[SecurityRatty] tag: click

SmartPhones Just One More Spam Vector

Thu, 09 Oct 2008 07:03:56 +0000

The Apple iPhone has another vulnerability, one that shouldn’t surprise you if you’ve been paying attention.

The news of the latest problems surfaced after Apple allegedly ignored researchers’ reports to them and the researchers decided to go public with the news :

In Mail, users can hover over an embedded hyperlink to see the URL, but these URLS get cut off due to the small screen. Users might see a trusted domain, but when they click it, find that the link actually resolves to an untrusted site.

The second vulnerability is that Mail automatically downloads images, leaving users open to malware.

It’s “a pretty dumb design flaw” says the researcher who discovered the problem.

Cybercriminals Abusing Lycos Spain To Serve Malware

Thu, 09 Oct 2008 00:28:17 +0000

Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept of abusing legitimate web services for infection and propagation isn't new, what's new is the fact that the FTP access is efficiently abused.

Here's a description of the link generator :

"Download the program and run it asks for an ID (identifier), then copy it and paste it there, then press' Create Installer 'and the program will create the Installer! (this program to run a simulation that is installing the Adobe Flash and indicates to our page that "has been installed Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file tie it in with your server! and what flames or Installer Setup (simulating being an installer)! Now you need to upload that file you've joined an FTP, click Next and put the path of that file in the next step!"

Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign itself, the recent blackhat SEO campaign relying on pre-registered Windows Live Spaces and AOL Journals syndicating hot Google Trends keywords, further indicates the malicious attacker's capabilities of efficiently abusing legitimate services. And with the process of bogus accounts registration performed automatically, or outsourced entirely, malicious services aiming to automate the abuse process are only going to get more efficient.

Why Risk Management Doesnt Work (?!)

Wed, 08 Oct 2008 13:15:14 +0000

Several folks (Hi Daniel, Brent, David!) sent email & twitters asking us our opinion on a Dark Reading article called “Why Risk Management Doesn’t Work” which if you click on the link should come up for you after seeing someone’s advertisement for a few seconds.

I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.) THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed. It is well worth your time as it’s chock full of interesting information. As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept seems just to rehash the old GIGO argument regarding risk analysis. Great. Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you - is this really a problem common in your analysis? Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!” Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about? See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report. It’s just that I don’t see what the big deal is. This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool? I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria, and then correlated to the frequency and magnitude of real-world losses across the aggregate sample. In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.) THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward. Why is this news? Now as I read the article it’s not clear if:

The RSA Council is claiming that the CISO’s office should be the ones determining reward. Absurd.

Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter. So I’m pretty sure (good) businesses do a good job at estimating reward. Businesses I’ve been a part of? We LOVE(D) estimating reward. We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market. So what could the problem be that this RSA council is trying to address? Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless. It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later). It also gave you the ability to build workflow quite nicely. But it measured NOTHING. There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff. So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting. I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath. The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be. Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure. And maybe we’re infantile in our ability to describe our problem space. But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

No skills

and/or

No resources

Any ancillary “cause” can be mapped to one of these categories. You could have significant resources but crappy models, and have conversations like our imaginary CSO, above. You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Clickjacking

Mon, 06 Oct 2008 09:45:02 +0000

Good Q&A on clickjacking:

In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.

"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread.

Change your passwords with your smoke detector batteries

Sun, 05 Oct 2008 08:26:43 +0000

If you’ve changed your smoke detector batteries more recently than you’ve changed your passwords, then you should think about changing some of them now. If you can change passwords more often, great. But I realize that some of us have upwards of 25 passwords to manage on a regular basis (click HERE). It’s not fun having [...]

When Psychology Meets Network Administration

Tue, 30 Sep 2008 11:17:09 +0000

The library comic Unshelved has a fun strip today…where the new library intern announces she will reconfigure the network to correct the librarian’s snarky attitude. But can computer administrators really control their users’ behavior? Our fearless young librarian Dewey doesn’t seem too worried.

Luckily we do have some technologies to warn users who still haven’t learned to stop opening spammy attachments, click pop up ads and so on…but I don’t think they’d help with the snarky attitude problems. I’m not sure I’d want my computer network to try doing that anyway.

Speaking of Security Podcast #123

Sun, 28 Sep 2008 20:00:00 +0000

Click to Download/Listen (07:03)

Recent updates to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 mandate that U.S. financial institutions and creditors must comply with the Identity Theft Red Flag provisions by November 1, 2008. Amanda Van Veen speaks with EMC's resident FACTA expert, Dennis Mayer from EMC Consulting about the upcoming deadline and what it means to those who must comply.

Gambling Domains Seized by Kentucky

Sun, 28 Sep 2008 03:32:49 +0000

From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It appears that the seizure order (click here for a copy of the initial order) was signed by a circuit judge, but later reports indicate that the judge is holding further hearings and seeking further arguments. A hearing will be held Oct. 7, according to TheDomains. See page 4 of the seizure order for a complete list of the 141 domains. Here are some of them:

123bingo.com
777dragon.com
indiancasino.com
jackpotcity.com
powerbet.com
crazypoker.com
vegaslucky.com

That sort of thing. According to DomainNameNews, several of the domains are for popular sites, including PokerStars.com, FullTiltPoker.com, BodogLife.com, GoldenPalace.com, Bet21.com, DoylesRoom.com and IndianCasino.com. It also reports that at least one registrar (Enom) has transferred domains pursuant to the order, including one whose registrant died of a heart attack this summer. The seizure order says that the domains are to be transferred by any registrar to a plaintiff's account at that registrar (the plaintiff being the Commonwealth of Kentucky), but that the domain names' configuration will be otherwise unchanged. This means that any gambling sites run on those domains or, for that matter, anything else on those domains, such as PPC ads, would remain functional. All things considered, this seems like simple-minded grandstanding without any good law behind it. The Constitution vests Congress with power to regulate interstate commerce, which the domain name market clearly is. In fact, these businesses are truly international. And it's a safe bet that none of the gambling companies or registrars operates in Kentucky, perhaps not even any of the domain name holders. That the state argues that residents of Kentucky engage in illegal gambling doesn't give the state jurisdiction. The Internet Commerce Association, a domainer lobby, has weighed in on the matter in opposition to the state's move.

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.