Email security

Hacking Skills Challenge - Level 5

So far, we’ve explored the first 4 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy.

Today, we solve level 5:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

If you try the same tactic we used to solve level 4, you’ll get the error message, “Invalid referrer. The requested URL /missions/basic/5/level5.php will not be loaded.” You get this because the script checks the HTTP headers to see where you are viewing the page from. If the url is not /missions/basic/5/ or /missions/basic/5/index.php then it will give an error. Since you’re viewing it from a local file, the script fails.

There are two approaches we can take here: 1. Change the email address in the script using some form of code injection; 2. Use an online monitor/debugger that allows us to edit a page on the fly.

For the first approach, Javascript injection allows us to change the email address using the following code: javascript:alert(document.forms[0].to.value=”put_your@email. here”); Enter that in the address bar, hit Enter, and you’ll be greeted with an alert box show the email address you entered. If you then click the “Send Password to Sam” button, the password will be revealed. Copy the password, paste it into the password field, click Submit and you’re in. Like the last exploit, the page won’t actually send the password to the email address. In fact, you don’t even have to change the email address in the code; it will work as shown.

For the second approach, if you use Firefox, you can install a cool add-on called Firebug. This powerful tool allows you edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. I installed it, went to the challenge page and used the “Inspect Element” feature to see what was behind the “Send Password to Sam” button. Then, within Firebug, I changed the email address. When I clicked the “Send Password to Sam” button, the password was revealed.

Either way, mission accomplished!

(In a future post, I’ll show you how to hack any stored password using a similar javascript approach. And I’ll make sure you adopt a policy to never used a “remember me on this computer” check box on a publicly accessible PC ever again!)

Gmail Vulnerability Points Up the Need for Strong Password Policy

There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.

“Of Course, I Never Reply to Spam – Except Sometimes”

Sounds funny, doesn’t it?  But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.‘” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.

Real Spam Statistics

Depending on whose reports you view, spam accounts for from 85 to 95 percent of all emails sent. This may hold true over the Internet at large, but as with any other statistical data, there are local and regional variations. My own inbox is an exception to the general rule; I get far more legitimate emails than spam.

The company I work for provides spam filtering for several SMBs, so I have to hand real data that I can evaluate. Based on last week’s numbers, we processed nearly 100,000 messages in our filters. Of those messages, nearly 70,000–70%–were spam; nearly 30,000–30%–were accepted as legitimate. Our data has its own wild variations: one set is very low with only 18% spam; another set reaches a high of 92% spam.

I’m not a statistician, but it’s easy for me to see how big a problem spam has become. I’m not ready to say email is dead as a business communication medium, but it certainly needs an overhaul.

Swine Flu Breeds Spam

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.

Beware U.S. Tax Phishing Scams

It’s tax time in the U.S. and with that generally comes an increase in the number of phishing scams directed at taxpayers. The IRS, whether we like them or not, has an excellent anti-scam/anti-phishing web site. One key thing to remember is that the IRS does not initiate taxpayer communications through e-mail. Here’s an excerpt from their site:

The IRS does not initiate taxpayer communications through e-mail.

* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links…

Additional information is provided by the IRS in a recent press release:

Beware of IRS’ 2009 “Dirty Dozen” Tax Scams

IR-2009-41, April 13, 2009

WASHINGTON — The Internal Revenue Service today issued its 2009 “dirty dozen” list of tax scams, including schemes involving phishing, hiding income offshore and false claims for refunds….

The IRS urges taxpayers to avoid these common schemes:

Phishing

Phishing is a tactic used by Internet-based scam artists to trick unsuspecting victims into revealing personal or financial information. The criminals use the information to steal the victim’s identity, access bank accounts, run up credit card charges or apply for loans in the victim’s name.

Phishing scams often take the form of an e-mail that appears to come from a legitimate source, including the IRS. The IRS never initiates unsolicited e-mail contact with taxpayers about their tax issues. Taxpayers who receive unsolicited e-mails that claim to be from the IRS can forward the message to phishing@irs.gov. Further instructions are available at IRS.gov. To date, taxpayers have forwarded scam e-mails reflecting thousands of confirmed IRS phishing sites. If you believe you have been the target of an identity thief, information is available at IRS.gov.

I highly recommend you visit the IRS site and heed their excellent advice: How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites

Software for Secure Computing: Easy Email & File Security with AxCrypt

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to make contact with the recipient off-line to give them the passphrase, but your information will be secure in transit.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.

Security Resolutions for 2009

We’re nearly two weeks into the New Year and how many of those resolutions we made during the glow of the holiday season (and maybe some martinis) have gone off with the Grim Reaper? We all make them and break them; it wouldn’t be the New Year without making resolutions, after all. Lose weight, quit smoking (or drinking), start exercising, all are fine resolutions, but how about making a couple security resolutions that will help keep you safe on the Wild, Wild, Web? Here’s a list that you can pick from. Choose one, two, or all of them and pledge to yourself that whichever of them you choose, you won’t break them.

• I will never view, open or click on an email attachment unless I know who sent it, why they sent it and what it is.
• I will never click on a link in an email without knowing exactly where it will take me.
• I will never send sensitive personal or financial information to anyone via email.
• I will download and study Recognizing and Avoiding Email Scams provided by US-CERT.
• I will also download and study Avoiding Social Engineering and Phishing Attacks.
• I will install security software on my computers and keep the software up to date.
• I will set up and begin using a backup plan to protect my data.
• I will use only WPA2 encryption on my wireless access point and a strong password.
• I will review all my passwords, change them regularly, and use strong passwords where sensitive information is at stake.
• I will keep up with security issues by reading Security Corner on a regular basis (shameless plug!)

Any one or more of these security resolutions will get you off to a good start in 2009. I recommend you adopt them all.

Happy New Year!New Year Resolutions Graphic

Beware of E-Mail Scam Targeting Microsoft Customers

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.

Nine Steps to System Security - 2008

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.

In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security - 2004″ , and “Eight Steps to System Security – 2005“, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.

Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:

1. Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
2. Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
3. Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
4. Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
5. Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
6. Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
7. Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
8. On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
9. Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.

While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.