Wednesday, March 30, 2011

Messages from the (purported) Comodo Hacker

The purported Comodo hacker has posted a number of documents on pastebin. The hacker claims to have used API access to generate the certificates mentioned in

Comodo has also recently announced that two additional resellers were also breached.

The documents are well worth a read to understand how web based infrastructure services might be breached, and where we might expect to see attacks in the future. API accessibility and vulnerable servers make for a nasty combination when a trust based infrastructure is in play.

Monday, March 28, 2011

How to Spot a Liar

Forensic Psychology's "How To Spot A Liar" infographic is a great overview of what research shows liars do - and don't when asked questions.

Sunday, March 27, 2011

Anatomy of a Scam - Secret Shoppers

Here's a recent example of a secret shopper scam. Like many scams, this one attempts to lure people who think that accidentally receiving a secret shopper invitation is a way to free money. In the end, it is merely an attempt at identity theft - though it may also involve a fee scam as well!

If the recipient bothers to check who it is from, it purports to come from Dow Chemical, with an email address that is recruit@hsbrv.net, with a cc to david212@blumail.org. The hsbrv.net domain points back to a Betty Prevo, with an email address listing mark212@blumail.org. That sounds suspiciously like our david212 address as well. The whois results are below:

Administrative Contact:
Prevo, Betty mark212@blumail.org
1368 X W. Estes Ave
Chicago, Illinois 60626
United States
For those who are interested, that address points to an apartment building in Chicago. Interestingly, Betty Prevo apparently exists and does live in that area in Chicago, but she'd probably be interested to find out that she's running various domains.

Blumail? Well, it's a free email service that, "provides global e-mail accounts, educational content, employment needs, entrepreneurship, networking, story / experience sharing, mentoring and volunteering opportunities to youth and others who are coming online in developing countries." In this case? It's a great place for a scammer to get free email hosting. It's also a well known 419 scam domain. Blumail is a legitimate service, unlike the hsbrv.net domain we first looked at.

Now, the actual scam letter:

Hello there,

My Name is David Anderson and I am your group regional Instructor from within the USA.Henceforth you will be working with me on the completion of your Mystery Shopper's Position application. Like you already know, your weekly per assignment is $300:00 Flat for working with us and will come in payments of $300 each per assignment you complete for the company.
Note that the name actually somewhat matches the email address - that's often a missed detail for our scammers.
PAYMENT TERMS:
Your payment would be sent ($300) per assignment , Also the company is in charge of providing you with all expense money for the shopping and other expenses incurred during the course of your assignment.All the tools you will needing would be provided to you with details every week you have an assignment.

JOB Description :
1} When an assignment is given to you,You would be provided with details to execute the assignment and in a timely fashion.
2} You would be asked to visit a company or store in your area and they are mostly our competitors as a secret shopper and shop with them to know more about their sales and stock , cost sales and more details as provided by the company then report back to us with details of whatever transpired a the store. But anything you buy at the shop belongs to you,all we want is an effective/quick job and reports.
Free money, and what sounds like a somewhat reasonable reason why the company would want you to do this. The grammar is even better than most letters of this type.
ASSIGNMENT PACKET :
Before any assignment we would provide you with the resources needed {cash}Mostly our company would send you a check which you can cash and use for the assignment. Included to the check would be your assignment packet .Then we would be providing you details on here. But you follow every single information given to you as a secret shopper .
It starts to fall apart here with lines like "Then we would be providing you details on here".

And now for the meat of the scam:
KINDLY RECONFIRM YOUR INFORMATION BELOW TO PROCEED ON FIRST ASSIGNMENT:
Full Legal Name :
Full Physical Address :
City :
State :
Zip code :
Age:
Nationality :
Home and Cell # :
Present Occupation:
Email:

Thank you for reading.
Yours sincerely.
Contact Person: David Anderson
Time: 24 Hours daily by e-mail
And that's the anatomy of a secret shopper scam. A simple way to hook the gullible into providing details for identity theft.

Friday, March 18, 2011

RSA Hacked - SecurID Information Exposed

EMC's RSA division announced that they had been hacked and it appears that they're doing the right thing for their customers by telling them. From their announcement:

"Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
If you're a current SecurID customer, you'll likely want to keep track of this as further detail is released. RSA notes that they expect to release details to the community -
"As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat."
I'll post further detail as it becomes available.

Caribou and Cardkey Door Control Systems

Caribou is a proof of concept exploit application that targets cardkey systems like the prox cards that you're likely familiar with from parking lots, apartment complexes, and possibly your entry access system at your employer.

Per the site and demo:

"By providing Caribou only with the IP address of the target cardkey device, a single-button "Unlock" will access the cardkey system, unlock all available doors in sequence, allow 30 seconds for entry, and then re-lock all those same doors. Caribou has the capability of performing a brute-force of any customized security PIN used with the system."
While the proof of concept code isn't provided, the speed with which is unlocks the door indicates that the keyspace for the pin is likely relatively small, and the author provides a series of tips on securing HOA and other common spaces that use devices of this type. The most important item is the common sense (but often ignored) need to place the entry access system on a private network so that it can't be brute forced via open wireless or wired networks.

Wednesday, March 2, 2011

Android Malware in the Android Marketplace - the dangers of free

Android Police today reports that 21 applications (which have since been pulled) in the Android market, with between 50,000 and 200,000 downloads included malware, with capabilities including the rageagainstthecage or exploid root exploits, and that they upload data including "product ID, model, partner (provider?), language, country, and userI". Worse, their analysis shows the ability to self update.

Most of these apps appear to have been copies of existing apps, made available for free. This points out both the danger of the relatively open Android Market, and of uncontrolled app downloads for your users.

The original article is worth a read, and includes a list of the malware laden apps.

Tuesday, March 1, 2011

Free Mac Antivirus from Sophos

I often recommend AVG to Windows users looking for a free antivirus product, but I haven't had a good recommendation for Mac users - until now.

Sophos makes their Mac Home Edition antivirus software available for free at http://www.sophos.com/products/free-tools/free-mac-anti-virus/

Sophos has impressed me in the past, and this looks like a very nice solution for Mac users.