[SecurityRatty] tag: recipient

Identity-Based Encryption

Sun, 16 Nov 2008 21:00:00 +0000

Public-key cryptography offers very strong protection for electronic communications. Much of its strength comes from the use of paired keys, which are separate (but mathematically related) codes that encrypt and decrypt a message; one key is public and one is known only to the recipient.

Targeted E-Mail Attacks: The Bull's-Eye Is on You

Wed, 12 Nov 2008 21:00:00 +0000

Far more dangerous than a normal e-mail attack, targeted attacks choose a particular person as the prospective victim and tailor their message to that recipient. Since their creators craft the messages carefully (with few spelling and grammatical errors, for example), these attacks lack tell-tale indicators and thus stand a far greater chance of snaring a victim.

Pseudo Email Marketing Tools Empowering Spammers

Wed, 29 Oct 2008 16:28:30 +0000

Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the development of a DIY spamming tools, whose features greatly evolved throughout the last couple of years. Originally released in 2004, the vendor appears to have been actively improving the real-time metrics of the campaigns, next to building interactivity into the spamming process through the WYSIWYG editor.

For better or worse, despite that these applications are empowering spammers and lowering down the entry barriers into spamming, the tools have gotten largely replaced by the increasing number of managed spamming services, whose quality assurance features of bypassing spam filters act as a main differentiation factor. Here are some of this tool's features :

"- High speed distribution - 200,000 letters per hour.
- Contains an embedded SMTP server that allows you to send letters directly to the recipient's mailbox without using your provider's SMTP server.
- If you are accessing the Internet via modem, and distribution using the SMTP server, you do not fit - also allowed to send mail through any number of remote SMTP servers (relay), or via SMTP server provider.
- Support for SMTP authentication.

- Supports up to 500 concurrent streams to send to each mailing.
- Automatic caching DNS requests to speed up distribution and reducing the load on the DNS server.
- Ability to run multiple independent shots at the same time.
- Ability to suspend delivery and continue later with a point.
- All modes distribution - TO, CC, BCC and PersonalCopy. In the latter case, the program generates a personal letter to each recipient.

- Ability to specify the size of BCC package regimes TO, CC, and BCC.
- Ability to specify the TO: field for mailing regimes and CS BCC.
- Full emulation signature letters Outlook Express to increase cross-your-mails through spam filters.
- Support for distribution via a proxy server.
- Automatically detect the bad (non-existent) and not by E-Mail addresses directly in the process of distribution based on a flexible, user SMTP rules. Thanks SMTP rules achieved a very precise definition of bad addresses virtually no false positives.

- Ability to create lists of addresses, depending on the specific responses of remote servers for SMTP commands.
- Organize automatically subscribe / unsubscribe to the mailing addresses.
- Perform any processing of existing lists.
- Develop a letter to the powerful WYSIWYG Html editor.

- Automatically apply to each recipient by name, as well as paste in a letter to a specific, personalized information through powerful Mail Merge templates.

- Set the calendar to automatically launch shots at the right time.
- Quickly send out mail."

With managed spam services' on-demand, risk forwarding and completely outsourced processes, they're not only going to replace such DIY tools, but also, position them as a dynamically evolving cybercrime platforms.

Assets Good Until Reached For

Mon, 15 Sep 2008 05:41:43 +0000

A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised? Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.

Charlie Munger, as he is wont to do, went a bit further (from 2004):

I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

They have many other statements in the same direction, based on their own experience from buying companies that used deriviatives where they were unable to to unwind the books and figure out who owed who. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow ups about the present crisis

It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.

What can we learn from all this?

Well Dan Geer launched a revolution with his famous speech about risk management. He got the big picture part right on the security industry evolving into more risk management practices, however the examples we assumed that were right at the time, the financial industry are proving wrong. For one thing you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):

It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

So, yes it is about risk management, but if you build too many abstractions on top of your assets through derivative accounting and such you may find you don't have any assets when you need them. Don't fall in love with your abstractions, manage your assets.

There are some clear lessons for us in Information Security, err I mean Information Risk Management.

Margin of safety Its our job to manage risk, but this doesn't mean that we have to build layers and layer of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety. Understanding the failure modes and accounting for this in design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but on security not so much. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost effective improvements.

Don't fall in love with abstractions

If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.

Ian Grigg commented on an earlier post

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.

In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to whit, risk-based analysis? Are banks that far out of banking that they no longer have it?

So you have to remember that top down and bottom up need to be combined.

Design for failure

Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. it works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right, we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.

Keep it simple.

They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails like people signing WS-Security messages, and the recipient checks for a signature but not if they trust the signer! There are so many ways to shoot yourself in the foot in a loosely coupled systems, and we have so many abstractions layered on top of each other, part of the mantra of protecting assets has to be keeping it simple.

So that is my list, to do all these things it requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and that you not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive, a firewall and SSL are fine, a seatbelt was fine in 1935 and its still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control, they all protect the assets far better than in 1935, that's what we need to build.

Anyone can make bad assumptions (assume you know who owns what risk) and its easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for sooner or later

Scammers Avoid Spam Detection By Using Redirection In Adobe Flash Files And ImageShack.com Free Hosting

Thu, 04 Sep 2008 15:59:04 +0000

Anti-spam service MessageLabs reports a new way found by scammers to bypass anti-spam filters. This time scammers are utilizing Adobe Flash files and free websites hosting services. Spam messages with harmless-looking content contain links to Flash-based files on free image hosting services like ImageShack.com. The commands embedded in flash files redirect the recipient to sites that [...]

Don't put your foot in it, Mr. President

Fri, 15 Aug 2008 16:57:00 +0000

Watching the beginning of the Olympics, I was surprised to see the way President Bush was sitting.

The First Lady was on one side of him (thankfully) and a Chinese looking gentleman was on the other side. The President had his right foot resting on his left knee, thereby exposing his shoe sole. That is a huge "no no" in Asia and the Middle East.

As I said, thankfully the First Lady, Laura Bush was the recipient of the President's sole-waving but it made me wonder if he changed legs at a later stage and "flashed" the Chinese official. I figure it was a high ranking official or else he would hardly be sat next to the President of the United States.

What has this to do with security? It is one of the topics we teach to our budding bodyguards during our intensive Executive Protection course in the United States and abroad. You could have a very successful business meeting or trip, either overseas or at home, but ruin it by insulting (albeit unintentionally)a foreign guest. It is very important for those wroking around forein nationals to be aware of their customs and traditions.

This is not that difficult these days with all of the materials available. One of the best books I have found is; "Kiss, Bow or Shake Hands". This book and others like it, will advise the reader on the correct course of action to take when dealing with people from a host of different countries. Not that I expect the President to read the book, afterall, he must have Protocol officers to keep an eye on him. My question is, were they brought to China?

For the rest of us who are not lucky enough to have our own Protocol officers to keep us out of trouble, we'll just have to read the book.

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Money Mule Recruiters use ASProx's Fast Fluxing Services

Fri, 18 Jul 2008 02:23:49 +0000

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc. ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information."

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk

With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

Severance and personal details of GlaxoSmithKline employees exposed

Fri, 13 Jun 2008 09:10:18 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
GlaxoSmithKline

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
"more than 500"

Types of Data:
"names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts"

Breach Description:
"GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site."

Reference URL:
North West Evening Mail
Fleetwood Weekly News

Report Credit:
North West Evening Mail

Response:
From the online sources cited above:

GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site.

The emails contained information such as names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts, of more than 500 employees.
[Evan] Have you ever received or sent an email to an entire group of people on accident? It is embarrassing. Add to fact that 500+ of your co-workers were just put at risk of identity theft, and now how do you feel. Chances are greater if you use mail client programs that automatically guess the recipient after only typing a few letters. I wonder if this email was sent by a person or programmatically.

A reliable source, who wishes to remain anonymous, says GSK staff from across south and west Cumbria are up in arms.

They fear the information has been sent out to all 110,000 employees in the UK and US.
[Evan] Glaxo officials claim that this was not the case.

And some feel they could become victims of identity theft by cash-strapped workers facing redundancy.

The mails sent out all with attachments on the intranet

When they were opened up they gave details of all 540 or so workers. It had such details as their names, address, position and if they had put in for redundancy what figures they could expect.
[Evan] Wow! The redunancy (or severance) payout information adds a twist to this breach. Not only can the personal information be used for identity theft, but a person getting a larger payout can be targeted specifically. Bad.

For instance one of the bosses is getting £200,000 redundancy and then a £40,000 a year pension.
[Evan] That's a helluva payout. That's almost $400,000 and $80,000 US.

A few days after this happened a letter saying sorry was sent out to all employees.
[Evan] "Sorry" reminds me of what my children say to me when they do something they shouldn't have done.

GSK has apologised to staff, saying it regrets the incident and has made steps to make sure the breach is never repeated.
[Evan] How will GSK ensure that this breach is never repeated?

The firm claims only Ulverston workers had access to the information.

Ulverston site director Richard Pamenter say in the letter to Glaxo employees, obtained by The Evening Mail:

"I wanted to make sure you were made aware that information has been inadvertently released on both the GSK e-mail and intranet systems, which if used inappropriately, could permit access to certain personal information for staff.

"If any of these documents are used inappropriately, this could allow access to information on individuals’ date of birth, job grade, National Insurance number and home address.

"Additionally, for some staff, information on pensions, quotes and redundancy payments could be accessed. We have removed the information source from the intranet and are currently progressing the removal of documents and relevant attachments from the company email.

"We very much regret this incident has occurred and I would like to apologise unreservedly for any embarrassment or inconvenience caused."

Commentary:
This breach was not widely covered in the press and the information we know is very limited. I'm going to presume that this breach was the result of an employee mistake.

Past Breaches:
Unknown