Posts tagged ‘Phishing’

CheckFree Attack

Brian Krebs reports on an attack on CheckFree in today’s Security Fix blog.
It looks like someone used phishing to get credentials for their Network Solutions account. Brian says “This may seem like a logical stretch, and perhaps it is.” I don’t know about that. If they just phished the email address in the whois record, they would probably get the right person.
Once they had the login credentials, it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.
Avivah Litan, a fraud analyst with Gartner, seems to think that other (unnamed) security mechanisms should be in place besides username and password: “If all that’s protecting a bank’s Web site is a user name and password, that’s kind of like having a massive vulnerability in the core of the Internet.”
I’m not sure the solution is some call-back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs?
I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I don’t know enough about that to know if it’s a solution. The RFC says it means “ignore all updates except to turn off clientUpdateProhibited”. That doesn’t sound like much defense.
While it is a reactive defense, it doesn’t cost much to monitor your domains so you are alerted about DNS errors and changes.
Also, if Network Solutions had emailed a change alert to the address of record, this could have been caught earlier as well.
To me the bottom line is that personnel need to be trained not to fall for phishing attacks.
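As an added example of the domain monitoring suggested above (not code from the post or from any registrar), the check below compares a stored NS baseline against a fresh lookup and reports which registrar locks are absent from the whois record; the domain names, name servers and whois text are constructed.

```python
"""Detect changes to a domain's authoritative NS set and missing registrar locks.

Added example (not from the original post). Inputs are constructed snapshots of
what a nightly monitor would have resolved or pulled from whois; no network I/O.
"""
import re

# EPP status codes that block client-side changes. The post mentions
# clientUpdateProhibited; the transfer and delete locks are its companions.
RECOMMENDED_LOCKS = {
    "clientUpdateProhibited",
    "clientTransferProhibited",
    "clientDeleteProhibited",
}


def parse_whois_status(whois_text):
    """Return the set of status codes found in raw whois output."""
    statuses = set()
    for line in whois_text.splitlines():
        m = re.match(r"\s*(?:Domain\s+)?Status:\s*(\w+)", line, re.IGNORECASE)
        if m:
            statuses.add(m.group(1))
    return statuses


def check_domain(baseline_ns, current_ns, whois_text):
    """Compare the stored NS baseline with a fresh lookup; return alert strings.

    An empty list means no NS drift and all recommended locks are present.
    """
    base = {ns.lower().rstrip(".") for ns in baseline_ns}
    cur = {ns.lower().rstrip(".") for ns in current_ns}
    alerts = []
    added, removed = cur - base, base - cur
    if added or removed:
        # A swapped NS set is exactly what the CheckFree hijack looked like.
        alerts.append("authoritative NS changed: +%s -%s"
                      % (sorted(added), sorted(removed)))
    missing = RECOMMENDED_LOCKS - parse_whois_status(whois_text)
    if missing:
        alerts.append("registrar locks missing: %s" % sorted(missing))
    return alerts


# Constructed sample data standing in for the baseline and today's lookup.
BASELINE_NS = ["ns1.example-bank.test.", "ns2.example-bank.test."]
HIJACKED_NS = ["ns1.attacker-dns.test.", "ns2.attacker-dns.test."]
SAMPLE_WHOIS = "Domain Name: EXAMPLE-BANK.TEST\nStatus: clientUpdateProhibited\n"

if __name__ == "__main__":
    for alert in check_domain(BASELINE_NS, HIJACKED_NS, SAMPLE_WHOIS):
        print("ALERT:", alert)
```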

Lunker

I’ve been looking forward to the release of Lunker, a spear-phishing toolkit for pentesters. It was originally reported to be part of the OWASP live CD due out this month. We just don’t have the budget for PhishMe (although it is cheap).
Unfortunately, according to a comment on this post over at hackyourself.net, they are getting a case of conscience: “It’s too ripe for exploitation.” So they are going to take a couple of months to make it less ready to go. The rationale is that with Metasploit anyone can patch and protect themselves against what it exploits. You can’t patch users against social engineering.

Vishing

I’ve noticed that the number of vishing attempts reported at work has been on the rise. Vishing, like phishing, is a socially engineered attempt to get your financial information. Unlike phishing, rather than luring you to a website, it lures you to a phone number. This could fool some people who are aware of the danger of phishing websites but unaware of how easy it is to set up a number to collect financial info. When calling your financial institution, only trust the number on the back of your card or the number on the bill.
Here is the text of the vish:

In our terms and contidions you have agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that order parties may have tried gaining access or control of your information in your account.
Therefore, to prevent unauthorized access to your Old Point National Bank Internet Banking account,you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts.*
To reactivate your debit card , please call: +1(xxx-xxx-xxxx)

A Different Approach to Password Reset

Earlier this week I was discussing password resets with one of my co-workers. Common password reset questions are discoverable, guessable, or disclosed on your social networking site:

  • Mother’s maiden name – public record
  • Street you grew up on – can be found
  • Place of birth – discoverable
  • Name of pet – guessable (top list of pet names on the Internet, or just check their Facebook)

Users “improve” on security by putting something else there. They’ve effectively created a second password when they couldn’t remember the first. Now it’s likely they’ll forget both.
In a discussion among users at a non-security forum where I’m a member, one user reports “I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor.”
Here’s another person’s response:

It drives me nuts. Stupid questions like the “favorite” stuff – what am I five years old? I don’t have a f&*(&*ng favorite color you stupid POS website!!! And then there’s the “What street did you grow up on?” “What was your Math teacher’s name?” “What is your childhood pet’s name?” ********. I’d moved six times by the time I got to high school. I didn’t grow up on ONE street, nor did I have a SINGLE math teacher and I didn’t have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them…

Then there is the problem that most of these systems are looking for exact answers, so “New York, NY” is not “New York, New York”. The system that was supposed to prevent password reset calls is generating more calls.
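An added example (not from the post or any product) of the normalization that avoids the exact-match problem: answers are reduced to a canonical token form before hashing, so “New York, NY” and “New York, New York” verify against the same stored value. The abbreviation table is a constructed stub.

```python
"""Normalise knowledge-based answers before comparing them.

Added example, not part of the original post. Rather than storing the raw
answer, store a salted hash of its canonical form: lower-cased, accents and
punctuation stripped, common abbreviations expanded, repeated words dropped.
"""
import hashlib
import hmac
import re
import unicodedata

# Constructed and deliberately small; a real deployment would load a full table.
ABBREVIATIONS = {"ny": "new york", "st": "street", "ave": "avenue", "mt": "mount"}


def normalize_answer(answer):
    """Canonical form of an answer: 'New York, NY' -> 'new york'."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    expanded = []
    for tok in tokens:
        expanded.extend(ABBREVIATIONS.get(tok, tok).split())
    # Order-preserving de-duplication: "new york new york" -> "new york".
    seen, canon = set(), []
    for tok in expanded:
        if tok not in seen:
            seen.add(tok)
            canon.append(tok)
    return " ".join(canon)


def store_answer(answer, salt):
    """Value to keep in the database: PBKDF2 over the canonical answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


def verify_answer(candidate, salt, stored):
    """Constant-time comparison of the candidate's canonical hash."""
    return hmac.compare_digest(store_answer(candidate, salt), stored)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    stored = store_answer("New York, New York", salt)
    print(verify_answer("new york, NY", salt, stored))   # True
    print(verify_answer("Newark, NJ", salt, stored))     # False
```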
While reading ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items, you choose 16 things you like or dislike. It doesn’t need to be an emphatic like or dislike. They feel that studies show you won’t have to remember anything: when it comes time to reset your password, you will naturally select the same items.
I watched a video of the researcher’s presentation at Google.
I think the key questions are whether it scales and whether it protects against the right sort of attacks. It takes longer to register. I can’t imagine doing that every time I have to sign up for an account at a new site.
I think it fails a couple of tests:

  1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
  2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.

Interesting work on a real problem. Check out the video link.
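To put the two tests above in numbers, here is an added example (not the post’s or i-forgot-my-password.com’s code) that scores a reset attempt against the 16 enrolled picks and computes how often an attacker passes, from a phisher guessing blindly to someone who already knows several of your picks. The acceptance threshold of 12 matches, the catalogue size and the “attacker knows k picks” model are assumptions.

```python
"""How well does a pick-16-of-N likes/dislikes reset resist guessing?

Added example, not code from the post or from i-forgot-my-password.com. The
acceptance threshold (12 of 16 matches), the catalogue size and the model of
an attacker who already knows k of your picks are assumptions.
"""
from math import comb

PICKS = 16          # items the user marks at enrolment and again at reset
THRESHOLD = 12      # assumed: matches required to pass


def matches(enrolled, selected):
    """How many reset-time selections were also enrolled."""
    return len(set(enrolled) & set(selected))


def passes(enrolled, selected, threshold=THRESHOLD):
    return matches(enrolled, selected) >= threshold


def p_guess_passes(n_items, known=0, picks=PICKS, threshold=THRESHOLD):
    """Probability an attacker passes when they know `known` of the enrolled picks
    and fill the remaining slots uniformly at random from the other items.

    Hypergeometric: a pool of n_items-known unknown items, picks-known of them
    enrolled, picks-known drawn. known=0 is the blind phisher; the post's
    "psycho ex" is modelled by a larger known."""
    draws = picks - known
    hits_left = picks - known
    pool = n_items - known
    need = max(threshold - known, 0)
    total = comb(pool, draws)
    return sum(comb(hits_left, k) * comb(pool - hits_left, draws - k)
               for k in range(need, draws + 1)) / total


if __name__ == "__main__":
    for known in (0, 4, 8, 12):
        print("knows %2d picks of 16 -> pass probability %.2e"
              % (known, p_guess_passes(200, known)))
```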

Iconix Phishing Protection

A couple of days ago I received an email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate with PayPal’s servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message’s validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google search found a product called Iconix. Iconix works with Outlook, Outlook Express and a number of webmail providers (no Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/Sender ID and DomainKeys to determine message authenticity. Next it looks at message identification: a list of companies that have paid Iconix and registered with them. If both are verified, the message’s “display From” is altered to present a logo of the sending organization’s choosing. This allows recipients to tell at a glance that the message is from who it says it is.
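The authenticity half of that check can be approximated from the message headers alone. Added example, not Iconix’s code or the post’s: it reads the SPF and DKIM verdicts that our own inbound mail server stamped into Authentication-Results and checks that the DKIM signing domain aligns with the visible From domain; the server hostname and the sample headers are constructed.

```python
"""Header checks a mail client can do itself: SPF/DKIM results plus From alignment.

Added example; not Iconix's code or the post's. An Authentication-Results header
is trusted only if our own inbound MX (constructed hostname) added it, since a
sender can forge one upstream.
"""
import email
import re
from email import policy

TRUSTED_AUTHSERV_ID = "mx.example-corp.test"   # assumption: our inbound MTA


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip(" <>").lower()


def assess_message(raw):
    """Return spf/dkim verdicts, the DKIM d= domain, and whether that domain
    aligns with the visible From domain (the check DMARC later formalised)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain_of(str(msg["From"]))
    result = {"from_domain": from_domain, "spf": None, "dkim": None,
              "dkim_domain": None, "aligned": False}
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(ar).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV_ID:
            continue  # not added by our MX, so it proves nothing
        for field in ("spf", "dkim"):
            m = re.search(r"\b%s=(\w+)" % field, rest)
            if m:
                result[field] = m.group(1)
    sig = msg["DKIM-Signature"]
    m = re.search(r"\bd=([^;\s]+)", str(sig)) if sig else None
    if m:
        result["dkim_domain"] = m.group(1).lower()
    d = result["dkim_domain"]
    result["aligned"] = bool(
        result["dkim"] == "pass" and d
        and (from_domain == d or from_domain.endswith("." + d))
    )
    return result


# Constructed headers modelled on the PayPal message described in the post.
SAMPLE = """\
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass header.d=paypal.test
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.test; s=sel1; bh=...; b=...
From: "PayPal" <service@paypal.test>
Subject: New PayPal Plug-In

body
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE))
```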
Iconix at first appeared to be a great solution. It’s been reviewed in several trade publications, and I didn’t immediately find anyone disparaging them online. Iconix is installed software, so you do wonder a bit about the privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can ma and pa kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug in to Thunderbird for SPF and DomainKeys validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

Corporate Fantasyland

Twice today I read “enterprises do this” statements that made me laugh.
Over at SANS the handler wrote “Corporates typically block outbound FTP” while describing Yahoo phishing in which the malware was downloaded over FTP.
Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in corporate environments where “new software is rarely installed.”
I’ve been looking for reliable statistics on what percentage of companies currently allow a significant percentage of employees to have local administrator rights. When I see statements like the above, I wonder whether our policies, which were once among the more restrictive, are now comparatively lax. Or are the authors merely stating what they wish were true?

US Tax Court Phishing

MX Logic has a writeup on US Tax Court phishing emails seen today.
The email from noreply@ustaxcourt.org has a link to download “a Copy of the Order, Letter, Notice or Other Document Being Appealed”. The website was not online when I checked on it.

Fighting Back Against Identity Theft

In February, Postmaster General John Potter sent a letter, presumably to all addresses, enclosing an identity theft brochure from the Federal Trade Commission (FTC).
The Postmaster General’s letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.
So many times when dealing with users the response is “I’ve got nothing to hide” or “I won’t be a victim” or “I’ve got nothing worth protecting”. The Postmaster General’s letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized, it is not easy to clean up.
The FTC brochure has a link to the FTC’s Identity Theft Site.
The brochure has three key sections.
Deter

  • Shred financial documents and paperwork before you discard them
  • Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don’t give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information
  • Don’t use an obvious password like your birth date, your mother’s maiden name or the last four digits of your social security number
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect
Be alert to signs that require immediate attention

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.
Defend
Defend against ID theft as soon as you suspect it.

  • Place a “fraud alert” on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report
  • Report the theft to the FTC

Common Ways ID Theft Happens:

  1. Dumpster Diving.
  2. Skimming – skimmers are special devices that steal your credit/debit card numbers.
  3. Phishing
  4. Changing your address
  5. Theft of wallet/purse, mail, records

BBB Spam Run

Watch out for more BBB phishing/exploits.
Today MessageLabs detected another Better Business Bureau attack targeted at two of our VPs.
Subject: “BBB Complaint Case # (Ref#)”
From: seatac@bbb.org
The message contained a PDF file with an embedded EXE.
We had one slip through to our CEO earlier this month that caused some panic. Fortunately the attacker was trying to use a redirect on the BBB website, and the redirect wasn’t working anymore. If the user had been able to follow the link successfully, they would have been prompted to run a malicious ActiveX control supposedly from Adobe.
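As an added example of gateway triage for attachments like the one described (not MessageLabs’ or the post’s code), the scanner below flags the PDF name objects associated with embedded files, launch actions and scripts, and reports file specifications that name an executable; the PDF bytes are constructed.

```python
"""Flag PDF attachments that carry embedded files, launch actions or scripts.

Added example; not the post's or MessageLabs' code, and the PDF bytes are
constructed. Caveat: names inside compressed object streams are invisible to
a raw scan, so an empty result is not proof that a file is benign.
"""
import re

# PDF name objects worth alerting on during mail-gateway triage.
SUSPICIOUS = {
    b"/EmbeddedFile": "embedded file stream",
    b"/EmbeddedFiles": "embedded files name tree",
    b"/Launch": "launch action (can start an executable)",
    b"/JavaScript": "JavaScript",
    b"/JS": "JavaScript",
    b"/OpenAction": "action runs when the document opens",
    b"/AA": "additional (automatic) actions",
}
FILESPEC = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")
RISKY_EXT = (b".exe", b".scr", b".com", b".bat", b".cmd", b".pif")


def triage_pdf(data):
    """Return a sorted list of findings for one PDF blob (empty = nothing seen)."""
    findings = set()
    if not data.startswith(b"%PDF-"):
        findings.add("missing %PDF- header")
    for name, why in SUSPICIOUS.items():
        # A name ends at a delimiter, so /JS must not match longer names.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data):
            findings.add(why)
    for m in FILESPEC.finditer(data):
        fname = m.group(1).lower()
        if fname.endswith(RISKY_EXT):
            findings.add("file specification names an executable: "
                         + fname.decode("latin-1"))
    return sorted(findings)


# Constructed: a catalog whose open action launches an embedded .exe.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 3 0 R >>"
    b" /OpenAction << /S /Launch /F (complaint.exe) >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (complaint.exe) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nMZ\nendstream endobj\n"
    b"%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(MALICIOUS_PDF))
```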

Shmoocon 2008 Day 1

I’m down at Shmoocon this weekend. I’ve been to two of the four Shmoocons. Apparently I only go in even years.
Here are some notes. This is probably going to be even less coherent than usual, as it’s getting late and I need to be back down there tomorrow.

David Hulton, “Intercepting GSM Traffic”

As I understood it, this talk described a “known plaintext” attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost is much lower for this attack than for previous attacks. The solution will probably be more networks switching to 3G.

David Smith, Forensic Image Analysis to Recover Passwords

This talk described his attempt to recover passwords from core dumps, swap, memory dumps, logs, deleted temp files, slack space and internal history.
He is currently working in Perl to search for strings of a certain length and then give them an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files from the gathered strings.
In terms of defenses, I would start with not saving passwords in easily reversible forms (the browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don’t get caught while the computer is booted.
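As an added example (Python here, not the speaker’s Perl), the routine below extracts printable runs from a constructed image, scores each by Shannon entropy and drops anything also present in a baseline of clean-OS strings, as the audience member suggested.

```python
"""Pull printable strings out of an image and rank them by entropy.

Added example (Python, not the speaker's Perl). The sample image is
constructed bytes. Random, mixed-class material such as passwords scores
high; words and repeated filler score low. Strings also found in a clean-OS
baseline are dropped, as the audience member suggested.
"""
import math
import re
from collections import Counter


def extract_strings(blob, min_len=8):
    """Runs of printable ASCII at least min_len long, decoded to str."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s):
    """Bits per character; equals log2(alphabet size) when every symbol is distinct."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def rank_candidates(blob, baseline=frozenset(), min_len=8, max_len=64):
    """(entropy, string) pairs, highest first. Skips duplicates, baseline
    strings and over-long runs, which are usually code or text, not secrets."""
    seen, ranked = set(), []
    for s in extract_strings(blob, min_len):
        if s in seen or s in baseline or len(s) > max_len:
            continue
        seen.add(s)
        ranked.append((round(shannon_entropy(s), 3), s))
    ranked.sort(reverse=True)
    return ranked


# Constructed "image": binary noise, an OS banner, filler and two credential-like runs.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\xff" * 8
    + b"Microsoft Windows [Version 5.1.2600]\x00\x00"
    + b"password=Tr0ub4dor&3\x00"
    + b"AAAAAAAAAAAAAAAA\x00\x00"
    + b"wA9#kq2Lz!f7\x00\xde\xad"
)
BASELINE = frozenset({"Microsoft Windows [Version 5.1.2600]"})

if __name__ == "__main__":
    for score, s in rank_candidates(SAMPLE_IMAGE, BASELINE):
        print("%.3f  %s" % (score, s))
```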

Syn Phishus, Unauthorized phishing exercise

This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company’s ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials; if they hit submit or cancel, they were counseled not to be so dang gullible.
The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn’t tell anyone before doing it. He didn’t want anyone else to take the risk. He tried to make it easy for IT security to respond by putting information in the comments on the phishing site, and by using a computer connected to the corporate VPN for his phishing attack.
As you might expect, this did not go over well with his company. Doing something like this is definitely a career-limiting event. You should always have a get-out-of-jail-free card, that is, something in writing authorizing you.
Edited to remove an incorrect assumption about Syn and another phishing venture. Sorry about that.

Deral Heiland, Web Portals

This talk was about a pentest facilitated by the company’s Internet portal.
Portals provide easy access to corporate data. They can also be huge threats to the internal network.
The problem with this particular (unspecified) portal was twofold. One, it accepted unauthenticated traffic, and two, the portal had full access to the internal network. The portal accepted and processed GET requests, so you could create a query that would have the portal open a website on the internal network. By trying common internal address space, you could find anything running a web server. This ranged from printers, Compaq Lights-Out boards and network equipment to the SAN administration interface. Bad news for the company if a hacker had uncovered this.
This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be reached. A layer 7 firewall could have prevented the portal from being exploited as well.
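An added example, not from the talk, of the server-side filtering the previous paragraph calls for: a portal that fetches a caller-supplied URL refuses any host not on an allow-list and any name that resolves into private or other special address space. The allow-list, hostnames and the injected resolver are constructed.

```python
"""Guard a portal's "open this URL" parameter so it cannot reach internal hosts.

Added example, not from the talk or any product. The allow-list, hostnames
and the injected resolver are constructed. A target must be on the allow-list
and, after resolution, must not land in private, loopback or other special
address space, so a DNS entry that points inside is still refused.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example-corp.test", "news.example-corp.test"}  # assumption
ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip_text):
    """True for private, loopback, link-local, multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolve):
    """Return (ok, reason). `resolve` maps hostname -> list of IP strings; it is
    injected so the check runs offline (production would use getaddrinfo)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        addrs = resolve(host)
    except KeyError:
        return False, "unresolvable host"
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"


# Constructed resolver standing in for DNS.
FAKE_DNS = {
    "www.example-corp.test": ["23.45.67.89"],
    "news.example-corp.test": ["10.0.0.25"],   # misconfigured: points inside
}


def fake_resolve(host):
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://www.example-corp.test/", "http://news.example-corp.test/"):
        print(u, validate_target(u, fake_resolve))
```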

Isaac Mathis, Hacking the Samurai Spirit

This was actually an interesting talk about how differences in culture influence security.

Deviant Ollam, Latest News on Bump Key Attacks

This was fairly routine for anyone who is up on bump keys.
Anti-bumping technology is starting to make its way into common consumer-level locksets. Master Lock and Kwikset appear to be gearing up to sell consumers on this added protection.