Category Archives: Security

Ann: AntiCSRF – Cross Site Request Forgery protection

Microsoft Developer Security MVP, Barry Dorrans has been busy preparing content for his Wrox Press book and in doing so has developed a Cross Site Request Forgery HTTP Module.

AntiCSRF slots into your web application and takes the worries away. The module automatically takes care of token generation and checking for every page on your web site, assuming it inherits from System.Web.Page and contains an ASP.NET form.

It’s worth reading Barry’s original announcement/blog post, which has some further information.


Antivirus 2009 seems to be doing the rounds…

A colleague brought his XP-based laptop into the office today. Through a quirk of fate, Antivirus 2009 had managed to install itself. It’s a pretty swish looking piece of malware that looks very much like leading anti-virus programs, even giving you the feel-good factor that it has found infected files and has cleaned them for you. It is, of course, a confidence trick, smoke and mirrors.

It’s most likely to have come from the same stable as WinAntivirus did, as noted here.

I’m repeating myself, however my advice is simple: if a web page pops up a dialog box telling you that your computer is infected and offers a free clean-up, ignore it. Never install software that offers itself via a web page pop-up, go to a reputable download site (ideally a vendor site) and download from there.

Or, if you are in any doubt, use a search engine to get some more information. Here’s what Google returns for Antivirus 2009 and here’s what Live Search returns. These results should be the first clue that Antivirus 2009 isn’t all it’s cracked up to be.

I still promote the use of these tools for cleaning up: Crap Cleaner, Spybot and HijackThis.

[Update 03/12/2008]
As part of this infection Spybot discovered Win32.TDSS, which includes a rather invasive rootkit. I used ComboFix.exe and Smitfraudfix.exe as discussed over in the Spybot forums.


Passwords alone, are not enough. Even if they were, are they hard to break?

[As quoted in the Guardian: http://www.guardian.co.uk/technology/blog/2008/nov/23/technology-letters-blogs]

Relying on a single password for more than one purpose, e.g. logging on to your web-mail, instant messaging service, Facebook, Bebo, etc. is probably very commonplace. Indeed, exposés such as Twitterank, and even its parody site TwitterAwesomeness, highlight the ease with which folks will essentially surrender their username and password. Twitterank didn’t just catch the unsuspecting Internet user, it also caught a number of people who really should have known better.

Sites that do need your Twitter username and password, such as BrightKite, use it in order to post tweets on your behalf.  In BrightKite’s case, it tweets each time you “check in” to their “where am I” service.  The check-in process involves you telling BrightKite where you are, it then sends out a Tweet telling the world.  Such sites make their intentions very clear in the Terms Of Use, Code of Conduct and Privacy pages. 

However, so did Twitterank. The site made it clear what it wanted you to believe it was doing with your username and password.  Even if you didn’t read the Twitterank terms of service or FAQ, it was embedded within the source code, as Barry Dorrans carefully points out.  The speed at which the Twitter population flocked to Twitterank suggests that were there any ulterior motives, the site would be well placed to exploit a significant portion of the Twitter accounts that it had opportunity to harvest.

Twitterank was different. It relied on our instinctive desire to be graded or ranked amongst our peers. No matter how hard we try, we’re all competitive by nature. We want to know where we stand/sit in relation to our peers. Some services, such as Twitter Grader, have managed to achieve this without the need for a Twitter password. Granted there’s only so much Twitter Grader can do, however it’s a polite service that has introduced me to a number of Twitter users in Scotland – users that I may not have discovered otherwise.

There was little indication whether a Twitterank of 100 was good or bad.  Some users reported ranks of over 200, others, as we’ve seen already, received a rank of zero.  The mathematics behind the site were reported via a comment in this blog as being “Real Math(tm)” and were comparable in accuracy to Google’s PageRank mechanism.  I’m not a mathematician so I won’t be debunking any formula, algorithm or approaches.  Well, not just yet at least.  For Twitterank to have been useful, it would need to allow us to determine whether our rank was better or worse than other Twitterankers (there it is again, I do apologise).

Twitterank didn’t really try to hide its intentions, however because of the site’s ease of use, instant gratification and rapid publicity, its uptake was huge (it trended on TweetStats and Twitter Search, and at the time of writing, continues to do so – outdoing “Obama” and “James Bond”). The publicity was part of what made it so popular – it sent out a Tweet announcing your Twitterank, including a link back to the site, thus encouraging users to discover their own ranking. In most cases, this would probably be fine, however spare a thought for the Twitter folks who received a ranking of zero – and there were many of them! Indeed, many Twitterankers (can I really get away with saying that? Too late now!) tweeted their dissatisfaction at their ranking.

Amusingly, Twitterank’s creator (@ryochiji) reported on his Twitter feed that low rankers should try again tomorrow.  Oh, so that’s how it works – everybody’s Twitterank will improve over time, that’ll work, great system, yes?  Further information may be found on the Twitterank blog, assuming WordPress haven’t deemed it necessary to close it down.

It’s not all about gullible users though
This morning, at the time of writing, a few hours after Twitterank was exposed for the social experiment that it probably is (or was), saw me reading Bruce Schneier‘s Read me first column in the Technology section of The Guardian. Bruce writes a great piece explaining how passwords don’t need to be broken per se, but that they are inherently easy to guess.

Without spoiling the article too much, assuming that you are going to read it, Bruce highlights our password selection techniques.  One such method, and one that is certainly very familiar to this writer in his corporate environment, is the keyword+appendage approach.  Users often take their child’s name, their dog’s name, etc. and add a numeric digit or two after the name, e.g. frank01 or rover12. 

Today’s processing power means that software can intelligently guess huge numbers of keyword+appendage passwords in a relatively short and acceptable period of time. Gone are the days when passwords would take days or weeks to crack. If you need more convincing, think about how long it takes the average WiFi hacker to crack your wireless router/modem WEP encryption keys. Or even your WPA encryption?

Bruce makes the suggestion of using a personal sentence as your password. Not the sentence itself, but an obfuscated version of the sentence. His example (yes I’m spoiling the original article, sorry) uses “This little piggy went to market” – it creates an obfuscated password of tlpWENT2m. Such a password would take a significant amount of time to be guessed using processing power alone. Just in case you were tempted, Bruce rightfully advises that we don’t use tlpWENT2m ourselves…oddly enough.

Increasing security, some options
With the ease with which Twitterank coaxed visitors into typing in their username and password, it seems the days of the password as a single source of authentication are numbered. We need to be considering more secure alternatives that involve “levels of authentication”. Usability is the key to widespread acceptance; any product in this space must be easy to use, and its interface must be fundamental such that selection of a secure-level authentication token requires little more effort than offering a basic-level token.

With Twitterank-like incidents becoming more common, I predict that during 2009 we will see the general acceptance and widespread uptake of authentication mechanisms such as OpenID and CardSpace (further reading here and here). You should familiarise yourself with these mechanisms because major web-sites such as Yahoo are gradually introducing them as part of their login process. Indeed, even the likes of Facebook, where you can be whoever you want to be, may have to succumb and implement a more secure user registration and identity verification process.

Beyond authentication into verification
Going beyond authentication, we need to consider verification, particularly of identity. The internet has little in the way of process that can help us confirm an individual’s authenticity and identity – how do you know that the person you are tweeting with or Facebooking is the person they say they are? Twitter had the great fake Sarah Silverman incident of October 2008. Facebook has many impersonation cases, a few of which I discuss elsewhere on this blog.

Firms, such as NetIDme are well placed to take advantage of the needs of the authentication and identity verification marketplace.  Identity verification through NetIDme processes involves a combination of stages, if you’re in the UK or US they boast a 95% “automatic verification” rate. The remaining 5%, or if you are a child, requires some form of personal contact with the NetIDme team – whether it is a fax or a phone call.  However, prior to the personal contact, you are invited to provide such things as your Driving Licence Number, National Insurance number, Social Security Number or Passport number in order for third party checks to take place.  Obviously this is much more involved and potentially more invasive than a simple username/password combination. The fact we are now able to authenticate and verify who we are, including how old we are, is a key step forward in the growth and maturity of the Internet.

And finally…
At the time of writing Twitterank is still up and running, whilst there appears to be no malicious intent on the creator’s part, the whole debacle in the social engineering space has left a bitter taste in the mouths of many people.  I am sure that no ill intent was ever on the cards, however Twitterank has proven that everybody needs to think about their own on-line security and the implications of password surrender. 

Just think what might have happened to your Twitter feed? “Ah,” you say, “but it’s just my Twitter feed, I don’t really care if somebody hacks it and owns it.”  That’s fine, but a lot of users have a single password, and that is where the problem stems from.  Identity theft often starts from the smallest thing.  I have a colleague whose identity was stolen simply because she left her name on the door bell of her previous house. The house had been sold to a gentleman who then let / rented the house.  The new tenants used the knowledge of the previous owner’s name to start off the identity theft process.  It is that simple.

I’ll leave you with advice that is mentioned elsewhere in this blog:

  1. Don’t use the same password for social networking sites and services that are more important to you such as your on-line bank or your web-mail.  If your password is harvested, as Twitterank could have done, you may find yourself compromised in more than one way.
  2. Avoid simple passwords such as “password”, “itsasecret” or “letmein”. Amazingly, during my university days somebody actually told me their password was “itsasecret”. Indeed it was…I logged in and was later accused of cracking the said password. A little trouble ensued but it was soon dropped when I explained that I had actually been given the password in the first place!
  3. Consider “upping” your levels of security with OpenID – there are plenty of providers: Yahoo, MyOpenID and NetIDme to name just a few. Any progress in this direction is good progress. Of course, you could always demand OpenID!

Safe and happy surfing!

Further reading:

Password security – even big names fail
Twitterank – celeb or peon? @t_rank

Twitterank – celeb or peon? @t_rank

my Twitterank is 9999.99 http://twitterawesomeness.com/

Just a short post to remind users to be careful with their online credentials.

Twitterank appears to have grabbed the limelight (tonight, GMT) as one such web application that relies on folks wanting to be popular…or at least find out how popular (or not) they are in comparison to some metric that ranks them over other users.

However it’s basically a user-name and password harvesting mechanism. I have a suspicion that it’s a social experiment and all those passwords that were collected will not be used for anything dodgy. Whatever the truth, in the wrong hands the possibilities are endless – here are a couple to worry you: @blowdart and @camurphy

camurphy: @blowdart @dacort – true evilness would be to post random tweets from random victims…did I just say that out loud?

blowdart: @CAMURPHY @dacort Stuff like “I’m wearing my sister’s panties”. DO IT!

If you have received a Twitterank, my advice to you is that you change your Twitter password immediately. Once you’ve done that, any other places that you use that same password for, change it there too.

A safe parody of the site can be found here, courtesy of @dacort.

There’s more here:
http://blogs.zdnet.com/collaboration/?p=163
http://mashable.com/2008/11/12/twitterrank/
http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html
http://www.guardian.co.uk/technology/blog/2008/nov/13/twitter-password-security

If you must rank yourself, check out twitter.grader.com – it doesn’t need your password to give you some feel-good factor!

Oh, @t_rank, I’m still waiting for a reply to this polite request!

Cleaning up after the WordPresz 2.6.4 incident

As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential security upgrade to version 2.6.4. At the time, I was running version 2.5.1. You’re possibly wondering why I had not already upgraded to an authentic WordPress 2.6.x release…I am after all, supposed to be setting an example. Well, a number of factors delayed the upgrade – most notably lots of travel and a few time-consuming home-life issues meant the upgrade was put on the back burner. Via The Register, Sophos picked up on the hack, classifying it as Troj/WPHack-A. I managed to record a short video of the dashboard hack; notice that I’m at WordPress 2.6.3…

That being said, a small part of me always prefers to wait a while before upgrading, i.e. I don’t like to upgrade immediately. If memory serves me, I recall a WordPress upgrade that caused me a few minor problems because I upgraded the moment it came out – it was soon followed by a further release. Anyway, I’m digressing.

Since Monday, I have upgraded to WordPress 2.6.3, twice. Naturally I used the definitive link for getting my hands on the 2.6.3 zip file. On both occasions the WordPresz 2.6.4 upgrade advice was still appearing in my dashboard. I’ve also been liaising with the good folks over at WordPress and have followed as much of their advice as I can at this stage. Huge thanks to the WordPress chaps for picking up on this issue – whilst it hasn’t affected me, I’m sure some folks have accidentally installed the fake 2.6.4 release.

My second install of 2.6.3 saw me cleaning out the various wp-admin and wp-includes folders and then FTPing a fresh 2.6.3 set of files. I then started poking around in the WordPress database – table wp_options caught my attention. Themes tend to leave a lot of fingerprints in wp_options, as do a number of plug-ins. I cleaned out around about 40% of the wp_options records that were related to themes I no longer have installed.

After further searching, I found the field dashboard_widget_options:

As you can see, the WordPresz 2.6.4 injection text, or at least part of it, is in there. In order to remove it from my dashboard, I simply removed the entire contents of the dashboard_widget_options field, i.e. its content is empty – I did not delete the entire record. WordPress was kind enough to recreate the contents of this record.

Further poking around in wp_options revealed an RSS record: rss_412e29f6467d015b137ccc293b42bdff. Its contents were familiar:

O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:4:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:11:"description";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";s:4:"link";s:21:"http://wordpresz.org/";s:7:"summary";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";}}s:7:"channel";a:7:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:4:"link";s:21:"http://wordpresz.org/";s:11:"description";s:29:"Just another WordPress weblog";s:13:"lastbuilddate";s:31:"Thu, 30 Oct 2008 02:29:53 +0000";s:4:"docs";s:34:"http://backend.userland.com/rss092";s:8:"language";s:2:"en";s:7:"tagline";s:29:"Just another WordPress weblog";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:4:"0.92";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

I elected to remove (delete) that record (rss_412e29f6467d015b137ccc293b42bdff and rss_412e29f6467d015b137ccc293b42bdff_ts – I would imagine your field names might look a little different to mine).
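As an added example (not code from the post), here is a small Python script that unserialises a cached MagpieRSS record like the one above and reports any link whose host is not one a genuine WordPress dashboard feed would reference. The sample record is a constructed, shortened version of the one quoted in the post, and the list of expected hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine WordPress dashboard feed record would be expected to reference
# (an assumption for this example; adjust to your installation).
EXPECTED_HOSTS = {"wordpress.org", "backend.userland.com"}

# Constructed sample: a shortened MagpieRSS record in the same PHP
# serialisation format as the one quoted in the post, carrying the
# wordpresz.org link that the cleanup was chasing.
SAMPLE_RECORD = (
    'O:9:"MagpieRSS":2:{'
    's:5:"items";a:1:{i:0;a:2:{'
    's:5:"title";s:43:"High risk vulnerability for WordPress users";'
    's:4:"link";s:21:"http://wordpresz.org/";}}'
    's:7:"channel";a:2:{'
    's:4:"link";s:21:"http://wordpresz.org/";'
    's:4:"docs";s:34:"http://backend.userland.com/rss092";}}'
)


def php_unserialize(data, pos=0):
    """Parse one PHP-serialised value at data[pos]; return (value, next_pos).

    Handles N, i, d, b, s, a and O. Arrays and objects become dicts; an object
    keeps its class name under the "__class__" key. String lengths are byte
    counts in PHP, so this is exact for ASCII data (the case here).
    """
    tag = data[pos]
    if tag == "N":                              # N;
        return None, pos + 2
    if tag in "idb":                            # i:42;  d:1.5;  b:1;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = {"i": int, "d": float, "b": lambda x: x == "1"}[tag](raw)
        return value, end + 1
    if tag == "s":                              # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip ':' and the opening quote
        return data[start:start + length], start + length + 2
    if tag in "aO":                             # a:<n>:{k;v...}  O:<len>:"Class":<n>:{...}
        if tag == "O":
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            class_name = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 1      # at the ':' before the member count
        else:
            class_name = None
            pos += 1                            # at the ':' before the element count
        colon = data.index(":", pos + 1)
        count = int(data[pos + 1:colon])
        pos = colon + 2                         # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        if class_name is not None:
            result["__class__"] = class_name
        return result, pos + 1                  # skip the closing '}'
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_urls(value, path="", found=None):
    """Walk the unserialised structure and collect (path, url) pairs."""
    if found is None:
        found = []
    if isinstance(value, dict):
        for key, child in value.items():
            if key != "__class__":
                find_urls(child, f"{path}/{key}", found)
    elif isinstance(value, str):
        for url in URL_RE.findall(value):
            found.append((path, url))
    return found


def suspicious_links(serialized, expected_hosts=EXPECTED_HOSTS):
    """Return (path, url) pairs whose host is not one we expect a feed to cite."""
    record, _ = php_unserialize(serialized)
    return [(path, url) for path, url in find_urls(record)
            if (urlparse(url).hostname or "").lower() not in expected_hosts]


if __name__ == "__main__":
    for path, url in suspicious_links(SAMPLE_RECORD):
        print(f"{path}: {url}")
```

Pointing suspicious_links at the value of each rss_* row in wp_options flags the wordpresz.org entries without having to read the serialised blob by eye.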

My WordPress 2.6.3 install is now looking a little healthier. However there are still a number of unanswered questions. How did the 2.6.4 information make its way into the wp_options table? Was it a WordPress or a MySQL exploit or was it something else? Has my MySQL database password been compromised in some way? What about my FTP password? Was a malicious theme responsible for this compromise? I am very close to developing a theme myself, hopefully that learning curve will help me find answers to some of these questions. Who knows the answers to these questions? Hopefully over time the truth will out, I would certainly like to know.

Whatever the case, my blog hasn’t been visibly owned as yet…I suppose time will tell. In the meantime, password changes are aplenty!

WordPresz 2.6.4 – fake?

When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:

UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.

UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a clean up for that scenario.

Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.) all the pages lead back to the front/home page.

I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.

22:26 UPDATE
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.

Item 1 – the download size is too round and is incorrect, it should be about 1.4 MB in this case.

Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

Item 3 – The real WordPress.org has a “Showcase” link included.

Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.

Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?

Whereas, WordPress.org is pretty popular with Google and has an Alexa ranking.

23:59 UPDATE
Via Clayton, this may well be part of the problem. There’s further comment on the WordPress support forum too. I’ve since upgraded to 2.6.3 via the WordPress.org download.

The moral of this story: keep on top of WordPress updates and security fixes.


Images grabbed using TechSmith‘s SnagIt – an essential tool for developers and bloggers alike. With thanks to Betsy Weber


The Fake Sarah Silverman Show @sarahsilverman @fake_sarah_silv @imKM

The Internet is awash with security issues, none more so than the social networking sites in which so many users place considerable amounts of trust and belief. Today, users can sign up on such sites as Facebook and Twitter (to name two that I use) without any form of secondary credential check, i.e. you can sign up and be whoever you want to be. Evidence of this kind of impersonation can be found in my earlier blog entry where I discussed the “celebrities” who appear to be on Facebook.

From social networking to micro-blogging, the impersonation continues. During October the Twitter community was delighted to see Stephen Fry appear in the “Twitterverse”. Our delight continued when Stephen chose to follow a vast horde of us. John Cleese enjoyed similar celebrity status. However, Stephen and John were accepted into the Twitterverse without a second thought regarding their authenticity. It didn’t take long to spot that Stephen and John were standing on the “I am who I say I am” side of the fence. Their writing style is most eloquent and is rather recognisable.

Enter Sarah Silverman…on Twitter:

I read the Twitter stream reasonably carefully, checking a few things along the way. The stream mentioned London as a destination – true – the real Sarah Silverman did a gig at the Hammersmith Apollo last Sunday. A few other things checked out. What caught my eye was the fact that she was riled by the fact that she had lost a follower…so I suggested a web-site that might help her in the future. At that point the fake @sarahsilverman started to follow me, I was 1 of 23 folks she was following. And I remained 1 of 24 folks she was following whilst her followers grew from a handful to over 600 – this is most odd and served as a clue to something fishy.

The clue trail…
There’s not much to report about the profile picture or the user-name. Over the period 23/10/2008 to 26/10/2008, @sarahsilverman used at least two profile pictures – these were probably sourced from a variety of on-line photo repositories. If there were any clues to be found in the profile picture, I didn’t spot them.

Next up, the Biography and web-site details:

This is where it gets amusing. Silverman’s TwitterJacker made every effort to make the biography as real as possible. She (or he, more about why I say this shortly) even provided a link back to the real Sarah Silverman’s “Unofficial” web-site: http://sarahsilvermanonline.com/. Ironic, but still nothing hugely obvious there – anybody could obtain this information and set it up as it was here. However, even before I started following @sarahsilverman, I had my doubts about the authenticity of the textual content and writing style. I took the liberty of questioning the authenticity of celebrities in general. This prompted a rapid change in the biography text, previously it didn’t contain the text “and omfg i’m not going to say if i’m real or not”. OK, not really clues, however the use of “i’m” is a small clue. As is the use of “not” twice – the second “not” should really be replaced with “otherwise”.

I took the bait “Leaving for a bit. again! ~ as said ~ you should follow @imKM … see… isn’t that weird.” Prior to that bait finding its way on to the fake @sarahsilverman’s Twitter stream, a request for follow @imKM had arrived via a direct message: “…twitter friend ~ imKM?” What I found interesting about this approach was @imKM’s background image. I can’t be sure, but it does look like Sarah Silverman is in the background of this photograph:

I don’t know, perhaps @imKM happened to be using the cash point ahead of the real Sarah Silverman and decided to grab a photograph? Who knows for sure? Whatever the truth, when I mentioned this to the fake @sarahsilverman in a direct message, she responded “Yes, people say Photoshop but, he corrected me. It is actually faded with “LiveQuartz”. neat huh. say. are you not following my best… “

Connected to the background image challenge, during 25/10/2008, as the truth started to unfold, this tweet was a further clue to feathers being ruffled:

@imKM needs to stop using my photoshoped image. [http://www.youtube.com/videosbykm] he set it as his background.

Still at 24/10/2008, I had confirmed that both the fake @sarahsilverman and @imKM were using Apple Macs for their tweets. Both Twitter streams exhibited over-use of the tilde character “~”. Via a direct message, I challenged the fake @sarahsilverman about the use of the tilde – oddly I am unable to lay my hands on that direct message, I can’t see it in my sent items stream. However, the fake @sarahsilverman replied: “or a creative thing”. It’s a small thing to notice, however two people who instant message each other a lot will pick up on each other’s habits. Or, a single person using two Twitter accounts will make the mistake of following the same habits.

On Sunday 26/10/2008, it became evident through a self-confession that @sarahsilverman wasn’t the real Sarah Silverman. Prior to the self-confession, a few blogs picked up on it, here and here. The @sarahsilverman feed vanished and was replaced with @fake_sarah_silv. The first truthful post announced:

“My name is Sarah Ascher, friend of @imKM; not @imKM. I am sorry. This started as a joke, I guess people can’t take it.”

For a few minutes the @fake_sarah_silv continued to use the same Twitter background. This was probably an oversight as he or she was too busy undoing the web of deceit that had unfolded so rapidly:

Very soon after the confession tweet, @fake_sarah_silv finally changed the background image:

Of course, at the time of writing, it hasn’t been confirmed that Sarah Ascher even exists. As many Twitter users predicted, @fake_sarah_silv and @imKM could be the same person. Whatever the case, it was a shameful cry to drive traffic to @imKM’s content. KM himself (we must assume that it is a he!) eventually wrote a lengthy piece attempting to distance himself from the whole quagmire. Amusingly, @imKM was rather quick to quash any thoughts that he had a crush on the real Sarah Silverman! I must admit, the crush thing was first on my thoughts once the @imKM follow request appeared – that and the fact it appeared to be Sarah Silverman in @imKM’s background image.

Anyway, not surprisingly, it seems @imKM was somewhat disturbed by some of the tweets he was receiving:

I hope your parents have a good lawyer little boy.

heaven forbid your take responsibility for your actions

I don’t imagine that this will go away in a hurry; there will probably be a few more days of fall-out whilst bloggers and Twitterers around the globe pick up on it. In the meantime, at 23:22 in the UK on 23/10/2008, @sarahsilverman is strangely still available. If the real Sarah Silverman reads this (hey, it’s possible surely?) perhaps it’s time you grabbed your presence on Twitter before somebody else does this all over again? Other micro-blogging sites are available.

Your take-away…
@imKM was attempting to drive web traffic to his blog and video site by relying on the hard work and goodwill of other folks. Whether you like the real Sarah Silverman or not, it had an effect: 600 followers for the fake @sarahsilverman within a short space of time. @imKM received a few extra followers, however now his reputation has taken a serious beating. Small mistakes, and failing to follow accepted Internet etiquette and Twitterquette led to the downfall being as rapid as it was. If @imKM was patient and exercised some care, he could have kept this charade running for weeks or months.

The moral of this blog post is still the same as it was when I wrote about impersonation last year. There are many places on the Internet where it is necessary to verify who you are and in some way prove that you are who you say you are (authenticity), however very few places actually implement them – even some of the big banks struggle to do this properly.

It’s difficult to offer any guaranteed advice that can help you spot fakes, hopefully this post provided a few things to look out for. In social networking and indeed, in micro-blogging situations, it’s always worth checking out the friends/followers of the person you are about to connect with. Take a look at the people that person connects with, do they look like the kind of people who would connect with each other?

Oh, 23:25 in the UK on 26/10/2008 and http://twitter.com/fake_sarah_silv does not exist!

Finally, it was lovely to write this blog post as if I was on first name terms with Stephen and John. I am, of course, not and I will convey my apologies to Mr Fry and Mr Cleese when I next meet them.



eCards linking to dangerous executable files…

In a previous post I mentioned that phishing and spoofing were still very much in the mainstream. There are many tricks that scammers use in order to convince the unsuspecting Internet user to part with their financial details. One such trick is to send fake e-mails inviting users to click on an “eCard”. In reality, the eCard link typically leads to a file that can be run on the victim’s computer – even though today’s modern browsers offer many levels of warning, users frequently click on Yes or OK when asked “are you really sure?”

Most such eCards are trojan horses – they lie in wait watching for useful information such as credit card details, passwords, etc. to be typed into reputable web-sites. They then capture that information and, more often than not, attempt to transmit it to a central source that is capable of making the most of stolen credit card information.

Here’s an example:

As noted in my previous posting, it’s always worth verifying the destination of any links found in e-mails (there are some good comments on that post, with tips worth heeding). However, link aside, the text of the e-mail has a few other clues that suggest it might not be authentic. Look for problems with grammar, spelling mistakes, incorrect spacing, etc. I’ve highlighted a couple in the e-mail above. Also look out for “odd” e-mail addresses that are out of character, e.g. Hallmark would never use a personal e-mail address (other card vendors are available!)

If you are feeling even more adventurous, you could take a look at the message itself. In Microsoft Outlook if you right click on an e-mail in the Inbox view, choose Message Options and you’ll see something similar to the text below:

Return-path:
Envelope-to: your.name@yourdomain.com
Delivery-date: Mon, 13 Oct 2008 15:30:19 +0100
Received: from dynamic-123-123.natpool.uc.edu ([123.137.123.123])
by pc1.yourmailhost.com with esmtp (Exim 4.69)
(envelope-from )
id 1KpOR9-0007BM-6h
for your.name@yourdomain.com; Mon, 13 Oct 2008 15:30:19 +0100
Message-ID: <09622.bamber@nolan>
Date: Mon, 13 Oct 2008 12:42:56 +0000
From: “123greetings.com”
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: “friend”
Subject: You have received an eCard
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=4.7
X-Spam-Score: 47
X-Spam-Bar: ++++
X-Spam-Flag: NO

A few things can be gleaned from the e-mail headers. Most reputable eCard web-sites wouldn’t use a client-side e-mail tool such as Thunderbird. Nor would they purport to be “123greetings.com” but actually be a personal e-mail address of a.bbbb@acccgggs.com. Similarly, “friend” isn’t something mainstream vendors would use. A closer inspection reveals that this e-mail appears to have made use of a .edu domain, i.e. an educational establishment may have been used in the transport of this particular e-mail. Indeed, it is this .edu domain that demonstrates the true nature of trojan horses – they don’t always steal your financial details, they sometimes turn your computer into an e-mail hub from which further copies of the same or similar eCard e-mail are propagated. In other words, your computer could be used to send out eCard e-mails.
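The header checks described above, as an added example that is not part of the original post: a small Python script that parses a constructed message modelled on the headers quoted here and flags the same indicators (display name versus sender domain, desktop mail client, generic recipient name, dynamic-looking originating host). The sender address is a placeholder, since the post elides it.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post.
# The sender address is a placeholder; the post does not show the real one.
RAW_ECARD = """\
Received: from dynamic-123-123.natpool.uc.edu ([123.137.123.123])
 by pc1.yourmailhost.com with esmtp (Exim 4.69)
 id 1KpOR9-0007BM-6h
 for your.name@yourdomain.com; Mon, 13 Oct 2008 15:30:19 +0100
Message-ID: <09622.bamber@nolan>
From: "123greetings.com" <sender@example.invalid>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
To: "friend" <your.name@yourdomain.com>
Subject: You have received an eCard

Hello friend, click here to view your card.
"""

DESKTOP_CLIENTS = ("thunderbird", "outlook", "apple mail")   # bulk senders don't use these
DYNAMIC_HINTS = ("dynamic", "natpool", "dhcp", "dsl", "cable")  # end-user / NAT pool hosts
GENERIC_NAMES = ("friend", "customer", "user", "member")        # no real recipient name


def ecard_indicators(raw: str) -> list:
    """Return human-readable findings for the spoofing clues discussed in the post."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims to be a domain, but the actual address lives elsewhere.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if "." in name and " " not in name and not domain.endswith(name.lower()):
        findings.append(f"From display name '{name}' does not match sender domain '{domain}'")

    # 2. A desktop mail client User-Agent is out of character for a card vendor.
    ua = str(msg.get("User-Agent", ""))
    if any(client in ua.lower() for client in DESKTOP_CLIENTS):
        findings.append(f"desktop mail client User-Agent: {ua}")

    # 3. A generic recipient name instead of the real one.
    to_name, _ = parseaddr(str(msg.get("To", "")))
    if to_name.lower() in GENERIC_NAMES:
        findings.append(f"generic recipient name '{to_name}'")

    # 4. The first hop came from a dynamic/NAT-pool host, i.e. someone's PC, not a mail server.
    for received in msg.get_all("Received", []):
        match = re.search(r"from\s+(\S+)", str(received))
        if match and any(h in match.group(1).lower() for h in DYNAMIC_HINTS):
            findings.append(f"originating host looks like an end-user machine: {match.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in ecard_indicators(RAW_ECARD):
        print("-", finding)
```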

Incidentally, this particular eCard hit my spam filter before I even saw it. However, whilst my e-mail host has good spam filtering, coupled with my local spam filter (MailWasher Pro), that doesn’t mean other e-mail hosts are doing the same; it’s still possible that an eCard could make it into your inbox.

Again, regular readers will be sucking eggs after reading this post, however these e-mails are still doing the rounds. I always find it handy having these real world examples as demonstrations when I’m explaining the less than salubrious side of the Internet to newcomers.


Spoofing and Phishing: gentle reminder with PayPal example

I meant to write about this when it first arrived in my inbox a few years ago (ahem, sorry!) It has re-surfaced after a major inbox cleaning operation, so here it is now.

With the economy taking a downturn, spoofing and phishing are on the increase again. Spoofing – web-sites are set up to look identical to reputable web-sites, thus enticing you to part with your financial details or login information for the site that is being emulated. Phishing – you might receive e-mails that attempt to convince you to part with login details, personal data, etc. Plenty has been written about spoofing and phishing, so I won’t try to re-invent the wheel here.

Anyway, here’s an example of a phishing e-mail that looks remarkably like a real PayPal e-mail, including layout and graphics. Whilst the hyperlinks in this e-mail look genuine enough, hovering the mouse over the links reveals that they don’t lead to the real PayPal web-site, but to the site of a scammer. If you clicked on one of these links, you might not notice anything untoward, as the scammer may well have done a good job spoofing the PayPal site look’n’feel.

Don’t be fooled – always check the ultimate destinations of links from e-mails. Better still, open up a browser window and physically type in the URL of the web-site that the e-mail claims to be from – in this case PayPal’s web-site. If the site in question really wants to communicate with you, there will, more often than not, be a message waiting for you when you login using the correct channels.

I realise that I’m probably teaching a lot of readers to suck eggs. Sometimes these scams need concrete examples like this for demonstration purposes. I’ve certainly used this screenshot to help folks understand the “how do you know?” process, as noted here and here.


Browser history can help determine rebuild vs clean up, but can be revealing…

Like a lot of folks in the IT industry, whether you’re a software developer or in an infrastructure/support role, I seem to find myself sorting PCs and laptops after they’ve been infected with malware, spyware and/or viruses.

It’s something that I’ve written about elsewhere in this blog: Confidence Tricks and It’s a scam, it’s a hoax, but how do you know?

Sometimes the cause can be obvious, but asking the question “have you been looking at porn?” directly can be a little awkward and embarrassing.

On one such occasion a few years ago, I knew that the PC had been used to view skin tones and the like, however I chose to ask the question anyway. The response that I got back then was a resounding “no”. This wasn’t the first time that I’d recovered this particular PC from viral infections after visits to the skin toned side of the Internet…so I wasn’t at all surprised to find the sites presented in the image below in the browser’s history. Incidentally, this is a carefully positioned view of the history list – there were some real shockers elsewhere in this history.

I suppose it helps us to see this kind of content in the history; at least we then know what we’re dealing with. If the history had been wiped, we may have wasted time trying to perform a clean up instead of a rebuild. My threshold for rebuild vs. clean up is getting a lot lower. If it can’t be cleaned up within 45-60 minutes, the unit is flattened, paved, formatted and the re-installation process starts.

A PC rebuild was the order of the day in this case.
