this and end up sharing their personal information along with their login credentials.

You should understand that no mail service provider, bank or other legitimate site will ask for your login credentials (username & password) by mail, nor will it direct you to any site which would collect them. However, there are sites which will ask you to log into the site, or else your id will be temporarily disabled. This is part of their policy, which requires users to log into the site at least once a month or every 3 months or so. But even they will not ask for your personal info. They will simply require you to log into their site.

Such mails are called phishing mails, and the people behind them are called phishers. You should understand the difference between a legitimate site/mail and a phishing one.

Tips for the day are:

1. Bookmark your financial/banking sites.

2. Prefer typing the web address into the address bar rather than clicking on any suspicious link.

3. Always remember that your banking sites, or any other site, will never ask for your personal information. But if you strongly feel the mail may be legitimate and don’t want to take any chances, simply call up their support desk for clarification. Also remember to take the help line number from their site rather than dialing the number mentioned in the suspicious mail.

4. Also check the source of the mail. This can be spoofed easily, but in some cases the phishers don’t spoof it, because they expect the victim to reply to the mail, as in my case. Even though the phisher has spoofed the name as Yahoo-account-services, the email id remains ACfalcon@aol.com. Think: why would Yahoo send you such mails through AOL, or with an id like ACfalcon?
There are a few sites available online which can help you understand the difference between a legitimate and a phishing site. Some of my favorites are http://www.sonicwall.com/phishing/index.html & http://www.uakron.edu/its/learning/training/Phishing.php
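Tips 3 and 4 can be automated for a mail gateway or a personal filter: compare the brand claimed in the From: display name against the sender’s actual domain, and look for wording that asks the reader to reply with login details. This is an added example, not code from the original post; the brand-to-domain table and the sample messages are constructed for it (the sample sender address is the one quoted in the post).

```python
import email
from email import policy
from email.utils import parseaddr

# Brands a display name might claim, and the domains that legitimately send
# mail for them. Constructed table for this example; extend it as needed.
KNOWN_BRAND_DOMAINS = {
    "yahoo": {"yahoo.com", "yahoo-inc.com"},
    "paypal": {"paypal.com"},
}

# Wording that asks the reader to hand over credentials by replying. As the
# post explains, no legitimate provider does this.
CREDENTIAL_REQUEST_PHRASES = (
    "your password",
    "login info",
    "clicking the reply button",
    "confirm your e-mail",
)

# Constructed from the mail quoted in the post: display name says Yahoo,
# address domain is aol.com, body asks for username and password by reply.
SAMPLE_PHISH = """\
From: "Yahoo-account-services" <ACfalcon@aol.com>
To: recipient@example.com
Subject: Confirm your account

Due to the congestion in all Yahoo-accounts, Yahoo! would shut down all unused
accounts. In order to avoid the deactivation of your account, you will have to
confirm your e-mail by FILL-IN your Login Info below by clicking the reply button.

Your Username:
Your Password:
Your Date Of Birth:
"""

# Constructed benign notice: consistent sender, no request for credentials.
SAMPLE_LEGIT = """\
From: "Yahoo! Mail" <no-reply@yahoo.com>
To: recipient@example.com
Subject: Sign in to keep your account active

Accounts that are not used for 12 months may be deactivated. Sign in at the
address you normally use. We will never ask you to send login details by e-mail.
"""


def sender_mismatch(from_header):
    """Return (brand, sending_domain) when the display name claims a known
    brand but the address domain is not one of that brand's domains.
    Returns None when the sender is consistent or no known brand is claimed."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            return brand, domain
    return None


def credential_requests(text):
    """Return the credential-request phrases present in the text."""
    lowered = text.lower()
    return [phrase for phrase in CREDENTIAL_REQUEST_PHRASES if phrase in lowered]


def analyse(raw_message):
    """Run both checks on an RFC 822 message string and return a list of
    human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    mismatch = sender_mismatch(str(msg.get("From", "")))
    if mismatch:
        findings.append(
            "display name claims %s but the address domain is %s" % mismatch)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    phrases = credential_requests(body)
    if phrases:
        findings.append("asks for credentials by reply: " + ", ".join(phrases))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or ["no findings"])
```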

Have a happy phishing free life!!! :D
