GMA Fake Site and Tricks Scammers Use

GMA News warned the public last week regarding a fake site that reports fake news, which has fortunately been taken down as of press time. This reminds me of the recent fake news item about Megan Fox being a man. If anyone actually checked that site’s menu, they’d see links to a “Mutants” section and an “Aliens” section, which should readily warn anyone about the veracity of news on that site. Unfortunately some educated people believed that piece of news, which is really quite sad.

CSOOnline came out with an article detailing the Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines, which are divided as Social Networking Scams, Office Offenses and Phishing Lures:

Social Networking Scams
“I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
“Someone has a secret crush on you! Download this application to find who it is!”
“Did you see this video of you? Check out this link!”

Office Offenses
“Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
“This is Chris from tech services. I’ve been notified of an infection on your computer.”
“Can you hold the door for me? I don’t have my key/access card on me.”

Phishing Lures
“You have not paid for the item you recently won on eBay. Please click here to pay.”
“You’ve been let go. Click here to register for severance pay. “

Check out the site link above for more details.

The same author, Joan Goodchild, also wrote about Social Engineering:8 Common Tactics, and 3 Ways a Twitter Hack can Hurt You, which might interest you if you want to learn more about Social Engineering.

---

Tips
If in case you aren’t using encryption yet and want an easy and free encryption solution, you may want to check out TrueCrypt. Tom’s Hardware has published a how to and review to start you out.

---

Auditing
A consortium of US agencies and organizations released a draft of the Consensus Audit Guidelines that define the 20 most critical security controls to protect federal and contractor information systems.
The press release states that: “The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.”

---

Other Security News
(The Register) New OS X research warns of stealthier Mac attacks
(The Register) Banking app vuln surfaces 18 months after discovery
(The Register) Hacker pokes new hole in secure sockets layer
(PCWorld) New Attacks Target IE7 Flaw
(PCWorld) IE8 Focuses on Improved Security and Privacy
(PCWorld) Microsoft Adds Clickjacking Protection to IE8 RC1
(PCWorld) Downloads for Hard Economic Times

Advertisement

Info Sec News, Jan 19, 2009

Secure Coding and Application Dev
What is probably the most significant security news item of the past week is the release of SANS and Mitre of their Top 25 errors and how to fix them. It’s been said that around 85% of criminal activities on the net stem from the current crop of Top 25 flaws. The Top 25 list is divided into three broad categories namely: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

The PDF version of the Top 25 is available here.

The Software Assurance Forum for Excellence in Code (SAFECode) has made two publications available to help eliminate the Top 25 errors, its Guide to the Most Effective Secure Dev Practices in Use Today, and Software Assurance: An Overview of Current Industry Best Practices.

---

Social Engineering
A rehash of old tactics can be seen in an E-mail purportedly from Northwest Airlines (but actually carries a zipped trojan file), and malware spreading websites that claim US President elect Obama won’t be taking the oath of office on the 20th. This just strengthens the argument that your personnel and their security awareness training are now your first line of defense, and not your perimeter firewall.

This is related to the fake Christmas and holiday greetings that been sent every year for the past few years, which was seen again this past Christmas.

---

Malware
The Downadup (also known as Conficker) Worm versions A, B and C that exploits what Microsoft released an out of band patch for in late October ’08, and weak Admin passwords, is said to have infected an “amazing” 9 million PC’s according to F-Secure researchers. If you’re wondering how they got to this astonishing figure, check out F-Secure’s Blog.

(PC World) UK Ministry of Defence Stung by Rapidly Spreading Virus

---

Secure deletion, reuse or disposal
According to new research led by Craig Wright, it just takes one re-write to securely wipe the data from a hard drive. This talks about a complete sector by sector overwrite of a hard drive.

Articles on this can be found on Heise Security and SecurityFocus. The paper was presented at the Fourth International Conference on Information Systems Security (ICISS) in Hyderabad, India and can be purchased here.

---

Encryption
Heise Security has published an in depth article on how modern cryptological attacks are done in their article, “Cheap Cracks“.

---

Patches and Change Management
Oracle released fixes for 41 different flaws this month and Microsoft released a single patch that closed three flaws.

(Heise Security) Numerous security updates from Oracle
(Heise Security) Microsoft closes three holes in Windows
Microsoft issues patches for ‘nasty’ Windows bugs

A vulnerability in SAP GUI has also been found and a patch has been released and is available to registered SAP users.

---

Other InfoSec News:
In relation to the Anonymization article I wrote about a few days ago, the makers of Tor has announced that their software has zero known bugs.

(Computerworld) Two big, bad botnets gone, but replacements step up

(Computerworld) Critical security projects escape the budget ax

(Heise Security) Banking details can be stolen through a new JavaScript exploit

(Computerworld) Six Worst Internet Routing Attacks

(GO San Angelo.com) US Air Force planning to train hundreds yearly in cyber warfare skills

(Information Week) Thief Steals Sony Ericsson Prototypes

The Windows 7 Beta Team has removed the 2.5 million download limit as stated in the Windows 7 Blog. People can get the Beta until January 24.

Secunia Advisories

---

Tips:

(Computerworld) How to Secure your Vista PC in 10 easy steps

(Computerworld Blog) Removing malware from an infected PC

The Windows Security Blog has announced a new Beta called Sundance that could help secure Windows and Office 2007 installations.

In relation to what I wrote about around a month ago regarding wireless networks, the crack in the WPA protocol only affects the TKIP version and not AES, so the solution is to simply switch from TKIP to AES as is detailed in this article from Search Security.com, “Cracks in WPA? How to continue protecting Wi-Fi networks“.

(PC Magazine) The Top Tech Tips of 2008 Part 1

(PC Magazine) The Top Tech Tips of 2008 Part 2

Happy New Year to All :)

A lot of people in the Philippines are probably still hungover from the long vacation from Dec 25 to Jan 4, unless of course they were part of sales, or a BPO… anyway, on to the news:

OpenVAS 2.0 was released around two weeks ago, and a respected security expert (who wishes to remain anonymous) thinks it is, “fast approaching the maturity level needed to truly compete with Nessus in the vulnerability assessment area.”

The OpenVas 2.0 press release states that:
OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).

---

Some of the Philippines’ high ranking government officials may want to look into cellphone voice encryption (as mentioned in this SecurityPark.net article) before calling some other high ranking government official so that they wouldn’t need to give a televised public apology (wink).

---

Speaking of mobile phone security, there was a DOS vulnerability found in Nokia Series 60 cellphones just before new year’s eve called the “Curse of Silence”, which either stops the cellphone from receiving SMS until a factory reset is done (Series 60 2.6 and 3.0 devices) or not all SMS’s are received (Series 60 2.8 and 3.1).

This is done via the following steps (check out the demo video link below):
For Series 60 phones v2.2, 2.3, 3.0 and 3.1 attack target phones
1. create an email that has an e-mail address with more than 32 characters followed by a space.
2. set TP Protocol Identifier of SMS Message to Internet Electronic Mail
3. send message to target (eleven times to Series 60 v 3.1, only one message is needed for all other versions)

There are currently no client side workarounds published as of the moment. If ever you work for Smart Communications, Globe Telecom or Sun Cellular maybe your network team can take heed of the suggestion in the document that “network operators should filter messages with TP-PID ‘Internet Electronic Mail’ and an email address of more than 32 characters or reset the TP-PID of these messages to 0”. I also do not have a Series 60 phone mentioned in the list so I cannot test if it can affect cell phones here in the Philippines. Kindly drop me a line in case you were able to test this.

Phones affected:
S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

More details can be found in a must see video (21 MB) and a document (6.8 KB) on the website of Tobias Engel, who is a member of the Chaos Computer Club.

---

Microblogging site Twitter had a major breach and has phishing problems reports HeiseSecurity, SCMagazineUS, and SecurityFocus. Apparently, US President elect Barack Obama’s and Britney Spears’ accounts were compromised.

In related news, (The Register) Bogus LinkedIn profiles punt malware to fools.

A security update for the popular email client Mozilla Thunderbird was recently released. (Heise Security report, SCMagazineUS report)

The recently found MD5 vulnerability links:
(SCMagazineUS) MD5 insecurity affects all internet users
(SCMagazineUS) Hackers find hole to create rogue digital certificates
(Heise Security) Verisign/RapidSSL close 25C3 MD5 vulnerability
(SecurityFocus) Survey: One in seven SSL certificates are weak

Info Sec News: Nov 18, 2008

BBC Click on Biometrics

A few weeks ago BBC News Click published How biometrics could change security. The week after, they then published, “The pitfalls of biometric systems“.

Since its somewhat related to physical security, A UK fingerprint developer can read a letter from its envelope.

More news about the keyboard electromagnetic sniffing that was making the news last month:

From The Register Swiss boffins sniff passwords from (wired) keyboards 65 feet away

From BBC Keyboard sniffers to steal data

Video on keyboard sniffing from the very people that did the experiment can be found at COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED KEYBOARDS.

---

The Register gives a tutorial on encrypting e-mails in, “Still sending naked email? Get your protection here“.

---

Pretty sad that a UK Anti-Fraud site has crashed due to DDOS attack.

The popular and free AVG Anti-virus has once again identified a trojan that isn’t one.

A Vulnerability has also been discovered in the SSH Specification.

The New York Times reports that Privacy Laws Trip Up Google’s Expansion in Parts of Europe

The Federation of American Scientists (FAS) Secrecy blog, reports that terrorists can presumably use twitter, instant messaging, etc. The article Spy Fears: Twitter Terrorists, Cell Phone Jihadists by Noah Shachtman on Wired talks about it more.

If you’re interested on the pdf exploit (also see below in other news), Didier Steven’s Blog, talks about Shoulder Surfing a Malicious PDF Author.

Other News:

Email ruse uses Federal Reserve Bank name to drop PDF exploit

Cybercrime expected to ramp during holiday season

New attack targeting Windows Mobile phones

Apple issues 11 security updates for Safari browser

How Outsourced Call Centers Are Costing Millions In Identity Theft

Although somewhat unrelated, InfoSec Professionals might also be interested in this article on airport security, The Things He Carried

---

White paper on Designing and implementing malicious hardware presented at the LEET ’08

White Hat World Webinar on 10 Reasons your Existing SIEM Sucks! This will be held on Thursday, November 20, 2008 4:00 am Philippine time.

Wireless Hacking part 2

Yesterday, I had a post on Using Nmap to detect Rouge Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages on wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

For the history buffs, there is a A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

News from SC Magazine US, SecurityFocus.com and Heise Security just came out that WPA can now be cracked in around 15 minutes.

The SecurityFocus.com news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng toolsuite.

I remember a few months ago Risky Business podcasts interviewed the maker of Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and its automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.

If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at the BlackHat, this year. In case you’ve never heard of the “Wall of Sheep”, its a wall with a projection of Usernames and part of the passwords for the users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using the default https, but just for log-on) through the use of replay attacks. Apple iPhones and Window’s mobile phones have also shown up.

Since you’ll want to save some of the information from the KARMA+Metaploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One which retails for around $350, and Lenovo Ideapad S10 which retails for around $400, would both be great for this.

Since its related, there’s an On Demand Webcast sponsored by Nokia on, Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.

Recent Whitepapers on the Net

Secure Mobile Computing Using Two-Factor Authentication with VPNs and Disk Encryption – sponsored by Alladin

ABSTRACT:
This paper highlights the risks that organizations run in allowing mobile users full access to the enterprise network, data, and applications through VPN. It takes a detailed look at how making sensitive corporate data available in this manner, creates security gaps with passwords and encryption keys stored on the hard drive. Aladdin focuses on successfully addressing these issues with strong two-factor authentication, reviewing the broad range of easy to deploy, easy to use, and low cost two-factor authentication devices available that meet the needs of organizations today.

---

Web Application Security: Too Costly to Ignore sponsored by HP

Posted: 24 Sep 2008
Published: 24 Sep 2008
Format: PDF
Length: 8 Page(s)

ABSTRACT:
Web application security is crucial to mitigating the risks of attack and attaining regulatory compliance. The number of web attacks is on the rise and is exponentially more cost effective to remedy those flaws early in the development process. There is an enormous chasm between where application security should be and the sad shape of application security today. Download this free whitepaper from HP Software to learn about the gaps in most application security programs and how to incorporate application security across the lifecycle.

---

Oracle Advanced Security TDE (Encryption)

Posted: 15 Jul 2008
Published: 01 Jun 2007
Format: PDF
Length: 19 Page(s)

ABSTRACT:
Encryption is a key component of the defense-in-depth principle and Oracle continues to develop innovative solutions to help customers address increasingly stringent security requirements around the safeguarding of PII data. Retailers can use Oracle Advanced Security TDE to address PCI-DSS requirements while university and healthcare organizations can use TDE to safeguard social security numbers and other sensitive information. Encryption plays an especially important role in safeguarding data in transit. Oracle Advanced Security network encryption protects data in transit on the intranet from network sniffing and modification. Oracle Advanced Security TDE protects sensitive data on disk drives and backup media from unauthorized access, helping reduce the impact of lost or stolen media.

---

Data Center TCO – A Comparison of High-density and Low-density Spaces sponsored by Intel

Posted: 24 Jul 2008
Published: 01 Jan 2007
Format: PDF
Length: 12 Page(s)

ABSTRACT:
One of the most common misconceptions in this period of growth is that the total cost of ownership (TCO) of a new data center is lower with a low-density design. In fact, the most efficient new data centers are those with high-density designs, which leverage virtualization to reduce TCO by millions.

This white paper explains why and offers suggestions for successful operations in the high-density data center. Key considerations include:

* Airflow distribution challenges
* Server uniformity
* Airflow velocities
* Hot aisle temperature