Just ran across a blog post that goes through the process of how to image an OLPC device. If you are into forensics then this post is worth reading and taking notes from.

http://paradigmsolutions.wordpress.com/

I have had some requests to keep this blog up and running, so I will make a better attempt to update it on a regular basis.

Thank you Blue Zoo.

To all you online bill pay users on the CheckFree systems out there (you may not know who you are; check with your financial institution): there was a successful attack against CheckFree on Dec 2nd that modified their DNS records, pointing their sites to a server in the Ukraine.

So what's the scope here? It seems that someone took over the DNS settings for CheckFree and redirected (hijacked) the CheckFree online bill pay sites to another web site. From what we are told, when a user attempted to access a CheckFree bill pay site through their financial institution, they were directed to a blank screen. However, if you went directly to CheckFree's own online bill pay site, you were directed to another site that was a replica of CheckFree's and that also attempted to install password-stealing software on the victim's machine.

You can read more from Security Fix here and here.

In addition, CheckFree has started to send out emails to users that they feel "could" have been affected by this attack.

December 7, 2008

First Initial, Last Name
Address
SAN DIEGO, CA Zip Code

Dear First Initial, Last Name,

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may be infected with malicious software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

* You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
* You were using a computer with the Windows operating system, and
* You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
* After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have arranged with McAfee, the world’s largest dedicated security technology company, to provide you with an assessment of your computer’s hard drive and remove any malicious software. Please contact us at 877-800-4864 for further instructions or 800-564-9184, Option 1 for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.

We value your business and your trust, and we apologize for any inconvenience this recent incident has caused.

Thank you,

Art D’Angelo

Vice President, CheckFree Customer Operations

If you feel that you may have visited the CheckFree site during those times, or are just worried, update your virus scan software and run a complete scan. You can also visit the web sites of various AV vendors for online virus scans of your computer.

Does this mean you should stop using online banking? No, of course not. However, you should look into browser toolbars that can help in identifying sites that are phishing or just plain wrong. One of my favorites is the Trace toolbar from TraceSecurity. Most security toolbars out there only use what is called a blacklist, a list of known bad sites; this method is always reactive in nature (one step behind, like antivirus vendors). The Trace toolbar uses a whitelist. This method is more ideal in that it keeps a list of known good sites and can alert you to any change in the location of your financial institution's web site. In the case of the CheckFree DNS hijack, it could have alerted the user that the CheckFree web site was no longer loading from the known good location. Read more about and download the Trace toolbar here.
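To make the blacklist-versus-whitelist point concrete, here is an added example (my own illustration, not TraceSecurity's code) that checks the address a bank site resolved to against a reactive blacklist and against a known-good whitelist. The host name and all addresses are constructed placeholders, not CheckFree's real records, so it runs offline.

```python
import ipaddress

# Constructed sample data (not CheckFree's real records): addresses previously
# verified as legitimate for each enrolled financial site.
KNOWN_GOOD = {
    "billpay.example-bank.test": {"203.0.113.10", "203.0.113.11"},
}

# Constructed: a reactive blacklist of addresses someone has already reported.
BLACKLIST = {"198.51.100.200"}


def _valid_ip(addr):
    """Reject garbage before comparing, so a malformed answer is never 'ok'."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def blacklist_check(resolved_ip):
    """Reactive approach: flags only addresses that are already known bad."""
    if not _valid_ip(resolved_ip):
        return "invalid"
    return "alert" if resolved_ip in BLACKLIST else "ok"


def whitelist_check(host, resolved_ip):
    """Proactive approach: flags any address outside the known-good set,
    so a fresh redirect is caught before anyone has blacklisted it."""
    if not _valid_ip(resolved_ip):
        return "invalid"
    if host not in KNOWN_GOOD:
        return "not-enrolled"  # no baseline for this host, nothing to compare
    return "ok" if resolved_ip in KNOWN_GOOD[host] else "alert"


def compare(host, resolved_ip):
    """Return (blacklist verdict, whitelist verdict) for one observation."""
    return blacklist_check(resolved_ip), whitelist_check(host, resolved_ip)


if __name__ == "__main__":
    # Constructed hijack scenario: the site now resolves to an address nobody
    # has reported yet. The blacklist says "ok"; only the whitelist alerts.
    print(compare("billpay.example-bank.test", "192.0.2.77"))
    print(compare("billpay.example-bank.test", "203.0.113.10"))
```

The first call models the CheckFree situation from the post: a brand-new redirect target passes the blacklist but fails the whitelist.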

Well, it has been a while since CSRF made the headlines, but here we go again. A paper was published by Ed Felten and Billy Zeller within the past few days that describes CSRF attacks on 4 major web sites: ING Direct, YouTube, MetaFilter, and the New York Times. The worst of the attacks, against ING Direct, would allow an attacker to transfer funds out of a user's account or open additional accounts on behalf of a user.

Source: http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
White Paper: http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf

SOTD – Spam of the Day

In one of my spam traps I ran across an email and, oh no, someone at the "ICS Monitoring Team" (not to be confused with the ISC at SANS.ORG) is going to kill my internet connectivity.

This email also came with an attachment: user-EA49943X-activities.zip
It seems to have pretty good coverage at VirusTotal:

File user-EA49943X-activities.zip received on 09.12.2008 18:02:31 (CET)
Current status: finished

Result: 24/36 (66.67%)
MD5: 92d9f920d470e3bc12a33768893fd734
Size: 33690 Bytes

Below is the message:

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team

Over the past few months we have noticed a rash of fake antivirus running around the internet. This stuff is typically called XP Antivirus 2008, XP Antivirus 2009, etc.

Personally, I have cleaned around 15 systems of this infection, and it is not easy. Once infected, it is easier to just wipe the system than it is to clean it. This virus typically downloads other malware such as keyloggers, browser toolbars, etc.

The writers are putting out new variants of this malware every couple of weeks, so what we have here is a virus that the real antivirus companies are having trouble keeping up with.

You can read more about the new variant here and here. Do not download and run the malware unless you know what you are doing.

Wake up, America: the banks, retailers, utilities, government agencies and the like are not doing enough to keep our personal information private and secure.

The other day Verizon Business released a study of 500 forensic investigations that shows how out of touch corporations and governments are with the reality of the underground.

Some key findings, quoted from the report:

Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

  • Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
  • Nine of 10 breaches involved some type of “unknown” including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.
  • In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don’t know where data is, you certainly can’t protect it.

They also have some good information on the black market for stolen identities and some recommendations for enterprises.

All I have to say is wake up, people. It is time to start doing what is right for the people and not what is right for the bottom line.

I will post some more info on what we as consumers can do to help protect our information in a later post.

From the Mozilla blog: Firefox 3 will be available on June 17th.

Check it out and remember to download Firefox 3 when it’s available on June 17th to be a part of our world record attempt!

Safe Surfing.

RedNeck

The good folks at Remote-Exploit have released a beta version of BackTrack 3.

More info here.

And to check out BackTrack for yourself go here.

Enjoy

Mr. RedNeck

Recently we discovered a web site containing PII on which you could conduct directory browsing. So here is my question: is it really a vulnerability when you can browse the directories on a web site?

I can hear it now; most everyone is going to say "maybe", and with that I agree. It does depend on what is contained in the browsable directories.
