Archive for the ‘data security’ Tag

Netcraft: Google Fixes Gmail Cross-site Request Forgery Vulnerability

Thursday, November 1st, 2007

Netcraft: Google Fixes Gmail Cross-site Request Forgery Vulnerability
Google has fixed a vulnerability in its Gmail web-based email service which would have allowed Internet attackers to steal mail messages from users without being noticed.
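The Netcraft item gives only the headline, so here is the shape of a cross-site request forgery in miniature, as an added example in Go that is my own and not Google's code or anything from the Netcraft article. A hypothetical state-changing endpoint, /setForward, trusts the session cookie alone, next to a version that also demands a per-session token which a page on another origin cannot read. The endpoint name, the session id "victim" and the addresses are constructed for illustration and say nothing about what Gmail's actual bug looked like.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Server keeps, per session id, the CSRF token it issued and the forwarding
// address that the hypothetical /setForward action changes.
type Server struct {
	mu         sync.Mutex
	tokens     map[string]string
	Forwarding map[string]string
}

// TokenFor returns the token bound to a session, minting one on first use.
// The site's own pages embed it in their forms; a page on another origin
// cannot read it, and that is the whole defence.
func (s *Server) TokenFor(session string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if t, ok := s.tokens[session]; ok {
		return t
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	s.tokens[session] = hex.EncodeToString(b)
	return s.tokens[session]
}

// setForward performs the state change for the session named by the cookie.
func (s *Server) setForward(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	s.mu.Lock()
	s.Forwarding[c.Value] = r.FormValue("to")
	s.mu.Unlock()
}

// Vulnerable authenticates by cookie alone. Any site that can make the
// victim's browser POST here (a hidden auto-submitting form will do) changes
// the victim's forwarding address, because the browser attaches the cookie.
func (s *Server) Vulnerable(w http.ResponseWriter, r *http.Request) {
	s.setForward(w, r)
}

// Hardened first demands the session's token in the form body, compared in
// constant time. A forged cross-site request cannot supply it.
func (s *Server) Hardened(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	s.mu.Lock()
	want := s.tokens[c.Value]
	s.mu.Unlock()
	got := r.FormValue("csrf_token")
	if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		http.Error(w, "missing or wrong csrf token", http.StatusForbidden)
		return
	}
	s.setForward(w, r)
}

// post plays the browser: whoever authored the form, the victim's session
// cookie goes along with it. Returns the handler's status code.
func post(h http.HandlerFunc, form url.Values) int {
	req := httptest.NewRequest("POST", "/setForward", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: "victim"})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// Demo: the attacker's form against each handler, then the site's own
// token-bearing form, plus where the vulnerable handler sent the victim's mail.
func Demo() (vulnCode, forgedCode, legitCode int, forwardedTo string) {
	s := &Server{tokens: map[string]string{}, Forwarding: map[string]string{}}
	attacker := url.Values{"to": {"attacker@example.com"}} // constructed
	vulnCode = post(s.Vulnerable, attacker)
	forwardedTo = s.Forwarding["victim"]
	forgedCode = post(s.Hardened, attacker)
	legit := url.Values{"to": {"me@example.com"}, "csrf_token": {s.TokenFor("victim")}}
	legitCode = post(s.Hardened, legit)
	return
}
```

The vulnerable handler returns 200 to the forged request and the victim's mail now goes to the attacker; the hardened one answers 403 to the same request and 200 only to the site's own form. Browsers have since added a second layer (SameSite cookie defaults and an Origin header the server can check), but the per-session token is the fix a 2007-era site could deploy on its own.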

Los Alamos: Just shut it down.

Thursday, June 28th, 2007

First …

Fresh Security Breaches at Los Alamos - Newsweek National News - MSNBC.com
In late May, a Los Alamos staffer took his lab laptop with him on vacation to Ireland. A senior nuclear official familiar with the inner workings of Los Alamos—who would not be named talking about internal matters—says the laptop’s hard drive contained “government documents of a sensitive nature.” The laptop was also fitted with an encryption card advanced enough that its export is government-controlled. In Ireland, the laptop was stolen from the vacationer’s hotel room. It has not been recovered.

And then…

Then, 10 days ago, a Los Alamos scientist fired off an e-mail to colleagues at the Nevada nuclear test site. The scientist works in Los Alamos’s P Division, which does experimental physics related to weapons design, a lab source says. The material he e-mailed was “highly classified,” the same source says. But he sent his e-mail over the open Internet, rather than through the secure defense network.

How can one of the most important and sensitive military research facilities have no clue about data security? Reporting on Los Alamos security breaches is almost not news anymore. I mean, did we become the most powerful nation on Earth by accident? Are we really THIS stupid?

SIMPLE things could have stopped these breaches: policies that, once implemented, would have required no thought from the participants.

  1. ALL EMAIL SHOULD BE ENCRYPTED
    Why this has not been adopted at least as a defense industry standard is beyond me. There must be several COTS solutions that could be used if they don't want to use OSS, which is also available. This is important because even if a sensitive email is sent over the open Internet, it cannot be read by anyone except the intended recipients. (OpenPGP and S/MIME encrypt the body and attachments; the subject line, sender and recipients still travel in the clear, so a subject line can still give away what a message is about.)
  2. DON'T TAKE WORK DATA HOME
    Fifteen, or maybe even ten, years ago you might have had to have that data physically on your PC if it was large, and if your deadline was tight enough that might have required you to take it home. (AFAIK there are laws and rules about where you can store classified information. Even if the laptop was cleared for such use, his home and car would also have to be cleared for it if he was going to leave it unattended for any length of time.) But that is no longer necessary. High-speed networks and encryption technology have made working from home easy and secure, without the data ever residing on your local machine.

Phishers are getting smarter

Thursday, January 11th, 2007

RSA Security - Press Release - RSA Alert: New Universal Man-in-the-Middle Phishing Kit Discovered
BEDFORD, Mass, Wednesday, January 10, 2007 — RSA, The Security Division of EMC, (NYSE: EMC) announced today that its 24×7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters.

This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims’ personal information in real-time.

Whoa! This hacker is impressed. Even though phishers are becoming more sophisticated, you should remember that in order for a phisher to get you, you must visit HIS fraudulent site. As long as you don't do that, he can't get you. A while back I posted some tips to keep you safe from phishers. They still work.

Are we the most advanced country in the world or NOT ?

Thursday, January 11th, 2007

This doesn't make sense to me. The United States of America is the universally accepted model for modern democracy. We were the first modern nation to allow its citizens to CHOOSE their leaders, instead of that mantle being inherited or won in a bloody war of succession. We have sent monitors to watch and safeguard the elections of fledgling democracies, yet in Wired I read a story about Congressman Vern Buchanan (R) from Florida. He is being sued because of the software running the electronic voting machines.

Wired News: House Seat Hangs by a Byte
As the 110th Congress settles into the Capitol building this month, one congressman won’t be able to get too comfortable in his chair, with a controversy over the electronic voting machines that put him in office boiling down to a battle over the source code.

Republican Vern Buchanan claimed Florida’s 13th Congressional District seat last November by fewer than 400 votes, while some 18,000 ballots cast in Sarasota County mysteriously contained no vote either for Buchanan or his Democratic opponent Christine Jennings — an anomaly that prompted Jennings to challenge the election results in a lawsuit against state election officials, Buchanan and the company that makes the machines.

Three things:

  1. If the software used had been open source there would be no need for a lawsuit. The approved version could simply be compiled, and the binaries signed with a private key held by the Lt. Governor, or whoever is responsible for running the election. Anyone holding the matching public key could then confirm that what is running on a given machine is exactly the approved build.
  2. It's not the source code that needs to be examined, it's the VOTES. It is for this EXACT reason that so many people ALL OVER THE COUNTRY have been calling for a paper trail for e-voting. What is looking at the source code gonna do? If I were gonna rig an election I wouldn't do it by injecting something into the source code. Assuming I was able to slip malicious code past whatever code review a responsible software company would have for an application this sensitive and important, it is still a bad idea because I would get caught. You see, the new code is evidence, and in a situation like this one the malware would eventually be discovered, and if they have ANY kind of decent source control, the identity of the one who added the code would be revealed.

    Boys and girls, the way to rig an election is to intercept the data (i.e. the votes) before they get counted and added to the official totals. Assuming this can be done, simply blanking the votes that come from a district that polls heavily for your opponent would have the desired effect.

  3. I hope that this Congress will institute universal standards for federal elections so we don't have a hodgepodge of elections where some work and others don't. I wonder... if such legislation were introduced, anybody have any guesses as to how Mr. Buchanan would vote?
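Point 1 above, as an added example in Go that is my own and not code from this post or from any voting-machine vendor: the election authority hashes the binary built from the reviewed source and signs the digest with an Ed25519 key, and anyone holding the published public key can check that the binary on a given machine is exactly the approved build. The key pair, the "binary" bytes and the one-byte patch are all constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Manifest is what the election authority publishes beside the approved build:
// the SHA-256 of the binary and the authority's signature over that digest.
type Manifest struct {
	SHA256    [32]byte
	Signature []byte
}

// Approve is run once, offline, by whoever is responsible for the election:
// hash the binary compiled from the reviewed source and sign the hash.
func Approve(authority ed25519.PrivateKey, binary []byte) Manifest {
	sum := sha256.Sum256(binary)
	return Manifest{SHA256: sum, Signature: ed25519.Sign(authority, sum[:])}
}

// Verify is run against the binary actually on a machine (or one rebuilt
// from the published source): the digest must match the manifest and the
// signature must check under the authority's key, not under just any key.
func Verify(authority ed25519.PublicKey, binary []byte, m Manifest) bool {
	sum := sha256.Sum256(binary)
	if sum != m.SHA256 {
		return false
	}
	return ed25519.Verify(authority, sum[:], m.Signature)
}

// Demo walks the three cases an auditor cares about: the approved build, a
// build with one byte patched, and a patched build shipped with a manifest
// signed by someone other than the authority.
func Demo() (approvedOK, patchedOK, forgedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the compiled tabulator.
	approved := []byte("tabulator v1.0: count every ballot; report totals per precinct")
	m := Approve(priv, approved)
	approvedOK = Verify(pub, approved, m)

	// Same length, one word changed: the kind of patch that drops ballots.
	patched := bytes.Replace(approved, []byte("every"), []byte("some "), 1)
	patchedOK = Verify(pub, patched, m)

	// An attacker can sign the patched build with a key of their own, but the
	// auditor only trusts the authority's published key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedOK = Verify(pub, patched, Approve(attackerPriv, patched))
	return
}

func main() {
	a, p, f := Demo()
	fmt.Printf("approved: %v  patched: %v  forged: %v\n", a, p, f)
}
```

Two caveats go with this. It proves that a machine runs the approved binary and nothing more; it says nothing about what that binary did with the ballots, which is point 2. And it only means something if the approved build can be reproduced bit-for-bit from the reviewed source, otherwise the digest proves "the vendor shipped this file" rather than "this file came from that source."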

RFID Theft proof of concept demonstrated in Europe

Friday, December 22nd, 2006

A wise man once said :

One might note that easiest way to “prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes” is to NOT PUT IT ON THE CARD.

This was in reference to the federal government's decision to use RFID as part of the government-issued IDs that comply with the REAL ID Act.

I hate to say I told you so, but...

BBC NEWS | Programmes | Click | ePassports ‘at risk’ from cloning
It will, we are promised, keep the unwanted and dangerous outside our borders, while streamlining entry for those welcome to come and visit.

But as the implementation of the scheme gets underway it is becoming clear that there could be serious problems with it.

Dap: Wiki News

Netcraft: Fraudsters Defeat Two-Factor Authentication

Monday, July 17th, 2006

Netcraft is reporting an ongoing phishing attack against Citibank customers who use two-factor authentication. You have to admire the elegance of the attack. The article does a good job of describing it, so I won't do it here. But I will add that the most successful data security breaches focus on the weakest part of any security system... the human element. Phishing is no different. Here are some tips to keep you safe from phishing:

  1. Be wary of emails that ask you to update user information. Most legitimate financial sites, like banks and credit card companies, have disaster recovery plans. Information is backed up daily and shipped off site for safekeeping. They will NEVER have to ask you to update information because of "computer failure." It is unheard of in the industry these days. In fact it is against eBay's policy to even send such a message. So when you receive such an email purporting to be from eBay or PayPal, simply forward it to spoof@ebay.com or spoof@paypal.com respectively and then delete it.
  2. Don't click on links in emails to websites where sensitive info is stored. That is exactly how phishing is accomplished. Instead, bookmark the sites where sensitive personal data or finances are stored, like your bank, credit card, and PayPal accounts, and get to them from the bookmark.
  3. Download and install the Netcraft Security Toolbar. It displays a risk rating for every website you visit and warns you when you try to access a suspected phishing site. (It works from a list of reported sites, so a brand-new phishing site may not be flagged yet; tips 1 and 2 still apply.)

Identity Thief Finds Easy Money Hard to Resist - New York Times

Wednesday, July 5th, 2006

One of my favorite series of commercials is the Citibank ones that show the victims of ID theft talking in the voices of those who have stolen from them.
The NY Times has an interesting piece about a real serial ID thief. While the piece does a good job of chronicling the perpetrator's history as an ID thief and covering his motivations, or at least what he tells us his motivations were, this being the NY Times and not a more technically oriented publication, it only glosses over the how. Basically the guy said he just used phishing to get the needed data, or bought data from online brokers of stolen data. I'm more interested in some of the social engineering, beyond phishing, that would be necessary for him to pull off some of his scams. Or how he would be able to show up at a dealership with $27,000 in cash (by cash I mean actual currency) and walk out with a vehicle, no questions asked. For someone his age to live such an expensive lifestyle with no perceivable source of income, he has got to be part con artist. I want to know about that. Knowledge of the con is the only way we can craft policies and procedures to defend against it.

Stolen VA laptop found

Thursday, June 29th, 2006

CNN is also reporting that the SSNs have not been accessed since the robbery. I'm not sure how this could be verified, but I do recall that the creation, modification, and access dates and times of each file are maintained by the file system. It's been a minute since I did any REAL work with a PC, so I'm not sure. But I think the more interesting stuff is at the end of the piece:

According to the documents provided to The Associated Press, the analyst, whose name was being withheld, had approval as early as September 5, 2002, to use special software at home that was designed to manipulate large amounts of data.

A separate agreement, dated February 5, 2002, from the office of the assistant Veterans Affairs secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans.

A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.

“These data are protected under the Privacy Act,” one document states. The analyst is the “lead programmer within the Policy Analysis Service and as such needs access to real Social Security numbers.”

The department said last month it was in the process of firing the analyst, who is now challenging the dismissal.

It is not the analyst's fault for being robbed. It is the VA's fault for having insufficient procedures for handling personal data; the analyst apparently followed established procedures for taking and handling the data. This is not just a problem at the VA but at corporate and government organizations everywhere.

All together now “Encryption”

Friday, June 2nd, 2006

PGP came out 15 years ago. Ever since, there have been cheap, effective security tools available to the masses. To make it even easier, WINDOWS ALLOWS YOU TO ENCRYPT FILE SYSTEMS (EFS, built into NTFS since Windows 2000). We should ALL be using some sort of encryption to lock down our sensitive data, yet we have the VA theft and now this...

BetaNews | Laptop Theft Exposes 243k Credit Cards
The theft of a laptop out of an Ernst & Young employee’s car has turned into a massive data breach affecting hundreds of thousands of users of the travel-booking site Hotels.com. Altogether, the names and credit card data of some 243,000 customers have been compromised.

If you are going to take work data home, encrypt it!!! (And remember that file or disk encryption only helps if the thief gets the machine powered off or locked behind a strong password; a laptop stolen while it is logged in is still wide open.)

UPDATE: If you need an encrypted filesystem but are worried about MSFT's <sarcasm>stellar</sarcasm> record on security, you can check out TrueCrypt, a utility that provides "on the fly" encrypted file systems. Dap for this goes to Travis Taylor.
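The email point from the Los Alamos post above (encrypt the message so that only the intended recipient can read it) and this post's point about data at rest come down to the same primitive. As an added example, my own Go and not code from this post, from PGP or from TrueCrypt, here is the envelope construction that S/MIME and OpenPGP both use, written against the standard library only: a fresh random AES-256-GCM key encrypts the body, and that key is wrapped with the recipient's RSA public key using RSA-OAEP. The key pairs and the message are generated here for illustration. For a file that stays on your own laptop the only change is where the AES key comes from (a passphrase run through a real KDF such as scrypt or Argon2, which live outside the standard library), so that part is described rather than shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the open Internet. The wrapped key is useless
// without the recipient's private key, and the body is useless without the
// wrapped key. As with PGP/MIME and S/MIME, a real mail's subject line and
// addresses would still travel in the clear around this.
type Envelope struct {
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // 96-bit GCM nonce, fresh per message
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// gcmFor builds the AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of the matching private key can
// read it. The wrapped key is bound in as GCM additional data, so an envelope
// assembled from parts of two messages is rejected, not decrypted.
func Seal(recipient *rsa.PublicKey, body []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, body, wrapped)
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. A wrong private key, or any change to the wrapped key,
// nonce or ciphertext, yields an error rather than garbage plaintext.
func Open(recipient *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}

// Demo seals a constructed message to one key pair, opens it, then shows that
// a one-bit change in transit and a different recipient's key are both rejected.
func Demo() (recovered string, tamperRejected, wrongKeyRejected bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	env, err := Seal(&alice.PublicKey, []byte("Test results attached; do not forward."))
	if err != nil {
		return "", false, false, err
	}
	plain, err := Open(alice, env)
	if err != nil {
		return "", false, false, err
	}
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, terr := Open(alice, tampered)

	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	_, werr := Open(mallory, env)
	return string(plain), terr != nil, werr != nil, nil
}

func main() {
	msg, tamper, wrong, err := Demo()
	fmt.Println(msg, tamper, wrong, err)
}
```

Note what the envelope does and does not buy you: an intercepted copy is unreadable and any modification is detected, but the sender still has to get the right public key for the recipient (key distribution is the part PGP's web of trust and S/MIME's certificates exist for), and a stolen laptop with the private key on it gives up every message ever sent to that key.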

Hackers of the World !! Unite !!!

Monday, June 6th, 2005

For the past couple of weeks Bob X has been talking about phishing; this week he poses a solution:

The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!

Let's change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything — name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?

This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.

No bounties are required, no cops, no parallel webmail systems that force us to log-in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.

Are you in?

If you ask me, that's a bot waiting to be written.