Microsoft Releases Public Beta of IE 7
Tuesday, January 31st, 2006
Internet Explorer 7 is a long-awaited browser with promised new features such as anti-phishing protection. The Beta can be downloaded here.
ChoicePoint Inc. will pay $15 million to settle charges that it failed to protect consumers’ personal information, the Federal Trade Commission announced Thursday. It is the largest civil penalty over data security in the agency’s history.
More at MSNBC
Jeffrey Brett Goodin, 45, has been charged with allegedly mass-mailing AOL customers while claiming to be from the AOL billing department. If convicted, Goodin could spend 30 years in prison.
The story is at http://www.techweb.com/showArticle.jhtml?articleId=177104450
An automated method of fighting phishing - phishfighting.com
A while ago I was thinking that someone should create a way to bombard or sabotage a phisher's drop site with loads of randomly created false data. Just when I started to think that I had really thought of something entirely revolutionary… well, I found that someone else has already thought of it.
www.PhishFighting.com, developed by Robin Grimes, is a very noble attempt at employing the public at large with the task of fighting phishers. With currently 5,271,683 fake entries to 17,305 URLs, I imagine it could be quite difficult for any phisher to sift through all the junk data trying to find his real victims.
The site basically works like this:
1. Enter the phisher's URL
2. Click go
3. Watch the site appear with the false data automatically entered
4. Data gets submitted and the process repeats every twenty seconds
I've tried the site and I was quite impressed, although not everyone is as enthusiastic about it as I was when I found it. Various blog write-ups have picked it apart and found ethical faults with the idea of what this site is trying to do. But I say give the guy a break; it's obviously a work in progress and I think he's on to something of a worthy cause.
-GK
The Register has a story covering the release of IBM’s 2005 Global Business Security Index report, stating that “Global malware outbreaks decreased last year only to be replaced by smaller scale, stealthier attacks targeted at specific organisations or individuals, and designed to extract sensitive information. Financial gain has become the number one motive for hackers.”
IBM also predicts that in 2006 “Criminals will focus their efforts on convincing end users to execute the attack instead of wasting time in lengthy software vulnerability discovery.”
The story from The Register can be found here and another good review of the report from Technology News Daily can be found here.
From SearchOpenSource
Phishers may not have won the game, but they’re definitely trammeling their opponents’ defenses, says Phishing Exposed (Syngress Publishing) author Lance James. James is the chief technology officer for Secure Science Corp., in San Diego, Calif. In this interview, he describes security failures and new anti-phishing weapons and justifies his book’s exposure of vendors’ security holes.
Are there any open source tools that help combat phishing?
James: Short answer, yes. WiKID Systems Inc. has an open source, two-factor authentication system that helps with aspects of phishing.
Long answer, yes and no. I believe people have written software that is supposed to help, but the rapid evolution [of phishing] requires in-depth, security solutions. That has yet to be seen in the open source world. There is no silver bullet for phishing.
In Chapter 5, “The Dark Side of the Web,” you mention that patches are only a cover-up for poor Web development practices. What are some examples of the latter, and what basic common-sense precautions can a user take to prevent these mistakes?
James: Follow the Comprehensive Lightweight Application Security Process or some similar framework for all operations of the software development lifecycle. If you can’t build a strong foundation, no matter how much patching you do, you’ll always keep doing that till the house just falls apart, eventually. Establish a security process from the beginning of your design phase.
SSL’s (Secure Sockets Layer’s) threat model is bad for the online banking scheme because it doesn’t address proper systems of trust to people who understand what trust is. Does a home user know what an SSL fingerprint is? No, of course not. That means that SSL was approved, deciding that that wasn’t important. Well, it is now with all this phishing going on, now, isn’t it?
How do you tell the difference between genuine software fix-its and patches masked as malware, such as a faux Red Hat patch?
James: You don’t. Trust is relative. Look at Sony and their rootkit problem. We all know Sony by name, but now we’re seeing they put a rootkit in there. [In its most basic form, a rootkit aims to disguise the presence or activities of a person or process on a target host while providing surreptitious access for later re-entry.] Validation services may help, but as I said in my book, browsing the Web is blind faith.
How do you establish trust? That [requires a] combination of trust metrics, cryptography, out-of-band communication and secure robust technology.
What are some two-factor authentication methods? How feasible or practical is this kind of setup?
James: Two-factor is coming out of the gate rather slowly. Malware will defeat it, and phishers have been using malware quite a bit now. The concept of two-factor is something you have and something you know. Your ATM card and PIN code is a two-factor authentication — and, as you might have noticed, the ATM part of your card doesn't seem to get compromised too often. The failure with that card is it usually acts as a credit card number as well.
The newer two-factor auths are designed to be moveable RSA SecurID changes, thus the session gives limited access to an attacker. The RSA SecurID token — which is a 26 bit number that is appended to your password — rotates every 20 seconds, all the way up to a minute optionally.
RSA is not perfect. It’s a good start. But getting banks to deploy this to their customers doesn’t make sense. Banks don’t want to lose their customer base by adding yet another confusing thing to the already existing online banking. It’s a hard sale.
In your book, you describe exploitations of vendor vulnerabilities. Though vendors were notified of the breaches, some would claim that this crosses an ethical line. How would you respond to this?
James: Well, if they have decided not to adhere to the advisories they were given, what do I do? I believe it’s OK to apply pressure to a vendor to get them to do their actual job of protecting their customers. It’s the same as Bugtraq; in most cases, you report it to the vendor and hope they fix it and then release it. This book publicizes the vulnerabilities. I’m sure the vendors will be fixing them, if they haven’t. It’s better they were notified by someone doing good, rather than finding out in a phishing attack and possibly losing some of their customer base due to lack of confidence in their security.
What are the most effective ways to defend against phishing?
James: Common sense is the answer; but it’s not perfect. The standard answer is make sure you’re not running Windows 98 or ME, keep your 2000/XP boxes up to date. Trust your instincts. If an e-mail feels suspicious, don’t click on it. Run protective software that assists with keeping an eye on suspect e-mail. Keep your antivirus [program] up to date.
The truth of the matter is that users can’t prevent [phishing], because the ones that get hit never knew what the problem was in the first place. So, the problem can’t be dramatically reduced from their end.
Secondly, the attacks are getting way more sophisticated. Take a look at the recent .WMF exploit that is out there. A week goes by, and Microsoft just got a patch going. That’s a week where phishers probably made a lot of money, being that it’s a phisher that designed the exploit in the first place.
Demand that vendors, such as banks and e-commerce [firms], start getting smarter about phishing! They can reduce the e-mails they send that look like phishing e-mails. Something similar to eBay’s MyInbox is a great start. They should audit their Web sites for content and vulnerabilities that may lend a hand to a phisher. Stop reacting. Get proactive.
Here’s an interesting event going on from CSRRT-LU:
Sometime ago, we made the [[Honeylux]] contest and it was a very funny
and interesting contest. Now inside various projects at CSRRT-LU, we
are collecting a lot of undefined malware. We would like to give the
ability to all the people that are interested to better understand
what malware is doing. So if you want to give a try and maybe
win… just pick the following files and read the very basic rules.
=== The malware to be analyzed ===
* Files X
http://www.csrrt.org.lu/wiki/mlcontest/edb2ade8bca0a6b82b9d160ca40db8e5
- Checksum MD5 edb2ade8bca0a6b82b9d160ca40db8e5 (from automatic
malware collection filename)
* Files Y
http://www.csrrt.org.lu/wiki/mlcontest/21dad79747a3293293366fe5234575eb
- Checksum MD5 21dad79747a3293293366fe5234575eb (from automatic
malware collection filename)
* Files Z
http://www.csrrt.org.lu/wiki/mlcontest/76d49cddb57ff0703db82158e900f245
- Checksum MD5 76d49cddb57ff0703db82158e900f245 (from a Luxembourgish
Honeynet)
=== Rules ===
You are free to use whatever tools or techniques you like, provided
that the jury is able to really interpret your results. Provide also
the name of the tools you used and how you used them. Nonetheless you
should explain your tools and techniques in your analysis and cite
references to resources to allow others to learn by example.
You can enter submissions as a team but there will only be one prize
given to the team, so up to you then to decide how you share the
prize. :-))
All submissions must be timestamped prior to 15 May 2006 00:00 CET.
Submissions must be sent to malwarecontest@csrrt.org
Entries must be written in English.
'''Please keep in mind that the files are malware so great care must
be followed when analyzing.'''
=== CSRRT-LU ===
CSRRT-LU is a computer security research and response team association
located in the Grand Duchy of Luxembourg. CSRRT-LU engages in
advanced computer security development and research projects in order
to increase security awareness and advancement especially in
Luxembourg but also on an international level. CSRRT-LU is in close
partnership with research institutes, the industrial sector and
governmental institutions.
CSRRT-LU provides a cooperative and virtual organization for working
with individuals, groups and industries. Everybody is welcome to
participate in the various research projects in computer
security. Please check the participation page for more information on
how to help.
CSRRT-LU is also organizing the hack.lu conference.
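The announcement lists each sample by its MD5 and notes that the collection file name is that checksum. Before analyzing anything, a practitioner confirms the download matches the listed hash and stores it so it cannot run or be altered by accident. The block below is an added example for this page, not CSRRT-LU's code or part of the contest; the three hashes are the ones listed above, and the file it creates is a constructed byte string, not a sample.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Checksums exactly as listed in the CSRRT-LU announcement, keyed by MD5.
EXPECTED_MD5 = {
    "edb2ade8bca0a6b82b9d160ca40db8e5": "Files X (automatic malware collection)",
    "21dad79747a3293293366fe5234575eb": "Files Y (automatic malware collection)",
    "76d49cddb57ff0703db82158e900f245": "Files Z (Luxembourgish Honeynet)",
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_hex_file(path, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, streamed in chunks so large samples do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sample(path) -> dict:
    """Report whether the file name matches its content hash (the collection's
    naming rule), whether the hash is on the contest list, and whether any
    execute bit is set on the stored copy."""
    p = Path(path)
    actual = md5_hex_file(p)
    mode = p.stat().st_mode
    return {
        "actual_md5": actual,
        "name_matches_content": p.name.lower() == actual,
        "listed_as": EXPECTED_MD5.get(actual),
        "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
    }


def quarantine(path) -> None:
    """Leave only owner-read: the sample can be hashed and inspected but not
    executed or modified without an explicit mode change."""
    os.chmod(path, stat.S_IRUSR)


def demo() -> dict:
    """Constructed placeholder (not malware) saved under its own MD5 as name,
    quarantined, then checked. Returns the check_sample() report."""
    data = b"constructed placeholder bytes, not a real sample"
    workdir = tempfile.mkdtemp()
    path = Path(workdir) / md5_hex(data)
    path.write_bytes(data)
    quarantine(path)
    return check_sample(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

MD5 is fine as a catalogue identifier for matching a download against the list, but since chosen-prefix collisions for MD5 have been public since 2004 it should not be treated as proof that two files with the same digest are the same sample; record a SHA-256 alongside it in your own notes.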
For all those who may write two versions of a document: 1) Nice and juicy with lots of toppings, including pepperoni, olives, mushrooms, and pineapple and 2) the sanitized version that is vegetarian with no toppings, a plain old cheese pizza, this NSA guide to redacting documents may be something for you.
InternetNews.com directs readers to Fiberlink Communications' free on-demand video “Anatomy of a Hack”, which aims to show CIOs and CSOs the risks that threaten mobile workers every day. InternetNews.com's David Needle writes, “The ‘Anatomy of a Hack’ video shows some of the techniques, skills and tools used by hackers to exploit vulnerabilities on mobile, notebook computers in order to gain access to corporate systems.”
Story here:
Security Tips From ‘Anatomy of a Hack’
InternetNews.com (01/03/2006) By David Needle
Jeanson James Ancheta, an indicted botnet programmer and spammer, has pleaded guilty to multiple charges. The original indictment papers can be found here.
An article on News.com discusses how Yahoo! is spreading consumer miseducation for updates regarding the Yahoo! Mail subscription. Combine that with known vulnerabilities on their website, and this could be heading for disaster.
Yes, click on that vulnerable link and log in - it will only take you back to here! Can we say Session Riding!
A detailed forensic case of phishing, botnets and fraud, written by Michael Hale Ligh of mnin.org and Matt Richard of mullingsecurity.com. Also available are Parts 1 and 2.
A public service website (a blog, really…) that offers users some advice and tips on how to avoid being scammed when buying and selling online, through eBay, classified sites and buy-and-sell forums.
The website captures the names and email addresses of the fraudsters (mostly from Nigeria) and explains the various methods used in their attempts to steal your goods, and your money.
http://www.fraudalerts.ca
Please visit!
According to data collected by the Anti-Phishing Working Group (APWG), a collection of over 2,000 companies, banks, ISPs, and government agencies, 16,882 unique phishing attacks were reported in November. That was a 6.7 percent increase over October’s 15,820 attacks, the previous record… more of the story here.
It appears that Microsoft is commending Bulgarian law enforcement for the collaboration that led to the arrests of 8 members of an organized phishing group. The story can be found at http://www.linuxelectrons.com/article.php/20060121203119404.