[SecurityRatty] tag: senders

Have CrackBerry, Will Travel

Thu, 25 Sep 2008 04:45:34 +0000

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt Blackberry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third party add on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training. Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive a covert surveillance program in place. Years before the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes and especially in countries such as China. Even if you train your non-specifically-targeted low level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

Spammers Successfully Avoid IP Address-Based Reputation By Using Free E-mail Providers

Fri, 18 Jul 2008 18:20:39 +0000

Roaring Penguin Software Inc. analysis shows that spam coming from top free email providers (Gmail, Yahoo Mail and Hotmail) is increasing. Three weeks of spam data research between June 13 to July 3, 2008, reveal that spammers are abusing Gmail’s privacy preserving feature of not including the sender’s original IP in outgoing emails. Spammers are increasingly [...]

Money Mule Recruiters use ASProx's Fast Fluxing Services

Fri, 18 Jul 2008 02:23:49 +0000

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc. ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information."

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk

With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail

Sun, 13 Jan 2008 21:56:47 +0000

New Video:Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail
This tutorial will show how to use GPG and the FireGPG plug-in to encrypt and decrypt messages in Gmail. GPG is an open source implementation of OpenPGP (Pretty Good Privacy) , a public-key-encryption system. With public key encryption you don’t have to give away the secret key that decrypts data for people to be able to send you messages. All senders need is the public key which can only be used to encrypt, this way the secret key never has to be sent across unsecured channels.

Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail

Sun, 13 Jan 2008 21:56:47 +0000

Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail

Sun, 13 Jan 2008 21:56:47 +0000

New Video:Using GPG/PGP/FireGPG to Encrypt and Sign Email from Gmail
This tutorial will show how to use GPG and the FireGPG plug-in to encrypt and decrypt messages in Gmail. GPG is an open source implementation of OpenPGP (Pretty Good Privacy) , a public-key-encryption system. With public key encryption you donât have to give away the secret key that decrypts data for people to be able to send you messages. All senders need is the public key which can only be used to encrypt, this way the secret key never has to be sent across unsecured channels.

FaxBox: the latest in password scams

Mon, 07 Jan 2008 15:09:34 +0000

Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:

From: Question It [mailto:question_it@fanboxapps.com]
Sent: Monday, January 07, 2008 2:34
To: Steve Riley
Subject: Ratul has asked you a question on FanBox

Ratul asked you a question. View the question and answer it.
FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.
This email was sent by Ratul while using the Question It application on FanBox. Go here to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA

For most of the well-known marketing profiling--oops, I mean social networking--sites, I've enrolled my email addresses in their opt-out mechanisms (I simply don't care about LinkedIn, Plaxo, Facebook, MySpace, and so on). But this one seemed suspicious. I don't know anyone named Ratul, and everyone who wants to ask me questions certainly knows my email address. It raised my bullshit detector.

So after a bit of foraging I found this: http://spamhuntress.com/2007/12/15/smsac-turns-into-fanbox/. Seems like the company running FaxBox got in trouble for doing this crap once before. Funny, isn't it, how you can just change your name and suddenly all your past sins evaporate! Well, not on the Internet, apparently. Your past sins can and do come back to haunt you.

When you sign up for FaxBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems). To do this, of course, FanBox needs your password. Most people, sigh, willingly supply their passwords to any seemingly innocuous service. We all know that these services really are vile disgusting filth, the very embodiment of whatever nefarious supreme being you now strongly wish would unleash itself on FaxBox and their ilk.

So in this case, I'm certainly not going to click on the link to stop receiving more emails. Rather, I'll put fanbox.com, fanboxapps.com, and while I'm at it, sms.ac in my blocked senders list. I recommend you do the same, and get the word out to your friends, too. FanBox--and anyone else who asks for your password--is evil, eeeeeevil I say.

66.1 Host Locked

Wed, 28 Nov 2007 13:13:28 +0000

Having found a static pattern for identifying a Rock Phish domain a couple of months ago in the form of the bogus "209 Host Locked" message, the Rock Phishers seems to have picked up the finding and changed the default domain message to "66.1 Host Locked" as of recently. Here are the very latest Rock Phish domains using this :

business-eb.bbt.com.4rrt.es

ntu3ot1.com

nikogonet.com

ne5oe.com

nod-for-pc.com

sparkasse.de.4rrt.es

marip.com.es

Moreover, a recently released survey results by Cloudmark, whose study into the Economics of Phishing is also worth going through, indicates that current and prospective customers of a certain brand lose trust in it, if they're exposed to phishing emails pretending to be from that brand :

The survey revealed that:

- 42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand

- 41% of those surveyed felt that their trust in a bank would be greatly reduced if they received a phishing email claiming to be from that company, compared to 40% who felt the same for an ISP, 36% for an online shopping site and 33% for a social networking site

- 26% of those surveyed feel that they are the party most responsible for protecting themselves from phishing attacks, with 23% believing their Internet Service Provider (ISP) or email service provider is the most responsible and 17% thinking that the sender’s ISP and email service provider holds the greatest responsibility

The last point is perhaps the most insightful one, given it has to do with self-awareness and responsibility, forwarding the responsibility to the provider of the email service, and best of all, seeking more responsibility in fighting outgoing phishing and spam compared to incoming one.