[SecurityRatty] tag: email-address

Links for 2008-11-20 [del.icio.us]

Thu, 20 Nov 2008 21:00:00 +0000

Got SIEM? - Part IV « eIQviews
Customers tend to use SIEM technologies for more reactive efforts, such as post-event forensics, rather than as a true correlation solution to determine unusual behavior or policy violations before they have a chance to affect systems and data.
SIEM Blog » Unrestricted Data Collection for Maximum Compliance and Forensic Visibility
Beast Or Buddha » Blog Archive » So we own your client database and everything important to you…
Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!” SG dude: “Well more than likely, others have….we didn’t do anything fancy…”. Web Developer: “Well nothing has ever happened so it’s just you guys!” SG dude: “You have no logging”. Web Developer: “We’ve never been hacked!”
On Data Loss Prevention (DLP) » My Wife Finally Knows What I Do
The Two Kinds Of Security Threats, And How They Affect Your Life | securosis.com
We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email).
Marcus Ranum on Network Security - CSO Online - Security and Risk
The real best practices have been the same since the 1970s: know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to "need only" and segment your networks.

Just Love This: Noisy vs Quiet from Rich

Thu, 20 Nov 2008 14:50:00 +0000

OMG, some people (usually ex-Gartner... for whatever mystical reason) have this uncanny ability to present information in a way that just triggers an avalanche of insight. Here is an example: "The Two Kinds Of Security Threats, And How They Affect Your Life " from Rich Mogul.

Some quotes: "We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email)."

and

"Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater."

and

"The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature."

Overall, a MUST read.

God, please, send us some credible security metrics... please.

Raffys Visualization Book

Thu, 20 Nov 2008 11:40:00 +0000

Here is my long-overdue book review for “Applied Security Visualization“ by Raffy Marty.

First, here is what my early endorsement for the book said (can be found on the inside cover of the book):

“Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive that this book is actually 'hands-on-useful," not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!”

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about usefulness of visualization. I was burned by having to look at bad “visualization” tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. Buy you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualization are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond “worms and scans” into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers “compliance”, which, in this case, covers all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools; obviously, including the author’s AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).

BTW, I am posting it at Amazon as well.

Dissecting the Latest Koobface Facebook Campaign

Thu, 13 Nov 2008 05:08:12 +0000

The latest Koobface malware campaign at Facebook, is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (79.132.211.51)
off34 .com/go/fb.php (79.132.211.51)
youtube-spyvideo .com/youtube_file.html (58.241.255.37)
ahdirz .com/movie1.php?id=638&n=teen (208.85.181.69)
top100clipz .com/m6/movie1.php?id=638&n=teen (208.85.181.67)
hq-vidz .com/movie1.php?id=638&n=teen (208.85.181.68)

The dropper then phones back home to : f071108 .com/fb/first.php (79.132.211.50) with the binaries hosted at a legitimate site that's been compromised :

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake Youtube domains participating :
catshof .com (79.132.211.51)
youtube-spy .info (94.102.60.119)
youtubehof .net (218.93.205.30)
youtube-spyvideo .com (58.241.255.37)
yyyaaaahhhhoooo.ocom .pl (67.15.104.83)
youtube-x-files .com (94.102.60.119)

The development of cybercrime platforms utilizing legitimate infrastructure only, has always been in the works. With spamming systems relying exclusively on the automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Teaching the Elderly about Scams and Security

Tue, 11 Nov 2008 11:54:46 +0000

People were being scammed long before email and malware entered into daily use — and it’s still happening offline as well as online. So what to do if you know that someone you love is being victimized and scammed?

That’s the question the Consumerist asked readers today, with a story about a Florida grand-dad whose gardener is supposedly fleecing him for over $10k / month, allegedly to help an ailing friend:

Shaun says his 80+-year old grandfather, Steve, is being scammed out of over $10,000 a month. It seems Steve recently hired a female gardener who introduced him to a “wealthy friend,” and now he’s loaning them money to pay for groceries, cable, home upkeep, and, get this, bodyguards to protect her from an ex-husband and son who to want to kill her. When the family tries to intervene, Steve says the family is trying to put him in a nursing home and steal his money. Shaun is at a loss. How can he help his grandfather, who doesn’t want to be helped?

Another question that might be relevant in the IT Security community is, are the elderly more prone to these scams, and if so why? In the tech world it’s widely assumed that the older generation just has a harder time learning and grasping how to use technology so may not understand what is risky and what isn’t.

But perhaps there’s a deeper problem, either with some form of dementia and paranoia in the older years, or just a purer vulnerability associated with being alienated from the new, cutting edge and modern world as we age, or some kind of unwillingness to be suspicious because of the need to have caring people around you?

White House Network Hacked By Chinese On Multiple Occasions

Fri, 07 Nov 2008 21:03:27 +0000

According to Demetri Sevastopulo from Financial Times, Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials. US officials say Chinese hackers have raided White House email archives multiple times. The Financial Times reports some people it describes as “US government cyber experts” suspect the raids were [...]

Speaking of Security Podcast #127

Mon, 03 Nov 2008 21:00:00 +0000

Click to Download/Listen (07:52)

It's election day in the US, and today's Speaking of Security Podcast focuses on the notorious breach of Sarah Palin's email account on Yahoo. Satchit Dokras, a Director in RSA's EMC Product Security Office, talks about Palin's exposed email and how all of us can better protect our online accounts.

Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts

Fri, 31 Oct 2008 17:12:57 +0000

Security researchers at RSA’s FraudAction Research Lab have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts. The Sinowal (AKA Torpig or Mebroot) trojan has also stole email and FTP account login details. Previous attempts to track the source of the Trojan were unsuccessful. The haul [...]

Pseudo Email Marketing Tools Empowering Spammers

Wed, 29 Oct 2008 16:28:30 +0000

Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the development of a DIY spamming tools, whose features greatly evolved throughout the last couple of years. Originally released in 2004, the vendor appears to have been actively improving the real-time metrics of the campaigns, next to building interactivity into the spamming process through the WYSIWYG editor.

For better or worse, despite that these applications are empowering spammers and lowering down the entry barriers into spamming, the tools have gotten largely replaced by the increasing number of managed spamming services, whose quality assurance features of bypassing spam filters act as a main differentiation factor. Here are some of this tool's features :

"- High speed distribution - 200,000 letters per hour.
- Contains an embedded SMTP server that allows you to send letters directly to the recipient's mailbox without using your provider's SMTP server.
- If you are accessing the Internet via modem, and distribution using the SMTP server, you do not fit - also allowed to send mail through any number of remote SMTP servers (relay), or via SMTP server provider.
- Support for SMTP authentication.

- Supports up to 500 concurrent streams to send to each mailing.
- Automatic caching DNS requests to speed up distribution and reducing the load on the DNS server.
- Ability to run multiple independent shots at the same time.
- Ability to suspend delivery and continue later with a point.
- All modes distribution - TO, CC, BCC and PersonalCopy. In the latter case, the program generates a personal letter to each recipient.

- Ability to specify the size of BCC package regimes TO, CC, and BCC.
- Ability to specify the TO: field for mailing regimes and CS BCC.
- Full emulation signature letters Outlook Express to increase cross-your-mails through spam filters.
- Support for distribution via a proxy server.
- Automatically detect the bad (non-existent) and not by E-Mail addresses directly in the process of distribution based on a flexible, user SMTP rules. Thanks SMTP rules achieved a very precise definition of bad addresses virtually no false positives.

- Ability to create lists of addresses, depending on the specific responses of remote servers for SMTP commands.
- Organize automatically subscribe / unsubscribe to the mailing addresses.
- Perform any processing of existing lists.
- Develop a letter to the powerful WYSIWYG Html editor.

- Automatically apply to each recipient by name, as well as paste in a letter to a specific, personalized information through powerful Mail Merge templates.

- Set the calendar to automatically launch shots at the right time.
- Quickly send out mail."

With managed spam services' on-demand, risk forwarding and completely outsourced processes, they're not only going to replace such DIY tools, but also, position them as a dynamically evolving cybercrime platforms.

CSI 35th 2008 Discount Passes

Wed, 29 Oct 2008 11:08:00 +0000

Since I am speaking at CSI 35th Annual Conference (on SIEM, believe it or now), I can again give out discount conference passes:

"The passes cover the full conference, Monday–Wednesday, November 17–19, 2008, for a 55% discount! To pass along your discount passes, send your guests to CSI 2008 Registration to register for a CSI 2008 Conference Pass and have them enter the below Priority Code in the box provided: SPK73

*Please note: This offer is only for new registrations, we cannot re-price current registrations."

UPDATE: THE OFFER BELOW HAVE BEEN TAKEN AS OF 5:00PM Oct 30th.

For those rare people who read all the way to here :-), I can also give our 1 (one!) FREE CSI pass; please email me for it as it will be given on "a first come, first served" basis and can only be used by my loyal blog readers :-)