<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: genuine]]></title>
    <link>http://securityratty.com/tag/genuine</link>
    <description></description>
    <pubDate>Mon, 02 Jun 2008 07:16:35 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Another link spammer]]></title>
      <link>http://securityratty.com/article/4dd72baf5933c49893c38cadde935c82</link>
      <guid>http://securityratty.com/article/4dd72baf5933c49893c38cadde935c82</guid>
      <description><![CDATA[Yet another link spammer is cluttering up my in-box. You'd think that after exposing this one, and this one, and this one, they'd know better.
The latest set of miscreants operates under the brand...]]></description>
      <content:encoded><![CDATA[<p>Yet another link spammer is cluttering up my in-box. You&#8217;d think that after exposing <a href="http://www.lightbluetouchpaper.org/2007/01/07/human-rights-and-biophysics-strange-similarities/">this one</a>, and <a href="http://www.lightbluetouchpaper.org/2007/08/30/the-interns-of-privila/">this one</a>, and <a href="http://www.lightbluetouchpaper.org/2007/12/20/fatal-wine-waiters/">this one</a>, they&#8217;d know better.</p>
<p>The latest set of miscreants operates under the brand &#8220;<a href="http://www.goodeyeforlinks.com" rel="nofollow">goodeyeforlinks.com</a>&#8221; and claim to &#8220;use white hat SEO techniques in order to get high quality, do-follow links to your website&#8221;. They also claim to be &#8220;professional&#8221; which in this case must mean you pay for their services, since sending out bulk unsolicited email is anything but professional.</p>
<p>Nevertheless, although their long term aim may indeed be to make money from legitimate, albeit foolish, businesses seeking a higher profile, the sites they have been promoting so far are anything but legitimate. In fact they&#8217;ve been fake sites covered with Google adverts (so-called &#8220;<a href="http://www.sabahan.com/2006/06/26/how-mfa-made-for-adsense-sites-make-money/">Made for AdSense</a>&#8221; (MFA) sites).</p>
<p>They started by asking me to link to &#8220;<a href="http://www.entovation.net" rel="nofollow">entovation.net</a>&#8221; which they claim is &#8220;page rank 3&#8221;. In fact it is page rank 3 (!) and a blatant copy of <a href="http://www.acentesolutions.com/">http://www.acentesolutions.com</a> which appears entirely genuine (albeit only page rank 1). They have also been promoting &#8220;<a href="http://www.poland-translation-services.com" rel="nofollow">poland-translation-services.com</a>&#8221;, which claims to be a site offering &#8220;A large team of 2,500 translators specializing in each sector, located in over 30 countries&#8221; &#8230;</p>
<p>However, this site is clearly fake as well. I haven&#8217;t tracked down where it all comes from, but much of <a href="http://poland-translation-services.com/Translate-a-Document.html" rel="nofollow">this page</a> comes from <a href="http://www.intowords.com.ar/espanol/traducciones/traducciones-de-espanol-ingles.html">this Argentinian page</a>, the text of which has been pushed through <a href="http://www.google.com/language_tools?hl=en">Google&#8217;s Spanish to English translation tools</a>&#8230;  which sadly (for example) renders </p>
<blockquote><p>
Comentarios: Se considera foja al equivalente a 500 palabras. Si el documento a traducir es menor a una foja, se lo considerará como una foja.
</p></blockquote>
<p>into </p>
<blockquote><p>
Comments: foja is considered the equivalent of 500 words. If the document is translated to a lesser foja, we will consider as a foja.
</p></blockquote>
<p>which makes the 2500 translators look more than a little bit <a href="http://www.cartoonbank.com/item/124224">foolish</a>!</p>
<p>The fake websites are hosted by <a href="http://www.euroaccess.nl/">EuroAccess Enterprises Ltd.</a> in The Netherlands (which is also where the email spam has been sent from). I&#8217;m not alone in receiving this type of email, further examples can be found <a href="http://archives.neohapsis.com/archives/openbsd/2008-09/1548.html">here</a>, and <a href="http://www.projecthoneypot.org/ip_89.248.172.66">here</a>, and <a href="http://dansdata.blogsome.com/2008/10/16/i-do-like-a-good-link-spam-in-the-morning/">here</a>, and <a href="http://avvoblog.com/2008/11/10/linkbrokers-gone-wild/">here</a>, and <a href="http://www.nabble.com/Link-exchange-with-page-rank-4--Hotel-site-td19973368.html">here</a>, and <a href="http://www.allvoices.com/contributed-news/1522559">here</a>, and even <a href="http://blogpintura.wordpress.com/#comment-5">here (in Spanish)</a>.</p>
<p>EuroAccess have a fine ticketing system for abuse complaints&#8230; so I&#8217;m able to keep track of what they&#8217;re doing about my emails drawing their attention to the fraudsters they are hosting. I am therefore fully aware that they&#8217;ve so far marked my missives as &#8220;Priority: Low&#8221;, and nothing else is recorded to have been done&#8230; However, the tickets are still &#8220;Status: Open&#8221;, so perhaps a little publicity will encourage them to reassess their prioritisation.</p>
]]></content:encoded>
      <pubDate>Sun, 23 Nov 2008 16:45:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/argentinian page">argentinian page</category>
      <category domain="http://securityratty.com/tag/page">page</category>
      <category domain="http://securityratty.com/tag/foja">foja</category>
      <category domain="http://securityratty.com/tag/lesser foja">lesser foja</category>
      <category domain="http://securityratty.com/tag/page rank">page rank</category>
      <category domain="http://securityratty.com/tag/considera foja">considera foja</category>
      <category domain="http://securityratty.com/tag/link spammer">link spammer</category>
      <category domain="http://securityratty.com/tag/link">link</category>
      <category domain="http://securityratty.com/tag/fake">fake</category>
      <source url="http://www.lightbluetouchpaper.org/2008/11/23/another-link-spammer/">Another link spammer</source>
    </item>
    <item>
      <title><![CDATA[Enhanced Domain Protection Services Emerge]]></title>
      <link>http://securityratty.com/article/7acf5055cb56782b95c8c264468b8373</link>
      <guid>http://securityratty.com/article/7acf5055cb56782b95c8c264468b8373</guid>
      <description><![CDATA[Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name...]]></description>
      <content:encoded><![CDATA[Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged.

Yesterday, Domain Name Wire revealed that <a href="http://domainnamewire.com/2008/09/23/godaddy-files-patent-for-domain-name-hijack-protection/">GoDaddy has filed for a patent for "Domain Name Hijack Protection."</a> The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative.

This application may be related to <a href="https://www.godaddy.com/gdshop/protect/landing.asp?ci=9004">GoDaddy's Protected Registration service</a>, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings.

GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or some other such reason the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you.

And thanks to <a href="http://www.domainnamenews.com/registrars/moniker-launches-domainmaxlock/2452">DomainNameNews for reporting</a> that Moniker, a registrar aimed at higher-volume domain name owners, has launched <a href="http://www.moniker.com/maxlock/">their DomainMaxLock service</a>.

DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:
<UL>
<LI>Provide a government I.D. number for verification of your identity.</LI>
<LI>Set up custom security questions and answers, further safeguarding your domain assets.</LI>
<LI>Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.</LI>
<LI>When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!</LI>
</UL>
It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99.

These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.
]]></content:encoded>
      <pubDate>Wed, 24 Sep 2008 04:23:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/standard domain lock">standard domain lock</category>
      <category domain="http://securityratty.com/tag/higher-volume domain">higher-volume domain</category>
      <category domain="http://securityratty.com/tag/domain assets">domain assets</category>
      <category domain="http://securityratty.com/tag/domain expires">domain expires</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/domainmaxlock service">domainmaxlock service</category>
      <category domain="http://securityratty.com/tag/godaddy">godaddy</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/8Vacprz_ezY/enhanced_domain_protection_services_emerge.html">Enhanced Domain Protection Services Emerge</source>
    </item>
    <item>
      <title><![CDATA[A Change of Plan For Your Spam]]></title>
      <link>http://securityratty.com/article/20c092cee1e4a4187f4915c282e35789</link>
      <guid>http://securityratty.com/article/20c092cee1e4a4187f4915c282e35789</guid>
      <description><![CDATA[Someone really has to rein me in with these titles. Anyway, you may or may not have heard that the CNN spam mails have now morphed into mails that appear to come from Msnbc.com instead. The titles of...]]></description>
      <content:encoded><![CDATA[
        Someone really has to rein me in with these titles. Anyway, you may or may not have heard that the <a href="http://blog.spywareguide.com/2008/08/cnn-daily-top-10-videos-spam.html">CNN spam mails</a> have now morphed into mails that appear to come from Msnbc.com instead. The titles of the emails are still as insane as ever:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="msb1.jpg" src="http://blog.spywareguide.com/images/msb1.jpg" class="mt-image-none" style="" height="37" width="395" /></span></div><br /> <div><br />......uh, wow. The email will take you to a fake Flash download, just like the previous efforts:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/msb2.html"><img src="http://blog.spywareguide.com/images/msb2-thumb-349x196.jpg" alt="msb2.jpg" class="mt-image-none" style="" height="196" width="349" /></a></span><br /></div></div><div><br />Obviously, they haven't gotten around to making fake Msnbc pages so for now we're still stuck with the fake CNN pages.<br /><br />An odd side-effect of these emails is that they're likely lowering subscriber numbers for CNN and Msnbc, because the emails contain genuine unsubscribe links at the bottom:<br /><br /><div align="left"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="msb3.jpg" src="http://blog.spywareguide.com/images/msb3.jpg" class="mt-image-none" style="" height="209" width="555" /></span></div><br /></div><div><br />I doubt the creators of these scam mails intended that - they're just wanting to make the mails look realistic - but I could imagine disgruntled subscribers wondering why CNN and Msnbc keep sending them these things then reaching for the "no more, please!" link...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Wed, 13 Aug 2008 11:42:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cnn spam mails">cnn spam mails</category>
      <category domain="http://securityratty.com/tag/mails">mails</category>
      <category domain="http://securityratty.com/tag/cnn">cnn</category>
      <category domain="http://securityratty.com/tag/fake cnn pages">fake cnn pages</category>
      <category domain="http://securityratty.com/tag/msnbc">msnbc</category>
      <category domain="http://securityratty.com/tag/fake msnbc pages">fake msnbc pages</category>
      <category domain="http://securityratty.com/tag/scam mails">scam mails</category>
      <category domain="http://securityratty.com/tag/genuine unsubscribe links">genuine unsubscribe links</category>
      <category domain="http://securityratty.com/tag/fake flash download">fake flash download</category>
      <source url="http://blog.spywareguide.com/2008/08/a-change-of-plan-for-your-spam.html">A Change of Plan For Your Spam</source>
    </item>
    <item>
      <title><![CDATA[CNN Custom Alerts Spam]]></title>
      <link>http://securityratty.com/article/f544d5e769f123f7cc5f3036bac72fdd</link>
      <guid>http://securityratty.com/article/f544d5e769f123f7cc5f3036bac72fdd</guid>
      <description><![CDATA[In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this... it's obvious that a huge spam wave is underway. These are, of course, related to the...]]></description>
      <content:encoded><![CDATA[
        In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this....<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="cn1.jpg" src="http://blog.spywareguide.com/images/cn1.jpg" class="mt-image-none" style="" height="137" width="193" /></span></div><br /> <div><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="cn2.jpg" src="http://blog.spywareguide.com/images/cn2.jpg" class="mt-image-none" style="" height="247" width="214" /></span></div>
<br />....it's obvious that a huge spam wave is underway. These are, of course, related to the <a href="http://blog.spywareguide.com/2008/08/cnn-daily-top-10-videos-spam.html">fake CNN Spam</a> from a few days ago. Here, the emails take the form of "custom alerts":<br /><br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/cn32.html"><img src="http://blog.spywareguide.com/images/cn3-thumb-313x179.jpg" alt="cn3.jpg" class="mt-image-none" style="" height="179" width="313" /></a></span><br /></div><br />I've seen two types of this mail - one links to a genuine CNN article from the headline text (with the smaller link underneath leading to an infection site), the other simply links to the infection site from both clickable links. As before, deleting these emails is the best course of action. Interestingly, the format of these mails might not be working to the spammers' advantage. Lots of people I've talked to who had one of these mails sent through simply deleted them without a second thought, thinking it was merely something on the real CNN they thought they'd signed up to and didn't actually want.<br /><br /></div><div><br /></div>
        
    ]]></content:encoded>
      <pubDate>Sun, 10 Aug 2008 13:28:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/links">links</category>
      <category domain="http://securityratty.com/tag/clickable links">clickable links</category>
      <category domain="http://securityratty.com/tag/simply links">simply links</category>
      <category domain="http://securityratty.com/tag/simply">simply</category>
      <category domain="http://securityratty.com/tag/custom alerts">custom alerts</category>
      <category domain="http://securityratty.com/tag/infection site">infection site</category>
      <category domain="http://securityratty.com/tag/fake cnn spam">fake cnn spam</category>
      <category domain="http://securityratty.com/tag/genuine cnn article">genuine cnn article</category>
      <category domain="http://securityratty.com/tag/huge spam wave">huge spam wave</category>
      <source url="http://blog.spywareguide.com/2008/08/cnn-custom-alerts.html">CNN Custom Alerts Spam</source>
    </item>
    <item>
      <title><![CDATA[E-Passports Can Be Hacked and Cloned in Minutes]]></title>
      <link>http://securityratty.com/article/105ebc05ca29d986171344b815ea53c9</link>
      <guid>http://securityratty.com/article/105ebc05ca29d986171344b815ea53c9</guid>
      <description><![CDATA[A computer researcher proved it by cloning the chips in two British passports and then implanting digital images of Osama bin Laden and a suicide bomber. Both passports were passed as genuine by UN...]]></description>
      <content:encoded><![CDATA[A computer researcher proved it by cloning the chips in two British passports and then implanting digital images of Osama bin Laden and a suicide bomber. Both passports were passed as genuine by UN-approved passport reader software. The entire process took less than an hour.]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 09:30:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/passports">passports</category>
      <category domain="http://securityratty.com/tag/british passports">british passports</category>
      <category domain="http://securityratty.com/tag/passport reader software">passport reader software</category>
      <category domain="http://securityratty.com/tag/osama bin">osama bin</category>
      <category domain="http://securityratty.com/tag/computer researcher">computer researcher</category>
      <category domain="http://securityratty.com/tag/digital images">digital images</category>
      <category domain="http://securityratty.com/tag/suicide bomber">suicide bomber</category>
      <category domain="http://securityratty.com/tag/entire process">entire process</category>
      <category domain="http://securityratty.com/tag/hour">hour</category>
      <source url="http://digg.com/security/E_Passports_Can_Be_Hacked_and_Cloned_in_Minutes">E-Passports Can Be Hacked and Cloned in Minutes</source>
    </item>
    <item>
      <title><![CDATA[Phishing Messages on XBox Live Network]]></title>
      <link>http://securityratty.com/article/2cd29b729c2788c0a5a83883782c45dc</link>
      <guid>http://securityratty.com/article/2cd29b729c2788c0a5a83883782c45dc</guid>
      <description><![CDATA[You may or may not have come across these before, but there seems to be a fresh set of phish messages (most likely from compromised accounts) being fired around XBox Live using the lure of free...]]></description>
      <content:encoded><![CDATA[
        You may or may not have come across these before, but there seems to be a fresh set of phish messages (most likely from compromised accounts) being fired around XBox Live using the lure of free Microsoft points as bait (gamers can use these points to buy games, amongst other things).<br /><br />Consequently, if you happen to be sent something like this by one of your contacts:<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="xbox.jpg" src="http://blog.spywareguide.com/images/xbox.jpg" class="mt-image-none" style="" height="118" width="403" /></span><br /> <div><br />...then run away very quickly. In this case, the website was made to look like a genuine login page - of course, when you entered your details you had been phished and would be returned to the real XBox page as if nothing untoward had happened.<br /><br />The phishing page above is currently offline, but may well return (and obviously it's the easiest thing in the world for the scammer behind this to simply change the URL being sent out by hijacked accounts).<br /></div>
        
    ]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 12:24:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/page">page</category>
      <category domain="http://securityratty.com/tag/real xbox page">real xbox page</category>
      <category domain="http://securityratty.com/tag/genuine login page">genuine login page</category>
      <category domain="http://securityratty.com/tag/xbox live">xbox live</category>
      <category domain="http://securityratty.com/tag/phish messages">phish messages</category>
      <category domain="http://securityratty.com/tag/fresh set">fresh set</category>
      <category domain="http://securityratty.com/tag/free microsoft">free microsoft</category>
      <category domain="http://securityratty.com/tag/accounts">accounts</category>
      <category domain="http://securityratty.com/tag/simply change">simply change</category>
      <source url="http://blog.spywareguide.com/2008/08/phishing-messages-on-xbox-live.html">Phishing Messages on XBox Live Network</source>
    </item>
    <item>
      <title><![CDATA[Certificates - secure a. identity b. encryption c. both d. neither]]></title>
      <link>http://securityratty.com/article/9118756b90589b2228e5dedb5085125c</link>
      <guid>http://securityratty.com/article/9118756b90589b2228e5dedb5085125c</guid>
      <description><![CDATA[With the release of Firefox 3.0 there has been a bit of controversy over how it handles self-signed certificates. It seems that Firefox makes it difficult to use self-signed certificates and some...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>With the release of <a class="zem_slink" title="Mozilla Firefox" href="http://www.firefox.com/" rel="homepage">Firefox 3.0</a> there has been a bit of controversy over how it handles self-signed certificates.&nbsp; It seems that Firefox makes it difficult to use self-signed certificates and some people are complaining about it.&nbsp; Here at StillSecure we use self-signed certs in our products and we had to change how we do things to make it work.&nbsp; However, there are then people like <a href="http://lauren.vortex.com/archive/000402.html">Lauren Weinstein who says that this is a step backward for Firefox</a> because it makes it harder to send encrypted traffic. While I understand that it does make it harder, I think Lauren misses the forest for the trees here.&nbsp; The <a href="http://en.wikipedia.org/wiki/Identity_certificate">whole point of certificates is to prove identity</a>. In fact they are called <a href="http://en.wikipedia.org/wiki/Identity_certificate">identity certificates</a>.&nbsp; </p>

<p>The underlying reason for certificates is to ensure that the identity of the person or entity sending it is in fact genuine. It enables the encryption function.&nbsp; In Weinstein's rant, somehow he has this bass akwards. Identity is secondary to encryption.&nbsp; He says, &quot;Firefox is now putting so much emphasis on identity confirmation&quot;.&nbsp; For good reason I say!&nbsp; If we allow the whole idea of identity certs to be subverted for ease of encryption we are opening ourselves up to a whole range of bad things like phishing attacks, man in the middle, etc. </p>

<p>I say in our fervor to encrypt everything, let's not forget the importance of trust of identity that certificates enable.&nbsp; Without that the whole system crumbles.&nbsp; Now that being said, I agree that Firefox's GUI around handling these certificates could be better. It appears to be confusing to say the least.&nbsp; But again we can fix that without sacrificing the validity of certificates.</p>

<p>I should mention that I ran some of my ideas on this issue by Joel Snyder and StillSecure's own Andrew Grealy.&nbsp; </p>

</div>
]]></content:encoded>
      <pubDate>Wed, 09 Jul 2008 04:44:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/identity">identity</category>
      <category domain="http://securityratty.com/tag/prove identity">prove identity</category>
      <category domain="http://securityratty.com/tag/identity confirmation">identity confirmation</category>
      <category domain="http://securityratty.com/tag/encryption">encryption</category>
      <category domain="http://securityratty.com/tag/identity certs">identity certs</category>
      <category domain="http://securityratty.com/tag/certs">certs</category>
      <category domain="http://securityratty.com/tag/firefox">firefox</category>
      <category domain="http://securityratty.com/tag/encryption function">encryption function</category>
      <category domain="http://securityratty.com/tag/step backward">step backward</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/07/certificates--.html">Certificates - secure a. identity b. encryption c. both d. neither</source>
    </item>
    <item>
      <title><![CDATA[1st Source Bank reissues all debit cards in response to breach]]></title>
      <link>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</link>
      <guid>http://securityratty.com/article/6badbe70f0f784d2a4c54ac1d44b88a2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/30/08

Organization
1st Source Bank

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

Types of Data
Debit card...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/1stsource.jpg" align="right" height="58" width="180"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.1stsource.com/">1st Source Bank</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Debit card information including Track 2 data contained on magnetic stripes and some PIN numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.digitaltransactions.net/newsstory.cfm?newsid=1804">Digital Transactions News</a> <br><a href="http://www.wsbt.com/news/local/19416024.html">WSBT TV News</a> <br><a href="http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20080531/News01/805310350/0/Lives">South Bend Tribune</a> <br><a href="http://www.journalgazette.net/apps/pbcs.dll/article?AID=/20080605/BIZ/806050366">The Journal Gazette</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WSBT TV News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data.<br><span style="font-style: italic;">[Evan] I wonder how many debit cards are in its "entire portfolio".&nbsp; I'm guessing that the number is in the tens of 
thousands.</span><br><br>a hacker broke into the system from the outside and compromised the system.<br><br>No fraud has been discovered as a result of the intrusion<br><br>The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. "We immediately saw that and shut it down," says Seitz.<br><span style="font-style: italic;">[Evan] It appears as though the bank employs a managed security services provider for intrusion detection monitoring and alerting (and possibly more).&nbsp; Using a third-party provider as a part of information security strategy is probably a good idea for organizations that do not have, cannot afford, or do not want to build in-house expertise.&nbsp; Managing third-party service agreements can sometimes be quite a challenge.</span><br><br>The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.<br><br>"The server that holds our debit card information they were in there and they transferred information out. But we can't really tell if it was 10, 20, or 30 percent of our card holders," said Seitz.<br><br>They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.<br><br>Exactly how the hackers tapped the server isn’t publicly known.<br><span style="font-style: italic;">[Evan] This will be determined as part of the forensic investigation, but publicly this may never be known.&nbsp; We can only speculate. The information that was compromised is very sensitive and should have never been accessible from the "outside". 
Who knows if the server was actually compromised directly or through another avenue of attack.&nbsp; See, I am speculating.&nbsp; Thankfully, the bank had detective controls in place.</span><br><br>1st Source Bank is sending out letters reminding their customers to check their recent bank account activity.<br><span style="font-style: italic;">[Evan] As people should anyway.</span><br><br>"Out of an overabundance of care, we’re reissuing new debit cards to all our customers"<br><span style="font-style: italic;">[Evan] We could argue "overabundance".</span><br><br>the bank is reissuing all cards, which are MasterCard-branded, as a precaution<br><br>1st Source also is offering customers free credit-report monitoring for a year.<br><br>He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.<br><span style="font-style: italic;">[Evan] The Visa U.S.A. Cardholder Information Security Program (CISP) "List of Compliant Service Providers - All" is </span><a style="font-style: italic;" href="http://www.usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf?it=c%7C/merchants/risk_management/cisp.html%7CCISP%20List%20of%20Compliant%20Service%20Providers">here</a><span style="font-style: italic;"> (a little different, but good information nonetheless).</span><br><br>"We are working with law enforcement to find these bad guys, and we didn't want to tip them off," said James Seitz<br><span style="font-style: italic;">[Evan] Chances are that the "bad guys" already know what they have.</span><br><br>"Our number one priority is our customers. 
We shut everything down right away and hired the best people we could get our hands on to see what happened here and to make sure it doesn't happen again," said Seitz.<br><br>1st Source began working with law enforcement and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.<br><span style="font-style: italic;">[Evan] 1st Source should be commended for not hesitating to bring in outside help.</span><br><br>It has taken a while to get all the information out about the breach, Seitz said, since the bank had to spend time going through all of its laptops and computer systems.<br><br>"You've got to understand what you have," he said.<br><span style="font-style: italic;">[Evan] A high-priority task for information security governance is to understand what you have. During an incident response is not a good time to figure out what you have.</span><br><br>Though the breach is something rather new for 1st Source, Seitz said these types of breaches seem to be hitting businesses in general more and more this day and age.<br><br>"Certainly, it's never happened to us before," Seitz said. "But it's becoming more prevalent. Daily, banks are going through this."<br><span style="font-style: italic;">[Evan] Breaches are as prevalent or more prevalent than they have ever been.&nbsp; I agree with Mr. Seitz.&nbsp; Recognizing this fact, what excuses do organizations have for not investing in and properly managing information security programs?&nbsp; I am not saying that 1st Source does not, I am writing in general terms.</span><br><br>Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach. Seitz called it a "considerable cost."<br><br>"Actually, our customers have been very understanding," he said. 
"Obviously, this is something that puts a little stress on that relationship."<br><br><span style="font-weight: bold;">Customer Reactions:</span><br>"My main worry is that my money is going to be gone tomorrow when I got to my account," said Jeremy Reinke, a 1st Source Bank customer.<br><br>"Is my money still in my account, and can they correct this so it doesn't happen again?" asked Chris Stump, another customer who hadn't heard about the May 12 security breach. "I guess in some ways I would have liked to know by now."<br><br><span style="font-weight: bold;">Commentary:</span><br>Judging from the customer comments I have read, people are concerned about the breach, but not angry with 1st Source Bank.&nbsp; I think this is because they perceive the bank's response to be open and genuine.&nbsp; The bank did employ proper controls to identify this breach early on and provided notice to customers in a timely manner.&nbsp; The fact that the bank took additional steps like re-issuing cards and providing credit monitoring only adds to the favorable perception.<br><br>I am still interested in knowing more detail around how an unauthorized outside entity was able to access this sensitive information in the first place.<br>&nbsp;&nbsp;&nbsp;&nbsp;  <br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 05:09:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/1st source">1st source</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/1st source bank">1st source bank</category>
      <category domain="http://securityratty.com/tag/evan 1st source">evan 1st source</category>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/bank server">bank server</category>
      <category domain="http://securityratty.com/tag/bank officials">bank officials</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/bank employs">bank employs</category>
      <source url="http://breachblog.com/2008/06/05/1stsource.aspx">1st Source Bank reissues all debit cards in response to breach</source>
    </item>
    <item>
      <title><![CDATA[FBI Freaks Out and Mixes Up Issues, but There Is a Valid Point in There]]></title>
      <link>http://securityratty.com/article/9e18ff09243e5c6f3a5d8c8a578696dd</link>
      <guid>http://securityratty.com/article/9e18ff09243e5c6f3a5d8c8a578696dd</guid>
      <description><![CDATA[An FBI PowerPoint deck on the threat of getting counterfeit routers and such was reportedly found via an Internet search and posted here. The FBI (allegedly) makes the case that buying counterfeit...]]></description>
      <content:encoded><![CDATA[An FBI PowerPoint deck on the <a href="http://www.cbc.ca/searchengine/blog/2008/05/post_5.html">threat of getting counterfeit routers and such was reportedly found via an Internet search</a> and posted <a href="http://www.abovetopsecret.com/forum/thread350381/pg1">here.</a> The FBI (allegedly) makes the case that buying counterfeit network gear and getting your network gear with a trojan installed by a foreign power are linked.<br />
<br />
Counterfeit gear has nothing really to do with having a backdoor installed. Having counterfeit gear can increase the likelihood of having some kind of rootkit or malware, but only in a general sense. If a foreign power wants to get you, it will do so on what looks like genuine gear in the original packaging - it doesn't need knock-off gear to do that (see the public domain examples listed in the article).<br />
<br />
Creating a homeland security nexus is a good path to funding, albeit not always a legitimate case. There are too many examples of this bad behavior to list. The deck contains a point about vendors needing to link government sales and brand protection - instead, the point should be that government sales need to link to a trusted supply path.<br />
<br />
Getting a trojan in new network gear is a big concern for very few people, and those few people may want to consider buying direct, rather than through resellers/channels.<br />
]]></content:encoded>
      <pubDate>Mon, 02 Jun 2008 07:16:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fbi">fbi</category>
      <category domain="http://securityratty.com/tag/network gear">network gear</category>
      <category domain="http://securityratty.com/tag/counterfeit network gear">counterfeit network gear</category>
      <category domain="http://securityratty.com/tag/link government sales">link government sales</category>
      <category domain="http://securityratty.com/tag/link">link</category>
      <category domain="http://securityratty.com/tag/government sales">government sales</category>
      <category domain="http://securityratty.com/tag/fbi powerpoint deck">fbi powerpoint deck</category>
      <category domain="http://securityratty.com/tag/foreign power">foreign power</category>
      <category domain="http://securityratty.com/tag/deck">deck</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=3566">FBI Freaks Out and Mixes Up Issues, but There Is a Valid Point in There</source>
    </item>
  </channel>
</rss>
