…they’re already training up their user base for you.  Here’s how you’d want your email to look:

[Image: UPS account expiration email (ups_expiration_email1)]

Yeah, it’s a legitimate email.  It appears that after a year of inactivity, the “My UPS” service will disable/deactivate/expire/do-something to your account.  Are they trying to save a row’s worth of space in their database?  I don’t know.

The problem is that every time you send a legitimate email to your users asking them to update or log into an account, you’re conditioning them, and not in a good way.  Users who may normally be suspicious (and rightfully so) of emails asking them to update their account will be less cautious if they know that the service normally sends out that kind of mail.  Phishers can cash in on this familiarity by mimicking real “update your account” messages, instead of having to make official-looking ones up out of thin air.

This is why myspace/facebook phishers are so successful.  You already get tons of legitimate email from them.  It’s easy to craft an evil one that slips right in with the rest.

In this case, UPS has made a wise decision in not directly including a link in the “simply log in to My UPS…” text.  This may condition users into going to the UPS site on their own to log in, rather than trusting wherever a link would send them.  However, with all of the other links in the email, an additional link to log in added by a phisher would not look out of place.

In conclusion: don’t help the phishers out by negatively training users in this way, especially without good reason.  It would probably be better to either keep the accounts around indefinitely, or delete them quietly.  After all, I’m obviously not getting a lot of use out of this one.

 

Script kiddie forum pic of the day:

[Image: script kiddie forum thread (perlhackingisdead1)]

Naughty avatar censored, but I kept the language in case you want to try and make any sense of this chunk of thread.  PsyKon-X’s contribution is particularly hard to read through:

Perl does indeed work my friend but the coders in which the perl hack was designed for are being patched faster than the hacker is making the perl scripts, and also depends on if the person using the script for example is using phpbb and hasnt patched it with the new version this is vulnrable

Diagram that sentence.

All of you whitehats posting scripts to milw0rm are killing the perl hacking scene ;-) .

 

I’ve set up an IRC channel for McGrew Security on irc.freenode.net, and you’re welcome to join up and idle alongside me.  I’ve placed a more permanent link to IRC info on my sidebar over <–there–, but here’s basically what you need to know:

  • Server: irc.freenode.net
  • Channel: #mcgrewsecurity
  • I’m cs_weasel

It’s on freenode mostly because I’m already idling there in the local Linux User’s Group channel, #bullylug (slogan: “The LUG that takes your lunch money”), and the Exotic Liability podcast’s channel, #exoticliability.  EFnet is definitely more l33t, but I’m already on freenode, and I like not having to work hard to prevent channel takeovers.

I’m on IRC inside of a screen session, so if I don’t respond to you, it’s probably because I’m detached from it.  I’ll reattach and respond when I’m at-keyboard.

Feel free to idle, basking in pre-web-1.0 goodness, chat with others (and me), and just hang out.

 
Hold on to your butts

This morning, I had the urge to change the look of the site.  I have changed the theme of the site (for the better, I think), and I’ve put some of my static pages under the control of WordPress so that I can manage them from its control panel.  Things might be broken for a little while, but I think it’s already under control.

 

If you read my review of Stealing the Network: The Complete Series Collector’s Edition, then you’d know that the only real additional content in the new edition is a new chapter by Ryan Russell: “The Final Chapter”.  I liked Ryan’s conclusion to the story, but I doubt that many people who already own the other Stealing the Network books would want to purchase the compilation just for that.

Now, and if you act fast, you won’t have to.  It turns out that the Windows Secret Newsletter is giving away a PDF which contains the entirety of “The Final Chapter” (preceded by a sample of 5 pages of text from another chapter).  It’s only available until May 6th, though, so you’ll want to go ahead and act if you want it.

All you have to do is subscribe to their newsletter, and you’ll be given a link to download the PDF.  They don’t even verify your email address before giving you the link, so I’d advise just punching anything that works into the field:

Enjoy!

 
Title: Stealing the Network: The Complete Series Collector's Edition
Authors: Johnny Long, Ryan Russell, Timothy Mullen (among many others not acknowledged on the cover)
Publisher: Syngress Publishing
Release Date: May 18th, 2009
ISBN: 978-1597492997

I have just finished a marathon session of reading “Stealing the Network: The Complete Series Collector’s Edition” and I have a very conditional review of it:  It’s a must-have if you don’t already own the previous editions of these guilty pleasures.  If you are already a fan, however, prepare to be let down by the compilation.

The stories of the Stealing the Network series entertain in the same way that “war stories” from fellow hackers and security professionals often keep a more intimate audience’s interest: by mixing intriguing situations with juicy technical detail that can serve as a useful take-away.  No one will accuse these books of containing fine literature, but that’s not really the point.  The stories are well written enough to keep you wanting to know what will happen next, while the technical information is as accurate as you’re likely to see in fiction.  Segments involving hacking are written and illustrated with enough attention to detail and length to serve as introductory educational tutorials for the topics (including web application hacking, reverse engineering, and wireless security).  Most of these scenarios are believable as parts of larger-scale operations.

The first book of the series consists of independent short stories based around characters of the authors’ creation.  The other three books in the compilation tell an over-arching story of a larger “operation”, which involves many characters and their independent stories.  The second book, “How to Own a Continent”, is probably my favorite, along with the first (“How to Own a Box”), for keeping things simple, technical, and focused on the individual stories.  The third book, “How to Own an Identity”, suffers from having worse editing than the rest of the series, and may lose some readers’ interest.  The fourth book (“How to Own a Shadow”) reads a lot better and wraps the overall story up well; however, it focuses only on a relative handful of the series’ characters.

As a compilation, this Collector’s Edition leaves much to be desired.  While the original description for this edition described the books contained within as being “author-annotated”, this is not the case.  The individual books are reproduced exactly as they were in their original editions, with no additional commentary from the authors, and with all the same problems as the originals.  For example, screenshots in the first chapter of the first book are the same illegible black squares that were in the original edition of the book published 7 years ago.  The annotations, along with the other features described in the original description (emails, photographs), would have provided a lot of interesting background material and would have made this compilation a must-buy.

The extra content that you are receiving is a brief new foreword by Jeff Moss, and a “Final Chapter” by Ryan Russell.  The new chapter is about 20 pages long, and gives the story-line a proper ending.  I won’t ruin anything about it, but I will say that I enjoyed it.  Syngress has promised in the description of the book to make this content available separately in electronic form in six months.

The included DVD is described on the back-cover copy as being “full” of behind-the-scenes stories.  In reality, you will only find 20 minutes of interviews with a few of the authors.  I enjoyed these interviews, however, much like the print companion, I felt like more should have been done.  Also beware that there are problems with the audio on the DVD.  When played on my MacBook, there was noticeable crackling/popping in the audio of the DVD.  The same noise was present, but less noticeable when played through a stand-alone DVD player through a television.

To summarize, I like the books, and find them as entertaining as I did when they were originally published, and I like the new hardcover binding.  I do think that it is unfortunate that the “Stealing the Network: The Complete Series Collector’s Edition” does not meet its potential to be more than the sum of its parts.  There seems to have been intent at some point to add value to the set, but it wound up simply being a rough concatenation of the individual books.

If you haven’t read these books, then I very much recommend picking up this set.  It’s 1,000 pages of interesting stories and technical material.  If you already have the previous editions of the Stealing the Network Series, however, you might find it hard to justify paying for them again.

 

Lately, I’ve really enjoyed having The Consumerist in my RSS reader.  There are always a lot of great stories about companies screwing over people, people getting in contact with the right people to straighten things out, and nice tips and tricks for when it happens to you.  It’s one of my favorite non-security-related blogs in my reader; however, today it had a post that’s definitely of interest for my security blog followers:

Take a look at that thing!  Very cool.  It has its own memory and a USB port to dump the data it records.  It would have been very tempting to keep it and reverse engineer it if I had found it :-) .  This sort of thing is definitely something the bank and police (not to mention bank customers!) need to know about, though.

 

I guest-lectured the computer security class here today, and with it being the day Conficker.C starts looking for a payload, I figured it would be an excellent opportunity to deviate from the normal lesson plan.  With the well-written Honeynet Project and SRI papers out there that describe the technical details of Conficker.C, it’s a great time to expose the students to malware analysis.  There are some really interesting and clever things that this worm/botnet does, and discussion of it filled an hour’s lecture nicely.

As I promised to the class and to several people on Twitter, I’ve made the slides available here:

…although I fear it won’t be as useful without having been there.  It’s more visual aid and points for discussion than a standalone set of slides you can just read.  Either way, enjoy!

One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do.  The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”).  Many security professionals, including those that are blogging and posting to Twitter, are swinging a little bit too far to the latter, I think.  It seems just as dangerous to completely dismiss it as it is to give it too much hype.

Here are a few things one needs to keep in mind when speculating about Conficker.C and its effects:

  • April 1st isn’t the only important day.  It attempts to find a payload every midnight (local time).  April 1st is just the first day that it does this; it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload.  He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (some time).
  • There’s no reason for the operator to walk away from it.  There are tons of computers infected, and a really solidly-written means of getting potential payloads spread around.  A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
  • Chances are, it’s not going to be loud.  There’s no money in melting the Internet or indiscriminately destroying Windows installations.  This isn’t the Slammer worm choking large parts of the internet with UDP packets spreading itself.  Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that.  The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue.

So there you have it.  It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.

 

Yesterday, I posted a link to the advisory in GE Fanuc’s knowledge base.  For today, here are some more links of interest regarding these vulnerabilities:

The latter two links actually credit us with discovering and reporting the vulnerability.

 

If you’ve been looking for my slides from the SCADA Summit that included information on the GE Fanuc iFIX vulnerabilities that I discovered and reported, then you’re still out of luck, but this is just as good, really.  If you’re an end-user of iFIX, or a penetration tester/red-team member testing installations of iFIX products, this is really all the info you need:

It’s a pretty good prose description of the vulnerabilities, in more detail than I was expecting from them.  Boiling it down to a couple of bullet points, these vulnerabilities encompass the following issues (trying not to put it in more detail than their write-up):

  • Password storage is done in an easily reversible manner
  • “Network” authentication involves passing the file over Windows shares without additional encryption/protection
  • Authentication of users can be bypassed, as iFIX’s security measures for managing users’ access run in the context of the currently-logged-in Windows user that is running the iFIX system.
  • Features that prevent operators from exiting the HMI screen can be bypassed with an auto-run capable USB drive (such as U3).

There are some excellent suggestions for end-users that would allow them to mitigate the impact of these vulnerabilities until they are fixed in a future release of iFIX.  There’s good advice in there, even if you’re running something other than iFIX for your HMI.

Enjoy!

Edit: Quick edit for clarity.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha