<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;AkUGRns6eCp7ImA9WhdTEU8.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000</id><updated>2011-07-08T13:30:27.510+01:00</updated><category term="Policy" /><category term="Technical" /><category term="Phishing" /><category term="SPAM" /><category term="Musings" /><category term="Web Threats" /><category term="Educational" /><category term="Hacked Sites" /><category term="Doom and Gloom" /><category term="SANS" /><category term="Social Engineering" /><category term="Security" /><category term="Fun" /><category term="Mobile Devices" /><category term="Malware" /><category term="Travel" /><category term="Conference" /><category term="Scams" /><category term="NUWAR" /><category term="Tools" /><category term="TM" /><category term="Publications" /><category term="Hacking" /><category term="XSS" /><category term="WiFi" /><title>Robert McArdle - Info Security / AV / Inane Ramblings</title><subtitle type="html">Contains approximately 10% of your RDA of Information Security!</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://robertmcardle.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>65</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/RobertMcardle-InfoSecurity/Av/InaneRamblings" /><feedburner:info uri="robertmcardle-infosecurity/av/inaneramblings" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;AkUEQnY9eyp7ImA9WhZWF0Q.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-4000466060622188444</id><published>2011-05-19T10:43:00.000+01:00</published><updated>2011-05-19T10:43:23.863+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-19T10:43:23.863+01:00</app:edited><title>Sony think I'm a customer, apparently</title><content type="html">This morning I opened my gmail inbox to find quite an unusual email - one from Sony apologizing for the recent hack, and requesting me to reset my password.&lt;br /&gt;
&lt;br /&gt;
That would be all well and good with one small issue. I'm not a Sony customer. Never have been, not really intending to be anytime soon. I've never owned a Playstation, or any of their online titles that might make me a "customer". The only thing that I can possibly think of is that I have bought some LucasArts titles in the past - which Sony also have an interest in - regardless of that though, I have never had an account on their site.&lt;br /&gt;
&lt;br /&gt;
My initial thought was that this was a scam - but all of the links in the email seem to check out, as do the email headers. Perhaps I'm missing something though - so I'm posting the original email below. If you can tell me what's going on here - I'd love to hear your opinion.&lt;br /&gt;
&lt;br /&gt;
I also went to the site and asked them to send me my username, and reset my old password. With that done I gained access to "my" account. There is no history of me buying anything from them, and under subscriptions I have 3 inactive ones for Free Realms, Star Wars Clone Wars, and Pirates of the Burning Sea - none of which I have ever played or purchased.&lt;br /&gt;
&lt;br /&gt;
My best guess is that my account details for some other service were passed on to Sony at some point in the past. Nice to know that even though I have never ventured near their site, they were nice enough to allow my email and an associated password to be compromised. Now obviously I use completely different passwords for every site, so that's not an issue, but still it's a bit creepy (good old Ironkey - even I can't remember my passwords - one of my forum passwords is Ge0Q&amp;amp;f8VH#g7%Z4wqOB9s~2W*6EId$F5^CN1@SYx!3vn$Kkp~4MD~oLR9mJX0aUA4@PTuj@1rhR&amp;amp;7l^QW5cUF3!ZZ5!ZDib8!E0 apparently :) )&lt;br /&gt;
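&lt;br /&gt;
The headers quoted below can be checked mechanically rather than by eye. What follows is an added Python example, not part of the original post and not Sony's or Google's tooling: it takes the authentication and tracking headers as quoted below (addresses given without their angle brackets, and the DKIM bh= and b= values left out, since nothing here re-verifies the signature itself), confirms that Gmail's spf=pass and dkim=pass actually refer to the domains shown in the Return-Path and From headers and to the IP that delivered the message, and decodes the base64 tokens in X-SMFBL and the tracking pixel URL to see what the mailing system recorded about the recipient. The field order assumed for X-MailingID is inferred from the decoded token and is an assumption, not documented StrongMail behaviour.&lt;br /&gt;

```python
import base64
import re
from urllib.parse import parse_qs

# Header values copied from the message quoted below. Addresses are given without
# their angle brackets, and the DKIM bh= and b= values are left out: nothing here
# re-verifies the signature (that needs the sm._domainkey.soe.sony.com key and the
# original body); the code only checks what Gmail reported and whether it lines up.
HEADERS = {
    "Return-Path": "bounces@soe.com",
    "Received": "from mx2.soe.com (mx2.soe.com [64.37.148.156]) by mx.google.com "
                "with ESMTP id z27si5054362ibz.40.2011.05.18.16.58.28;",
    "Received-SPF": "pass (google.com: domain of bounces@soe.com designates "
                    "64.37.148.156 as permitted sender) client-ip=64.37.148.156;",
    "Authentication-Results": "mx.google.com; spf=pass (google.com: domain of "
                              "bounces@soe.com designates 64.37.148.156 as permitted "
                              "sender) smtp.mail=bounces@soe.com; "
                              "dkim=pass header.i=@soe.sony.com",
    "DKIM-Signature": "v=1; a=rsa-sha1; c=simple; d=soe.sony.com; s=sm; "
                      "i=@soe.sony.com; h=Content-Disposition:Content-Transfer-Encoding:"
                      "Content-Type:Reply-To:MIME-Version:Message-ID:Subject:Date:To:From",
    "From": '"Sony Online Entertainment" info@soe.sony.com',
    "Message-ID": "1223562088.179315@soe.sony.com",
    "X-MailingID": "1223562088::4721::4310::4617::179315::179315",
    "X-SMFBL": "cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20=",
}
# The 1x1 tracking pixel from the top of the HTML body.
PIXEL_URL = ("http://email.soe.com:80/track?enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcm"
             "ZGF0YWJhc2VpZD00MzEwJnR5cGU9b3BlbiZzZXJpYWw9MTIyMzU2MjA4OCZlbWFpbGlkPXJvYmVy"
             "dG1jYXJkbGVAZ21haWwuY29tJnVzZXJpZD0xNzkzMTUmZXh0cmE9JiYm")


def parse_auth_results(value):
    """Parse an Authentication-Results header into {method: (result, {prop: value})}."""
    stripped = re.sub(r"\([^)]*\)", "", value)  # drop the human-readable comments
    clauses = [c.strip() for c in stripped.split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (mx.google.com)
        if not clause:
            continue
        tokens = clause.split()
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:])
        results[method] = (result, props)
    return results


def tag_list(value):
    """Parse a DKIM-Signature style 'tag=value; tag=value' list."""
    return dict(part.strip().split("=", 1) for part in value.split(";") if part.strip())


def from_address(value):
    """First address-like token in a From header, with or without angle brackets."""
    return re.search(r"[\w.+-]+@[\w.-]+", value).group(0)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def assess(headers):
    """Check that Gmail's spf=pass / dkim=pass refer to the domains the reader sees."""
    auth = parse_auth_results(headers["Authentication-Results"])
    dkim = tag_list(headers["DKIM-Signature"])
    from_dom = domain_of(from_address(headers["From"]))
    spf_result, spf_props = auth["spf"]
    dkim_result, dkim_props = auth["dkim"]
    envelope_dom = domain_of(spf_props["smtp.mail"])
    signer_dom = dkim["d"].lower()
    spf_ip = re.search(r"client-ip=([\d.]+)", headers["Received-SPF"]).group(1)
    received_ip = re.search(r"\[([\d.]+)\]", headers["Received"]).group(1)
    return {
        # SPF vouches only for the envelope sender, and only if the IP Gmail
        # evaluated is the one that actually handed the message to mx.google.com.
        "spf_pass": spf_result == "pass"
                    and envelope_dom == domain_of(headers["Return-Path"])
                    and spf_ip == received_ip,
        # DKIM vouches for the signing domain d=; header.i must sit inside it.
        "dkim_pass": dkim_result == "pass"
                     and dkim_props["header.i"].endswith("@" + signer_dom),
        # Alignment: is the authenticated domain the From: domain the reader sees?
        # Here only DKIM aligns; SPF covers soe.com, not soe.sony.com.
        "dkim_aligned_with_from": signer_dom == from_dom,
        "spf_aligned_with_from": envelope_dom == from_dom,
    }


def decode_tracking_token(b64):
    """Decode a StrongMail 'enid' token: base64 over a query string."""
    raw = base64.b64decode(b64).decode("ascii")
    # parse_qs drops the empty 'extra=' field and the trailing empty pairs.
    return {k: v[0] for k, v in parse_qs(raw).items()}


def tracking_ids(headers, pixel_url):
    """Decode the tracking identifiers and cross-check them against each other."""
    # Pull the token out by regex rather than parse_qs on the URL: a '+' inside
    # base64 would otherwise be turned into a space before decoding.
    enid = re.search(r"enid=([A-Za-z0-9+/=]+)", pixel_url).group(1)
    token = decode_tracking_token(enid)
    recipient = base64.b64decode(headers["X-SMFBL"]).decode("ascii")
    # Field order of X-MailingID is inferred from the decoded token (assumption).
    serial, mailing, database, message, user, _ = headers["X-MailingID"].split("::")
    msgid_serial, msgid_user = headers["Message-ID"].split("@")[0].split(".")
    consistent = (token["serial"] == serial == msgid_serial
                  and token["userid"] == user == msgid_user
                  and token["mailingid"] == mailing
                  and token["databaseid"] == database
                  and token["messageid"] == message
                  and token["emailid"] == recipient)
    return token, recipient, consistent


if __name__ == "__main__":
    for name, ok in assess(HEADERS).items():
        print(name, ok)
    tok, rcpt, same = tracking_ids(HEADERS, PIXEL_URL)
    print("recipient:", rcpt, "| token:", tok, "| ids consistent:", same)
```

Two things the output makes explicit that a glance at "spf=pass" does not: SPF here vouches for bounces@soe.com, which is not the domain in the From header, so it is the DKIM d=soe.sony.com signature that ties the visible sender to the signer (the alignment rule that DMARC later formalised); and the open-tracking token, the X-SMFBL header, the X-MailingID and the Message-ID all carry the same serial and user id, with the recipient address embedded in the token, which is what you would expect from the vendor's own bulk mailer rather than a hand-built phish. None of this says anything about whether an account should exist for that address in the first place - it only shows the mail was sent to an address already sitting in SOE's database under user id 179315.&lt;br /&gt;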
&lt;br /&gt;
Here's the email - opinions welcome (comment or just tweet me on @bobmcardle)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Delivered-To: robertmcardle@gmail.com&lt;br /&gt;
&lt;br /&gt;
Received: by 10.151.109.3 with SMTP id l3cs88112ybm;&lt;br /&gt;
&lt;br /&gt;
Wed, 18 May 2011 16:58:30 -0700 (PDT)&lt;br /&gt;
&lt;br /&gt;
Received: by 10.42.138.74 with SMTP id b10mr3139284icu.367.1305763109038;&lt;br /&gt;
&lt;br /&gt;
Wed, 18 May 2011 16:58:29 -0700 (PDT)&lt;br /&gt;
&lt;br /&gt;
Return-Path: &amp;lt;bounces@soe.com&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Received: from mx2.soe.com (mx2.soe.com [64.37.148.156])&lt;br /&gt;
&lt;br /&gt;
by mx.google.com with ESMTP id z27si5054362ibz.40.2011.05.18.16.58.28;&lt;br /&gt;
&lt;br /&gt;
Wed, 18 May 2011 16:58:29 -0700 (PDT)&lt;br /&gt;
&lt;br /&gt;
Received-SPF: pass (google.com: domain of bounces@soe.com designates 64.37.148.156 as permitted sender) client-ip=64.37.148.156;&lt;br /&gt;
&lt;br /&gt;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounces@soe.com designates 64.37.148.156 as permitted sender) smtp.mail=bounces@soe.com; dkim=pass header.i=@soe.sony.com&lt;br /&gt;
&lt;br /&gt;
Received: from mx1.sony-online.com ([64.37.148.155])&lt;br /&gt;
&lt;br /&gt;
by mx2.soe.com (StrongMail Enterprise 4.1.1.3(4.1.1.3-45945)); Wed, 18 May 2011 16:57:23 -0700&lt;br /&gt;
&lt;br /&gt;
X-VirtualServer: NonActiveOptInsAndCS, mx2.soe.com, 64.37.148.156&lt;br /&gt;
&lt;br /&gt;
X-VirtualServerGroup: NonActiveOptInsAndCS&lt;br /&gt;
&lt;br /&gt;
X-MailingID: 1223562088::4721::4310::4617::179315::179315&lt;br /&gt;
&lt;br /&gt;
X-SMHeaderMap: mid="X-MailingID"&lt;br /&gt;
&lt;br /&gt;
X-Mailer: StrongMail Enterprise 4.1.1.3(4.1.1.3-45945)&lt;br /&gt;
&lt;br /&gt;
X-Destination-ID: robertmcardle@gmail.com&lt;br /&gt;
&lt;br /&gt;
X-SMFBL: cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20=&lt;br /&gt;
&lt;br /&gt;
DomainKey-Signature: a=rsa-sha1;&lt;br /&gt;
&lt;br /&gt;
c=nofws;&lt;br /&gt;
&lt;br /&gt;
s=sm;&lt;br /&gt;
&lt;br /&gt;
d=soe.sony.com;&lt;br /&gt;
&lt;br /&gt;
q=dns;&lt;br /&gt;
&lt;br /&gt;
b=c3aZ09N1NmXfJCyQ+3RfZqR5i1nX5baa91dAiJkd0p7N/Yo81PX4vJX4j/Vy110SZKoYmAj2QDe5/ON/YYASdbzH5UU++rZi1uxK/6msEefWCCKAS3tuBJeYJxNAmznwnM5Cg8ekaeqoz+QEqtXaDugixc4xmKO2J11fzWUm3mU=&lt;br /&gt;
&lt;br /&gt;
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=soe.sony.com; s=sm;&lt;br /&gt;
&lt;br /&gt;
i=@soe.sony.com; h=Content-Disposition:Content-Transfer-Encoding:&lt;br /&gt;
&lt;br /&gt;
Content-Type:Reply-To:MIME-Version:Message-ID:Subject:Date:To:&lt;br /&gt;
&lt;br /&gt;
From; bh=r3wgLEpUMtFVSRs0E1DHAJJsx9g=; b=ilS4jQIgyD3fS+7wh4aeymH&lt;br /&gt;
&lt;br /&gt;
YHJeg4Z87msbAk0k8yfEuRwRwyTkHdyBacokVDH0ZjN0c2Jgmb4hyiP3OULAC+65&lt;br /&gt;
&lt;br /&gt;
Ihof95vftbSyMMzPpKKzVAwVpl7CIpRNryXGt89r8vsWu4TsPaMe57PDQ9PZcRlP&lt;br /&gt;
&lt;br /&gt;
xTdkl6nl7VoEnKlakWKM=&lt;br /&gt;
&lt;br /&gt;
Content-Disposition: inline&lt;br /&gt;
&lt;br /&gt;
Content-Transfer-Encoding: 7bit&lt;br /&gt;
&lt;br /&gt;
Content-Type: text/html;&lt;br /&gt;
&lt;br /&gt;
charset="UTF-8"&lt;br /&gt;
&lt;br /&gt;
Reply-To: no-reply@soe.com&lt;br /&gt;
&lt;br /&gt;
MIME-Version: 1.0&lt;br /&gt;
&lt;br /&gt;
Message-ID: &amp;lt;1223562088.179315@soe.sony.com&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Subject: Important Notice - SOE Game Services Resume&lt;br /&gt;
&lt;br /&gt;
Date: Wed, 18 May 2011 16:57:22 -0700&lt;br /&gt;
&lt;br /&gt;
To: robertmcardle@gmail.com&lt;br /&gt;
&lt;br /&gt;
From: "Sony Online Entertainment" &amp;lt;info@soe.sony.com&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;html xmlns="http://www.w3.org/1999/xhtml"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;head&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;meta http-equiv="Content-Type" content="text/html; charset=utf-8" /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;title&amp;gt;Customer Service Notification&amp;lt;/title&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/head&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;body&amp;gt;&amp;lt;IMG SRC="http://email.soe.com:80/track?enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnR5cGU9b3BlbiZzZXJpYWw9MTIyMzU2MjA4OCZlbWFpbGlkPXJvYmVydG1jYXJkbGVAZ21haWwuY29tJnVzZXJpZD0xNzkzMTUmZXh0cmE9JiYm" WIDTH="1" HEIGHT="1" BORDER="0" /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" align="center" width="600"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="5"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center" style="font-family:Arial, Helvetica, sans-serif; font-size:9px; color:#333333;"&amp;gt;HAVING DIFFICULTY VIEWING IMAGES IN THIS EMAIL? If so, please add soe.com (&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2000&amp;amp;&amp;amp;&amp;amp;http://www.station.sony.com/add_to_contacts.vm?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="color:#0066cc;"&amp;gt;info@soe.com&amp;lt;/a&amp;gt;) to your Address Book.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="5"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Start Nav --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" bgcolor="#000000"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2001&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_Logo.gif" width="206" height="50" alt="Sony Online Entertainment" style="display:block; border:none;" border="none"/&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_DSC_StockingStuffer/BG.gif" width="48" height="50" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/CSN_Emails/CSN_EuroRateChange/BG.gif" width="51" height="50" alt="Login" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2002&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_Games.gif" width="59" height="50" alt="Games" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2003&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/community.vm?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_Community.gif" width="87" height="50" alt="Community" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2004&amp;amp;&amp;amp;&amp;amp;https://account.station.sony.com/?theme=soe&amp;amp;cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_MyAccount.gif" width="85" height="50" alt="My Account" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2005&amp;amp;&amp;amp;&amp;amp;https://account.station.sony.com/reg/registration.action?theme=soe&amp;amp;cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_SignUp.gif" width="64" height="50" alt="Sign Up" style="display:block; border:none;" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- End Nav --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Start Content --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td width="1" bgcolor="#CCCCCC"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" width="598"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_SuperFanPromo_TpGradient.gif" width="598" height="16" /&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="5"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" width="558" align="center"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td bgcolor="#0e78c9" height="30"&amp;gt;&amp;amp;nbsp;&amp;amp;nbsp;&amp;amp;nbsp;&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#FFFFFF; font-weight:bold; font-size:15px;"&amp;gt;Customer Service Notification&amp;lt;/span&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" align="center" width="532"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="20"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;We are pleased to confirm that our services are now back online and more secure. We deeply regret the inconvenience this cyber attack has caused.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;We take this issue extremely seriously and want to assure you that the protection of the data you have entrusted to us is of the utmost priority. As a result, we require that you reset your Station Account password as an added security measure, and recommend that you do this immediately if you have not done so already.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center" style="color:#4b4b4b;"&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2006&amp;amp;&amp;amp;&amp;amp;https://account.station.sony.com/cam/resetRequired/resetPassword!input.action?theme=soe&amp;amp;cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/CSN_Emails/CSN_WelcomeBack/PWResetButton.gif" width="256" height="52" alt="Password Reset" border="none" style="border:none; display:block;" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;To show our gratitude for your patience and support, SOE is offering a Welcome Back program. As part of this program, you will receive  &amp;lt;strong&amp;gt;45 days of game time (30 days plus 1 day for each day of the outage)&amp;lt;/strong&amp;gt;, added to your Station Account. This game time applies to any game you have currently or previously activated on your Station Account.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;For those customers currently on an active paying plan, this time will be added to the end of your current billing cycle.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;For all other customers, your time begins upon your first login to each of the relevant games. Please note, you must log in to the relevant games by  &amp;lt;strong&amp;gt;11:59 pm PST August 31, 2011&amp;lt;/strong&amp;gt; to claim the game time.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;Should you require game software, visit &amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2007&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/getthegame?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="color:#0E78C9;"&amp;gt;www.soe.com/getthegame.&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;Additionally, many games are offering a variety of items and special events to welcome players back. Get the &amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2008&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/welcomeback/?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="color:#0E78C9;"&amp;gt;Welcome Back Program&amp;lt;/a&amp;gt; details.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;We continue in our commitment to deliver secure, stable and entertaining games for players of all ages, and again, we thank you for your patience and understanding during this difficult time.&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td style="font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#4b4b4b;"&amp;gt;Sony Online Entertainment&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="10"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td width="1" bgcolor="#CCCCCC"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Start Content --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/SOE_SuperFanPromo/SOE_BtGradient.gif" width="600" height="29" style="display:block; border:none;"/&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Start Footer --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="20"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;table cellpadding="0" cellspacing="0" width="600" align="center"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center"&amp;gt;&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#666666; font-weight:bold; font-size:15px;"&amp;gt;THIS IS A CUSTOMER SERVICE NOTIFICATION.&amp;lt;/span&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;br /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2009&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/sonyonline/privacy.vm?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="text-decoration:none;"&amp;gt;&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#666666; font-size:12px; text-decoration:underline;"&amp;gt;SOE Privacy Policy&amp;lt;/span&amp;gt;&amp;lt;/a&amp;gt; &amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#666666; font-size:12px;"&amp;gt;|&amp;lt;/span&amp;gt; &lt;br /&gt;
&lt;br /&gt;
&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2010&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/termsofservice.vm?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="text-decoration:none;"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#666666; font-size:12px; text-decoration:underline;"&amp;gt;SOE Terms of Service&amp;lt;/span&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;br /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2011&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank" style="text-decoration:none;"&amp;gt;&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#666666; font-size:12px; text-decoration:underline;"&amp;gt;www.soe.com&amp;lt;/span&amp;gt;&amp;lt;/a&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="15"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr align="center"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center" style="color:#666666;"&amp;gt;&amp;lt;a href="http://email.soe.com:80/track?type=click&amp;amp;enid=bWFpbGluZ2lkPTQ3MjEmbWVzc2FnZWlkPTQ2MTcmZGF0YWJhc2VpZD00MzEwJnNlcmlhbD0xMjIzNTYyMDg4JmVtYWlsaWQ9cm9iZXJ0bWNhcmRsZUBnbWFpbC5jb20mdXNlcmlkPTE3OTMxNSZleHRyYT0mJiY=&amp;amp;&amp;amp;&amp;amp;2012&amp;amp;&amp;amp;&amp;amp;http://www.soe.com/?cid=EM4721&amp;amp;_mid=4721&amp;amp;_rid=4721.4310.179315" target="_blank"&amp;gt;&amp;lt;img src="http://www.soe.com/newsletters/station/soe_logo.gif" width="160" height="166" alt="Sony Online Entertainment" style="display:block; border:none;" border="none" /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td align="center"&amp;gt;&amp;lt;span style="font-family:Arial, Helvetica, sans-serif; color:#333333; font-size:12px;"&amp;gt;Sony Online Entertainment LLC&amp;lt;Br /&amp;gt;8928 Terman Court - San Diego, CA 92121&amp;lt;/span&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;td height="20"&amp;gt;&amp;lt;!-- --&amp;gt;&amp;lt;/td&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/tr&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- End Footer --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/body&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/html&amp;gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-4000466060622188444?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/g7xOfHTP8MU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/4000466060622188444/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4000466060622188444" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4000466060622188444?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4000466060622188444?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/g7xOfHTP8MU/sony-think-im-customer-apparently.html" title="Sony think I'm a customer, apparently" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2011/05/sony-think-im-customer-apparently.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkUNRH4-fyp7ImA9WhZWE0U.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-7570897586636196394</id><published>2011-05-14T16:51:00.000+01:00</published><updated>2011-05-14T16:51:35.057+01:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2011-05-14T16:51:35.057+01:00</app:edited><title>Maltego talk at ISSA</title><content type="html">Hi Folks - it's been a while (mostly because I've been &lt;a href="http://twitter.com/#%21/bobmcardle"&gt;tweeting&lt;/a&gt; instead, or posting over on &lt;a href="http://blog.trendmicro.com/"&gt;blog.trendmicro.com&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
Last week I ran a workshop on the awesome &lt;a href="http://www.paterva.com/web5/"&gt;Maltego&lt;/a&gt; tool from Paterva at the &lt;a href="http://www.issaireland.org/conference/"&gt;ISSA Conference&lt;/a&gt; in Dublin. Overall a great conference, and I really enjoyed delivering my 2-hour session. Also a big thank you to the folks in Paterva for letting us run this.&lt;br /&gt;
&lt;br /&gt;
I promised to stick up my notes and graphs afterwards, so here they are. If you have any questions or comments, tweet me.&lt;br /&gt;
&lt;br /&gt;
If you have not had a chance to try out Maltego, I seriously recommend downloading it and giving it a go - it is hands down the best Open Source Intelligence tool you will come across. I've also included plenty of resources for creating your own transforms - and if you do, please wander by the &lt;a href="http://www.paterva.com/forum"&gt;Paterva forums&lt;/a&gt; and share them with the community.&lt;br /&gt;
&lt;br /&gt;
Links:&lt;br /&gt;
- &lt;a href="http://www.robertmcardle.com/blog/ISSAMaltego/MaltegoISSA.pdf"&gt;Maltego Presentation&lt;/a&gt;&lt;br /&gt;
- &lt;a href="http://www.robertmcardle.com/blog/ISSAMaltego/Demo%20Graphs.zip"&gt;Maltego Graphs&lt;/a&gt;&lt;br /&gt;
- &lt;a href="http://www.paterva.com/forum//index.php/topic,241.0.html"&gt;Check Trend Micro SiteSafety Transform&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Bob&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-7570897586636196394?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/U2e9wEqguaI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/7570897586636196394/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=7570897586636196394" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7570897586636196394?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7570897586636196394?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/U2e9wEqguaI/maltego-talk-at-issa.html" title="Maltego talk at ISSA" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2011/05/maltego-talk-at-issa.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0YHSHY9fip7ImA9WxFVEEQ.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-4876686404301781535</id><published>2010-06-09T16:56:00.004+01:00</published><updated>2010-06-09T16:58:59.866+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-06-09T16:58:59.866+01:00</app:edited><title>SANS Dublin 2010 Reminder</title><content 
type="html">&lt;div class="gmail_quote"&gt;&lt;div class="gmail_quote"&gt;Hi everyone&lt;br /&gt;&lt;br /&gt;I'll be teaching SANS GCIH course in Dublin in September - if you are interested in anymore information, just let me know.&lt;br /&gt;&lt;br /&gt;The official SANS announcement is below&lt;br /&gt;&lt;br /&gt;Bob&lt;br /&gt;&lt;br /&gt;SANS is pleased to return to Dublin for another Community SANS event with two courses. Please join us 20-25 September for SEC504: Hacker Techniques, Exploits &amp;amp; Incident Handling and 27 September - 2  October for SEC542: Web App Penetration Testing and Ethical Hacking.&lt;br /&gt;&lt;br /&gt;SEC504: Hacker Techniques, Exploits &amp;amp; Incident Handling&lt;br /&gt;20-25 September&lt;br /&gt;Instructor: Robert McArdle&lt;br /&gt;&lt;br /&gt;Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling&lt;br /&gt;team. 
Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.&lt;br /&gt;&lt;br /&gt;SEC542: Web App Penetration Testing &amp;amp; Ethical Hacking&lt;br /&gt;27 September - 2 October&lt;br /&gt;Instructor: Owen Connolly&lt;br /&gt;&lt;br /&gt;In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.&lt;br /&gt;&lt;br /&gt;For more details and to register please visit: &lt;a href="http://www.sans.org/info/60323" target="_blank"&gt;http://www.sans.org/info/60323&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;About the Community SANS EMEA Program -&lt;br /&gt;The Community SANS format in EMEA (Europe, Middle East and Africa Region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small with fewer than 25 students. 
The instructors are pulled from the best of the local mentor program or qualified security experts who have passed SANS' rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as that provided at a larger training event. In addition to the excellent courseware, not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with colleagues in your community that you meet at the training.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-4876686404301781535?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/yNghFQc2wbI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/4876686404301781535/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4876686404301781535" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4876686404301781535?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4876686404301781535?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/yNghFQc2wbI/sans-dublin-2010-reminder.html" title="SANS Dublin 2010 Reminder" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" 
src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/06/sans-dublin-2010-reminder.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQNQH84fSp7ImA9WxFRE0g.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-7804143610847143578</id><published>2010-04-27T08:35:00.004+01:00</published><updated>2010-04-27T08:46:31.135+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-27T08:46:31.135+01:00</app:edited><title>Ebays Captchas appear to be broken</title><content type="html">Anyone else noticed this issue with Ebays Captchas - I hate Captcha as much as everyone else, but after 6 failed attempts in a row I started to think something was up.&lt;br /&gt;&lt;br /&gt;Check this one out:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Gaxw_CA12Wo/S9aUvV2ryyI/AAAAAAAAAtY/oltAHUjOEX4/s1600/ebay1.bmp"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 300px;" src="http://1.bp.blogspot.com/_Gaxw_CA12Wo/S9aUvV2ryyI/AAAAAAAAAtY/oltAHUjOEX4/s320/ebay1.bmp" alt="" id="BLOGGER_PHOTO_ID_5464718738901945122" border="0" /&gt;&lt;/a&gt;Now I think most people would agree that I should enter 707037 into the text field, right? Wrong.&lt;br /&gt;&lt;br /&gt;So after the aforementioned 6 attempts, I decided to try the audio option ("Listen to the verification Code") - and lo and behold, the audio read out a completely different number. In the case above the number was 150633. 
I go back to my field and enter this number:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Gaxw_CA12Wo/S9aVnF-tpbI/AAAAAAAAAtg/7a0JDMVY6ho/s1600/ebay2.bmp"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 274px;" src="http://2.bp.blogspot.com/_Gaxw_CA12Wo/S9aVnF-tpbI/AAAAAAAAAtg/7a0JDMVY6ho/s320/ebay2.bmp" alt="" id="BLOGGER_PHOTO_ID_5464719696713328050" border="0" /&gt;&lt;/a&gt;And bingo - Ebay allows me to send the message.&lt;br /&gt;&lt;br /&gt;I reckon that someone in the Security department has messed up the captcha code so that the images and numbers are out of sync with each other. Either way I don't think it will be long before this gets picked up.&lt;br /&gt;&lt;br /&gt;Maybe the guys over at Pramana.com have an interesting idea after all with their Captcha alternative. For some more details (not a lot) read the last few pages of &lt;a href="http://bit.ly/bPpteR"&gt;http://bit.ly/bPpteR&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-7804143610847143578?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/T2Rm5La1des" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/7804143610847143578/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=7804143610847143578" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7804143610847143578?v=2" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7804143610847143578?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/T2Rm5La1des/ebays-captchas-appear-to-be-broken.html" title="Ebays Captchas appear to be broken" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Gaxw_CA12Wo/S9aUvV2ryyI/AAAAAAAAAtY/oltAHUjOEX4/s72-c/ebay1.bmp" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/04/ebays-captchas-appear-to-be-broken.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUEDRHo-eSp7ImA9WxFTFUg.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-5901231688300393536</id><published>2010-03-31T15:20:00.007+01:00</published><updated>2010-04-06T13:41:15.451+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-06T13:41:15.451+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="Musings" /><title>Modern Malware Explained</title><content type="html">John sat down at this pc, and placed his coffee beside the keyboard. It was that crappy instant stuff - the good coffee had been one of the first things to go in the latest company cost-cutting blitz. Grimacing, he took a sip, and started the daily chore of going through his 100's of emails. Was the world more productive before we invented email he wondered? 
One email in particular caught his eye - looks like he had received a Tax refund. Finding it unusual for the government to actually GIVE him back money, John opened the attached PDF...&lt;br /&gt;&lt;br /&gt;What follows next happens all around the world, every day, 1000s of times every minute. The PDF contained code that allowed it to take complete control of the machine, due to some faulty coding on the part of the PDF reader program. The actual malware name in this case is Bredolab. Seconds after John had clicked the attachment the code was already pulling down updates from a URL on a different compromised machine in China. These updates in turn downloaded more components - a rootkit called TDSS which made the malware invisible on the machine, a Zeus malware which connected John's machine to a botnet of several million other infected machines, and, in an ironic twist - John was now spewing out hundreds of emails per minute via the Cutwail malware, each helping to spread the same PDF attack he had just fallen for.&lt;br /&gt;&lt;br /&gt;So what was John infected with - was it Zeus? Cutwail? Bredolab? TDSS? Something else entirely?&lt;br /&gt;&lt;br /&gt;Well there are two answers to that question - the first is "All of the above". The second (and more accurate) answer is - "Who cares?"&lt;br /&gt;&lt;br /&gt;Fact is, John and the other thousands of people who get infected every day could not give a monkeys what the malware is actually called - they just want it stopped from ever running (or if worst comes to the worst, at least removed from the machine).&lt;br /&gt;&lt;br /&gt;So remember that the next time you read through a PC magazine review of all of the latest and greatest AV products - it does not matter how many files they correctly detect, or how many URLs they block, or how many emails they will drop. Look at the bigger picture - and pick the one that offers the most complete solution. 
The more layers between you and the malware getting a chance to run the better. AV is not dead, as some people would tell you, but the days of file-scanning protecting you on its own are well gone - and they are never coming back.&lt;br /&gt;&lt;br /&gt;Robert McArdle&lt;br /&gt;-----------------------------------------------------------&lt;br /&gt;http://www.linkedin.com/in/robertmcardle&lt;br /&gt;http://robertmcardle.blogspot.com/&lt;br /&gt;http://www.twitter.com/bobmcardle&lt;br /&gt;-----------------------------------------------------------&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5901231688300393536?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/Awls9hcp_zU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/5901231688300393536/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5901231688300393536" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5901231688300393536?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5901231688300393536?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/Awls9hcp_zU/modern-malware-explained.html" title="Modern Malware Explained" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" 
src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/03/modern-malware-explained.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIERHo9fyp7ImA9WxBaGEs.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-4507483002460622634</id><published>2010-03-29T11:13:00.002+01:00</published><updated>2010-03-29T14:15:05.467+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-29T14:15:05.467+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SANS" /><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Educational" /><category scheme="http://www.blogger.com/atom/ns#" term="Conference" /><title>SANS Dublin 2010</title><content type="html">Hi Everyone,&lt;br /&gt;&lt;br /&gt;I will be running a 6-Day training course in &lt;a href="http://www.sans.org/dublin-2010-cs/description.php?tid=243"&gt;Hacker Techniques, Exploits &amp;amp; Incident Handling&lt;/a&gt; in September - so I wanted to get some advance notice out there.&lt;br /&gt;&lt;br /&gt;This is an excellent course - I first studied it myself back in 2006 and can honestly say it has been the most useful security course I have completed by far. Some other courses are all good in theory, but this course from SANS really is a reflection of what happens in the real world every day (with lots of hands-on exercises). If you want to get involved in IT Security (or are already involved and want to round out your skills) - this is the course to attend.&lt;br /&gt;&lt;br /&gt;All of the details of the course are up on &lt;a href="http://www.sans.org/dublin-2010-cs/"&gt;http://www.sans.org/dublin-2010-cs/&lt;/a&gt; but I'll go through some of the high level details here. 
If you have any other questions - just comment below or email me at RobertMcArdle[very obvious sign goes here][Google's well-known email service]&lt;br /&gt;&lt;br /&gt;Day 1: Incident Handling - A simple, effective step-by-step guide to Incident Handling&lt;br /&gt;Day 2: Reconnaissance &amp;amp; Scanning - The first 2 steps of any attack (using tools like Nmap, Nessus)&lt;br /&gt;Day 3: Network Level attacks - Netcat, Sniffers, Backdoors, etc&lt;br /&gt;Day 4: Gaining Access - Password cracking, SQL injection, XSS, DOS&lt;br /&gt;Day 5: Covering your tracks and putting it all together&lt;br /&gt;Day 6: Capture the Flag :) Full day of trying to gain access to a number of machines - lots of fun, the highlight of the course!&lt;br /&gt;&lt;br /&gt;Overall it's a blast - I just wanted to give everyone plenty of time to add it to their calendars (it's also up on the &lt;a href="http://www.robertmcardle.com/SecurityCalendar"&gt;Security Calendar&lt;/a&gt; already)&lt;br /&gt;&lt;br /&gt;Bob&lt;br /&gt;&lt;br /&gt;-----------------------------------------------------------&lt;br /&gt;&lt;a href="http://www.linkedin.com/in/robertmcardle"&gt;http://www.linkedin.com/in/robertmcardle&lt;/a&gt;&lt;br /&gt;&lt;a href="http://robertmcardle.blogspot.com/"&gt;http://robertmcardle.blogspot.com/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.twitter.com/bobmcardle"&gt;http://www.twitter.com/bobmcardle&lt;/a&gt;&lt;br /&gt;-----------------------------------------------------------&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-4507483002460622634?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/Fxf_8dwERk0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/4507483002460622634/comments/default" title="Post Comments" /><link 
rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4507483002460622634" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4507483002460622634?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4507483002460622634?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/Fxf_8dwERk0/sans-dublin-2010.html" title="SANS Dublin 2010" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/03/sans-dublin-2010.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUYDR3oyfip7ImA9WxBWEE8.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-3152885666647027893</id><published>2010-02-01T09:13:00.006Z</published><updated>2010-02-01T11:19:36.496Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-01T11:19:36.496Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Technical" /><category scheme="http://www.blogger.com/atom/ns#" term="Musings" /><title>3D Movies != Death of Piracy. Oppurtunity for malware</title><content type="html">Hollywood see 3D as a critical weapon against piracy, which I just don't understand. If we fast forward a year and early adopters have their 3D ready TV, 3D Blu-ray player etc - ultimately Hollywood needs to get the 3D movie to this person in a digital format, most likely on a Blu-Ray disk. 
The actual digital content is probably going to be close to 100GB.  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;What stops someone ripping this Blu-Ray and putting it on the internet for everyone to download? Sure, there are some technical problems (encryption to break etc) but that has not stopped any other form of entertainment media in the last 10 years.&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;Hollywood seem to think this will stop the "Camera in the cinema" form of Piracy, but most piracy is carried out directly on Screeners. Interesting blog: &lt;a href="http://greatunansweredquestions.blogspot.com/2009/06/3d-films-immune-to-piracy.html"&gt;http://greatunansweredquestions.blogspot.com/2009/06/3d-films-immune-to-piracy.html&lt;/a&gt; &lt;/p&gt;    &lt;p style="font-family: arial;" class="MsoPlainText"&gt;In the meantime, there are social engineering angles attackers can take here. 
&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;- Advertising downloads that make a Laptop 3D ready so that you can watch 3D movies (spot the trojan)&lt;br /&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;- Torrents of 3D movies including malware&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;- Links to sites that contain exploits, claiming to have torrents of 3D movies&lt;br /&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;- Sites selling cheap 3D movies (please insert your credit card details here)&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;- Scams to win a 3D TV (text this number to win. Then we take $50 from your account every month)&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;And a lot of others. 
Be on the lookout for these in the next couple of months; I'll be stunned if all of those 5 predictions do not come to pass.&lt;br /&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" class="MsoPlainText"&gt;Bob&lt;/p&gt;&lt;p style="font-family: arial;" class="MsoPlainText"&gt;&lt;a href="http://www.twitter.com/bobmcardle"&gt;http://www.twitter.com/bobmcardle&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-3152885666647027893?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/BtuVfC8dFWc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/3152885666647027893/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3152885666647027893" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3152885666647027893?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3152885666647027893?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/BtuVfC8dFWc/3d-movies-death-of-piracy-oppurtunity.html" title="3D Movies != Death of Piracy. 
Oppurtunity for malware" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/02/3d-movies-death-of-piracy-oppurtunity.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUYCSX0_fyp7ImA9WxBQFU0.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-5787705403581187022</id><published>2010-01-14T21:11:00.004Z</published><updated>2010-01-14T22:12:48.347Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-14T22:12:48.347Z</app:edited><title>Twitterbuilding.com - stealing your passwords one tweet at a time</title><content type="html">&lt;p&gt;I like many others am a big fan of Twitter, although I'm fairly ruthless about pruning those I follow. Most of the people I follow are either other security professionals or close friends, and they normally tweet content that I am genuinely interested in. The first hint of someone going to the dark side i.e.&lt;/p&gt; &lt;p style="padding-left: 30px;" mce_style="padding-left: 30px;"&gt;In McDonalds - should I get a cheeseburger or a big mac?&lt;br /&gt;4 minutes ago from iPhone by InaneTwit&lt;/p&gt;&lt;p style="padding-left: 30px;"&gt;So confused - must decide soon - 1 person in front of me in Q!&lt;br /&gt;3 minutes ago from iPhone by InaneTwit&lt;/p&gt;&lt;p style="padding-left: 30px;"&gt;I got the cheeseburger!&lt;br /&gt;2 minutes ago from iPhone by InaneTwit&lt;/p&gt; &lt;p&gt;... and I will ruthlessly remove them. There is one exception to this however, one of my younger siblings who for some reason I let away with this kind of thing. 
So I was not too surprised to see the following tweet earlier today:&lt;/p&gt; &lt;p style="padding-left: 30px;" mce_style="padding-left: 30px;"&gt;This site is AWESOME!!! - &lt;a rel="nofollow" href="http://twitterbuilding.com/" mce_href="http://twitterbuilding.com/" target="_blank"&gt;http://TwitterBuilding.com&lt;/a&gt;&lt;br /&gt;about 2 hours ago from API&lt;/p&gt;&lt;p style=""&gt;Following the link I came to the following page:&lt;/p&gt;&lt;p style=""&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S0-Rxpun0yI/AAAAAAAAAqQ/xW9MBferzCE/s1600-h/TwitterBuilding.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 144px;" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S0-Rxpun0yI/AAAAAAAAAqQ/xW9MBferzCE/s320/TwitterBuilding.JPG" alt="" id="BLOGGER_PHOTO_ID_5426716358205756194" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p style=""&gt;Suddenly my spider senses are tingling - call me paranoid, but that does not look particularly official. A quick search of the web shows thousands of identical tweets from thousands of people who have gladly handed over their passwords to this website (which is most likely the same password they use for everything, including the holy grail, their email account - something I wrote about way back in &lt;a mce_href="http://blog.trendmicro.com/largest-bulletin-php-board-providers-compromised/" href="http://blog.trendmicro.com/largest-bulletin-php-board-providers-compromised/"&gt;Feb 2009&lt;/a&gt;)&lt;br /&gt;&lt;/p&gt;&lt;p style=""&gt;What is the message here? Simple - "Think before you Click!" &lt;/p&gt;&lt;p style=""&gt;Would you give your twitter password to a random person on the street? Of course not, so why would you give it to a random site on the web?? 
If nothing else it will save you time when, like my younger sibling, you have to now change your password on  every site you use.&lt;/p&gt;&lt;p style=""&gt;Follow me on twitter - http://www.twitter.com/bobmcardle&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5787705403581187022?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/H-NT_DoIZtc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/5787705403581187022/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5787705403581187022" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5787705403581187022?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5787705403581187022?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/H-NT_DoIZtc/twitterbuildingcom-stealing-your.html" title="Twitterbuilding.com - stealing your passwords one tweet at a time" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S0-Rxpun0yI/AAAAAAAAAqQ/xW9MBferzCE/s72-c/TwitterBuilding.JPG" height="72" width="72" 
/><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2010/01/twitterbuildingcom-stealing-your.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8HQno5fyp7ImA9WxNbEU0.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-9126889461772443738</id><published>2009-11-11T10:51:00.004Z</published><updated>2009-11-13T09:33:53.427Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-13T09:33:53.427Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering" /><title>Social Engineering is Easy</title><content type="html">I had to cancel an account with a certain Internet Provider today for my parents and was stunned at how easy this was to do, even with minimal details about them.&lt;br /&gt;&lt;br /&gt;On the first call I explained that I was not the bill holder but wanted to cancel on their behalf - no dice.&lt;br /&gt;&lt;br /&gt;So I gave it 5 minutes, disabled Caller ID and rang back. This time I gave the name of my parent who was the bill holder. The friendly person on the other end of the line then asked me their standard security questions, which were:&lt;br /&gt;&lt;br /&gt;1. What is the address on the account&lt;br /&gt;2. What is the mobile number on the account&lt;br /&gt;3. What payment method is being used.&lt;br /&gt;&lt;br /&gt;That's pretty scary. Getting someone's name, mobile number and address is fairly trivial.
For option 3 it is pretty much always going to be Direct Debit for a monthly bill.&lt;br /&gt;&lt;br /&gt;After some standard questions about why I was cancelling the account, am I sure I did want to avail of their "awesome deal of awesomeness", etc - account closed.&lt;br /&gt;&lt;br /&gt;And people think that Identity Theft is hard :(&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-9126889461772443738?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/0dkCsyiNSJQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/9126889461772443738/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=9126889461772443738" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/9126889461772443738?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/9126889461772443738?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/0dkCsyiNSJQ/social-engineering-is-easy.html" title="Social Engineering is Easy" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/11/social-engineering-is-easy.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0IMRHk_eip7ImA9WxNVE0w.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-5923757143735223520</id><published>2009-10-23T15:42:00.001+01:00</published><updated>2009-10-23T16:26:25.742+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-23T16:26:25.742+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><title>More compromised Irish Sites</title><content type="html">Quick one before I head out of the office.&lt;br /&gt;&lt;br /&gt;An Irish domain, Ivote.ie, is currently being used by criminal gangs as part of an &lt;a href="http://en.wikipedia.org/wiki/Search_engine_optimization"&gt;SEO poisoning&lt;/a&gt; attack.&lt;br /&gt;&lt;br /&gt;&lt;p style="font-family: arial;" class="MsoNormal"&gt;Take the following two examples of popular search terms (I got these from Google Trends).
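One way to test a suspect search result for this kind of cloaking is to follow its redirect chain twice, once as a visitor arriving from a Google search and once as a direct visitor, and compare where each chain ends. The Python below is an added example, not part of the original post and not Trend Micro tooling: fake_fetch() and the .example hosts are a constructed, offline stand-in for the four roles in the chain shown in this post (doorway page in the search results, traffic redirector, compromised legitimate site, malware host), and the ?p= token and uid values are placeholders.

```python
"""Detect search-engine cloaking by comparing the redirect chain served to a
search-engine visitor with the one served to a direct visitor.
Added example; fake_fetch() and the .example hosts are a constructed,
offline model of the chain described in the post, not real sites."""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
SEARCH_ENGINES = ("google.com", "bing.com", "yahoo.com")
SEARCH_REFERER = "http://www.google.com/search?q=steve+phillips+girlfriend+picture"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20091023 Firefox/3.5"
DOORWAY = "http://doorway.example/index2.php?t=steve-phillips-girlfriend-picture"

# Constructed model: URL -> (response for a search-engine visitor,
#                            response for anyone else), response = (status, Location).
# Roles mirror the post: doorway page -> traffic redirector -> compromised
# legitimate site -> malware host. TOKEN and uid values are placeholders.
_MODEL = {
    DOORWAY: (
        (302, "http://tds.example/?p=TOKEN"),  # search visitor is forwarded
        (200, None),                           # direct visitor gets filler
    ),
    "http://tds.example/?p=TOKEN": (
        (302, "http://compromised.example/jjjr/Steve-Phillips-Girlfriend-Picture.htm"),
        (200, None),
    ),
    "http://compromised.example/jjjr/Steve-Phillips-Girlfriend-Picture.htm": (
        (302, "http://payload.example/22/?uid=13700"),
        (302, "http://payload.example/22/?uid=13700"),
    ),
    "http://payload.example/22/?uid=13700": ((200, None), (200, None)),
}


def came_from_search_engine(headers):
    """True if the Referer header names a search engine host."""
    host = urlparse(headers.get("Referer", "")).netloc.lower()
    return any(host == se or host.endswith("." + se) for se in SEARCH_ENGINES)


def fake_fetch(url, headers):
    """Stand-in for an HTTP GET that does not auto-follow redirects.
    Returns (status, Location header or None)."""
    for_search, for_direct = _MODEL.get(url, ((404, None), (404, None)))
    return for_search if came_from_search_engine(headers) else for_direct


def follow_chain(fetch, url, headers, max_hops=10):
    """Follow redirects by hand, recording every URL visited in order.
    Stops on a non-redirect status, a missing Location, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, headers)
        if status not in REDIRECT_STATUSES or not location:
            break
        url = urljoin(url, location)     # Location may be relative
        chain.append(url)
        if chain.count(url) > 1:         # redirect loop
            break
    return chain


def cloaking_report(fetch, url):
    """Compare the two chains. Different final destinations mean the site
    serves something different to search traffic: the hallmark of SEO poisoning."""
    via_search = follow_chain(fetch, url, {"Referer": SEARCH_REFERER, "User-Agent": BROWSER_UA})
    direct = follow_chain(fetch, url, {"User-Agent": BROWSER_UA})
    return {
        "cloaked": via_search[-1] != direct[-1],
        "hosts_via_search": [urlparse(u).netloc for u in via_search],
        "hosts_direct": [urlparse(u).netloc for u in direct],
    }


if __name__ == "__main__":
    print(cloaking_report(fake_fetch, DOORWAY))
```

To run this against a live URL, pass in a real fetch function with the same (url, headers) signature that performs one GET without following redirects (for example urllib with a handler that returns 3xx responses unchanged); keep the search-engine Referer and a normal browser User-Agent, since redirectors of this kind key on both. Do it from an isolated machine, as the final hop is the malware host.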
Standard warning applies about visiting these sites (Here be Dragons):&lt;/p&gt;&lt;p style="font-family: arial;" class="MsoNormal"&gt;SEARCH: steve phillips girlfriend picture&lt;br /&gt;&lt;br /&gt;RESULT:&lt;br /&gt;&lt;br /&gt;http://www.gsarchives.net/index2.php?t=steve-phillips-girlfriend-picture&lt;br /&gt;&lt;br /&gt;-&gt; http://guardsyszone.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZ1bVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoGJdpqmikpVuaGdpZmxmbF%2FEkKE%3D&lt;br /&gt;&lt;br /&gt;-&gt;-&gt; http://www.ivote.ie/jjjr/Steve-Phillips-Girlfriend-Picture.htm&lt;br /&gt;&lt;br /&gt;-&gt;-&gt;-&gt; http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)&lt;br /&gt;&lt;br /&gt;SEARCH: explosion in puerto rico&lt;br /&gt;&lt;br /&gt;RESULT:&lt;br /&gt;&lt;br /&gt;http://www.gsarchives.net/index2.php?t=explosion-in-puerto-rico&lt;br /&gt;&lt;br /&gt;-&gt; http://guardzone-sys.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoFerpXOWk5hvZWRsZnFqXpzEag%3D%3D&lt;br /&gt;&lt;br /&gt;-&gt;-&gt; http://www.ivote.ie/jjjr/Explosion-In-Puerto-Rico.htm&lt;br /&gt;&lt;br /&gt;-&gt;-&gt;-&gt; http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)&lt;/p&gt;&lt;p style="font-family: arial;" class="MsoPlainText"&gt;Same result with “steve phillips wife photos” and many other search terms which are popular in Google today.&lt;/p&gt;&lt;p style="font-family: arial;" class="MsoNormal"&gt;It appears that the IVOTE.IE domain has been compromised (similar to the Zdesign.com domain in the last post). Normal deal - most likely one of IVOTE’s employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third gang which uploads the malware onto the site.&lt;/p&gt;&lt;p style="font-family: arial;" class="MsoNormal"&gt;I've contacted the hosting providers of IVote to have the page cleaned up.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5923757143735223520?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/-mqk3_MYbd0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/5923757143735223520/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5923757143735223520" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5923757143735223520?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5923757143735223520?v=2" /><link rel="alternate" type="text/html"
href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/-mqk3_MYbd0/more-compromised-irish-sites.html" title="More compromised Irish Sites" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/10/more-compromised-irish-sites.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0cARXc4eSp7ImA9WxNVEkQ.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-1233682697567192300</id><published>2009-10-23T09:03:00.004+01:00</published><updated>2009-10-23T10:44:04.931+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-23T10:44:04.931+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Phishing" /><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacked Sites" /><title>More AIB Scams</title><content type="html">&lt;span style="font-weight: bold;"&gt;WARNING: This blog contains some links to phishing sites.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I'm sure I was not the only person to wake up this morning to find this in my mailbox - a delightful little email informing me that my AIB account had been "temporarily limited".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s1600-h/mail.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 196px;" src="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s320/mail.jpg" alt="" 
id="BLOGGER_PHOTO_ID_5395728421955398514" border="0" /&gt;&lt;/a&gt;As a concerned AIB customer I obviously have concerns when my account gets "temporarily limited" (whatever the hell that means). Needless to say the sender address accounts@aib.ie looks legitimate, but changing any field in an email (especially the From field) is child's play. Also they specifically ask the victim not to reply to the mail (no need to let AIB know there is a new scam doing the rounds after all).&lt;br /&gt;&lt;br /&gt;So let's take a look at the actual link I would need to click on to "resolve the problem":&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://zdesign.com/aibinternetbanking.aib.ie/login.htm"&gt;http://zdesign.com/aibinternetbanking.aib.ie/login.htm&lt;/a&gt;&lt;/blockquote&gt;See what they did there? Clever, eh... no, not particularly (the host is zdesign.com; "aibinternetbanking.aib.ie" is just a directory name on that server, put there so the URL reads like a bank address).&lt;br /&gt;&lt;br /&gt;Before we go look at the dodgy domain let's have a look at what the phishing site actually looks like - see if you can figure out which is the real page:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuFy4Wk1wfI/AAAAAAAAAog/0SO-0DzFbPk/s1600-h/1.JPG"&gt;&lt;img style="cursor: pointer; width: 320px; height: 181px;" src="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuFy4Wk1wfI/AAAAAAAAAog/0SO-0DzFbPk/s320/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5395720141024903666" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Gaxw_CA12Wo/SuFzCugTpkI/AAAAAAAAAoo/cUUQVxq63vA/s1600-h/2.JPG"&gt;&lt;img style="cursor: pointer; width: 320px; height: 189px;" src="http://1.bp.blogspot.com/_Gaxw_CA12Wo/SuFzCugTpkI/AAAAAAAAAoo/cUUQVxq63vA/s320/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5395720319247033922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Pretty well done, isn't it - needless to say it is the one on the left (the one which does not warn you
not to click on fraudulent emails). All of the images are loaded directly from AIB, and all of the links with the exception of the next button also point to legitimate AIB pages. I'm not sure if AIB monitors for external sites linking to their internet banking images (the Referer header on the requests for those images would name the page doing the linking), but it would certainly be a useful tool for identifying these types of phishing sites.&lt;br /&gt;&lt;br /&gt;After a user enters their registration number, they are prompted for 3 digits of their PIN, as is normal procedure for AIB logins. However, instead of being logged into their account, they are then brought to a very non-AIB-looking page which asks for all sorts of information, including credit card details and the person's full PIN:&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://zdesign.com/aibinternetbanking.aib.ie/data.htm"&gt;http://zdesign.com/aibinternetbanking.aib.ie/data.htm&lt;/a&gt;&lt;/blockquote&gt;Once you kindly provide the scammer with this information you are informed that someone may ring you shortly to confirm your details and to have your code card ready, before being redirected to the real AIB site. As I did not bother entering any real data (and I assume the scammer would check if my PIN worked before ringing me to grab all my code card details), I'm unsure if the attacker would actually follow up with a call.&lt;br /&gt;&lt;br /&gt;So there you have it - pretty standard phishing scam - let's look at some of the details about the actual site used, however.&lt;br /&gt;&lt;br /&gt;First of all, &lt;a href="http://zdesign.com/"&gt;http://zdesign.com/&lt;/a&gt; seems to be a legitimate design company; the &lt;a href="http://web.archive.org/web/19980702022634/http://www.zdesign.com/"&gt;Wayback Machine&lt;/a&gt; shows their site's existence since 1998. As such it looks like their site was compromised and the phishing scam was uploaded to their webserver.
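Monitoring for that hotlinking is straightforward if you have the bank's own web server logs: a request for a login-page image or stylesheet whose Referer is a host outside the bank's domain points directly at the page that is framing those assets. The Python below is an added example (not AIB's tooling and not from the original post): the access-log lines are constructed, bank.example stands in for the banking host and compromised.example for the hijacked site. Its hostname() helper also shows why the link above is misleading: the host of http://zdesign.com/aibinternetbanking.aib.ie/login.htm is zdesign.com, and the bank-looking text is only a path.

```python
"""Find phishing pages that hotlink a bank's login-page assets by scanning
the bank's own access logs for asset requests whose Referer is foreign.
Added example; log lines are constructed and the hosts are placeholders."""
import re
from urllib.parse import urlparse

BANK_DOMAIN = "bank.example"            # placeholder for the real banking domain
ASSET_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg", ".css")

# Apache/nginx "combined" log format, positional groups:
# 1 client IP, 2 timestamp, 3 method, 4 path, 5 status, 6 referer, 7 user agent
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# Constructed sample: two hits from a phishing page on a hijacked site, one from
# the bank's real login page, one with no Referer, one non-asset request.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2009:08:12:01 +0100] "GET /images/logo.gif HTTP/1.1" 200 4123 "http://compromised.example/aibinternetbanking.bank.example/login.htm" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2009:08:12:01 +0100] "GET /css/login.css HTTP/1.1" 200 812 "http://compromised.example/aibinternetbanking.bank.example/login.htm" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2009:08:13:44 +0100] "GET /images/logo.gif HTTP/1.1" 200 4123 "https://internetbanking.bank.example/login" "Mozilla/5.0"
198.51.100.9 - - [23/Oct/2009:08:14:02 +0100] "GET /images/logo.gif HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Oct/2009:08:14:05 +0100] "GET /help/faq.html HTTP/1.1" 200 9000 "http://search.example/?q=bank" "Mozilla/5.0"
""".splitlines()


def hostname(url):
    """Host of a URL, lower-cased, without port. For
    http://zdesign.com/aibinternetbanking.aib.ie/login.htm this is zdesign.com:
    the bank-looking text is a directory name, which a browser ignores when
    deciding which site it is talking to. Returns "" for "-" or junk."""
    return urlparse(url).netloc.lower().split(":")[0]


def is_own_host(host, domain=BANK_DOMAIN):
    """True for the bank's apex domain and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_hotlinking_pages(log_lines, domain=BANK_DOMAIN):
    """Map each foreign referer host to the set of referer URLs that loaded our
    image/CSS assets. Each URL is a candidate phishing page to review."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                                 # not combined format
        path = m.group(4).split("?")[0].lower()
        if not path.endswith(ASSET_EXTENSIONS):
            continue                                 # only care about assets
        referer = m.group(6)
        host = hostname(referer)
        if host == "" or is_own_host(host, domain):
            continue                                 # no referer, or our own pages
        hits.setdefault(host, set()).add(referer)
    return hits


if __name__ == "__main__":
    for host, pages in sorted(find_hotlinking_pages(SAMPLE_LOG).items()):
        print(host, sorted(pages))
```

Two caveats for real logs: some browsers and privacy proxies strip the Referer, so a phishing page can also show up as a burst of asset requests with no referer from IPs that never hit the real login page, and legitimate partners or cached copies (search-engine caches, archive sites) will appear as foreign hosts too, so the output is a review queue, not an automatic block list.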
The webserver is not exclusive to ZDesign, there are plenty of other companies running websites on it, so it is obviously a shared hosting server.&lt;br /&gt;&lt;br /&gt;I had a look at some of the other companies to see if they had been compromised in a similar way, but none that I checked appeared to have been. What most likely happened in this case was that one of ZDesign's employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third, phishing gang. Ah, the joys of modern-day criminal malware writers.&lt;br /&gt;&lt;br /&gt;Anyhow - if you see one of these emails, ignore it or better yet delete it. In the meantime I've contacted AIB, ZDesign and IRISS (Irish CERT). I've also blocked the URL for any Trend Micro customers.&lt;br /&gt;&lt;br /&gt;Happy long weekend everyone :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-1233682697567192300?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/I7fTmrHTbHw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/1233682697567192300/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=1233682697567192300" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/1233682697567192300?v=2" /><link rel="self" type="application/atom+xml"
href="http://www.blogger.com/feeds/7389874623959970000/posts/default/1233682697567192300?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/I7fTmrHTbHw/more-aib-scams.html" title="More AIB Scams" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s72-c/mail.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/10/more-aib-scams.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcCQ388cCp7ImA9WxNWFk0.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-8397860846954027922</id><published>2009-10-15T12:38:00.002+01:00</published><updated>2009-10-15T12:44:22.178+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-15T12:44:22.178+01:00</app:edited><title>Also available on Twitter</title><content type="html">Hi everyone,&lt;br /&gt;&lt;br /&gt;Just a quick message to let everyone know that I am now also using Twitter. Feel free to follow me on &lt;a href="http://www.twitter.com/bobmcardle"&gt;http://www.twitter.com/bobmcardle&lt;/a&gt; . 
I will continue to use this blog (as well as the &lt;a href="http://blog.trendmicro.com"&gt;official Trend Micro blog&lt;/a&gt;) for articles that take longer than 140 characters to get the message across :)&lt;br /&gt;&lt;br /&gt;I have not updated much here in a while as I am currently doing some Web Application Security research, but once I have the results of that they will be going up here.&lt;br /&gt;&lt;br /&gt;For anyone who is attending the &lt;a href="http://www.iriss.ie/iriss/iriss_conference_2009.htm"&gt;IRISS conference&lt;/a&gt; in Dublin on the 19th of November, I hope to see you all there.&lt;br /&gt;&lt;br /&gt;Bob&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-8397860846954027922?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/jAUwI4ocL8M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/8397860846954027922/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=8397860846954027922" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/8397860846954027922?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/8397860846954027922?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/jAUwI4ocL8M/also-available-on-twitter.html" title="Also available on Twitter" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32"
src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/10/also-available-on-twitter.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkAAQnk8eip7ImA9WxNXE00.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-3956385333620303738</id><published>2009-09-30T09:48:00.002+01:00</published><updated>2009-09-30T09:52:23.772+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-30T09:52:23.772+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><title>Succeeding in IT Security</title><content type="html">I was interviewed recently for a jobs site (Odinjobs) asking what it takes to succeed in IT Security - the interview, along with those from other people is up at the following URL&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.odinjobs.com/blogs/careers/entry/it_security_what_it_takes"&gt;http://www.odinjobs.com/blogs/careers/entry/it_security_what_it_takes&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-3956385333620303738?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/hphnq647lqk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/3956385333620303738/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3956385333620303738" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3956385333620303738?v=2" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3956385333620303738?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/hphnq647lqk/succeeding-in-it-security.html" title="Succeeding in IT Security" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/09/succeeding-in-it-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE8FRn45fSp7ImA9WxJUFUs.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-5983268622265240406</id><published>2009-07-14T09:23:00.002+01:00</published><updated>2009-07-14T10:13:37.025+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-14T10:13:37.025+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Scams" /><title>Attacker Mindset</title><content type="html">An unfortunate necessity of working in the security industry, and particularly in analysing malware / hacking attacks every day, is that you quite often need to put yourself in the mind of a criminal in order to properly understand the motives behind an attack. The downside is that it can be hard to turn this off. It's often been said that the only difference between a hacker and a penetration tester is "permission", as in permission to access the target you are testing. Well, the only difference between a security professional and a hacker is "ethics".
Both have very similar skillsets, and both are very good at spotting scams and flaws in systems - the difference is that hackers act on this information for financial gain, whereas security professionals generally try to fix the problem, or at the very least do not act on it (we'd all be making MUCH more money if we did :P )&lt;br /&gt;&lt;br /&gt;So it was in this frame of mind that I visited one of Ireland's biggest hardware stores at the weekend to drop back a couple of items that we did not need. While waiting for about 15 minutes at the customer service desk an idea hit me. I'd love to hear others' feedback on this situation:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A scammer can walk into a store (in this case a hardware store, but other stores would work). He goes around the shop and spends a couple of hundred (not too much or this would probably not work) on a variety of items.&lt;/li&gt;&lt;li&gt;The scammer comes back the following day, walks around the store and takes several of the same items off the shelves. They bring these items to customer service, along with their receipt, to "drop them back".&lt;/li&gt;&lt;li&gt;End result: the scammer spends a couple of hundred, gets the majority of it back, and keeps all the goods (which can then be sold on for a tidy profit).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;There are a couple of conditions for this attack to work:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Needs to be a big, busy store, otherwise it is easier to see that the attacker is simply dropping back goods from the shelves.&lt;/li&gt;&lt;li&gt;Items must not have an electronic tag which indicates that they have been sold already (for example the tags you see in a lot of clothes stores).&lt;/li&gt;&lt;li&gt;Barcodes must not be individual. In other words, all copies of product X must have the exact same barcode (otherwise customer service can uniquely identify each item).
TV shops tend to have individualised codes.&lt;/li&gt;&lt;/ul&gt;Having said that, there are a lot of stores that fall into this category (particularly hardware stores, where individual items can be quite expensive). I very much doubt that this is an old scam, but would love to hear people's thoughts on it (or if you have worked in / run a store, how did they address this issue)?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5983268622265240406?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/1jFqnwC_kZ0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/5983268622265240406/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5983268622265240406" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5983268622265240406?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5983268622265240406?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/1jFqnwC_kZ0/attacker-mindset.html" title="Attacker Mindset" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/07/attacker-mindset.html</feedburner:origLink></entry><entry
gd:etag="W/&quot;DkQEQ3kyeip7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-6060755709042525173</id><published>2009-06-23T14:37:00.000+01:00</published><updated>2009-06-23T14:38:22.792+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T14:38:22.792+01:00</app:edited><title>All feedback is good feedback</title><content type="html">&lt;p&gt;In our recently published &lt;a href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf"&gt;white paper on Pushdo&lt;/a&gt; we noted that the malware used a certain string as part of its encryption routine.&lt;/p&gt; &lt;blockquote&gt; &lt;p style="text-align: center;"&gt;&lt;strong&gt;Poshel-ka ti na hui drug aver&lt;/strong&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p style="text-align: left;"&gt;This string roughly translates to “Screw you my friend Aver” (well, it's actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on English virus-writing forums meaning AV researcher).&lt;/p&gt; &lt;p style="text-align: left;"&gt;Doh!&lt;/p&gt; &lt;p&gt;This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering.
My personal favorite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;Dear Symantec:&lt;br /&gt;For years I have longed for just one thing,&lt;br /&gt;to make malware with just the right sting,&lt;br /&gt;you detected my creation and got my domains killed,&lt;br /&gt;but I will not stop,&lt;br /&gt;I can rebuild.&lt;/p&gt;&lt;/blockquote&gt; &lt;blockquote&gt;&lt;p&gt;P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The Rinbot authors were particularly well known for getting frustrated at AV companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). They were fairly generous in distributing their pent-up annoyance, with everyone from SANS to CNN included. In particular they really disliked people refusing to name their malware as they had intended.&lt;/p&gt; &lt;p&gt;Rinbot is not the only malware to include such strings; recently the TSPY_ZBOT family also started carrying messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years; another one, from a WORM_MYDOOM variant back in 2004, read:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;span&gt;&lt;em&gt;we will attack f-secure,symantec,trendmicro,mcafee , etc. &lt;/em&gt;&lt;br /&gt;&lt;em&gt; The 11th of march is the skynet day lol .
&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;It's always nice to get feedback on your work, even more so when it's the bad guys complaining that we are doing too good of a job.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-6060755709042525173?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/QYt1f_y4-ZU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/6060755709042525173/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6060755709042525173" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/6060755709042525173?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/6060755709042525173?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/QYt1f_y4-ZU/all-feedback-is-good-feedback.html" title="All feedback is good feedback" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/06/all-feedback-is-good-feedback.html</feedburner:origLink></entry><entry
gd:etag="W/&quot;C0ACQng5cCp7ImA9WxJXGEw.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-7851869778838751928</id><published>2009-06-12T13:25:00.003+01:00</published><updated>2009-06-12T14:02:43.628+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-12T14:02:43.628+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Tools" /><title>5 Must Have Tools (from ISSA Talk)</title><content type="html">On Tuesday I attended the &lt;a href="http://www.issaireland.org/june09"&gt;very interesting talk&lt;/a&gt; held by the ISSA in Dublin, where several Microsoft employees spoke about Windows 7 and their own internal IT security setup, and Elda Dimakiling and Francis Ten Seng gave a good overview of the Conficker worm. This was followed by two short presentations - Paul Collins, head of IT with Hypo Real Estate Group, showed the capabilities of the very useful MSAT tool, and I demoed some useful malware analysis tools. Overall I really enjoyed the event, and will continue to attend ISSA events in the future.&lt;br /&gt;&lt;br /&gt;I thought that I may as well stick the tools in question up on this blog post so that they are all linked in one location. I often get asked to fix friends' computers, and always carry around a copy of these tools on a USB key - if you know what you are doing you can clean about 90% of all Windows malware with them. I'd advise any security professional to download all 5 and play around with them for 30 minutes; you'll be happy you did.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://pjf.blogcn.com/index.shtml"&gt;Ice Sword&lt;/a&gt; (&lt;a href="http://www.antirootkit.com/software/IceSword.htm"&gt;Mirrored Download - Use This&lt;/a&gt;)&lt;br /&gt;IceSword is a fantastic tool for rootkit detection. It will allow you to see hidden processes, registry keys, services etc. on the infected machine. 
In addition to this it will actually let you directly read and write areas of process memory, and includes a basic disassembler. It also has a host of other features, such as inspecting the system's SSDT and listing Layered Service Providers. In any malware analysis IceSword is my first port of call: remove any rootkits from the system so that you can continue your analysis.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.gmer.net/"&gt;GMER&lt;/a&gt;&lt;br /&gt;GMER is another rootkit removal tool, again with many other features built in. Personally I prefer IceSword, but you really should have both at hand - sometimes malware will successfully hide from, or kill, one or the other.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx"&gt;Autoruns&lt;/a&gt;&lt;br /&gt;Now that you have removed the rootkits from the PC, Autoruns is step 2. It is a fantastic tool which shows every single system load point (i.e. all of the executables that will be started during Windows startup). As it returns quite a large amount of information, here are some tips on where to start looking (as you get more used to the tool, this will become second nature):&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Check the following tabs first - Logon, Internet Explorer, Scheduled Tasks, Services, Image Hijacks, Winlogon.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Pay particular attention to any entries that do not have an associated Publisher or Description, especially anything in the System32 or Windows folders. There is a very nice Right-Click-&gt;Verify function that will check the digital signature of the executable.&lt;/li&gt;&lt;li&gt;For executables you are unfamiliar with try the Right-Click-&gt;Search Online feature. Interestingly this uses Yahoo search - but I would not be surprised to see a Bing version in future.&lt;/li&gt;&lt;li&gt;Delete any suspicious load points and then refresh. 
If the value is being recreated that's normally a sure sign that it's bad.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx"&gt;Process Explorer&lt;/a&gt;&lt;br /&gt;Think Task Manager on steroids. Some tips:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Pay particular attention to Packed Images (highlighted in purple)&lt;/li&gt;&lt;li&gt;As well as killing processes, you can also suspend them. This can sometimes be better, as some malware will have a second process or DLL watching the first, which will automatically restart it if it is removed from memory - suspending the process means that it is still in memory, but not doing anything.&lt;/li&gt;&lt;li&gt;Most of the really cool stuff is in the Right-Click-&gt;Properties menu. The Threads tab is very powerful - allowing you to kill/suspend individual threads within a process. Malware likes to create remote threads in other processes, so if you are having difficulty removing it pay close attention to any threads injected into Winlogon, Explorer or IExplore.&lt;/li&gt;&lt;li&gt;The TCP/IP tab will show you any network activity of the process.&lt;/li&gt;&lt;li&gt;Strings is another excellent tab - showing human-readable strings in a file. Note that you can look for strings in the Image (the file) or in Memory. Memory is normally more useful, especially if the file is packed.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx"&gt;Process Monitor&lt;/a&gt;&lt;br /&gt;A very simple, yet incredibly powerful tool. Every single File, Registry, Process and Network access performed on the system is intercepted and logged. You can use Filters to only see the details you are interested in. 
This is particularly useful if you are noticing certain registry keys, files or processes being recreated by a threat - as it will show you the process responsible for recreating them (quite often Explorer or Winlogon, which indicates an injected malicious thread).&lt;br /&gt;&lt;br /&gt;Oh and if you have spent the suggested 30 minutes mucking about with these and want to know where next to go on your quest to become a security tool guru - all of the Microsoft Sysinternals tools are now available in a single download - &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx"&gt;http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;I know that I've lost all my street cred by actually praising a Microsoft product (none of the cool kids are returning my calls), but sometimes they really do get it 100% right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-7851869778838751928?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/NuR2fgwZqgo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/7851869778838751928/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=7851869778838751928" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7851869778838751928?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/7851869778838751928?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/NuR2fgwZqgo/5-must-have-tools-from-issa-talk.html" 
title="5 Must Have Tools (from ISSA Talk)" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/06/5-must-have-tools-from-issa-talk.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0ADQXo-fip7ImA9WxJRGUU.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-4395822919372297066</id><published>2009-05-22T10:43:00.002+01:00</published><updated>2009-05-22T10:49:30.456+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-22T10:49:30.456+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Publications" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="TM" /><title>Pushdo Pushdo we all push for Pushdo</title><content type="html">Parts 2 to 5 of the Pushdo articles are now on the web.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-from-russia-with-love-part-2-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – From Russia with Love (Part 2 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-can%e2%80%99t-touch-this-part-3-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-sniffing-for-the-win-part-4-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-traditional-av-is-useless-part-5-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – 
Traditional AV is Useless (Part 5 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More importantly, our paper is now online. I know no one actually reads this blog (*tumbleweed drifts by*), but if anyone has any comments (good or bad) I'd love to hear them.&lt;br /&gt;&lt;br /&gt;&lt;a onclick="javascript:pageTracker._trackPageview('/outgoing/us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf');" title="A Study of Pushdo / Cutwail" href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf"&gt;Paper: A Study of Pushdo / Cutwail&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/fig_pushdo.jpg" /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-4395822919372297066?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/13TQXKwp1sU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/4395822919372297066/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4395822919372297066" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4395822919372297066?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4395822919372297066?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/13TQXKwp1sU/pushdo-pushdo-we-all-push-for-pushdo.html" title="Pushdo Pushdo we all push for Pushdo" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/05/pushdo-pushdo-we-all-push-for-pushdo.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YHSHY9eip7ImA9WxJREUg.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-3895552815909422944</id><published>2009-05-12T12:42:00.004+01:00</published><updated>2009-05-12T18:58:59.862+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-12T18:58:59.862+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="TM" /><category scheme="http://www.blogger.com/atom/ns#" term="Conference" /><title>Pushdo Blog Series</title><content type="html">WAY too long since I've updated this :(&lt;br /&gt;&lt;br /&gt;My teammate David Sancho and I have created a series of 5 blog articles on the Pushdo malware family, which we've been researching for the last 2 months. They will be released today, Wednesday, Friday and the following Monday and Wednesday - culminating in the release of an in-depth white paper. 
If you are interested in reading part 1, you can read it &lt;a href="http://blog.trendmicro.com/pushdocutwail-%E2%80%93-the-art-of-spamming/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I've also been informed that I got name-dropped in one of PDP's &lt;a href="http://www.gnucitizen.org/blog/exploit-sweatshop/"&gt;latest blogs&lt;/a&gt; over on Gnucitizen, from a talk I did at Risk 2008 in Oslo (shockingly expensive city). A really good article on the underground exploit-selling economy.&lt;br /&gt;&lt;br /&gt;And lastly I was at ISSA's &lt;a href="http://www.issaireland.org/may09"&gt;security event&lt;/a&gt; last week in Dublin. Very impressed by the speakers and interesting attendees, plus it was good to put some faces to names. They have a nice lightning presentation session to wrap things up (5-10 minute presentations) that I'd be interested in giving a go next time - need to think of something interesting and snappy :) Was also great to see all the Symantec crowd.&lt;br /&gt;&lt;br /&gt;Anyhow - hope people find the Pushdo series interesting - and feel free to post any questions here, as it is not possible to comment on the Trend Micro blog itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-3895552815909422944?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/_eYND0qTg1I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/3895552815909422944/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3895552815909422944" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3895552815909422944?v=2" /><link rel="self" 
type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3895552815909422944?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/_eYND0qTg1I/pushdo-blog-series.html" title="Pushdo Blog Series" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/05/pushdo-blog-series.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEUMR387cCp7ImA9WxVQGUw.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-5094400536644445744</id><published>2009-02-04T12:41:00.003Z</published><updated>2009-02-06T09:24:46.108Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-06T09:24:46.108Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Policy" /><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacked Sites" /><title>Largest Bulletin Board providers compromised</title><content type="html">I regularly contribute to and help run a couple of internet bulletin boards in my spare time, and it was while running one of these this morning that something quite interesting popped up. On this particular site I had installed phpBB (which has the largest market share among internet boards), and my version was a bit out of date so I thought it was time to wander over to &lt;a href="http://www.phpbb.com/"&gt;http://www.phpbb.com&lt;/a&gt; and grab the latest update. 
To my surprise I came across: &lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.robertmcardle.com/siteImages/blog/Jan08/phpbb.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 660px; height: 395px;" src="http://www.robertmcardle.com/siteImages/blog/Jan08/phpbb.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Hmm - that can't be good was my knee-jerk reaction, and judging from the waves of comments on other sites, everyone else's as well. Cries of "Oh Noes! De Interwebz is broken" or their equivalent were fairly widespread. Unfortunately a large chunk of today's internet users spend a very short amount of time reading a page before deciding to move on or read the rest. In the case of phpbb.com it looks like this attention span lasted about 2 lines, as line number 3 clearly reads (in bold):&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;b&gt;No vulnerabilities have been found in the phpBB software itself&lt;/b&gt;.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Excellent! It appears the internet has not come to a grinding halt after all (unlike last &lt;a title="Google Identifies Entire Internet as Malicious" href="http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html"&gt;Sunday&lt;/a&gt;). Some further reading on the phpBB support forums shows that the vulnerability is in an entirely different piece of software running on the site, PHPList - a newsletter manager which lets you add and manage subscribers along with creating and emailing newsletters. According to the support forums:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. 
Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;This database is from phpBB3, which protects stored passwords with a much stronger hashing scheme (salted and iterated) than phpBB2, which stored plain unsalted MD5 hashes. Unfortunately any users who signed up to the support site back when it was still running phpBB2, and have not signed in since the upgrade, will still have their passwords in the older format - which is trivial to crack with freely available &lt;a title="MD5 Rainbow Tables" href="http://www.freerainbowtables.com/en/tables/md5/"&gt;Rainbow Tables&lt;/a&gt;. Users have been advised to reset their passwords on all other sites where they also use it.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Password Policy&lt;/b&gt;&lt;/p&gt; &lt;p&gt;I've already referred to password policy in a &lt;a title="Security For Dummies" href="http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/"&gt;previous post&lt;/a&gt;, but here's another little tip - pick and remember 3 different passwords (more on choosing strong passwords in the previous blog post).&lt;/p&gt; &lt;p&gt;1) Use the 1st one for all public sites that you sign up to - bulletin boards, social networks, and the vast array of other web sites that seem to need you to give them password details&lt;/p&gt; &lt;p&gt;2) Have a different password for your laptop/desktop itself, to protect against someone with physical access to your system&lt;/p&gt; &lt;p&gt;3) Lastly pick a separate password for your email account - the holy grail for password thieves. Have a search through your emails for the words "Password" or "New Account" - scary the amount that will turn up. 
Compromise someone's email and you compromise their entire online web activity.&lt;/p&gt; &lt;p&gt;Lastly - change these passwords every 6 months. If you do this you will have gone a LONG way to keeping your information secure online. Having separate levels of passwords is key - the amount of people who blindly sign up for sites and provide both their email, and the password which is also used for their email account, as login details is scary. If you are not used to remembering separate passwords, try to pick ones that have something in common. I'll end this with a simple, easy to remember example (Note: don't bother trying to access my email account with these :) )&lt;/p&gt; &lt;p&gt;Level-1 Password: aFiFuOf$$$&lt;br /&gt;Level-2 Password: 4aF$$$Mo&lt;br /&gt;Level-3 Password: ThGoThBa&amp;amp;ThUg&lt;/p&gt; &lt;p&gt;&lt;b&gt;&lt;i&gt;Clue: Spaghetti Westerns&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;NOTE: The hacker who carried out the attack has posted a very interesting step-by-step here - &lt;a href="http://hackedphpbb.blogspot.com/2009/01/place-holder.html"&gt;http://hackedphpbb.blogspot.com/2009/01/place-holder.html&lt;/a&gt;&lt;br /&gt;&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5094400536644445744?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/iZ6TY8hmBtI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/5094400536644445744/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5094400536644445744" title="1 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5094400536644445744?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/5094400536644445744?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/iZ6TY8hmBtI/largest-bulletin-board-providers.html" title="Largest Bulletin Board providers compromised" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/02/largest-bulletin-board-providers.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A08GQXs8fip7ImA9WxVREUw.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-6880401813266434516</id><published>2009-01-16T14:24:00.002Z</published><updated>2009-01-16T15:30:20.576Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-16T15:30:20.576Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><title>Security Policy 101</title><content type="html">Quite a few security websites and media outlets have reported on the current wave of &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;WORM_DOWNAD.AD&lt;/a&gt; detections over the last few weeks. 
What's noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques - a three-pronged attack designed to exploit weak company security policies.&lt;br /&gt;&lt;br /&gt;Firstly &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;DOWNAD.AD&lt;/a&gt; sends exploit packets for the recent Microsoft &lt;a href="http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=MS08-067_Server_Service_Remote_Execution_Exploit"&gt;Server Service Vulnerability&lt;/a&gt; (MS08-067) to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.&lt;br /&gt;&lt;br /&gt;For its next trick &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;DOWNAD.AD&lt;/a&gt; drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated Autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file).&lt;br /&gt;&lt;br /&gt;And then comes the icing on the cake - it first enumerates the available servers on the network and then, using this information, gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&amp;amp;VSect=T"&gt;here&lt;/a&gt;). 
If successful (and a scary amount of the time people's passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.&lt;br /&gt;&lt;br /&gt;So why is this worm so successful? Simple - poor security policies.&lt;br /&gt;&lt;br /&gt;The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some companies have not properly rolled it out to all machines on their network. Remember, even one unpatched machine is enough to let this worm spread through the entire network. Patch management is a critical component of any IT department's job today, and it is vitally important that patches are applied in a timely fashion across ALL of the company's machines, including laptops and other mobile devices. Companies also need to have very clear policies on the patch levels of external parties who access their network (e.g. partner companies, contractors, etc.). Like so many aspects of security, it only takes one hole to bring down an entire network.&lt;br /&gt;&lt;br /&gt;Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick, grab a piece of paper and a pencil. Got them? Great, ok - now in 30 seconds try to write down a single reason why your company NEEDS to have the ability for all removable drives and network shares to automatically execute code just by viewing them. It's OK, I'll wait till you are done... didn't come up with one, did you? Let me save you the pain of figuring out the next step - &lt;a href="http://msdn.microsoft.com/en-us/library/cc144204.aspx"&gt;How to disable Autorun&lt;/a&gt; (more details &lt;a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Lastly we have the old classic - using weak passwords.&lt;br /&gt;&lt;br /&gt;
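The three gaps above are also three things you can check on a box before the worm finds them. The script below is an added example, not code from the original post or from Trend Micro. It assumes an English-language Windows (it parses the labels that "net accounts" prints), that the MS08-067 fix is the update Microsoft shipped as KB958644 (Windows 7 and later shipped with the fix built in, so Get-HotFix will not list it there), and that "disable Autorun" in practice means NoDriveTypeAutoRun set to 0xFF under the Explorer policy key. The password thresholds (minimum length 8, lockout after 10 attempts) are assumed values, not anything from the post.&lt;br /&gt;&lt;br /&gt;

```powershell
# Added example (not from the original post): audit the three policy gaps
# that WORM_DOWNAD.AD exploits - the unpatched Server Service (MS08-067),
# Autorun on removable/network drives, and weak local password policy.
# Assumptions: English-language Windows ("net accounts" labels are parsed),
# KB958644 is the MS08-067 update, and the thresholds below are our own.

function New-CheckResult($Check, $Pass, $Detail) {
    # Works on PowerShell 2 (Windows XP era), unlike [pscustomobject].
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-Ms08067Patch {
    # Windows 7 / Server 2008 R2 (6.1) and later shipped after MS08-067, so
    # the fix is part of the OS and Get-HotFix will not report a KB for it.
    $os = [Environment]::OSVersion.Version
    if ($os.Major -gt 6 -or ($os.Major -eq 6 -and $os.Minor -ge 1)) {
        return New-CheckResult 'MS08-067 patch' $true 'OS shipped with the fix'
    }
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if ($fix) { $detail = "KB958644 installed $($fix.InstalledOn)" } else { $detail = 'KB958644 missing' }
    New-CheckResult 'MS08-067 patch' $fix $detail
}

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun turned off;
    # 0xFF covers every type. Machine policy (HKLM) takes precedence over HKCU.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = $null
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.NoDriveTypeAutoRun; break }
    }
    if ($null -eq $value) {
        $detail = 'NoDriveTypeAutoRun not set, Windows default applies'
    } else {
        $detail = 'NoDriveTypeAutoRun = 0x{0:X2}' -f $value
    }
    $pass = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
    New-CheckResult 'Autorun disabled' $pass $detail
}

function Test-PasswordPolicy {
    # Reads the local policy as printed by "net accounts". A dictionary attack
    # like DOWNAD's is blunted by a minimum length plus a lockout threshold;
    # the thresholds are assumed sane values, adjust them to your own policy.
    param([int]$MinLength = 8, [int]$MaxAttempts = 10)
    $minLen = $null
    $lockout = $null
    foreach ($line in (net accounts 2>$null)) {
        if ($line -match '^Minimum password length:\s+(\d+)') { $minLen = [int]$Matches[1] }
        if ($line -match '^Lockout threshold:\s+(\S+)') { $lockout = $Matches[1] }
    }
    $lockoutOk = ($null -ne $lockout) -and ($lockout -ne 'Never') -and ([int]$lockout -le $MaxAttempts)
    $pass = ($null -ne $minLen) -and ($minLen -ge $MinLength) -and $lockoutOk
    New-CheckResult 'Password policy' $pass "min length $minLen, lockout threshold $lockout"
}

function Invoke-DownadPolicyAudit {
    # One row per propagation vector; Pass = False marks a gap the worm can use.
    @(Test-Ms08067Patch; Test-AutorunDisabled; Test-PasswordPolicy) |
        Select-Object Check, Pass, Detail
}

Invoke-DownadPolicyAudit | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; each row with Pass = False is a vector the worm can still use on that machine. The password check only looks at the policy, not at the passwords themselves: the worm guesses account passwords from a list, and a lockout threshold is what blunts that kind of attack.&lt;br /&gt;&lt;br /&gt;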
You could write a book on how to ensure users use strong passwords (in fact people already &lt;a href="http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/1597490415/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1232119298&amp;amp;sr=1-1"&gt;have&lt;/a&gt;), but to help save your hard earned money during this economic downturn, we've kindly made one available as part of our &lt;a href="http://us.trendmicro.com/us/threats/home-user/preventing-intrusions/safe-computing-guide/"&gt;Safe Computing Guide&lt;/a&gt;&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt; . Go have a read. After all it would be nice to not have to explain to your boss that every machine in the company is infected because you had picked "123456" as the default password on all of your machines and shared drives.&lt;br /&gt;&lt;br /&gt;To quote my favourite sportsperson Roy Keane - "Failure to Prepare, Prepare to Fail"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-6880401813266434516?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~4/9Z7N_S-ifxk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/6880401813266434516/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6880401813266434516" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/6880401813266434516?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/6880401813266434516?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/9Z7N_S-ifxk/security-policy-101.html" title="Security Policy 101" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2009/01/security-policy-101.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck8DQX08cCp7ImA9WxRbF0k.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-3020151559057856487</id><published>2008-12-08T12:13:00.005Z</published><updated>2008-12-08T12:54:30.378Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-12-08T12:54:30.378Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Doom and Gloom" /><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><title>Security in a Recession</title><content type="html">With the National Bureau of Economic Research  in the United States announcing last week that the US has officially been in recession since Dec 2007, IT budgets are highly likely to be strictly controlled both in the US and in other parts of the world. I had a conversation with a friend over the weekend and he asked me did I expect there to be redundancies in the IT Security industry, as companies could not longer afford to have dedicated Security personal on their books.&lt;br /&gt;&lt;br /&gt;To be honest, yes I think there will. However, I also think that the overall IT Security industry will continue to grow in 2009 - the bad guys are not going away anytime soon, and a lot of their existing scams work really well in this economic climate. 
The companies which take this course of action may well end up regretting it in the long term, and here are my thoughts on why.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s1600-h/recession.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 247px; height: 247px;" src="http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s320/recession.jpg" alt="" id="BLOGGER_PHOTO_ID_5277401728882005522" border="0" /&gt;&lt;/a&gt;All Security, at the end of the day, boils down to risk management, and the 3 core values every organisation needs to protect are often shown in the acronym CIA (Confidentiality, Integrity, Availability). Different organisations prioritise different areas, e.g. the military values Confidentiality highest, for banks it is Integrity, etc. I think when it comes to an economic downturn, Confidentiality and Availability are the most obviously affected.&lt;br /&gt;&lt;br /&gt;In terms of Confidentiality we are talking about an organisation's private data being protected. I'm based in Ireland where we had 17000 people made redundant in November, but this is a drop in the ocean compared to other countries (particularly the half a million in the US). Insider threats have long been one of the largest risks facing organisations, especially in the case of the so-called "Disgruntled Employee". With large numbers of employees being made redundant, having their salaries cut, etc, there is a lot of incentive for these same employees to engage in Data Theft. When people feel hard done by at the hands of their employers, they are more likely to relax their morals, and in a lot of cases would not consider taking confidential company information outside the company to be stealing - they feel an entitlement to this information; after all, they put X years of work into helping the company grow. 
The very fact that there are so many Data Leak/Loss Prevention (DLP) solutions on the market should give you an idea of just how big this problem is - and I think the risk of Data Theft/Loss is going to increase in the current climate.&lt;br /&gt;&lt;br /&gt;Which brings us to the other big one - Availability. Almost every company is currently engaged in examining their costs and reducing them wherever possible. Whether it is in terms of head count or even simply lowering all of the thermostats in their buildings by 5 degrees (my hands are going blue typing this), a lot of companies are walking a very fine line trying to keep afloat for the next 2 to 3 years - even the smallest misfortune could tip the ship.&lt;br /&gt;&lt;br /&gt;This is where malware comes in. The recent &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.A&amp;amp;VSect=T"&gt;WORM_DOWNAD.A&lt;/a&gt; attack was quite successful in infecting unpatched Windows machines, with quite a few companies having thousands of machines infected by the threat. Cleaning up a threat like this costs a lot of money. In a lot of cases a company may need to pay their IT staff overtime to fix the problem, or bring in external contractors. That's not where the real loss is, however. Picture a company of 4000 employees. Now picture all of those employees being unable to use their machines for 3 hours while the systems are being cleaned, repatched and tested. That is 12000 man-hours of work which that company is paying for, and getting nothing in return. To put it another way, that's about 6.5 people's salaries for the year, so around 200-250K. There are very few companies that have that kind of money to burn at the moment.&lt;br /&gt;&lt;br /&gt;So to any organisations thinking of cutting their security budgets: think long and hard, and weigh the short-term savings against the potential losses. 
I wish I could say that there won't be companies that go under because of a malware attack in the next couple of months - but optimism is not exactly in large supply at the moment.</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/3020151559057856487/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3020151559057856487" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3020151559057856487?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3020151559057856487?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/skRuq0fYGeo/security-in-recession.html" title="Security in a Recession" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s72-c/recession.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2008/12/security-in-recession.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CUMHQX04cSp7ImA9WxRbE0k.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-3038790716004003086</id><published>2008-12-03T09:38:00.006Z</published><updated>2008-12-03T22:30:30.339Z</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-12-03T22:30:30.339Z</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Technical" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><title>Breaking the Internet 101</title><content type="html">I have not posted on here in FAR too long, apologies to my hordes of loyal readers (hi mom!)&lt;br /&gt;&lt;br /&gt;I just wanted to bring 2 excellently written articles to people's attention on the DNS Vulnerability discovered by Dan Kaminsky earlier this year. Unless you were hiding under a rock, if you are in any way involved in the Security industry this is an attack you should know inside out (as well as DNS Cache Poisoning and RR attacks). This stuff comes up all the time when I am teaching SANS courses (GSEC and GCIH), and the students are always amazed at the simplicity of the attacks. 
If the students do not walk out of the classroom at the end of the day terrified that the entire Internet is based on such a horribly insecure protocol, I have not done my job properly :)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://poly.chromatic.net/blog/wp-content/uploads/2008/08/the-internet-is-broken-folded-marge-black-folded.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 229px; height: 300px;" src="http://poly.chromatic.net/blog/wp-content/uploads/2008/08/the-internet-is-broken-folded-marge-black-folded.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;a href="http://boingboing.hexten.net/2008/11/30/how-dan-kaminsky-bro.html"&gt;Boing Boing&lt;/a&gt; has an excellently written article on Dan's discovery of the attack and the subsequent media storm that followed. It reads akin to the plot of a Hollywood blockbuster (much better than &lt;a href="http://www.rottentomatoes.com/m/swordfish/"&gt;Swordfish&lt;/a&gt;) and I found it hugely entertaining.&lt;br /&gt;&lt;br /&gt;It is a bit light on the exact details of the attack, which are just as interesting - and can be found &lt;a href="http://www.jbip.net/content/text-mantasanos-article-detais-kaminskys-dns-attack"&gt;here&lt;/a&gt;. 
Incidentally, an exploit is available as part of the Metasploit toolkit over &lt;a href="http://www.caughq.org/exploits/CAU-EX-2008-0002.txt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As I said before - a must read for anyone involved in security - but Boing Boing have done a fine job of making the attack understandable for everyone.</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/3038790716004003086/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3038790716004003086" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3038790716004003086?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/3038790716004003086?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/hNWxBcj1OPY/beaking-internet-101.html" title="Breaking the Internet 101" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2008/12/beaking-internet-101.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;AkAGQH8yfCp7ImA9WxdUEk4.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-4524832599716690934</id><published>2008-07-28T10:50:00.001+01:00</published><updated>2008-07-28T10:52:01.194+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-07-28T10:52:01.194+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Technical" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="TM" /><category scheme="http://www.blogger.com/atom/ns#" term="Web Threats" /><title>YAMSIA (Yet Another Massive SQL Injection Attack)</title><content type="html">&lt;span style="font-style: italic;"&gt;Forgot to crosspost from the &lt;a href="http://blog.trendmicro.com/yamsia-yet-another-massive-sql-injection-attack/"&gt;TM&lt;/a&gt; site&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Clever mnemonics aside, last week we saw another large-scale SQL injection attack (or YAMSIA, if you prefer), this time orchestrated by a botnet that has become known as Asprox—but first, a history lesson.&lt;/p&gt; &lt;p&gt;The code behind the &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&amp;amp;virus=ASPROX&amp;amp;alt=1"&gt;Asprox botnet&lt;/a&gt; seems to have been around for quite some time now, but it was only in the last year that it upgraded to a botnet whose main focus is to send phishing emails. 
This changed in late May / early June of this year when the bots were issued a new set of commands–namely to start searching the Web for certain .ASP pages - and then launching an SQL injection attack against these pages (hmm … I wonder where they got that idea from).&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/ASP_scripts.gif" /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;Figure 1.&lt;/i&gt;&lt;/b&gt; The modus operandi that has become more and more common.&lt;/center&gt; &lt;p&gt;Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain (the first technique has been taught in &lt;i&gt;Bouncing Malware 101&lt;/i&gt;). These domains are part of a fast-flux network hosted on the botnet itself (a technique widely used by another well-known botnet, Storm). The JS file name was originally &lt;i&gt;b.js&lt;/i&gt;, but this has since changed and, in the latest wave, it is the highly imaginative &lt;i&gt;ngg.js&lt;/i&gt;.&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/yamsia.jpg" /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;Figure 2.&lt;/i&gt;&lt;/b&gt; Sample of malicious script (with some parts removed)&lt;/center&gt; &lt;p&gt;As you can see, this script creates a cookie that expires after 9 days. This serves as an infection marker on the page, as it then “bounces” the threat once more to the page pointed to by the &lt;i&gt;iFrame&lt;/i&gt;.&lt;/p&gt; &lt;p&gt;Depending on what country you are browsing from, the Asprox botnet may decide not to let you access this page, in which case you will be redirected to the legitimate &lt;i&gt;www.msn.com&lt;/i&gt;. 
If you are “lucky” enough to be allowed access to the page, however, your browser will be promptly slapped in the face with a barrage of exploits–all with the goal of having your computer join in all of the fun by hooking your PC up to the botnet.&lt;/p&gt; &lt;p&gt;SQL injection attacks can be very effective as they are normally completely hidden from the Internet user—everything is quietly downloaded in the background without their knowledge. We were sure this was a criminal act, and as such have added a detection for the threat, as well as for the bouncing JavaScript (JS_IFRAME.ADN) itself.&lt;/p&gt; &lt;p&gt;Unfortunately, security is still a major issue with the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA (Can you tell I’m trying to get this mnemonic to stick?) blogs in the future.&lt;/p&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/4524832599716690934/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4524832599716690934" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4524832599716690934?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/4524832599716690934?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/3sKTxoHrcB8/yamsia-yet-another-massive-sql.html" title="YAMSIA (Yet Another Massive SQL Injection Attack)" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2008/07/yamsia-yet-another-massive-sql.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkEHSHszcCp7ImA9WxdUEk4.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-2922565768781509943</id><published>2008-07-28T10:48:00.000+01:00</published><updated>2008-07-28T10:50:39.588+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-07-28T10:50:39.588+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Technical" /><category scheme="http://www.blogger.com/atom/ns#" term="Malware" /><category scheme="http://www.blogger.com/atom/ns#" term="SPAM" /><category scheme="http://www.blogger.com/atom/ns#" term="TM" /><category scheme="http://www.blogger.com/atom/ns#" term="NUWAR" /><title>Breaking News! Iran Invaded! Well…maybe</title><content type="html">&lt;span style="font-style: italic;"&gt;Forgot to repost from &lt;a href="http://blog.trendmicro.com/breaking-news-iran-invaded-well%E2%80%A6maybe/"&gt;TM &lt;/a&gt;Site&lt;/span&gt;&lt;br /&gt;&lt;div align="left"&gt;&lt;p&gt;Picture the scene: You wake up in the morning and make your way on autopilot to work at your job in Tehran, then switch on your work PC to check your email. One in particular stands out as being a bit different from the others. 
You read it once, and then just to be sure read it a second time, then run to look out the window. Seeing no tanks in the streets and a significant lack of mushroom clouds, you return to your desk and take another look…&lt;/p&gt; &lt;p&gt;&lt;img src="http://blog.trendmicro.com/wp-content/uploads/2008/07/iran.jpg" alt="Iran" align="center" /&gt;&lt;/p&gt; &lt;p&gt;Anxious to find out what’s going on, you download the video and run it to find out more information.&lt;/p&gt; &lt;p&gt;Wrong move.&lt;/p&gt; &lt;p&gt;Now, longtime readers of this blog (well, most people to be honest) should look at that email and be immediately skeptical. They might even go check out a legitimate news site like CNN or BBC. However, enough people will open their email inboxes this morning, download the video (hint: it’s not really a video, it’s just another Storm/Nuwar/Zhelatin/Peacomm variant detected by Trend Micro as &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NUWAR.AB"&gt;TROJ_NUWAR.AB&lt;/a&gt;) and proceed to help the Storm gang’s authors make even more money. The Storm network may have decreased since its heyday — but its size still makes the approximately 20,000 soldiers seem small in comparison.&lt;/p&gt; &lt;p&gt;It’s a sad world we live in where we have to educate people to be careful of what they get in their email, to be suspicious of every site they visit, and to be constantly on the lookout for scams.&lt;/p&gt; &lt;p&gt;Needless to say, Trend Micro customers are protected from this threat, both with our latest pattern file, and in the cloud with our Smart Protection Network. 
For everyone else, &lt;i&gt;&lt;b&gt;think before you click&lt;/b&gt;&lt;/i&gt;.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Additional information — here are samples of spam pertaining to this attack:&lt;/i&gt;&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/stormmil3.jpg" /&gt; &lt;p&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/stormmil4.jpg" /&gt;&lt;br /&gt;&lt;/p&gt;&lt;/center&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/2922565768781509943/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=2922565768781509943" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/2922565768781509943?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/2922565768781509943?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/1hHretFB1Wc/breaking-news-iran-invaded-wellmaybe.html" title="Breaking News! Iran Invaded! Well…maybe" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2008/07/breaking-news-iran-invaded-wellmaybe.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkcHSX8_fSp7ImA9WxdXGEw.&quot;"><id>tag:blogger.com,1999:blog-7389874623959970000.post-9018425179012745927</id><published>2008-06-30T09:20:00.007+01:00</published><updated>2008-06-30T10:27:18.145+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-06-30T10:27:18.145+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Musings" /><category scheme="http://www.blogger.com/atom/ns#" term="Travel" /><title>Ultimate Travel Bag</title><content type="html">Not a security related post - but here's one that is close to my heart. I decided to put this question out there for anyone who can help.&lt;br /&gt;&lt;br /&gt;I travel quite a lot for short trips (2-3 days) where I need to have my laptop case. Personally, airports annoy the hell out of me, especially going through security. The last time I was in the airport, standing behind a queue of people who took ages finding all of the metal objects in their pockets, forgetting to remove laptops from bags etc - an idea struck me.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;There must be an easier way than this&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;And so I have started my search for the ultimate short trip laptop bag. 
The type of bag that has enough space for your laptop, and all of your clothes etc. I decided to start with a short list of the features this type of bag would need to have.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Needs to fit in an overhead compartment of an aircraft - by &lt;a href="http://www.aerlingus.com/cgi-bin/obel01im1/Services/cabin_bag.jsp?BV_SessionID=@@@@1450736664.1214814449@@@@&amp;amp;BV_EngineID=cccgadeehldeeklcefecfigdffgdfkl.0&amp;amp;P_OID=-536879754&amp;amp;Category=3#all"&gt;Aer Lingus&lt;/a&gt;'s standards that's 56cm x 45cm x 25cm or 22in x 18in x 10in&lt;/li&gt;&lt;li&gt;The laptop must be easy to remove for airport scanners, not stuck somewhere in the depths of the bag.&lt;/li&gt;&lt;li&gt;Pouches at the front for passport/tickets&lt;/li&gt;&lt;li&gt;Compartment for metal coins and keys. Basically a small compartment into which you can toss all of your metal items. It would be even better if this was detachable&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Enough room and compartments for all of your laptop stuff - chargers, DVDs etc.&lt;/li&gt;&lt;li&gt;Enough room for 2 days worth of clothes, including shoes - and the option to be able to pack a suit.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Rollers and a long handle. I'm over 6 foot so stooping while dragging a bag is a pain&lt;/li&gt;&lt;/ul&gt;All of that should not be rocket science. 
I would be interested in hearing what other people would have in their "ultimate" laptop travel bag, and of course any suggestions on existing bags I could get.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://robertmcardle.blogspot.com/feeds/9018425179012745927/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=9018425179012745927" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/9018425179012745927?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7389874623959970000/posts/default/9018425179012745927?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/RobertMcardle-InfoSecurity/Av/InaneRamblings/~3/t3HbyTPxDXc/ultimate-travel-bag.html" title="Ultimate Travel Bag" /><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="24" height="32" src="http://3.bp.blogspot.com/_Gaxw_CA12Wo/S7srTVRA1vI/AAAAAAAAAs4/hJPu3HU1ZTA/S220/Robert_McArdle.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://robertmcardle.blogspot.com/2008/06/ultimate-travel-bag.html</feedburner:origLink></entry></feed>

