[SecurityRatty] tag: vary

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

10 More Dead as Drone War Over Pakistan Continues

Fri, 07 Nov 2008 12:34:00 +0000

At least 10 people are dead after the latest U.S. killer drone strike on the border region of Pakistan. Four missiles slammed into a suspected al-Qaida training camp in Kumsham village, in North Waziristan province. Casualty counts vary.

Security behavior varies by country, Cisco finds

Mon, 13 Oct 2008 20:00:00 +0000

The risks taken by employees with company data can vary by nation and culture, a Cisco study has suggested.

Mainframe Mindset

Wed, 13 Aug 2008 17:18:17 +0000

You might think a mature industry like mainframes means low growth, but IBM is still selling mainframes like hotcakes. IBM said its mainframe business rose 32% in the second quarter compared to overall sales growth of 13%. How many 1960s technologies are putting up these numbers in 2008? The reality is that what mainframes do, they do well. While some companies invest 8 figures in moving to a supposed latest and greatest ERP or CRM solution, many would be better served by putting a Web services gateway in front of the mainframe to address the mainframe's chief weakness - distribution.

From a security point of view, mainframes are interesting because they were designed for a closed environment. Their advocates generally talk about the beauty of RACF and so on, and that is all well and good until people go and put them on the web! Approaches vary, but it usually amounts to MQ Series with not authentication, sitting in front of the mainframe with a J2EE server talking to the queues. What happens then is a major shift, because the mainframe security model is designed (rightly for its time) to be focused on the resource owner (remember the R in RACF). There is a minimal effort on securing the subject, the claim and so on.

Again the mindset is fine when its your own employees in a room using a terminal, but its another thing altogether when you are integrating with a distributed system. This is where we need more focus on securing the subject and the claim, not just the resource. This is of course where new standards and technologies such as SAML and Information Cards come in. Its not enough to protect the object resource and assume a benign controlled (or controllable) subject and claim, you have to add layers of protection to the subject and claim as well.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

Open Wireless Networks on University Campuses

Thu, 31 Jul 2008 09:30:21 +0000

Open wireless networks raise privacy issues and entail increased risk of malicious attacks and illegal downloading activities. Such networks are nonetheless attractive—particularly to universities—because they enhance usability and thus expand access to nonsensitive system resources. At universities, such access brings numerous benefits to students, faculty, and the surrounding community alike. Here, the authors describe the challenges of removing individual user authentication requirements at the perimeter of a university network in which mobile device users access system resources over wireless links to the wired infrastructure. The authors discuss how to mitigate the security and privacy risks entailed in an open network of this sort, and also describe how IT departments can vary the network's degree of openness.

Metrics for security and performance in low-latency anonymity systems

Mon, 21 Jul 2008 04:16:12 +0000

In Tor, and in other similar anonymity systems, clients choose a random sequence of computers (nodes) to route their connections through. The intention is that, unless someone is watching the whole network at the same time, the tracks of each user’s communication will become hidden amongst that of others. Exactly how a client chooses nodes varies between system to system, and is important for security.

If someone is simultaneously watching a user’s traffic as it enters and leaves the network, it is possible to de-anonymise the communication. This could occur if the first and last node for a connection is controlled by the same person. Tor takes some steps to avoid this possibility e.g. no two computers on the same /16 network may be chosen for each connection. However, someone with access to several networks could circumvent this measure.

Not only is route selection critical for security, but it’s also a significant performance factor. Tor nodes vary dramatically in their capacity, mainly due to their network connections. If all nodes were chosen with equal likelihood, the slower ones would cripple the network. This is why Tor weights the selection probability for a node proportional to its contribution to the network bandwidth.

Because of the dual importance of route selection, there are a number of proposals which offer an alternative to Tor’s bandwidth-weighted algorithm. Later this week at PETS I’ll be presenting my paper, co-authored with Robert N.M. Watson, “Metrics for security and performance in low-latency anonymity systems”. In this paper, we examine several route selection algorithms and evaluate their security and performance.

Intuitively, a route selection algorithm which weights all nodes equally appears the most secure because an attacker can’t make their node count any more than the others. This has been formalized by two measures: Gini coefficient and entropy. In fact the reality is more complex — uniform node selection resists attackers with lots of bandwidth, whereas bandwidth-weighting is better against attackers with lots of nodes.

Our paper explores the probability of path compromise of different route selection algorithms, when under attack by a range of different adversaries. We find that none of the proposals are optimal against all adversaries, and so summarizing effective security in terms of a single figure is not feasible. We also model the performance of the schemes and show that bandwidth-weighting offers both low latency and high resistance to attack by bandwidth-constrained adversaries.

Compliance is critical

Tue, 15 Jul 2008 11:25:12 +0000

Compliance has been getting a bad rap lately, and I’m here to set the record straight… compliance is CRITICAL.

Now, those of you who know me are probably picking your jaws up off the floor and asking whether I’ve suffered a stroke, have started drinking heavily, or have a gun pressed to my temple by a regulator or someone from the PCI lobby. Nope. I still have my full mental facilities (such as they are), and I make the statement without duress — however…

There’s compliance, and then there’s compliance

As usual, our profession tends to not be specific in our use of terms, which sets us up for confusion, inconsistency, and a host of other problems. When I say “compliance is critical”, I don’t mean compliance with some external standard like PCI, ISO, or some hypothetical “best practice”. I mean compliance with an organization’s own policies and standards. Compliance with external standards has its place too (unfortunately), but we’ll pick that up in another post.

Think about it…

In most cases, if an organization was completely, 100% compliant with its own policies and standards, it would almost certainly have a much lower level of risk exposure than most other organizations. In fact, in many cases a 100% compliant organization would be too secure to operate effectively. In other words, the more significant problem isn’t typically a matter of how strong a policy is, it’s the variance from intended/desired state that’s described by policy.

In a perfect world…

The illustration below is intended to represent a “perfect world” condition, where all of the assets/systems/whatever are compliant with an organization’s policies/standards. It also reflects the fact that there is no perfect security, and that the organization has wisely established its policies/standards with an acceptance of some degree of vulnerability (and thus, risk).

The real world tends to be much different

The illustration below represents a more likely condition, where controls applied to a population of assets/etc. tend to vary from what policy calls for. It also reflects the effect that has on vulnerability, which in turn affects risk.

But we knew this already, right?

Yes, it’s true that 99.9% of us already know that variability exists and that it’s bad from a risk perspective — so what’s my point? My point is that variance is one of the most important risk-related metrics we have available to us. Here’s why…

As we see from the illustration above, variance from policy can be a strong indicator of an organization’s risk exposure. At the same time, it’s also a marvelous indicator of an organization’s ability to manage risk (i.e., decision making capabilities and/or the ability to execute against decisions). A little root cause analysis of a highly variant asset population can provide critical insights into what’s not working, which can lead to far more cost-effective risk management measures.

One example of where this could be applied is in the evaluation of a third party’s risk posture. Rather than send a 60 page questionnaire, why not evaluate the organization’s compliance with its own policies across a cross-section of its information risk landscape. I submit that it would provide a more accurate and useful picture of risk exposure and risk management capabilities than the typical questionnaire, at less cost/effort to both parties.

Q&A with Doug McClure: Is BSM Lite the Answer?

Mon, 14 Jul 2008 20:02:59 +0000

We had the opportunity to chat with Doug McClure, who is currently the Senior Managing Consultant for Business Service Management (BSM) and IT Service Management (ITSM) for the IBM Software Services for Tivoli (ISST) team at IBM Tivoli (part of Software Group (SWG)). He currently leads the Virtual BSM Practice within IBM Software Services for Tivoli.

ScienceLogic: What is “BSM Lite” and how is it different from “heavy” BSM?

Doug McClure: I think the concepts that Peter Sevcik from Net Forecast initially outlined in his blog post sum up what “BSM Lite” is all about: a simpler, less expensive, more responsive way of achieving the goals and objectives of Business Service Management (BSM). He’s contrasted this nicely against what he termed “BSM Heavy” being the larger investments in time and resources to deploy domain specific tools and solutions each providing a view into the business service delivery with some aggregation and consolidation to tie up all of the disparate tool’s information into a concise end-to-end business service management story.

I’m pleased that he leveraged some of my thinking around a better working definition of what BSM really is from the BSM Defined page on my blog. Of course, these definitions are going to vary depending on whom you talk with and how they see the overall BSM Maturity Model. I’ve created a BSM Maturity Model that aligns with the famous Gartner IT maturity model. I’d like to think that a “BSM Lite” solution is one attacking the low hanging fruit, enabling one to achieve value quicker, and in a more tactical manner. The “BSM Heavy” solutions are capable of the same, but span all along the BSM Maturity Model by adding additional point solutions, products and technologies from their broader portfolio.

ScienceLogic: Does “BSM Lite” just refer to the tools, or can it refer to the process and methodology as well?

Doug McClure: I think that BSM is as much a philosophy as it is technology, process, people and methodology. If we can get people to think, operate and respond differently than they do today with a focus on the business, customers, quality, revenue, or whatever else is most important to their business goals and objectives, than that is Business Service Management and could be “BSM Lite” if you will.

Being that I work for IBM Tivoli, one of my personal objectives is to identify ways to use our key BSM enabling products in a more efficient, effective and BSM centric way. This was a huge driver for trying to hold DevCampTivoli focused on “Collaborative Development of End-to-End BSM Solutions”.

In my opinion, we don’t make things very easy for our clients and the answer can’t be to “buy this product, module or widget” to fill in the gaps. In my opinion, we must establish a BSM overlay within IBM Tivoli’s development and product management organization that ensures that we have clearly thought about how to enable BSM with the hundreds or products that we sell. In my opinion, every product release must incorporate the fundamentals of enabling BSM in addition to the core domain specific functionality intended. I hope to keep this spirit alive and get our smartest IBMers and clients thinking about the best way to take a “BSM Heavy” solution and make it “lighter”. I hope to share more about my plans here and guidance for the industry in general soon.

That said, I am always interested in consulting with clients and collaborate with peers in the industry to figure out how to get the focus on the people, process and technology as key components of their BSM strategies. I am absolutely convinced that without a documented BSM strategy, roadmap and top level sponsorship within the business and IT, the chances of BSM success greatly diminish.

ScienceLogic: Given the complexities involved in implementing a BSM strategy and dealing with the people and processes components of any business, how does “BSM Lite” really work? Should the expectations and outcomes be “lite” as well?

Doug McClure: Time will tell if “BSM Lite” will work. I’m seeing emerging companies that are already breaking down some of the barriers to BSM success. I do not expect that those choosing to begin with a “BSM Lite” approach should expect “lite” outcomes.

The outcomes are the same regardless of the approach IF you’ve got a documented BSM strategy, roadmap and top level sponsorship in place before you begin. New features, capabilities and technologies will be needed as the needs of the business change and companies mature in BSM and fundamental IT management. This will likely force companies to move in more “BSM Heavy” directions to fill those gaps.

In my opinion, this is the ideal scenario now as it gives “BSM Lite” vendors opportunities to grow their products and solutions. It also GREATLY improves the chances for success with a “BSM Heavy” solution because the organization would have already had matured enough to approach a “BSM Heavy” solution than if they hadn’t done a “BSM Lite” solution in the past.

ScienceLogic: Is “BSM Lite” more appropriate for a small or midsized organization, or does it apply equally to large companies? Is there an ideal profile for a company that can successfully implement a BSM strategy? Is there a different profile for “BSM Lite”?

Doug McClure: From an economic perspective, the concepts of “BSM Lite” are appropriate for all companies. Remember, with “BSM Lite” we’re focused on identifying ways to make the goals and objectives of BSM easier to implement and in a more cost effective way. Any company concerned about their IT cost overhead should care about this, especially when the risks of starting out with a “BSM Heavy” type deployment are much greater and the time to value generally much longer.

The “ideal” profile for any company is one where the BSM initiative begins by establishing top level buy in through creation of a formal BSM strategy for the company. This BSM strategy personalizes how the company defines what BSM is, what value the company expects from it, and how it will use BSM as a competitive differentiator for delivery of its business and IT services, products, etc.

The organizational “profile” I’ve seen most successful is when implementing a BSM strategy originates from within or actively includes a group that many companies have now that serves as a liaison or relationship management role between the various lines of business and IT. Sometimes this group is often seen as the gatekeeper to filter (and hinder) business driven requirements into the IT organization. In the ideal scenario, this group works very closely with the business and IT (usually staffed by business people and not IT people) to understand both the business side and IT side of complex business services and applications.

Apart from the traditional IT components, what this group can do is help IT really understand the business perspective. Analysis of the impact on the business in business terms is only possible by collaborating with a group such as this. True value oriented BSM becomes attainable when we get to this level of IT and business alignment, cooperation, collaboration and communication.

If BSM is an IT only initiative, this will likely result in an IT centric perspective severely lacking in the necessary business perspective. In these cases where IT doesn’t invest their BSM efforts with the business as an equal partner, the implementation ultimately becomes a “CYA” tool for IT and not achieve the desired value oriented expected.

To some degree “BSM Lite” may have an entirely different profile. If we see the price points, complexity and time to value change significantly we may see these types of deployments originate exclusively within the Line of Business. The possibility may exist where large enterprises operating in a shared IT services or IT outsourcing type model that the Line of Business brings in a “BSM Lite” solution to gain the visibility, checks and balances needed to ensure that the LoB’s needs are being met from the internal/external provider. I’d envision that “BSM Lite” may even be capable of operating within a “SaaS” model or other managed service type offering where the price points are below the signing levels triggering broader IT involvement and review.

To Be Continued…

ShareThis

The 802.1X Hat-Trick

Sun, 29 Jun 2008 22:39:27 +0000

Well my recent blogging, or lack there of, may have clued you in on my recent hectic travel schedule. It’s June, and that means the end of government’s fiscal year, so we’ve been busy little bees at the office. (Read my primer on 802.1X here.)

For June, we have an 802.1X hat-trick to blame for my slack blogging habits. Over the past few weeks, I’ve had back-to-back 802.1X implementations, one wired, one wireless and one with both. Two government customers and one commercial, not in that order. And I even did one semi-training-slash-semi-implementation-quick-start for another customer.

It’s been fun, but 1X is always challenging. The variety of components, the nature of the interactions and the ‘newness’ of actual implementations make it difficult to work from any type of cookbook or implementation guide. There are just too many variables.

When will it be easier? I think as 1X is more widely implemented in the real world, customers will become more familiar with the concepts and integrators will have more experience to make it go smoothly. For now, everyone has to just take it one step at a time and address issues as they arise. And, for now, I’ll enjoy the job security that 1X offers ;)

Luckily, I’ve had the opportunity to work with a variety of customers and a variety of environments and equipment while hammering out 802.1X. The experience and exposure has certainly given me a unique insight into the issues, complications and solutions that come along with a 1X project.

At present, I think we’ve successfully configured 1X on about a dozen different types of equipment, both switches and wireless APs and controllers, from a variety of vendors. It may not sound like much, but in the world of 1X, that’s quite a variety when you consider each manufacturer has their own ‘system’ for configuring 1X and the commands and procedures can vary greatly even from product-to-product from the same vendor.

Is the 1X streak over? Not at all. We have several customers with NAC and 802.1X projects that we had to queue up for after June 30. I’ll keep you posted!

# # #