I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:
Leo: Oh, boy.
Don’t tell me I didn’t say so. Turn that interface OFF!
Sounds funny, doesn’t it? But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.‘” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:
This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats. The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?” It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.
One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.
What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.
The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.
Fellow security professionals, we have our work cut out for us.
Bruce Schneier’s June 19, 2009 post Fraud on eBay stands as a testament to the fact that all is not well with the online auction giant.
I expected selling my computer on eBay to be easy.
Attempt 1: I listed it. Within hours, someone bought it — from a hacked account, as eBay notified me, cancelling the sale.
Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then — near as I could tell — immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying “I paid you, now send me the computer.” But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn’t ship the item until the investigation is complete.
That’s one example of eBay fraud. Another report in The Consumerist, “It’s Now Completely Impossible To Sell A Laptop On Ebay,” shows another variation, clearly a Nigerian scam:
So I re-listed the item. This time, I lowered the minimum bid and paid for the ‘featured item’ option (which I thought was a stupid idea, but the only way to get my auction seen by any appreciable audience). This time, the auction ended without incident. I got an email from the bidder telling me that he was glad to have won the auction, and was excited for me to ship it… To Nigeria.
Let it be known here that though I may not be the smartest person in the world, I’m not stupid. His email went on to explain (in poor English) that he was ‘on business trip to the Nigeria,’ and that he was willing to pay me $1000 through PayPal for the laptop. Shortly thereafter I received an email from ‘PayPal’ (who is now apparently sending out their customer service emails from gMail), stating that I had received a payment, but that it would not show up in my account until I emailed them back the tracking number for the parcel. Very clever, but once again, I’m not stupid.
While I haven’t had this type of problem on eBay, I have experienced similar fraud on Craig’s list. Here’s a short excerpt from one of the emails I received from the fraudster (reportedly sent by USPS):
Thanks you for using Postal Money Order, The payment for your merchandise has been paid for,we have your $500:00USD money order sent to you by the buyer of your item Lewis Jack in our database, as soon as the item is shipped, please forward us with the shipping tracking number, so your $500:00USD money order can be mailed to your address, your money order is secure and save.
We will be glad to inform you that the payment sent to you by Lewis Jack has been processed and verified, your payment is now on hold for 48 hours from the period of time you recieve this email, we will be sending you a shipment notification email as soon as we recieve the shipment tracking number for the item your buyer purchased.
Based on the blatant outpoints in grammar and punctuation, it’s pretty obvious that this didn’t come from the United States Postal Service. It’s clearly a scam and I would never see payment if I were stupid enough to ship the item.
I’m about to list a rather expensive router on eBay and if I have any experiences similar to those of Mr. Schneier and the other gentleman, I’ll post details here.
It appears, though, that unless you’re selling low value or garage sale class items, the watchwords are: “Caveat venditor” (let the seller beware).
When I turned on my laptop this morning, I was greeted with a red X on the Panda icon in my system tray. When I clicked on it, the program informed me that my beta version would expire in 10 days and I should download the latest release. I was ready for a sales pitch; I’m happy to say there wasn’t one. Apparently, CloudAntivirus is still free (it’s also still Beta) and will remain so.
The latest release is dated 6/30/2009, Version 0.08.82. That number seems far removed from V. 1.0. I can’t imagine what more the program needs—it works very well now with no intrusive behavior. I’ve tested it with some real malware and it works as advertised. I trust it enough to recommend it to everyone I know.
If you missed my previous article on this nifty security tool, read Panda’s Cloud Antivirus (Beta) is a Winner! Be sure to watch the video I have linked in that article, too. Besides just being cool, the video will give you a new viewpoint on emerging security technology in the Cloud. While you’re at it, this Panda Security video ad’s also worth a look. (Check out the threat characters—very catchy.): Viruses pwned by Panda Antivirus [HQ].
Anyone interested in seeing a security video of the week (or month) column on this blog?
The Hacker Highschool project is the development of license-free security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students.
Today’s kids and teens are in a world with major communication and productivity channels open to them and they don’t have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.
In HHS, you will find lessons on utilizing Internet resources safely such as web privacy, chat protection, viruses and trojans (malware), and the over-all focus on how to recognize security problems on your computer. All lessons work with a free “live linux” CD which will boot off any PC with a CD-rom drive to perform the lessons. HHS is a great supplement to student course work or as part of after-school and club activities.
I checked out some of the lesson transcripts and I have to say that I plan to do them all myself. This is great stuff and while I’m no slacker at being a hacker, there’s a lot of great information to be had. Not only that, but I think it’ll be fun to pretend that I’m 16 in this day and age.
The first lesson (they’re in PDF format on the website) is aptly titled “Being A Hacker” and the first paragraph of the lesson starts out with this:
This lesson is about how to learn – a critical skill for a hacker. Hacking, in reality, is a creative process that is based more on lifestyle than lesson. We can’t teach you everything that you need to know, but we can help you recognize what you need to learn. This is also true due to the constant advances in the computer sciences.
They go on to say that hacking is a life skill that can be applied to other fields, too.
I suggest you check it out for yourself and if you have teenagers still at home, get them going on these things ASAP.
Physical security is something we often take for granted, but it can be just as important as cyber security. One of my clients recently called to say that some suspicious files had suddenly appeared on one of their servers. Naturally, I investigated, but I couldn’t find any breach in the firewall or any indication in the IDS logs that the network had been hacked from outside.
After spending a couple of hours digging around in the server logs, I finally dug into the registry and found that the files had apparently come from a USB device that had been plugged into the server around 9:30 pm on the day in question. Since only three people have access to the servers–myself, the IT Manager and the Controller–and none of us were guilty, I had to suspect that someone had gained unauthorized access to the server room.
Sure enough, the IT Manager recalled leaving early on an emergency the day of the incident and with a sheepish grin told me, “I guess I forgot to lock the door.”
We now have an electronic combination lock on the door and only the three of us have the code. The door automatically locks itself three seconds after it’s opened, so “forgetting” isn’t an option.
Lesson learned. Fortunately, the files were benign.
June is almost over and none to soon. I’m not one for wishing the time to fly, but in this case, I’m glad it did: It has been a very stressful month. Security can be a tough gig. So, it’s time to lighten up a bit with some geeky computer humor I found at http://www.gdargaud.net/Humor/QuotesComputer.html:
Users /nm./: collective term for those who use computers. Users are divided into three types: novice, intermediate and expert.
Novice Users: people who are afraid that simply pressing a key might break their computer.
Intermediate Users: people who don’t know how to fix their computer after they’ve just pressed a key that broke it.
Expert Users: people who break other people’s computers.
— From the Jargon File.
Password: i dont have one
password is incorrect
“Morons. These people who live in my apartment complex are connected to my wireless. They must think they’re super-cool hackers by breaking into my completely unsecured network. Unfortunately, the connection works both ways. Long story short, they now have loads of horse porn on their computer.” — Mootar from bash.org.
Helpdesk: Double click on “My Computer”
User: I can’t see your computer.
Helpdesk: No, double click on “My Computer” on your computer.
Helpdesk: There is an icon on your computer labeled “My Computer”. Double click on it.
User: What’s your computer doing on mine?
I’ll leave you with this one (I’ve actually pulled off a similar prank with backups):
“Whenever my Boss pisses me off, I secretly change the password to his e-mail account.
When he can’t log on, he’ll piss and moan for 5 minutes, cursing the computer. Then he’ll come groveling to me for my help. Once he’s groveled enough, I re-enter the right password from my office, go to his and watch him look like a dummy while I log-on easily.
I just love it. Heh, heh, heh.”
Here’s to a great rest of the summer!
I’ve been using Panda Security’s free Cloud Antivirus for awhile and I must say I’m impressed. It’s there, but you’ll never know it unless you look (the little panda icon in the system tray). I rarely get malware of any kind, but Cloud AV has caught a couple of things that were probably drive-bys. It’s so transparent that I actually had to go check on it before I noticed that malware had been caught. This is a perfect set-it-and-forget-it AV for the regular user. It’s free, self-updating and doesn’t require any decisions on the part of the user. You can believe what they have to say:
Panda Cloud Antivirus protects you while you browse, play or work and you won’t even notice it. It is extremely light as all the work is done in the cloud.
Panda Cloud Antivirus is truly install and forget. Don’t worry about updates, configuration or complicated decisions ever again.
Panda Cloud Antivirus provides you with the fastest protection against the newest viruses thanks to its cloud-scanning from PandaLabs’ servers.
But the great part about it is how it works. Watch the video. It’s really slick, blocking malware within 6 minutes when encountered by anyone who has it installed; it’s truly real time updating.
That’s my two cents. You be the judge and try it for yourself.
Once again, I’m behind on the news. This Security Fix report is almost a week old:
Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.
Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.
Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and, probably get released well before his full sentence is up the while earning interest on the money he has squirreled away somewhere.
BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks. Look for a more regular posting schedule next month.
Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you—from the other side of the grave–that you’ve just won the million-dollar Publisher’s Clearinghouse (but you have to send him some money, first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 –0400
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.
Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.
They’re all from scammers (criminals) either trying to steal your money, your identity or both.