Web-Based Email Attacks

… are rapidly becoming a serious threat. These are based largely on social engineering — so the only defense is to be alert and extremely cautious about any email you receive that is not from a well-known source like a personal friend. Brian Krebs has some analysis and practical advice:

(…) This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in a February blog post.

(…) Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

If I see any emails purporting to be from the popular services like LinkedIn, Facebook, Twitter — I just delete. I don’t even bother to scan the content. As you will see from Brian, the quality of spoofing keeps getting better – so that you have to pay very close attention to discriminate an attack email (most non-geek users cannot safely discriminate). E.g. Brian discusses the following bad news:

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look like it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on the top; the image below is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

My view is “Why bother? Just delete”. The above are examples of an escalating war mounted for profit – it is just going to get worse.

Important final note: If you use Gmail you should really consider switching to 2-step verification. With 2-step enabled you will not have to worry about a hijacked email account again (unless you give the bad guys your credentials). Brian recommends 2-step, as did we in this earlier Gmail post.

InsecureID: No more secrets?

Yikes – I thought RSA’s SecurID was um… secure. We have one of their tokens attached to our PayPal security. So this is not happy news from Bob Cringely:

Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”

Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.

Last weekend was bad for a very large U.S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

Read the whole thing »

Mac security alert: ‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

Seekerblog will be running a series of security alerts for Apple Macintosh users. The good news is that Apple’s Mac OSX sales continue to grow much faster than the market for Windows-based computers. The bad news is that we have been expecting the invasion of Mac malware to take off when Mac market penetration reaches around 10%. OSX market share isn’t at 10% yet, but the relative growth is rapid, and this is very obvious to the MBAs working for organized crime. We will not know that their return-on-investment computations have told them to put big bucks into Mac OSX attacks until the damage has already been done.

Here’s another Brian Krebs post which examines one of the first ‘script kiddie’ toolkits for Mac OSX malware.

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

(…)

Read the whole thing. Brian’s website is a good candidate for your RSS feeds to track the development of Mac security threats.

Mac security alert: Scammers Swap Google Images for Malware

Seekerblog will be running a series of security alerts for Apple Macintosh users. Security blogger Brian Krebs has an excellent description of a nasty malware attack propagated through Google image search. If you read this carefully you will see how easily many users will be tricked into inviting malware into their computers (Mac or Windows).

A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are using weaknesses in Google’s Image Search to foist malicious software on unsuspecting surfers.

For several weeks, some readers have complained that clicking on Google Images search results directed them to Web pages that pushed rogue anti-virus scareware via misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus sites. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content.

A Firefox add-on in development shows malicious images in dark red.

Google’s Image Search bots eventually will index this bogus content. If users are searching for words or phrases that rank high in the current top search terms, it is likely that thumbnails from these malicious pages will be displayed beside other legitimate results.

As SANS handler Bojan Zdrnja explains, the exploit happens when a user clicks on one of these tainted thumbnails. “This is where the ‘vulnerability’ is,” Zdrnja wrote. “The user’s browser will automatically send a request to the bad page which runs the attacker’s script. This script checks the request’s referrer field and if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script…[that] causes the browser to be redirected to another site that is serving FakeAV. Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google’s image search seems to be plagued with malicious links.”

Denis Sinegubko, a Russian malware researcher who has been studying the fake anti-virus campaigns, called this tactic “the most efficient black hat trick ever,” and said it is exceedingly easy to set up.

(…)

Read the whole thing »

How to Back Up Your Gmail Account Online

You can of course just use POP3 on your favorite mail client. I decided to create a hotmail.com mirror of each gmail account. Trueswitch.com makes it easy to do the email backups cloud to cloud. There are other “cloud backup” suggestions at Digital Inspiration.

Why should you care? See Gmail accidentally resetting accounts, years of correspondence vanish into the cloud? (update). And there are the hacking risks such as the one James Fallows reports this week. My speculation is that Deb Fallows was hacked by reverse engineering of her password. It isn’t a good idea to taunt spammers or hackers.

UPDATE: today I did a serious lockdown on our Gmail accounts using two-factor authentication. The second factor is a six-digit verification code sent to our mobiles via SMS. Google calls this 2-step verification. The implementation is very well thought out, covering practical fallbacks for your mobiles, and for applications, iOS apps, etc.

UPDATE: I have also created a cloud-to-cloud backup of Gmail via Trueswitch to a hotmail mirror address.

“Fluffy is puffy” is a secure passphrase?

Yes, according to Danish blogger Baekdal. Check out Baekdal’s extremely widely-read “The usability of passwords”.

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

This approach to passphrases looks right to me, and timely — as today I wanted to change our Gmail passphrases, prompted by James Fallows’ recent experience. Most of our critical security codes are auto-generated pseudo-random strings kept in 1Password. But for the Gmail/Google account we need credentials we can remember. Similarly for the 1Password master passphrase.

I’ve not had time to research the Fallows Gmail issue. At first I thought he was misled by email-sender spoofing, but he says not. We’ll see. Hopefully Fallows has misdiagnosed his wife’s email issue and it proves not to be a compromised Gmail account. Or if it is, the fault is with a guessable password or similar.

See his first post on 31 April for a possible cause for his problem (taunting spammers).

If you wish to torture yourself with more commentary on password security, see How I’d Hack Your Weak Passwords and Allen Ludden never got cracked, where you can get right into the equations to compute how many centuries it will take to brute-force crack your new passphrase.
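To make that computation concrete, here is an added Python example (not from this post or from the linked articles) that estimates worst-case guess counts and time-to-crack for the passwords quoted above under two attacker models: exhaustive search over the inferred character set, and a word-combination attack against a space-separated phrase. The guess rates, the 20,000-word dictionary size and the 33-character space/punctuation class are assumptions chosen for illustration.

```python
import math
import string

# Assumed attacker speeds (constructed for this example): a rate-limited online
# login form, and an offline attack on leaked hashes with a fast hash algorithm.
GUESSES_PER_SEC = {"online": 100.0, "offline": 1e10}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed size of the word list a phrase-guessing attacker would draw from.
DICTIONARY_WORDS = 20_000

def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover, inferred from the character
    classes present: lowercase, uppercase, digits, space + punctuation (33)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += 33
    return size

def brute_force_guesses(password: str) -> int:
    """Worst case for exhaustive search at the password's own length."""
    return charset_size(password) ** len(password)

def phrase_guesses(password: str, words: int = DICTIONARY_WORDS) -> int:
    """Worst case if the attacker knows it is N dictionary words joined by spaces."""
    return words ** len(password.split())

def strength(password: str) -> dict:
    """A rational attacker picks the cheaper model, so report that one."""
    guesses = brute_force_guesses(password)
    if " " in password:
        guesses = min(guesses, phrase_guesses(password))
    return {
        "guesses": guesses,
        "bits": math.log2(guesses),
        "years": {k: guesses / rate / SECONDS_PER_YEAR
                  for k, rate in GUESSES_PER_SEC.items()},
    }

if __name__ == "__main__":
    for pw in ("J4fS<2", "this is fun", "Fluffy is puffy"):
        s = strength(pw)
        print(f"{pw!r}: {s['bits']:.1f} bits, online {s['years']['online']:.3g} years, "
              f"offline {s['years']['offline']:.3g} years")
```

Under these assumed parameters the three-word phrases come out at roughly ten times the work of the six-character password; the ratio moves with the dictionary size you assume, and the offline figures show why a leaked hash database changes the picture far more than the choice between these two styles.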

The only secure password is the one you can’t remember

You need only remember one secure password – the passphrase that unlocks your password vault. This Troy Hunt essay is very worthwhile – Troy explains in detail the bad things that can and will happen to you by using the same simple passwords across all those Internet accounts.

(…) And this brings me to a neat philosophical conclusion; security is all about risk mitigation – you never actually become “secure”, you merely decrease your risk. On balance, the risk of your account details sitting out there in even a very secure website is significantly higher than having them sit there in your 1Password file.

But beyond just security, the password manager route is a very handy solution. Having all your accounts handy on all your devices and being able to simply logon with the one strong password is a very convenient route indeed.

And finally, when the time comes that you realise one of your accounts has been breached (and trust me, it will come), it’s no good thinking about password security then – it’s too late. So put aside a few hours one afternoon, spend just a few dollars and get yourself organised. Either that or start developing a taste for acai berries!

Troy recommends the same solution we prefer, 1Password on Dropbox. For that solution you need two strong passwords, one each for Dropbox and your 1Password file. Then all your very-strong-passwords are available to you on all your devices (computers, smartphones, iPads, …).

How to keep your customers safe at your business' hotspot

Glenn Fleishman’s short ars technica article on wireless security will help the growing number of businesses that offer free WiFi. These networks can be easily secured from common attacks without administrative headaches.

Public WiFi is insecure. But it doesn’t have to be. If you own or manage a venue, like a coffeeshop or restaurant, and provide free and open WiFi, you can help protect your customers without having to provide technical support or waste money. The new reality is that you can offer “open” access without having an open network.

Set your network to WPA with an easy to remember/type password (like wireless). That will stop the Firesheep hacks and make your customers like you even more.

How secure is your computer: not as good as you think

Bruce Schneier has an excellent article on how passwords are cracked. Much of the content relates to the techniques used by AccessData, a company that sells Password Recovery Toolkit, or PRTK.

…So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK’s dictionary list — the seven-character phonetic pattern dictionary — together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in. (PRTK can test only 900 Password Safe 3.0 passwords per second.)
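As an added example (not Schneier’s or AccessData’s code), the following Python check models the root-plus-appendage structure the article describes: it strips leading and trailing digits and symbols, undoes the common symbol-for-letter substitutions, and looks the remaining root up in a word list, so a password policy can reject candidates that a dictionary-plus-appendage pass would recover quickly. The root list and substitution table are small constructed stand-ins for real cracker dictionaries.

```python
import string

# Constructed stand-in for a real root dictionary (real ones run to millions of entries).
ROOTS = {"password", "fluffy", "seeker", "monkey", "dragon", "letmein"}
# Common symbol/digit-for-letter substitutions that crackers undo before lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})
# Characters that form the 'appendages' a cracker enumerates separately from the root.
APPENDAGE_CHARS = string.digits + string.punctuation

def split_root(password: str) -> tuple:
    """Split into (prefix, root, suffix): prefix and suffix are the runs of
    digits/symbols at either end, root is whatever alphabetic core remains."""
    core = password.strip(APPENDAGE_CHARS)
    if not core:  # nothing but digits/symbols: there is no root at all
        return "", "", password
    start = password.index(core)
    return password[:start], core, password[start + len(core):]

def normalize(root: str) -> str:
    """Undo substitutions and case so 'P@ssw0rd' collapses to 'password'."""
    return root.translate(SUBSTITUTIONS).lower()

def check(password: str) -> dict:
    """Report whether the password reduces to a dictionary root plus appendages.
    Digits or case changes inserted in the middle of the root survive
    normalization, which is exactly why the article recommends them."""
    prefix, root, suffix = split_root(password)
    canonical = normalize(root)
    weak = (not root) or canonical in ROOTS
    return {"weak": weak, "root": canonical, "prefix": prefix, "suffix": suffix}

if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Fluffy2011", "paSS4word", "##dragon99"):
        print(pw, check(pw))
```

This models only the substitution-and-appendage pass described above; a real policy check would pair it with a large word list and the other transformations a recovery tool applies.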

PRTK seems to be Windows-only and application-specific. That raises at least one question: if you are protecting an Apple Mac OS X computer, what is the most dangerous software that can be used to attack it?
