Posts tagged ‘Spam’

Out of Office

Are out of office (OOF) messages a security risk or a useful tool? (Microsoft uses the acronym OOF for Out of Facility. I’ll be using that rather than OoO for out of office.)

I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email. Rather than dismissing it out of hand, let’s examine some of the objections to OOF.

Out of office messages could inadvertently disclose information.
“I’m out of the office, check with Joe at 555-12324.” Now the bad guy has another contact name. In this era of LinkedIn, I’m not sure how big a disclosure this would be. You decide for your environment.

OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.

OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that.” Personally I think that is a problem with training, not OOF.

OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later, you have the ability to use a different message for internal senders and contacts versus external senders. You can also send OOF replies only to people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes. I think this is the real root of the anti-OOF forces: annoyance with mailing list OOF backscatter.

3.  The less said the better.
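Here is the three rules above as auto-responder policy logic. This is an added example, not code from the post, Exchange or any product: a separate message for internal senders, external replies only to known contacts, and no reply at all to list or auto-generated mail (the RFC 3834 Auto-Submitted convention and the usual List-Id/Precedence headers). The company domain, the contacts list, the message texts and the sample messages are all constructed.

```python
"""OOF reply policy: internal vs. external message, external replies only to
known contacts, and silence toward mailing lists and auto-generated mail.
Added example; the domain, contact list and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

INTERNAL_DOMAINS = {"example.com"}              # assumed company domain(s)
KNOWN_CONTACTS = {"joe@partner.example.net"}    # assumed address book entries

# Internal colleagues may learn who is covering; outsiders get the minimum.
INTERNAL_MESSAGE = "Out until Monday. Joe is covering; see the team calendar."
EXTERNAL_MESSAGE = "I am out of the office and will reply when I return."


def is_list_or_auto_mail(msg) -> bool:
    """True when an auto-reply would be list backscatter or a reply loop."""
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    if msg.get("Precedence", "").strip().lower() in {"list", "bulk", "junk"}:
        return True
    # RFC 3834: responders must not reply to mail whose Auto-Submitted
    # header says anything other than "no".
    return msg.get("Auto-Submitted", "no").strip().lower() != "no"


def choose_oof_reply(raw_message: str) -> Optional[str]:
    """Return the auto-reply text to send, or None to stay silent."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or is_list_or_auto_mail(msg):
        return None
    domain = sender.rsplit("@", 1)[-1]
    if domain in INTERNAL_DOMAINS:
        return INTERNAL_MESSAGE
    if sender in KNOWN_CONTACTS:
        return EXTERNAL_MESSAGE
    return None   # unknown external sender: no confirmation that the mailbox is live


def build_message(from_addr: str, **headers: str) -> str:
    """Construct a minimal RFC 5322 message for the demo (List_Id -> List-Id)."""
    lines = [f"From: {from_addr}", "To: me@example.com", "Subject: hello"]
    lines += [f"{name.replace('_', '-')}: {value}" for name, value in headers.items()]
    return "\n".join(lines) + "\n\nbody\n"


if __name__ == "__main__":
    samples = {
        "colleague": build_message("Alice <alice@example.com>"),
        "known contact": build_message("joe@partner.example.net"),
        "stranger": build_message("someone@unknown.example"),
        "list mail": build_message("alice@example.com", List_Id="<dev.lists.example.com>"),
        "auto-reply": build_message("alice@example.com", Auto_Submitted="auto-replied"),
    }
    for label, raw in samples.items():
        print(f"{label:14s} -> {choose_oof_reply(raw)!r}")
```

The Exchange feature in point 1 makes the internal/external split for you; the list check is the part you still have to do yourself by unsubscribing, since a mailbox-side auto-responder cannot always tell list mail apart.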

At work, you kind of need to let people know you won’t be getting back to them for a while. There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy. For most of us I think an OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.

Use Facebook Apps? Time for a Password Change

RockYou was hacked a couple of weeks ago and over 35 million passwords were stolen. RockYou may have your password if you’ve played any of their Social Networking Applications on sites like Facebook or MySpace. Their applications include

  • Slideshow
  • Uploadphoto
  • Photofx
  • Glittertext
  • Funnotes
  • Countdown
  • Superhug
  • Myspace layouts
  • Stickers
  • Superwall
  • Pieces of flair
  • Speedracing
  • Likeness
  • Hugme
  • Birthday cards

Pieces of flair seems like one I’ve seen my friends using. Depending on the application, RockYou may have had your Facebook or Webmail password. RockYou recommends that you change passwords for any online service where you’ve used the same password disclosed to them.
In the last day, I’ve seen a massive spike in the number of friends who have had their Gmail account hacked and spam sent to contacts in the address book. It’s not necessarily connected to the RockYou attack, but it’s worth mentioning. The hacker briefly posted the full database online for anyone to download. So it’s not surprising that people would get hit.

AVComparatives Corporate Review

AVComparatives has posted a review of corporate products at http://www.av-comparatives.org/comparativesreviews/corporate-reviews. This test includes AVIRA, ESET, GDATA, Kaspersky, Sophos, Symantec and Trustport. No mention of McAfee or Trend Micro who I believe would both be in the top three deployed corporate endpoint protection solutions.
The report includes a detailed table comparing the available features of the products. It does not focus on detection rates for the most part. It does report on SPAM detection rates. Personally I think SPAM filtering belongs at the enterprise gateway not at the desktop.
As a Symantec Endpoint Protection admin, I loved one of the conclusions of the report, “The Symantec suite is, by far, the most mature and professional product tested by us.”

Virus Alerts and SEP 11 MR4

Since upgrading from SEP11 MR2 to MR4, my virus alert email to admins no longer works.
As a side note, SEP11 has never allowed me to include the path and file name in the virus notifications. They did allow that in SAV10 and earlier. This is a big step back.
Before the upgrade, the email was sent as system@servername. I believe my mailserver was helpfully making the servername fully qualified. The mail had no issues.
Since upgrading, the notifications are no longer getting through. According to the Symantec Knowledgebase, they did this on purpose.

As of SEP 11.0 Maintenance Release 3 (MR 3), a “.com” suffix has been addred (sic) to the “From:” address used by SEPM (SYSTEM@computer_name.com) which should help reduce rejections by the mail server.


Help reduce rejections? Help reduce rejections! How does sending mail as system@servername.com help? That is guaranteed to be rejected by anyone who verifies the sender is a valid domain name.
I’ve opened a case with support asking for them to fix this.
Symantec does not allow you to configure your own sender address in SEP11. They suggest you lower the security posture of your mail server by accepting email regardless of how invalid the From address is. Validating the envelope from domain is a common, easy antispam technique. I don’t want to change it.
Looks like I need to add %Server_Name%.com to my internal DNS as a temporary workaround.
Another “improvement” in MR4.
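To show exactly why system@servername.com bounces, here is the sender-domain check as a mail server applies it. This is an added example, not Symantec’s or any MTA’s code; the reply text is modelled on Postfix’s reject_unknown_sender_domain. DNS is replaced by a constructed in-memory table so it runs offline, and the server name sepm01 and the addresses are made up.

```python
"""Envelope-sender domain validation of the kind the post's mail server does.
Added example; modelled on Postfix's reject_unknown_sender_domain but not its
code. DNS is a constructed in-memory table so this runs offline."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Zone = Dict[Tuple[str, str], List[str]]      # (owner name, record type) -> values
Lookup = Callable[[str, str], List[str]]

# Constructed public DNS answers.
PUBLIC_DNS: Zone = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
}


def lookup_factory(zone: Zone) -> Lookup:
    """Build a resolver over a zone table (stands in for a real DNS query)."""
    def lookup(name: str, rrtype: str) -> List[str]:
        return list(zone.get((name.lower().rstrip("."), rrtype), []))
    return lookup


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain part of a MAIL FROM argument such as '<SYSTEM@sepm01.com>'."""
    m = re.fullmatch(r"<?([^<>@\s]+)@([^<>@\s]+)>?", mail_from.strip())
    return m.group(2).lower() if m else None


def sender_domain_resolves(mail_from: str, lookup: Lookup) -> bool:
    """The null sender (<>) is always accepted so bounces get through (RFC 5321);
    any other sender domain must have an MX or A record."""
    if mail_from.strip() in ("", "<>"):
        return True
    domain = sender_domain(mail_from)
    if domain is None:
        return False
    return bool(lookup(domain, "MX") or lookup(domain, "A"))


def smtp_mail_from_response(mail_from: str, lookup: Lookup) -> str:
    """SMTP reply an MTA with sender-domain checking would give."""
    if sender_domain_resolves(mail_from, lookup):
        return "250 2.1.0 Sender OK"
    # A temporary 450 (as Postfix uses) so a DNS outage delays rather than bounces real mail.
    return "450 4.1.8 Sender address rejected: Domain not found"


def internal_zone_with_workaround(server_name: str, address: str, base: Zone = PUBLIC_DNS) -> Zone:
    """The post's workaround: an internal DNS view that adds <server_name>.com."""
    zone = dict(base)
    zone[(f"{server_name.lower()}.com", "A")] = [address]
    return zone


if __name__ == "__main__":
    public = lookup_factory(PUBLIC_DNS)
    internal = lookup_factory(internal_zone_with_workaround("sepm01", "10.0.0.5"))
    for sender in ("<SYSTEM@sepm01.com>", "admin@example.com", "<>"):
        print(f"{sender:22s} public: {smtp_mail_from_response(sender, public)}")
        print(f"{'':22s} internal: {smtp_mail_from_response(sender, internal)}")
```

The first two lines of output are the whole story: the SEPM sender fails against public DNS and passes only once the internal view carries the fake record, which is why the workaround belongs in internal DNS rather than in the gateway’s sender checks.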
UPDATE 2/17/09
See the comments, there is a way to do this after all. I’ve asked Symantec to update the KB I referenced.

Shmoocon 2009 Day 2

I really shouldn’t have to wake up at 7:30 am on a Saturday and take the Metro into DC. Fortunately I thought the 10am talk was worth it.
Phishing Statistics and Intuitive Enumeration of Hosts and Roles
by Sean Palka
This talk is about a tool he created/uses in corporate engagements. But as with most things developed on company time, it’s not free to be released. The presentation is to give you ideas. And it does make me realize that could be a fun side project if I can’t get money for Phishme and I can’t get hold of Lunker.
The motivation for this tool is to justify to clients that phishing is a useful exercise. He also wanted the tool to gather reliable stats for reporting.
When phishing a company you may find that distribution lists are hit. You may find email forwarded from one user to another. Just as with a marketing campaign, web bugs, images and unique identifiers in URLs are used to determine who is following a link. Most mail clients no longer load images by default, so that cuts down somewhat on the capability to determine a message was read but the link was not clicked on. However, some companies may whitelist their own domain name allowing images to load automatically.
A bad guy phishing doesn’t care who responds. He just wants the credentials. But whitehat phishing needs reports and attribution. You want to know who just visited the site without providing the phished-for information. Your phishing site could have contained a browser exploit just as easily.
Tagging or using unique identifiers in URLs does not solve the problem of message forwarding or when a single user has logged in at multiple locations. While time can be used to determine the person probably didn’t drive home, that person could have used remote desktop. You just don’t know if the message was forwarded or if the user is going from computer to computer trying the URL.
An audience member pointed out that you could use images and the client cache to determine if the same computer visits more than once. (I’m not sure how that would work if a proxy is used).
You may be able to determine “important” systems by the responses as well. If one computer has a higher than normal amount of responses it might be a helpdesk or admin checking out user reports. Obviously if NAT is involved, you need to do your phishing from internal.
Additionally you can determine social networks by seeing to whom the email is forwarded.
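As an added example of the reporting side described above (not Sean Palka’s tool, which he says isn’t released), here is what the attribution for an internal awareness exercise looks like in code: a per-recipient HMAC token in the image and link URLs, a parser for Apache combined-format access log lines, and the two inferences from the talk, the same token seen from several client addresses (forwarding or multiple locations) and one address touching many different tokens (a helpdesk or admin working user reports). The recipients, campaign key, URL paths and log lines are all constructed.

```python
"""Attribution report for an internal phishing awareness exercise.
Added example; the recipients, campaign key, URL paths and log lines are
constructed. A real run would read the web server's access log."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set

CAMPAIGN_KEY = b"constructed-campaign-secret"   # per-exercise secret (assumed)
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def token_for(recipient: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token that cannot be derived from the address alone."""
    return hmac.new(key, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


TOKEN_TO_USER = {token_for(r): r for r in RECIPIENTS}

# Apache combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
IMAGE_RE = re.compile(r"^/img/([0-9a-f]{16})\.gif$")   # web bug in the mail body
LINK_RE = re.compile(r"^/login\?t=([0-9a-f]{16})$")    # link in the mail body


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, path, status = m.groups()
    kind = token = None
    if (mm := IMAGE_RE.match(path)):
        kind, token = "opened", mm.group(1)
    elif (mm := LINK_RE.match(path)):
        kind, token = "clicked", mm.group(1)
    return {"ip": ip, "when": when, "kind": kind, "token": token, "status": int(status)}


def attribute(lines: List[str], busy_threshold: int = 3) -> dict:
    """Map log events back to recipients and flag the two ambiguous cases."""
    users: Dict[str, dict] = {r: {"opened": False, "clicked": False, "ips": set()} for r in RECIPIENTS}
    tokens_per_ip: Dict[str, Set[str]] = {}
    unknown_tokens: List[str] = []
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] is None:
            continue                                   # not one of our tracked URLs
        user = TOKEN_TO_USER.get(ev["token"])
        if user is None:
            unknown_tokens.append(ev["token"])         # never issued: guessed or tampered URL
            continue
        tokens_per_ip.setdefault(ev["ip"], set()).add(ev["token"])
        events.append((user, ev))
    # One address hitting many different people's tokens is probably a helpdesk
    # or admin checking out reports, so its hits are not attributed to anyone.
    busy_ips = {ip for ip, toks in tokens_per_ip.items() if len(toks) >= busy_threshold}
    for user, ev in events:
        if ev["ip"] in busy_ips:
            continue
        users[user][ev["kind"]] = True
        users[user]["ips"].add(ev["ip"])
    possibly_forwarded = sorted(u for u, rec in users.items() if len(rec["ips"]) > 1)
    return {"users": users, "busy_ips": busy_ips,
            "possibly_forwarded": possibly_forwarded, "unknown_tokens": unknown_tokens}


def sample_log() -> List[str]:
    """Constructed access log: alice opens and clicks, bob only loads the image,
    carol's link is hit from two networks, a helpdesk address tries all three
    links, and one request carries a token that was never issued."""
    a, b, c = (token_for(r) for r in RECIPIENTS)
    fmt = '{ip} - - [07/Feb/2009:{t} -0500] "GET {path} HTTP/1.1" 200 43 "-" "Mozilla/5.0"'
    return [
        fmt.format(ip="10.1.1.11", t="10:15:02", path=f"/img/{a}.gif"),
        fmt.format(ip="10.1.1.11", t="10:15:40", path=f"/login?t={a}"),
        fmt.format(ip="10.1.1.11", t="10:15:41", path="/favicon.ico"),
        fmt.format(ip="10.1.1.12", t="10:16:05", path=f"/img/{b}.gif"),
        fmt.format(ip="10.1.1.13", t="10:20:11", path=f"/login?t={c}"),
        fmt.format(ip="10.9.9.9", t="11:02:33", path=f"/login?t={c}"),
        fmt.format(ip="10.0.0.50", t="11:30:00", path=f"/login?t={a}"),
        fmt.format(ip="10.0.0.50", t="11:30:05", path=f"/login?t={b}"),
        fmt.format(ip="10.0.0.50", t="11:30:09", path=f"/login?t={c}"),
        fmt.format(ip="10.1.1.14", t="11:45:00", path="/login?t=0000000000000000"),
    ]


if __name__ == "__main__":
    report = attribute(sample_log())
    for user, rec in report["users"].items():
        print(f"{user:18s} opened={rec['opened']!s:5s} clicked={rec['clicked']!s:5s} ips={sorted(rec['ips'])}")
    print("busy (helpdesk?) addresses:", sorted(report["busy_ips"]))
    print("possibly forwarded:", report["possibly_forwarded"])
    print("unknown tokens:", report["unknown_tokens"])
```

The HMAC token matters for the reporting, not just for tracking: a sequential or address-derived identifier lets anyone who sees one URL guess another person’s, which is exactly what the unknown-token bucket is there to catch. As the talk points out, the per-address inferences fall apart behind NAT, where every hit arrives from the same proxy address.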
When an internal system is used for a phishing attack, the pros and cons are:
- The firewall prevents external connections. Email may be forwarded externally and responses cannot get to your internal site.
- People may trust the internal IP and act differently.
- You don’t have to worry about your other security filtering getting in the way. This isn’t a test of your spam filter.
- You can build focused attacks on victims.
Whitehat phishing attacks where the website is external have little ability to get the client IP. He said he hasn’t had a lot of consistent success using PHP. This limits reporting capabilities when NAT is used.
I didn’t ask if he did customization to use the users names in the target emails.
He doesn’t include training in the tools (as Phishme does) because the focus of his tool is pentesting not security training. While this is understandable given his role at BAH, I think most people looking to do whitehat phishing are going to want to provide the immediate user feedback/training that has been proven to be effective.
Stranger in a Strange Land: Reflections on a Linux guy’s First Year at Microsoft
by Crispin Cowan
A lot of the talk, I felt I’d seen in either the SDL blog or from Jeff Jones’ blog. Basically slides pointing out the success of the Security Development Lifecycle at Microsoft. Security at Microsoft comes down to before the 2002 Bill Gates Memo and after. For those who don’t know, Microsoft shut down coding for a month and re-trained employees in secure coding practices. They then followed up and made sure people did it.
One of the big problems that isn’t going away is legacy. There are a lot of applications that rely on doing dangerous stupid things that they have been allowed to do. There is so much breakage you can do before people start to push back. (side comment, it was a huge deal for Microsoft to disable IIS by default in a desktop operating system. Their application vendors expected it to be there). It is hard to fix architecture issues without screwing old applications. The application base is the value in Windows.
One of the big problems is the massive dependence on local admin. UAC is the stick used to cause programs to write their application so it doesn’t require local admin rights. It’s not UAC that sucks, it’s the crappy application that needs admin rights just to run.
88% of users participating in the feedback program leave UAC enabled.
Another metric they use is sessions that are UAC prompt free.
In Vista RTM, this was 50%.
With SP1, consumer desktops were at 65% and computers joined to a domain (work computers) were at 80%.
I assume this means the applications are getting improved to not need admin rights. It could mean people stopped using the crappy app.
Middling Everything with Middler
by Jay Beale
Obviously MITM is nothing new. What this project does is

  1. Inject javascript into HTTP
  2. Store session ID
  3. Intercept logout requests (even if you think you’ve logged out, you haven’t)
  4. Replace https links with http links (your http bank site which only uses https for login is now logging in in clear text)

The purpose of the tool is:

  • Inject javascript into every page
  • inject temp or permanent redirects
  • Take over website with Browser exploitation framework
  • Compromise user with metasploit

Middler is available on the InGuardians website.
The Agreement
A group of friends set up a framework of rules to govern as they attempt to 0wn each others computers. When no one else will set up a capture the flag exercise for you, you hack on each other.
http://www.jointheagreement.com/
The Fast-Track Suite
by David Kennedy
The Fast Track suite will be available in Backtrack 4. Or check out the Fast Track website.
All I seem to remember is “pop a box.” ;)
Very interesting point and click hacking. As I understand it, some Metasploit attacks were only available for old specific service packs, he has made the attacks more universal.
In pen testing, I believe people use Windows debug to convert the uploaded hex into binary. There is a built-in 64 kb limit. He automates a way to get around that by supplying a new debug util (at least that is how I understood it).
In the demos he’d run an exploit upload vnc server and connect to it.
I didn’t get a chair during this talk so I dont have a lot of notes.

Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. It’s a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers I felt like a solution wasn’t really there. Fixing fundamental problems. I’m not sure if Bruce defined this. If he means teach everyone to code securely, then burn to the ground existing software and start over. Well, keep waiting for that.

The other talks on day one were quick 25 minute talks, I didn’t always have notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send out an “uninstall” command to the botnet army. It would also be risky since the botnet is in kernel and you could potentially BSOD the clients.
No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys’ ASN back online briefly allowing them to regain control.
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
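An added example (not Conti, Sangster and Ragsdale’s tool) of the simplest version of this idea: slide a window over a binary object, compute the Shannon entropy and printable-byte share of each window, and merge neighbouring windows with the same label into regions. The input blob is constructed from four synthetic segments, and the thresholds are assumptions a real tool would tune against known file formats.

```python
"""Coarse region mapping of a binary blob by windowed byte statistics.
Added example; the sample blob and the thresholds are constructed/assumed."""
import math
import random
from collections import Counter
from typing import List, Tuple

Region = Tuple[int, int, str]   # (start offset, end offset, label)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def printable_share(chunk: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in chunk) / len(chunk)


def classify(chunk: bytes) -> str:
    h = shannon_entropy(chunk)
    if h < 0.5:
        return "padding"                 # zero fill or another constant run
    if printable_share(chunk) > 0.95:
        return "text"                    # strings, config, scripts
    if h > 7.5:
        return "compressed/encrypted"    # near-uniform bytes; cipher vs. packer needs more work
    return "code/data"                   # machine code, tables, structured records


def map_regions(blob: bytes, window: int = 1024) -> List[Region]:
    """Label each window and merge consecutive windows with the same label."""
    regions: List[Region] = []
    for start in range(0, len(blob), window):
        end = min(start + window, len(blob))
        label = classify(blob[start:end])
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions


def sample_blob() -> bytes:
    """Constructed object: text, zero padding, mid-entropy 'code', pseudo-random tail."""
    text = (b"Config: host=mail.example.com; retries=3; log=/var/log/app.log\n" * 32)[:1024]
    padding = bytes(1024)
    code = bytes((i * 37) % 64 for i in range(1024))      # 64 symbols -> 6 bits/byte
    rng = random.Random(1234)                              # fixed seed; stands in for ciphertext
    encrypted = bytes(rng.getrandbits(8) for _ in range(2048))
    return text + padding + code + encrypted


if __name__ == "__main__":
    for start, end, label in map_regions(sample_blob()):
        print(f"{start:#08x}-{end:#08x}  {label}")
```

Entropy alone cannot separate a compressed region from an encrypted one (both look uniform), which is the hard part the talk was getting at; the windowed labels are still a useful first pass before opening the hex editor.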
Decoding the Smartkey
by Shane Lawson
Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.
Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine key height compromising the lock.

Moving

A little housekeeping blog post.
I’m moving webhosts this week. My old host is progressively more annoying. A few years ago the owners sold out to a company that operates many web hosting brands. After quite a bit of migration headache, things seem to have stabilized. Nevertheless, my contract is finally up, and I’ve decided to move on. I have a real problem with the attitudes displayed by the moderators on the hosting company’s forum. It was once a place of help. Now all they do is quote “we are not $company employees, contact $company support.” So much for peer to peer help. The last straw for me was when many customers were hacked and the company didn’t communicate beyond forcing a mass password change.
The new host has SSH access which should make routine maintenance a bit easier. They also offer 50 GB of space for non-website related things like backups.
During the transition, I decided to refresh my style a bit. (although I am worried that this one is used by too many people already). The new style caused my AJAX comments to not work. So we’re back to the default comment submission method. That means more spam in the moderation queue.
So pardon the dust as I find widgets to add/remove.

Can MessageLabs improve Symantec Antivirus

I rescued an old comment from Akismet (the spam filter I’m using on the blog) because it asked an interesting question. How can Symantec’s acquisition of MessageLabs improve their desktop antivirus?
My first reaction to this is that MessageLabs Antivirus can’t be duplicated at the desktop. They use multiple antivirus engines in addition to their own Skeptic engine – a collection of heuristic detections. Multiple scan engines work on gateway servers, and Microsoft Antigen/Forefront/whatever uses multiple engines on Sharepoint. But at the desktop performance is needed. Also don’t quote me on this, but I thought I’d read that the Skeptic database has a huge ruleset. That also doesn’t lend itself well to desktop performance.
Multiple antivirus vendors are now looking at implementing antivirus in the cloud. In this model, new/unknown files are sent to the cloud for analysis. Skeptic would fit in well in Symantec’s implementation of that model.

Abrechnung

My Virus Alert folder is overflowing this morning with alerts.
One of the users got Joe-jobbed on a virus/spam run. It looks to be a German language attempt to get people to open a virus by making them think they have an unpaid bill.
One of the Subject lines is Abrechnung. Although since I’m seeing bounces the subject line is usually a delivery failure message.

Google Docs Viagra Spam

I was going through my Cox inbox and found Viagra spam with a link to http://doc.google.com/View?id=dfpqm7ft_0tt6xhdd2.
It’s nothing new that spammers have been taking advantage of Google. It’s just kind of annoying to me that this message was sent on October 30th, today is November 10th and the linked Viagra Google doc is still up (“consult a physician if the link stays up longer than 4 weeks”). Am I to believe that no one has reported this link to Google?
The paranoid part of me wonders if when I went to the link Google Docs helpfully checked my Google cookie and provided my Google email address to the spammer who previously only had my Cox email. Next time I’m clearing cookies and using a safer browser when following unsafe links. But I digress, the real point here is Google is woefully slow in responding to spam compared to Yahoo. What’s up Google? Use some of that 20 percent time to stop hosting spammers.