
Sunday, July 12, 2009
FreeCreditReport.com - Oh So Telling
FreeCreditReport.com commercials have been lying to people for a while now - offering a "free credit report" when in fact you have to sign up for a service first... well - after going to the site and seeing this logo... I now understand.
Saturday, July 11, 2009
Devastated by a Link-Spam Tool?
If you own a blog, a forum, or are a webmaster of a social-interaction (web 2.0) site... you're going to want to read this.
Hell hath no fury like a blog comment spam engine unleashed upon your site(s). Trust me, I know.
As I was digging through my comment spam, which now numbers in excess of 1,000 spam comments/day on my "Following the White Rabbit" blog, I noticed something. In the spam flood I would occasionally get an advertisement for the spam engine that created the mess. Interesting, I thought - let's see how bad this thing is. Little did I know that what I was investigating was one of the nastiest, ugliest things I've ever laid eyes on as a "good guy" in information security.
The tool is called "X-Rumer" and it's developed and maintained by a Russian Federation-based organization that is known as "BotMaster Labs" - a fitting name to be sure. X-Rumer is a highly-effective tool which can very quickly over-run even the most hardy blogs, forums or other Web 2.0-style media sites.
What really started to open my eyes wide when I looked at X-Rumer 5.0 "Palladium" is its ability to breeze through CAPTCHAs... it's incredible how many different types of CAPTCHA systems this tool can break using its internal automation. Not only can it breach a CAPTCHA, but also many of the more advanced pictocode types of systems (for example, identifying the picture of a non-smoking sign among other signs). Palladium treads the line of SPAM carefully by considering itself a "correct spam" engine - which is interesting enough in that it generates fake responses, and text for the links that it drops into comments and posts.
X-Rumer is an incredible feat of code development... and sadly it's not used for the good of mankind - but for other nefarious purposes... most commonly link-spam. You don't want to have to square off against a tool like this - because odds are you'll lose. The only effective tool against something like this is reCAPTCHA (but it's rumored that even that will be broken by the tool soon). Not only can this tool auto-register itself on sites where registration is necessary, but it's also content-sensitive! If your blog is about football, there are link-spam comments that are tailored to football, so evading spam-detection engines is almost a certainty.
If the forum has more than one category, the software chooses the one most suitable for the message, otherwise it sends the message to off-top, flame sections or the like, and in case those do not exist - to the most visited category on the forum.
This juggernaut is impressive, for a piece of nasty software whose sole purpose is to spread links and ... spam... to the world of Web 2.0.
Why in the world would I write about it? Because you need to know what you're up against - and why your blogs and forums keep getting spammed even though you have registration turned on and human verification on too... you just can't stop a determined spammer... money continues to drive these people and until we (sheeple) stop clicking their links they'll continue to be at it.
Good luck.
Friday, July 10, 2009
How NOT To Do a "Security Advisory"
http://www.netragard.com/pdfs/research/NETRAGARD-20090506-AIRCELL.txt
If you need to know how to write a completely laughable, published security advisory... look no further. This is basically a 'how to' for not being taken seriously... ever again.
This is an oldie... but still a goodie that will forever hang on my "wall of shame". Those SNOSoft people sure can release some quality stuff huh?
That is all.
Thursday, July 9, 2009
Internet Surveillance... for your Credit/Debit Cards?
I've been using the identity theft and credit protection services offered through my bank for a couple of years now. Recently I noticed a new menu option for Internet Surveillance which caught my attention. Apparently, this service (which comes with the ID theft prevention/insurance) is one that scours the Interwebs trying to find the credit card numbers and associated data that you enter in it.
This got me thinking... 2 things struck me as wrong.
First off... do I really trust my bank with every credit card number I own? Maybe it's not so bad since I'm just putting in the name on the card and the full card number (no CVV/CVV2, or expiry date) and even IF someone stole that data - what good would it be to them?
Second, given that Google (whom I presume they'll be using) and most other search engines' queries can be "read" from your history (or from their cache)... do I really want my credit card number as a search string floating around somewhere?
How do those two things balance against my need to be free of ID theft ... on the black market? I'm leaning towards putting in a few card numbers just to see how it goes... do any of you have any thoughts on the matter? Pros? Cons? Have you tried this before (do I need to give a link to the service vendor?)
Soliciting your thoughts, either publicly or privately... thanks!
{ Update }
-- As promised, I went to put in a fake American Express card number (see pasted below) which follows the AmEx algorithm. Immediately, a JavaScript snip flagged the card input as "possibly incorrect" but let me continue anyway. Odd behavior, don't you think? After ignoring the warning I went ahead and hit accept, retyped (same error again, in JS) and then voila! my card was added for monitoring. I have pasted it below just to see if the fake card number gets picked up!
=-=-=-=-=-=-=-=-=-=-=-
--Test--
378511096516050 - Rafal Los - FAKE AmEx card number (not following algorithm!)
--/Test--
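As an added example (not the bank's actual script), this is the kind of client-side sanity check that would flag the test number above as "possibly incorrect": the number has the AmEx shape (15 digits, "37" prefix) but fails the Luhn checksum. The second number is constructed here by correcting the check digit, for contrast only.

```python
"""Added example, not the bank's script: card-number sanity checks of the kind
that produce a "possibly incorrect" warning on a card-entry form.
"""
import re


def luhn_valid(number: str) -> bool:
    """Luhn check (ISO/IEC 7812): from the right, double every second digit,
    subtract 9 from doubled values above 9, and require the sum to be a
    multiple of 10. Accepts spaces or dashes as separators."""
    digits = re.sub(r"[\s-]", "", number)
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_amex(number: str) -> bool:
    """American Express account numbers are 15 digits starting with 34 or 37."""
    digits = re.sub(r"[\s-]", "", number)
    return re.fullmatch(r"3[47]\d{13}", digits) is not None


def classify_amex_input(number: str) -> str:
    """Mirror the form behaviour described in the post: the shape matches but
    the checksum fails -> "possibly incorrect" (warn, but let the user go on);
    wrong shape -> "rejected"; both checks pass -> "ok"."""
    if not looks_like_amex(number):
        return "rejected"
    return "ok" if luhn_valid(number) else "possibly incorrect"


# Constructed values: the post's fake number, and the same digits with the
# check digit corrected so the Luhn sum becomes 50 (for contrast only).
FAKE_AMEX = "378511096516050"
FAKE_AMEX_LUHN_OK = "378511096516059"

if __name__ == "__main__":
    for n in (FAKE_AMEX, FAKE_AMEX_LUHN_OK, "4111"):
        print(n, "->", classify_amex_input(n))
```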
Wednesday, July 8, 2009
The Importance of Understanding Flow
It never ceases to amaze me how much InfoSecurity folks depart from conventional wisdom when it comes to "hacking".
A few weeks ago I was sitting in a meeting room waiting for the folks who would be listening to me talk about App Security to come in. As people funneled into the room I overheard 3 QA guys talking about "understanding the application"... to which one of the security guys looked at them funny and said "we do black-box testing, we don't care to know the application".
Whoops, you fail.
It's not just that these security guys were going to be missing a huge chunk of the application - which they likely will - but it's in their ignorance of the actual application logic and flow that they will fail entirely. Thinking about that, and how to fix the problem, brought me back to DFDs and how useful they were to me when I worked on web application security testing back in the day. You know, I just don't think people do enough intelligence gathering before diving into an application security test. Understanding the beast is fundamental to conquering it, and security folks have a distinct advantage over "hackers" (usually) because they have access to the actual inner-workings of the web applications they'll be testing. Being able to build, read, and understand a DFD is so fundamental to web application security testing that I'm putting together a new paper which will be released later this month (in collaboration with Richard Baker).
DFDs (Data-Flow-Diagrams) are so fundamental to understanding web applications (and any application or system) that I honestly can't imagine someone sitting down to test a web app without having a DFD in front of them. Of course, let me make sure I put it out there that this is mainly valid for internal testing teams but if you're an external tester and can get your grubby little hands on a proper DFD for the app... you can celebrate a little!
First, in case you're reading this and wondering what a DFD is - here is what Wikipedia tells us about Data-Flow Diagrams:
A data-flow diagram (DFD) is a graphical representation of the "flow" of data through an information system. DFDs can also be used for the visualization of data processing (structured design).
On a DFD, data items flow from an external data source or an internal data store to an internal data store or an external data sink, via an internal process.
DFDs are particularly valid for penetration testing because you have a black box in front of you which takes in, processes, stores and often returns data. It is in the understanding of that flow-model that you can begin to find potential weaknesses in the application. Testing randomly through the application may get you some results but knowing where to test (where data is processed, stored and returned) will yield crucial nuggets of knowledge for focused testing.
I turned to some industry experts (the analysts) and got a few good quotes - namely this one from Michael Montecillio...
"Data Flow Diagrams (DFD's) are an invaluable aspect of an application security strategy. DFD's allow organizations to target their strategies to properly address high priority aspects of their applications. Furthermore, remediation efforts can be prioritized based on the visibility of different segments of an app. based on the mapped information found in DFD's." ~Michael Montecillo, Principal Analyst, EMA Security and Risk Management
If a DFD is so fundamental then why don't the people who do penetration testing and AppSec use these ingenious devices more? See... Michael's thought directly reflects why I think this issue needs more attention - people just don't know/get it.
Can you draw a DFD? Do you know what the various shapes mean? Whether you're a novice, or a self-assessed Certified ASS (Application Security Specialist, ASS for short)... you'll want this knowledge.
Tuesday, July 7, 2009
[RANT] Forget SSNs
Something stranger than usual happened today.
I read a piece in Ars Technica today that would ordinarily make me want to cry, scream, and then run off into the woods. This piece was entitled "New algorithm guesses SSNs using date and place of birth". Well crap in my cereal... that's no good.
The more I thought about this very interesting algorithm that can guess your SSN using information gleaned from your FaceBook profile - the more the problem seemed to widen. Following the rabbit down the hole I realized something when I hit the dead end.
Over the years we've all been racking our brains trying to figure out how to protect our SSNs, encrypt and tunnel and such... but to what avail? What's been the point when even if you somehow manage to get through life without someone snatching your SSN along with your full medical history from a doctor's office dumpster, or the same information from the website of one of the "big three" credit reporting agencies (you know why I say that...)... so what? Someone can now come along and guess your SSN based on the information you're publicly providing to the badguys for ... free.
My favorite paragraph is this one because it puts things into perspective for the reader...
"That may still seem moderately secure if it weren't for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute."
Even a moderately large botnet (and there are many, many more out there larger than 10,000 machines kids) would be able to pick apart a moderately large state in a few days - that should worry the wrinkles right onto your forehead. But wait - there's more...
Writing a "bot" that would go and scrape profile data (place of birth and date of birth) from online profiles isn't rocket science as a colleague of mine (who wishes to remain anonymous, ahem) pointed out. Then feeding that bot's data through this SSN generator could put together a nice package which would effectively be able to open credit accounts all over the damn place with little noise or red flags being set off (more on that another time).
Why am I so calm then? Because this has nothing to do with safeguarding data. Our government in its wisdom (or lack thereof) has chosen to use our SSN as the key to everything financial about us... in fact as far as the US Government is concerned our SSN defines us. If you happen to get your SSN jacked - well then my friend you're out of luck unless you can prove that you are you... and that is seriously problematic for me.
OK, so now we have the background, the problem and I'll crown it with a suggestion for fixing this idiotic self-created mess. First, as painful as it may be, it's time to do away with the SSN as the key to an identity. Second, perhaps our all-knowing new president could sign an executive order or what-not declaring that collection of the "new national identifier" be disallowed and other forms of identification (such as a patient ID??) be used in its stead. I realize this is (a) extremely difficult, costly, and time-consuming and (b) probably not going to happen - but it's worth screaming from the steps of the Lincoln Memorial if someone listens.
This has to stop. Otherwise we may as well go back to putting our SSNs on our drivers licenses and checks because identity theft will simply be another rite of passage, like the first apartment, first car, and first credit-card fraud.
Friday, July 3, 2009
Fun PDF Stuffing "Feature"... (hack)
I was sent this link today because I think someone really wanted to start my weekend right. As if there weren't enough ways to make use of the PDF format, now here's a very simple (and quite cool) way to embed files inside a PDF and effectively hide them from the casual passer-by.
Great post from the author, and a neat little python script is posted as well - try it... it's fun!
Makes you wonder, doesn't it? What sorts of things are hidden inside the PDFs you pass around and forward?
Go read: "Embedding and Hiding Files in PDF Documents" and Didier's full blog with other interesting stuff at http://blog.didierstevens.com/.
Thursday, July 2, 2009
"SecurityMetrics" - Another Site Security Certification Seal
You know how much I hate these things...
You also know how much I hate it when these people sell "security" carefully wrapped in bullshit and smoke... under the pretense that their "scan" will actually do anything to achieve some measure of security.
While looking for some new hockey pants (yes, I have destroyed my current ones) on HockeyMonkey.com I saw this interesting seal. Clicking on it made me cringe even more. This is a measure of PCI Compliance? ... and this is supposed to make me feel good about the actual security of the site? Clicking on the damn thing brought up the "Site Certificate" which should be an immediate red light for anyone looking to do business on this site.
First off, this is a quarterly certification... holy crap! The last "Certification Date" is shown as May 14, 2009... which immediately makes me worry since I can't recall the last time I saw an e-commerce site that stayed static for almost 45 days... but let's move past that because after all, compliance is a point-in-time thing... right?
Alright, this next part really gets my blood pumping and feeling like a bull out of the chute... read the first sentence of the text dead center of the Site Certificate carefully...
"On May 14, 2009 www.hockeymonkey.com met the PCI data security requirements by passing a Securitymetrics Site Certification vulnerability scan"
Come again? Maybe I read that wrong. Nope... read it again and it still sounds just as idiotic.
So, let me get this straight... SecurityMetrics has managed to figure out how to achieve the full spectrum of PCI-DSS Security Requirements via a vulnerability scan? How is that even possible? Since SecurityMetrics is scanning the site from the "outside"... how do they know if the various sections are all met properly? Are desktops being equipped with properly updated anti-malware agents? Are default passwords not used? Something smells like a steaming pile of bullshit.
At least these guys don't make outrageous claims such as that they are "Hacker Proof" or "Hacker Safe"... and instead do say that the scan "significantly reduces the risk that this site will be compromised..." and while I wouldn't give them significantly, I may agree that it does reduce overall risk but only as much as me wearing galoshes in the rain reduces my risk of catching the H1N1 (Swine Flu) bug.
So let's investigate this genius PCI Compliance scanning service that will magically achieve PCI Compliance for their customers a little further, shall we?
From the Site Certification Overview page...
Is Site Certification Easy? It is easy. Site Certification does not require any software installation, software configuration, training or costly maintenance. All your technical support is included and there are no hidden fees. SecurityMetrics does not require confidential system information or access to your systems. You simply enroll and the service is scheduled to run at your convenience.
D'oh! I'm going to ask again... how do they determine any measure of PCI-DSS compliance without access to merchant systems?! Are we doing Scanless PCI again?
Their FAQ Page has a priceless little illustration of the devilish "hacker" exploiting "security holes" in the web server... which is so funny I had to stop a minute to quit laughing. Bulletpoint 3 appears to hint that SecurityMetrics does some measure of web site security testing... to me that means testing for things like SQL Injection, Cross-Site Scripting (XSS), CSRF and other common security vulnerabilities, yet there seems to be no mention of these common vulnerabilities. Instead the site's Product Comparison talks about how many ports they can scan and how many "vulnerabilities" they can identify and scan for.
My absolute *favorite* page on their entire site is the Sample Test Results.
I love it! Take a look at this for 5 seconds and tell me this isn't a blatant rip from the Nessus results reports? Take that back... Nessus looks much better these days than this poorly-constructed "report". My guess... they're just Nessus scanning sites and calling them PCI Compliant. [bangs head on keyboard]
One last thing I need to point out, this page which is a List of Vulnerabilities that SecurityMetrics scans for. Out of the total of 5,882 checks (as of today) they break down to 4,486 vulnerabilities, and "if telnet or ftp is enabled the vulnerability assessment engine will test 698 names and passwords common to these services." [mouth wide open... *gasp*]
Let me just say that I read through this list of vulnerabilities and it amounts to nothing more than some basic pattern-checking and typical vulnerability scanner type crap. There are no checks for CSRF (Cross-Site Request Forgery), no checks for XSS (Cross-Site Scripting) that don't involve a vulnerability in a particular application package (i.e. .Net XSS), and no checks for non-specific SQL Injection vulnerabilities... once again - a complete failure of a security service.
The thing I have to wonder is (and I already know the sad answer) why do site owners keep using these services?! For example, JetBlue is apparently one of their customers [note to self: avoid JetBlue website/services at all cost]. SecurityMetrics is not a known brand in security and they have a non-starter product so what draws people to use them? Is it the prospect of having a "PCI Certification" seal somewhere on their website causing them to lose their better judgement?
Logic fails here ladies and gentlemen. Why doesn't someone from the PCI Council do something about companies like this? Isn't it [or shouldn't it be] illegal to claim you can certify someone as PCI Compliant with this ridiculous service - when in actuality that's not even close to true?
So... anyone know of any fun XSS vulnerabilities in JetBlue's site, or any of the other SecurityMetrics testimonial customers they'd care to share?
Tuesday, June 30, 2009
[RANT] Call Me a Realist
Monday, June 29, 2009
OWASP Podcast #27 - "Security Skeletor"
A while back Jim Manico (@manicode) of the OWASP Podcast series emailed me and asked me if I'd be willing to do an interview for OWASP.

Thursday, June 25, 2009
What ever happened to...
- AirCell and American Airlines' "wi-fi in the sky" campaign? So much was made about it a year ago and discussions circulated around the security circles... and now no one's said a peep about it in months. AirCell's Blog has been quiet since 2007 (shocking!) According to the press release section on their site, they've completed an FAA certification "3 months ahead of schedule" so that must mean it's safe, secure and hacker-proof right?
"BROOMFIELD, Colo., June 18 /PRNewswire/ -- Aircell, the world's leading provider of airborne communications, announces that it has received full FAA certification (STC and PMA) for its new High Speed Internet system in the business aviation market and that shipments have commenced three months ahead of schedule. The system's first installation has been completed by Midcoast Aviation aboard a Bombardier Challenger 605 operated by a Midwest-based flight department." (linked here)
- After beating up on McAfee's "Hacker Safe" (now McAfee Secure) program for a while, the security community seems to have left the folks over at Comodo (see their "Hacker Proof" program) to their own devices... continuing to provide their customers (and the customers of those web sites) the finest false sense of security $2,295.00/yr can buy. What ever happened to crusading against such blatant marketing (notice I didn't say security) stupidity?
- Then there was the saga of HoudiniSoft (remember?). They got involved in a massive lawsuit because they were offering to unlock people's carrier-tethered cell phones (thus breaking those illegal monopolies... wait, did I say illegal?). Where did that go? Their website now touts them as a legal way to re-provision cell phones.. COOL! So I can take my T-Mobile locked phone and "re-provision" it to say...AT&T? (GSM capabilities are currently under development, according to their FAQ, bummer). That sounds pretty cool... I'm sure there are still some legal issues there - but I'm glad to see these guys are still around.
Tuesday, June 23, 2009
Microsoft Security Essentials: Road Test
What better way to test the effectiveness of a malware scanner than to go download random binaries from the dirtiest part of the Internet... the P2P networks. Even worse, to really test Microsoft's Security Essentials I decided I would download, install and run LimeWire... and download binaries (.exe files) that I would normally avoid like the plague.
It's simple to find malware on the 'net these days... pop open LimeWire and search for something like "Photoshop crack" or "{random app here} keygen"... you'll find all the malware testing you could ever want.
As a control to Microsoft's Security Essentials I used VirusTotal.com. If you've never used VirusTotal it's a service that uses the major scanners out there (~40'ish or so) to scan your uploaded file and give you a verdict... pretty neat utility. Since not every Anti-Malware (A/M) program catches all threats it's best to run the binaries I've harvested through this handy-dandy little tool to ensure that I have a good idea of what the competitive products are finding on the binaries I'm working with.
I will admit the results are a little... shocking, even for Microsoft's standards.
Let the games begin!
-----
Testing Method: Download random [suspect] binaries from LimeWire
Keyword Search: "keygen" "crack"
File Types: Windows .exe files
Control: VirusTotal.com
-----
- Name: "Office Mac Keygen" | Verdict: Obvious | VirusTotal Link: Here ( 89.47%) | MS SecEssentials: Fail
- Name: "All Sony Products KeyGen 1.2" | Verdict: Obvious | VirusTotal Link: Here ( 92.69% ) | MS SecEssentials: Detected - TrojanDownloader:Win32/Tonick.gen (removed)
- Name: "ALL_Xilisoft_Products_Keygen_v_1" | Verdict: Obvious | VirusTotal Link: Here ( 90.25% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tonick.gen (removed)
- Name: "berry white incl keygen by REVENGE" | Verdict: Obvious | VirusTotal Link: Here ( 87.81% ) | MS SecEssentials: Detected - 2 Threats (in 2 files) TrojanDownloader: Win32/Tracur.A & Tracur.B (removed)
- *Name: "conficker_including_keymaker_by_T" | Verdict: Average | VirusTotal Link: Here ( 66.67% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tracur.A
- Name: "solo_le_pido_dios__including_crack" | Verdict: Obvious | VirusTotal Link: Here ( 92.31% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tracur.A
- Name: "umidimmi_var_KeyGen.All_Versions.zip" | Verdict: Average | VirusTotal Link: Here ( 74.36% ) | MS SecEssentials: Fail
- Name: "SRS_Audio_SandBox_1.9.0.4_with_Keygen.zip" | Verdict: Obvious | VirusTotal Link: Here ( 90.25% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tonick.gen
- Name: "y_hubo_alguin_crack-serial-keygen.zip" | Verdict: Average | VirusTotal Link: Here ( 70.74% ) | MS SecEssentials: Fail
- Name: "registry_clearner_from_TSRh_team (cracked).zip" | Verdict: Average | VirusTotal Link: Here ( 60.53% ) | MS SecEssentials: Fail
Overall, one thing I noticed is that the engine's real-time protection is a little lacking, as it rarely (only once) caught the piece of malware as it was being unzipped, and typically only when I attempted to actually run the file. This obviously isn't optimal, but not an entirely show-stopping failure given that most of the active pieces of malware require you to activate them somehow... such as double-clicking to execute the file.
---
Bottom Line: The verdict, unfortunately folks... is that Microsoft's Security Essentials is essentially lacking on the detection front. In a world where Internet-borne threats are polymorphic, stealthy, and ever-changing the Security Essentials tool fails to deliver real protection against the nasty things that go bump on the 'net. Even when compared against other freeware detection engines (such as AVG) Microsoft's engine still competes poorly, since every single piece of malware that Security Essentials missed, AVG's scanner caught.
Sorry to say - but I recommend spending the cash for a decent anti-malware scanner boys and girls, "Code-name Morro" (Microsoft Security Essentials) isn't up to the task of protecting your computer.
I would like to stress that this is a test of static file analysis, and not of "invading malware" from a drive-by download or something... I downloaded files and then had MSE (Microsoft Security Essentials) check to see if it could detect malware hidden inside the ZIP files they came in. Your results may vary!
Interestingly enough - Steve Ragan over at The Tech Herald had exactly the opposite results. Odd... not sure what to make of this yet... but rest assured more analysis is happening as you read this. Check out Steve's absolutely comprehensive analysis (complete with video!) here... http://www.thetechherald.com/article.php/200926/3926/Review-Microsoft-Security-Essentials
Microsoft Security Essentials: First Impressions
Hey folks, in case you were living in a cave, Microsoft's Security Essentials (formerly code-named "Morro") is now live and available for download.
As it went live at 11:00am Central Time I couldn't help but snag it the minute it went live... and wanted to throw out my first impressions and continue to update this post as I put the free anti-malware client through its paces in my lab.
Lab Configuration:
- Host: Linux Ubuntu 9.04 running Sun VirtualBox
- Host OS: Windows 7 RC build
- Memory: 2Gb
- Disk: 20Gb
- This is the only anti-malware client on this [virtual] machine

First thing I noticed is how utterly tiny this client is, at just over 4.7Mb, that's astounding! Maybe this isn't everything that my monstrous Kaspersky install is on my laptop... but this is pretty impressive if it can deliver. On disk, after installation the Microsoft Security Essentials directory is just 8.67Mb, with 38 files in 6 folders... again, not too bad. As far as system resources are concerned, the msseces.exe process runs in the context of the currently logged-in user (as is expected with Windows 7 controls) using ~0% CPU and just 3.468Kb of memory. With such a small footprint one has to immediately wonder... is this thing even effective? I'm going to find out.
One thing that those of you who are used to complex anti-malware packages will notice is the distinct lack of advanced features... this is, after all, a very simple anti-malware client. Simple being the operative word here... so you can't expect much for free... or can you? There is the option of Real-Time protection which enables itself after the first auto-update and there is an auto-update feature, since the goal is to reach those who would never remember to do it manually. Overall first-impressions are... "yea, it's simple".
Looking at the settings one thing did strike me though... the participation in Microsoft SpyNet (which is apparently a carry-over from the Windows Defender tool) has a Basic or Advanced membership. I can't quite tell exactly what the advanced membership buys you (the user) or why it shouldn't be the default... as it appears that it would help the SpyNet folks pin-point the malware more closely. One thing I did notice is that there is this interesting clause, which I can't imagine worrying anyone...
"In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you, or to contact you."
That unintentional gives away something that I think needs to be further investigated. What types of information is being sent over? How can analyzing malware unintentionally lead to disclosure (or harvesting, accidental or not) of your personal information? I'd venture a guess that as malware collects information on YOU, it may inadvertently pass that information on when it's captured, but I can't say for sure.
Here's how I'm laying out my tests for the coming week or so...
- Using Security Essentials I'm going to find and download some "questionable content" from the dirty underbelly of the Internet...
- I plan on comparing SecEssentials performance in detection and raw stopping power against that of my Kaspersky installation protecting another VM...
- I'm also planning on comparing "Morro" or Security Essentials against some of the other things out there including PrevX (if they ever get back to me)...
Friday, June 19, 2009
ATMs Hacked by Brilliant Trojan Malware
As if we needed another reason to dislike the Microsoft Windows OS... then this happens. Windows-based ATMs in Russia and the Ukraine are apparently being trojaned, quite cleverly may I add, to become silent theives!
"What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street." (Paul Marks, NewScientist, June 17, 2009)That's just incredible. What makes this even more crazy-sounding is that it's not like you can walk up to an ATM and insert a USB key, or point to some shady URL... this has to be an inside job. Criminals are getting to the people who engineer and/or services Automated Teller Machines [ATMs] and having them insert these little "digital skimmer" trojans.
"Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves." (Paul Marks, NewScientist, June 17, 2009)

Crooks have really thought of everything. I know I've argued for a long while that targeted malware is reaching a point in the evolutionary cycle where "anti-malware" programs as we know them may as well not even be installed. It's crazy to think that these pieces of software are so optimized, so well-hidden, and so well constructed that they can not only hide inside a system undetected - but they can also modify themselves (as this article suggests) in order to further evade detection! What's next... I'm almost afraid to ask!
Here's the real meat of the problem... this isn't a traditional hack job, in the pure sense - it's social engineering (maybe some extortion too) thrown into the mix. This reeks of the crime syndicate methods of old... and new. Getting software onto a computer remotely is one thing; but being brazen enough to get it onto a machine by manually putting it there... that's an entirely new level of commitment. Of course, the amount of money these criminals are able to skim probably justifies this. Think of the organizational hierarchy that has to be in place (or has long been in place, as I suggested previously) to execute these types of attacks.
So now you have an inside job, run by someone with access to incredibly sophisticated programming talents, deep pockets and henchmen who are willing to do the dirty work. Well, if this doesn't immediately scream organized crime to you - you've got to open your ears. We've had more than ample evidence over the last several years that organized crime is more and more interested in computer crime - and this takes it to levels previously unseen. I think, quite honestly, security is now at least 2-3 steps behind the "bad guys"... sounds like there is quite a problem brewing.

"The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.

News of the card-data harvester has shocked banks and security analysts. "My reaction to this was: how the hell did they get that software in there?" says Lachlan Gunn, head of EAST. "It must involve insiders." Colin Whittaker, head of security at the UK's Association for Payment Clearing Services (APACS), agrees: "The levels they have gone to to corrupt ATM engineers and install this software is just incredible."" (Paul Marks, NewScientist, June 17, 2009)
** Huge thanks to Gunter Ollmann for pointing me to this, the original TrustWave report, on Twitter. Gotta love that social medium! Notice the "file creation/install date: July 2007"... wow.
More as this develops...
Thursday, June 18, 2009
Watcher - Web Vulnerabilities Served Up Passively
I'm lazy, and getting lazier these days.
- Watcher enables vulnerability hotspot detection which gives you a better idea of where to target your efforts; essentially focusing on where JavaScript and user-controlled HTML are rampant
- Watcher integrates nicely in Fiddler2 and provides additional functionality in a very low footprint
- It's useful... and the new version 1.2 (coming very, very soon) has added checks for many things that should interest you as a tester including cookies, headers, user-controlled content space, SSL and other things
- Has explicit checks for "dubious information disclosure"... which I think a lot of the commercial scanners don't do a good job of defining
- It's simple and nearly effortless... now that's a feature everyone will love
- You get results... and with very little effort you can help spot trouble spots in sites that require your further testing skillZ
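To make the "passive" part concrete, here is an added example of the same idea in Python (it is not Watcher's own code, which is a C# add-on for Fiddler2). Nothing below sends a request: it only reads responses that were already captured, the way a proxy plugin sees traffic, and runs a handful of checks of the kinds listed above... cookie flags, hardening headers, version and address disclosure, and query values echoed back into the page as an XSS hotspot. The Response/Finding types, the check names and the severities are assumptions made for this illustration, and both sample responses are constructed, not captured from any real site.

```python
"""Passive checks over captured HTTP responses, in the spirit of Watcher (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Response:
    """One exchange as a proxy plugin sees it; nothing here is ever sent."""
    url: str
    status: int
    headers: list[tuple[str, str]]  # (name, value); Set-Cookie may repeat
    body: str

    def values(self, name: str) -> list[str]:
        return [v for n, v in self.headers if n.lower() == name.lower()]

    def is_https(self) -> bool:
        return urlsplit(self.url).scheme == "https"


@dataclass(frozen=True)
class Finding:
    severity: str  # assumed scale: "info" (look here), "low", "medium"
    check: str
    detail: str


def parse_set_cookie(raw: str) -> tuple[str, dict[str, str]]:
    """'sid=abc; Path=/; HttpOnly' -> ('sid', {'path': '/', 'httponly': ''})."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_cookies(resp: Response) -> list[Finding]:
    out = []
    for raw in resp.values("Set-Cookie"):
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            out.append(Finding("medium", "cookie-httponly", f"{name} is readable by script"))
        if resp.is_https() and "secure" not in attrs:
            out.append(Finding("medium", "cookie-secure", f"{name} will also be sent over http"))
        if "samesite" not in attrs:
            out.append(Finding("low", "cookie-samesite", f"{name} has no SameSite attribute"))
    return out


def check_headers(resp: Response) -> list[Finding]:
    out = []
    hdrs = {n.lower(): v for n, v in resp.headers}
    if hdrs.get("x-content-type-options", "").lower() != "nosniff":
        out.append(Finding("low", "header-nosniff", "X-Content-Type-Options: nosniff missing"))
    csp = hdrs.get("content-security-policy", "").lower()
    if "x-frame-options" not in hdrs and "frame-ancestors" not in csp:
        out.append(Finding("low", "header-framing", "no X-Frame-Options or frame-ancestors (clickjacking)"))
    if resp.is_https() and "strict-transport-security" not in hdrs:
        out.append(Finding("low", "header-hsts", "https response without Strict-Transport-Security"))
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        val = hdrs.get(name, "")
        if re.search(r"\d+\.\d+", val):  # a bare product name is fine; a version number is not
            out.append(Finding("low", "disclosure-version", f"{name}: {val}"))
    return out


# "Dubious information disclosure" patterns searched in the body.
DISCLOSURE = {
    "private-ipv4": re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "stack-trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"
                              r"|Server Error in '[^']*' Application"),
}


def check_disclosure(resp: Response) -> list[Finding]:
    return [Finding("low", "disclosure-" + kind, m.group(0))
            for kind, rx in DISCLOSURE.items() for m in rx.finditer(resp.body)]


def check_reflection(resp: Response) -> list[Finding]:
    """Query values echoed verbatim mark user-controlled HTML (a hotspot to test by hand);
    echoed with markup characters intact, the output is unencoded: the reflected-XSS shape."""
    out = []
    for key, val in parse_qsl(urlsplit(resp.url).query, keep_blank_values=True):
        if len(val) < 4 or val not in resp.body:
            continue  # short values match by accident too often to be a signal
        if any(c in val for c in "<>\"'"):
            out.append(Finding("medium", "reflection-unencoded", f"{key}={val!r} echoed with markup intact"))
        else:
            out.append(Finding("info", "hotspot-reflection", f"{key}={val!r} echoed into the page"))
    return out


def hotspot_score(resp: Response) -> int:
    """Rough JavaScript density: script tags plus inline event-handler attributes."""
    return len(re.findall(r"<script\b", resp.body, re.I)) + len(re.findall(r"\son\w+\s*=", resp.body, re.I))


def analyze(resp: Response) -> list[Finding]:
    return check_cookies(resp) + check_headers(resp) + check_disclosure(resp) + check_reflection(resp)


# Constructed sample responses (not captured from any real site).
SAMPLE = Response(
    url="https://shop.example.test/search?q=<b>boots</b>&page=2", status=200,
    headers=[("Content-Type", "text/html; charset=utf-8"), ("Server", "Apache/2.2.11 (Unix)"),
             ("X-Powered-By", "PHP/5.2.9"), ("Set-Cookie", "PHPSESSID=3f1a9c; path=/"),
             ("Set-Cookie", "prefs=lang%3Den; path=/; HttpOnly; Secure; SameSite=Lax")],
    body='<html><body onload="init()"><h1>Results for <b>boots</b></h1><script src="/js/app.js"></script>'
         '<!-- TODO remove before go-live: db at 10.1.2.50, contact ops@example.test --></body></html>',
)
HARDENED = Response(
    url="https://shop.example.test/search?q=boots", status=200,
    headers=[("Content-Type", "text/html; charset=utf-8"), ("Server", "Apache"),
             ("Strict-Transport-Security", "max-age=31536000"), ("X-Content-Type-Options", "nosniff"),
             ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
             ("Set-Cookie", "PHPSESSID=3f1a9c; Path=/; HttpOnly; Secure; SameSite=Lax")],
    body="<html><body><h1>Results for boots</h1></body></html>",
)

if __name__ == "__main__":
    for resp in (SAMPLE, HARDENED):
        print(resp.url, "hotspot score:", hotspot_score(resp))
        for f in analyze(resp):
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Run it and the first sample lights up on every category while the hardened one yields only the informational "this search term is echoed" note, which is exactly the kind of hotspot you would then go and poke at actively. Like Watcher, none of this proves a vulnerability; it tells you where to spend your active testing time.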
