08.27.06
Posted in Phishing / Scams at 3:44 am by Tyler Reguly
Shocking...
Mind-blowing...
Ridiculous...
These are the words that came to mind today while reading the Saturday edition of the Toronto Star. Half the front page was dedicated to introducing a story... a story that took up two pages inside the paper... a story that made me think those words. An 89-year-old man was the victim of title fraud. The first thing I asked myself was, “What is title fraud?” The answer to that question is why I'm posting here. Title fraud starts with identity theft, and most people are well aware of identity theft these days: someone steals your identity, obtains a credit card in your name and runs up bills. However, it can be much more serious. Generally, since it wasn't actually you, the credit card company forgives the debt, making that form of identity theft the least of your problems. Identity theft involving title fraud can leave you homeless.
First, I steal your identity... remember that email you received last week from your bank asking you to confirm your account details? Gotcha! Now I can pass myself off as you. Next I, acting as you, go with my buddy to a lawyer's office and sign a deed over to my buddy. The lawyer checks our ID and notarizes the deed for a couple hundred bucks. Then my buddy walks down to the local bank and applies for a mortgage. The bank does a quick title check and sees that my buddy does indeed hold the title to that land. They give him $300,000 and he walks out. We then make a run for it and look for another city and another victim.
So you're sitting there thinking, big deal, it's the bank's fault... well then, the joke's on you. Under current Ontario law the bank owns your house. That's right: the Ontario Court of Appeal decided that a fraudulent mortgage is valid. The bank can kick you out and sell it. They ran a title search and my buddy was the owner according to that search. You are left without a house and there's not a whole lot you can do. You can attempt to recover your money via the Land Titles Assurance Fund, however it is backlogged with claims and it could take years (and thousands of dollars) before you see your money again. In the meantime I bet the back seat of your car looks like a wonderful place for your family of four to sleep.
This has been happening for years, but with the recent increases in identity theft there are increases in title fraud. The government keeps saying that it is trying to help the victims, but it still hasn't stepped in and changed the laws or amended the Land Registry Act. In the meantime you may want to look into title insurance, but even that won't save you now: thanks to the Ontario Court of Appeal, many insurance companies are refusing the claim because the mortgage is valid even if the title was forged.
So remember... the next time you're sitting back in your chair, enjoying a steaming mug of mocha java... that knock at your door might not be a visitor. It might be the bank informing you that you no longer own your home. You can thank the government and the system for not feeling the need to protect you; perhaps the Prime Minister will let you sleep on his couch while they sort this out and do the right thing.
Peace,
HT
08.26.06
Posted in IT, Security at 12:59 am by Tyler Reguly
Lately I've become more and more interested in policy type stuff (yes, that's the technical term). Plenty of people use plenty of different policies... It's common to develop your own in-house security policy based on basics that are common knowledge (although "common sense" may be the better term). There are also several groups that make available various policies, standards and guides that you can implement.
The Center for Internet Security (CIS), for example, provides many benchmark documents as well as scoring tools to accompany them. The benchmarks cover various operating systems (Linux, Windows, OS X) as well as applications (BIND, Oracle, etc.).
There are also the Security Configuration Guides provided by the Systems and Network Attack Center (SNAC) at the NSA. While all of these are worthwhile reads, one document that everyone should read, regardless of corporate tasks, job duties or position, is The 60 Minute Network Security Guide. It's a great example of a basic policy that can easily be built upon. I feel it should be required reading (and comprehension) for all end users (it's a dream). (For you web designers always interested in a web development goof, check out the page for the Router Guides [this may be a Firefox-only thing].)
Lastly, there's the Information Assurance Support Environment (IASE) at DISA and its Security Technical Implementation Guides (STIGs). Like CIS and the NSA, it provides documents that lay out frameworks and guides for various system configurations and policies.
There are differences between the three groups... CIS provides a checklist for IT professionals but also provides details that are written simply enough that a home user could understand them with little effort.
The Security Configuration Guides from SNAC provide a few things that home users may be interested in, Outlook Email Security in the Midst of Malicious Code Attacks, for example. However, most of them are technical walk-throughs for a specific kind of administrator (DB, network, Windows, Unix, etc.). The documents are usually big and bulky, but very thorough. There are some smaller, lighter documents, however: the Cisco Router Guides include a 2-page Executive Summary that serves as a great checklist for the seasoned network admin, or as a handout to begin lectures with students in networking and network security.
The DISA STIGs are more like checklists, though they do have an interesting Biometrics STIG. The reason I say they are more like checklists is the manner in which they are written. Here's an excerpt from the UNIX STIG that may help you see what I mean:
3.6 User Files
User files are files owned by a user, except for the possibility of some user local initialization files that may be owned by root, and maintained by the user in the user’s home directory. User files will have an initial access permission of no more permissive than 700 and will never be more permissive than 750. All files in user home directory will be owned by the user with the possible exception of local initialization files that may be owned by root. The SA and the user, as well as application developers, will be responsible for maintaining these requirements.
• (GEN001540: CAT III) (Previously – G067) The user, application developers, and the SA will ensure files and directories (excluding a limited set of local initialization files) in user home directory trees will be owned by the user who owns the home directory.
• (GEN001560: CAT II) (Previously – G068) The user, application developers, and the SA will ensure user files and directories will have an initial permission no more permissive than 700, and never more permissive than 750.
As you can see, they give you specific examples of policies (or policy checks) that you can put into place.
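Here is what checking those two items actually looks like, as an added example (my own code, not DISA's STIG text or its checking tools). It walks a home directory with lstat, flags anything not owned by the home's owner (allowing root-owned local initialization files; which files count as "local initialization files" is an assumption here) and anything whose mode has bits set beyond 750. The 700 "initial" permission in GEN001560 cannot be verified after the fact, so only the 750 ceiling is enforced. The demo home the script builds is constructed sample data, not a real account.

```python
import os
import stat
import tempfile
from pathlib import Path

# GEN001560: user files are never more permissive than 750 (rwxr-x---).
MAX_MODE = 0o750
# GEN001540 exempts "a limited set of local initialization files" that may be
# owned by root. Which names belong to that set is an assumption made here.
LOCAL_INIT_FILES = {".profile", ".bashrc", ".bash_profile", ".cshrc", ".login"}


def check_home(home, owner_uid):
    """Walk a home directory tree and return GEN001540/GEN001560 findings.

    Each finding is (stig_id, path relative to home, detail). Entries are
    examined with lstat, so a symlink pointing at a world-readable system
    file is judged by the link itself, not by its target, and os.walk does
    not descend through symlinked directories.
    """
    findings = []
    home = str(home)
    for root, dirs, files in os.walk(home):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, home)
            st = os.lstat(path)
            root_owned_init = st.st_uid == 0 and name in LOCAL_INIT_FILES
            if st.st_uid != owner_uid and not root_owned_init:
                findings.append(("GEN001540", rel,
                                 "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
            mode = stat.S_IMODE(st.st_mode)
            excess = mode & ~MAX_MODE          # bits set beyond rwxr-x---
            if excess:
                findings.append(("GEN001560", rel,
                                 "mode %04o exceeds %04o (extra bits %04o)"
                                 % (mode, MAX_MODE, excess)))
    return findings


def build_demo_home():
    """Create a throwaway home directory (constructed sample data): one
    compliant file, one world-readable script and one group-writable dir."""
    home = tempfile.mkdtemp(prefix="stig-demo-")
    notes = Path(home, "notes.txt")
    notes.write_text("private\n")
    os.chmod(notes, 0o600)
    script = Path(home, "script.sh")
    script.write_text("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o755)                      # o+rx: violates GEN001560
    shared = Path(home, "shared")
    shared.mkdir()
    os.chmod(shared, 0o770)                      # g+w: violates GEN001560
    return home


def demo_findings(uid_offset=0):
    """Run the check against a fresh demo home as the current user. A non-zero
    uid_offset pretends the home belongs to someone else, which exercises
    the ownership check (GEN001540) without needing root-owned files."""
    return check_home(build_demo_home(), os.getuid() + uid_offset)


if __name__ == "__main__":
    for stig_id, rel, detail in demo_findings():
        print(stig_id, rel, detail)
```

Run against a real account with `check_home("/home/alice", pwd.getpwnam("alice").pw_uid)`. The mask test (`mode & ~0o750`) is the part worth copying: it catches setuid/setgid/sticky bits and world-execute as well as the obvious world-read, which a string comparison against "750" would miss.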
So I've droned on for a bit... but what's the point I'm getting to? Why am I mentioning all of this when the title of the post is CCE? I wanted to share some background before going into my discussion of CCEs. What is a CCE? Let's answer that before we tie the two together.
Many of the readers of this blog will have heard of CVEs before, and many of you may also have heard of CWEs. Recently The MITRE Corporation added a new section to the site... CCEs. These focus on configuration issues, and what defines configuration (besides business needs, to an extent)? Policy. CCEs will give a centralized naming scheme and point of reference, much like CVE and CWE have done before it: a common vocabulary that vendors and users alike can use to refer to problems. It will be a great way to avoid miscommunication in the security industry and, more specifically, the policy compliance industry. There's a preliminary draft available that references 560+ CCEs, all related to Windows 2K, XP and 2K3. Each of these has references back to where it is identified in the various documents provided by, you guessed it, CIS, NSA SNAC and the DISA STIGs. The CCE draft list is in Excel format; Linux users can use OpenOffice or Gnumeric, and Windows users without Office can obtain the Excel Viewer free of charge.
I'm very interested to see how this proceeds and look forward to following it as it progresses towards finalization. Hopefully your head isn't mashed against the keyboard and I didn't bore you too much.
Peace,
HT
08.25.06
Posted in SpamMailBag.com at 7:26 am by Tyler Reguly
I find it rather interesting that even though I said no newsletters when subscribing to ZDNet.com with the spammailbag.com address, I still managed to get newsletters from them... newsletters with such horrid HTML that they actually fubar'd the site to the point where I had to remove one of them. The other I have left, and after following the unsubscribe link it now says I'm actually not getting newsletters... I'm curious to see what will show up in my mailbox tomorrow. I've submitted this story to Digg -- http://digg.com/security/SpamMailBag_com. Feel free to jump over there and bump up the level on it. I want to see how many people are harvesting addresses from Digg. I'm also looking for other places to sign up / place addresses, so if you have any ideas... please let me know.
Peace,
HT
08.24.06
Posted in SpamMailBag.com at 3:10 am by Tyler Reguly
So, I decided to get it up tonight. SpamMailBag.com is up and running. I'm going to sign up a few addresses (unless I pass out first) so we'll see what happens with it. I had to muck up the blog page a bit in order to get it to print what I wanted printed... but it's working, so that's all that matters. I've set up some cron jobs... hopefully they're working; if not, I'll manually run the email fetch and make it automatic in the near future.
Anyways... Feel free to check it out.... SpamMailBag.com.
Peace,
HT
Posted in IT, Phishing / Scams, SpamMailBag.com at 1:24 am by Tyler Reguly
I'd like to introduce my latest project... SpamMailBag.com. Here's the plan:
Using domain/task-specific email addresses, I will be signing up for various services and websites and posting on various forums. I'm also hoping to pull some favours and have some fellow bloggers do blog-specific ones... For example, I will be setting up computerdefense.org@spammailbag.com. I would give other examples but that would negate the effort. All emails will automatically be posted to SpamMailBag.com.
What is the goal? Well, for me it's simply a social project. I'm curious to see which services and websites requiring sign-ups sell your information and who they sell it to. I'm curious to see which blogs are harvested and which aren't, and which forums are harvested. I may even ask users to create contacts for certain addresses in Outlook and Outlook Express, or maybe Gmail or Hotmail, to see if those addresses end up elsewhere.
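The mechanism behind that, as an added example (my own code, not anything from SpamMailBag.com): each tagged address maps back to the one place it was handed out, so attributing a leak comes down to reading the recipient headers of whatever arrives and looking the local part up in a ledger. Mail to local parts that were never handed out gets its own bucket, because that indicates guessing or a dictionary run against the domain rather than a leak from a specific sign-up. The ledger entries and the sample messages are constructed for the example; only computerdefense.org@spammailbag.com comes from the post.

```python
import email
from collections import Counter
from email import policy
from email.utils import getaddresses, parseaddr

TAG_DOMAIN = "spammailbag.com"

# Assumed ledger: local part -> where that address was handed out. Only the
# first entry is from the post; the others are invented for this example.
HANDED_OUT = {
    "computerdefense.org": "sidebar on computerdefense.org",
    "zdnet-signup": "ZDNet.com account registration",
    "forum-profile": "forum profile page",
}


def tagged_recipients(msg):
    """Local parts of every recipient at TAG_DOMAIN, taken from the headers
    that survive forwarding and BCC delivery (To/Cc alone miss BCC spam)."""
    values = []
    for h in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values.extend(str(v) for v in msg.get_all(h, []))
    found = set()
    for _, addr in getaddresses(values):
        if "@" in addr:
            local, dom = addr.rsplit("@", 1)
            if dom.lower() == TAG_DOMAIN:
                found.add(local.lower())
    return found


def attribute(raw_messages):
    """Tally which handed-out addresses received mail and from which domains.

    Returns (ledger, unknown): ledger maps tag -> {"source", "count",
    "sender_domains"}; unknown counts mail to local parts never handed out.
    """
    ledger = {t: {"source": s, "count": 0, "sender_domains": set()}
              for t, s in HANDED_OUT.items()}
    unknown = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        sender = parseaddr(str(msg["From"] or ""))[1]
        sender_dom = sender.rsplit("@", 1)[-1].lower() if "@" in sender else "?"
        for tag in tagged_recipients(msg):
            if tag in ledger:
                ledger[tag]["count"] += 1
                ledger[tag]["sender_domains"].add(sender_dom)
            else:
                unknown[tag] += 1
    return ledger, unknown


def leaked_tags(ledger):
    """Tags that received anything, mapped to where they were given out:
    the answer to 'who sold or harvested this address?'"""
    return {t: e["source"] for t, e in ledger.items() if e["count"]}


# Constructed sample traffic, not real captures.
SAMPLE = [
    "From: deals@newsletter.example\nTo: zdnet-signup@spammailbag.com\nSubject: A\n\nbody\n",
    "From: promo@another.example\nTo: <zdnet-signup@spammailbag.com>\nSubject: B\n\nbody\n",
    "From: promo@another.example\nTo: undisclosed-recipients:;\n"
    "Delivered-To: zdnet-signup@spammailbag.com\nSubject: C\n\nbody\n",
    "From: bot@harvester.example\nTo: Computerdefense.org@spammailbag.com\nSubject: D\n\nbody\n",
    "From: bot@harvester.example\nTo: admin@spammailbag.com, webmaster@spammailbag.com\n"
    "Subject: E\n\nbody\n",
]

if __name__ == "__main__":
    ledger, unknown = attribute(SAMPLE)
    for tag, entry in ledger.items():
        print(tag, entry["count"], sorted(entry["sender_domains"]), "<-", entry["source"])
    print("never handed out:", dict(unknown))
```

Reading Delivered-To is what makes message C attributable: the spammer BCC'd it, so To: says nothing. Sender domains are recorded per tag so that a single address sold onward shows up as several unrelated senders rather than one.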
For me, it will be a fun project... Maybe I'll even email The Colbert Report, or take out custom ads in the paper to see if anyone harvests from TV and Newspaper/Magazine ads.
Additionally, as the addresses become more popular, I may end up with a bit of a honeypot for new email malware... Maybe I'll catalogue phishing attempts or scams... and maybe I'll see viagra advertisements so often that I'll end up buying some...
It may flop... but it may work out really well, and if it does I may be calling in favours as far as hosting goes; I'm not sure just how much I'll be able to effectively handle.
Those of you eager to check it out... I've yet to deploy the site... it currently points to a VERY old domain that until recently was hosted elsewhere... I'm hoping to have the SpamMailBag.com blog up before I go to bed, and if not, then in the very near future.
Peace,
HT
08.23.06
Posted in Python at 10:27 pm by Tyler Reguly
As many of you know, I participate regularly on AntiOnline (an online IT/security community). Recently, someone was looking for a connection stress tester... There are many available; Blast by Foundstone comes to mind. I decided they needed something simpler: all they wanted to do was test the number of connections a server could handle. The result was a little script that I wrote up. It's fairly basic but it does the trick. I've added some basic error checking (let me know if you want specific errors caught) and a usage function, and now I'm putting it here for all of you to download (should you desire to). You can download it from here. Let me know what you think and whether you want to see any additions... or a tutorial on the subject.
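Since the script itself is only linked, here is an added example of the same idea (my own illustration, not the script from the post and not Blast): open N TCP connections to a target and hold them all open, counting how many the target accepted and how the rest failed. The local listener and the bound-but-never-listened port in `self_test` are constructed targets so the example runs offline.

```python
import socket
import sys
import threading


def start_listener(backlog=128):
    """Start a throwaway TCP listener on 127.0.0.1 (constructed target for
    this example). Accepted sockets are kept in the returned list so the
    client's connections stay established instead of being dropped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    held = []

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener shut down
                return
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held


def stop_listener(srv, held):
    """Wake the accept thread (shutdown on a listening socket does that on
    Linux; elsewhere it may raise, which is harmless) and close everything."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()
    for c in held:
        c.close()


def stress(host, port, count, timeout=3.0):
    """Open `count` connections to host:port and hold them all open.

    Returns (opened, failures): the connected sockets (caller closes them)
    and a dict of exception name -> number of connects that failed that way.
    Holding the sockets is the point: a connect-then-close loop never makes
    the target carry more than one connection at a time.
    """
    opened, failures = [], {}
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            opened.append(s)
        except OSError as exc:         # refused, timed out, EMFILE, ...
            name = type(exc).__name__
            failures[name] = failures.get(name, 0) + 1
            s.close()
    return opened, failures


def close_all(socks):
    for s in socks:
        s.close()


def self_test(count=40):
    """Run stress() against the local listener, then against a port with
    nothing listening. Returns (accepted, failures, refused_failures)."""
    srv, held = start_listener()
    port = srv.getsockname()[1]
    opened, failures = stress("127.0.0.1", port, count)
    accepted = len(opened)
    close_all(opened)
    stop_listener(srv, held)
    # Bind a fresh port and release it without listening: connects get RST.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    opened2, refused = stress("127.0.0.1", dead_port, 3, timeout=1.0)
    close_all(opened2)
    return accepted, failures, refused


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: %s host port count" % sys.argv[0])
    host, port, count = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    opened, failures = stress(host, port, count)
    print("%d/%d connections established" % (len(opened), count))
    for name, n in failures.items():
        print("  %s: %d" % (name, n))
    input("connections held open; press Enter to release them")
    close_all(opened)
```

Two things to read from the failure dict when pointing this at a real server: once the listen backlog fills, the kernel drops further SYNs, so `TimeoutError` counts (rather than refusals) mark the point where the target stopped keeping up; and `OSError` with EMFILE means the client ran out of descriptors first, so raise `ulimit -n` before blaming the server.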
Peace,
HT
08.18.06
Posted in IT at 1:34 am by Tyler Reguly
So I've decided to coin a new term that I'd like to see used more frequently... PnCHd (Pinched)... You would say "That website was pinched" or "Those skiddies pinched my network". Pinched (or PnCHd) stands for "Point 'n Click Hacked"; maybe not grammatically correct on its own, but it works well in a sentence...
I suggest that everyone start using it where appropriate and we get a movement going... I'll be using it for sure... and remember, I coined the term.
Peace,
HT
Posted in Phishing / Scams at 1:26 am by Tyler Reguly
I actually had to go and double-check my wallet tonight after receiving an email from PayPal at one of my accounts... It's not an account I use a lot, and I didn't remember having a PayPal account linked to it, so I doubted it was real; however it was interesting. It was the one legit email that you do get from PayPal... the credit card expiration reminder... I actually had to get my wallet and double-check that it wasn't the last four digits of my CC that were showing...
Here's the email:
Dear ,
Your credit card ending in 3812 will expire soon.
To avoid any interruption to your service, please update your credit card
expiration date by following the steps below. If you do not update your credit
card expiration date
- You will no longer be able to fund payments with this card
To update your credit card expiration date:
1. Log in to your PayPal account
2. Go to the Profile subtab
3. Click on the 'Credit Cards' link in the Financial Information column
4. Choose the radio button next to the credit card you would like to update and
click 'Edit'
5. Enter your credit card verification number
6. Enter the new credit card expiration date
7. Click 'Save'
Thank you for using PayPal!
The PayPal Team
----------------------------------------------------------------
PROTECT YOUR PASSWORD
NEVER give your password to anyone, including PayPal employees. Protect yourself
against fraudulent websites by opening a new web browser (e.g. Internet Explorer
or Netscape) and typing in the PayPal URL every time you log in to your account.
----------------------------------------------------------------
Please do not reply to this email. This mailbox is not monitored and you will
not receive a response. For assistance, log in to your PayPal account and click
the Help link located in the top right corner of any PayPal page.
----------------------------------------------------------------
PayPal (USA) Limited is authorized and regulated by the Financial Services
Authority in the United States as an electronic money institution.
PayPal Email ID PP031
So yeah... it's getting more and more difficult to distinguish the real from the not-so-real. Had this been a real account, and had I not been up on phishing, not checked my real credit card for comparison (or paid attention to the domain being used), I may have been taken in by this.
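Besides the domain, the quoted mail has two tells you can see without a wallet: the salutation is empty ("Dear ,"), and the footer cites the Financial Services Authority "in the United States" (the FSA was the UK regulator). The domain check itself is easy to automate. What follows is an added example (my own code, not from the post or from PayPal): it parses one raw message, compares the From and Return-Path domains against the brand's legitimate domain (assumed here to be paypal.com only), and checks every URL in the text and HTML parts, including the classic trick where the visible link text shows one host and the href points at another. The two sample messages are constructed for the example; the real mail quoted above carried no links.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's only legitimate domain. Its subdomains pass;
# look-alikes such as paypal.com.login.example do not.
LEGIT_DOMAINS = {"paypal.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def domain_of(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return (kind, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for header, kind in (("From", "sender-domain"), ("Return-Path", "return-path-domain")):
        dom = domain_of(msg[header])
        if dom and not is_legit(dom):
            findings.append((kind, dom))
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if not is_legit(host):
                    findings.append(("url-host", host))
        elif ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                host = urlparse(href).hostname
                if not is_legit(host):
                    findings.append(("link-host", host))
                shown = URL_RE.search(text)            # text that looks like a URL
                shown_host = urlparse(shown.group(0)).hostname if shown else None
                if shown_host and shown_host != host:
                    findings.append(("link-text-mismatch", "%s -> %s" % (shown_host, host)))
    return findings


# Constructed samples, not real captures.
PHISH = """\
Return-Path: <bounce@paypa1-secure.example>
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your credit card will expire soon
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear ,
Please update your card at http://paypal.com.login.example/update

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear ,</p>
<p><a href="http://paypal.com.login.example/update">https://www.paypal.com/</a></p>
</body></html>
--b1--
"""

CLEAN = """\
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your credit card will expire soon
Content-Type: text/plain; charset="us-ascii"

Dear Tyler,
Log in at https://www.paypal.com/ and go to the Profile subtab.
"""

if __name__ == "__main__":
    for kind, detail in triage(PHISH):
        print(kind, detail)
```

Note that the forged From passes: a display name and a spoofed From address cost the sender nothing, which is why the Return-Path and the link targets carry more weight than the visible sender. The suffix test in `is_legit` is what stops `paypal.com.login.example` from passing as a subdomain.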
Peace,
HT
08.14.06
Posted in IT, Security, Uncategorized, Vulnerabilities at 1:29 am by Tyler Reguly
For those of you that haven't patched yet... a worm (a variant of Mocbot, or a 'new' virus named Graweg according to MS) is circulating for MS06-040... it's fairly standard: exploit, install a service, service connects to IRC to wait for commands.
LurHQ has a great analysis of the virus:
Quote:

Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread. Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.

Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.

This variant of Mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.

At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.
They also have Snort signatures available on their site, which they've submitted to Bleeding Snort.
The MSRC blog is reporting this:
Quote:

Hey everyone, it’s Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I’m sure you’ve seen by now on our AV partner sites, this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.
Keep the bolded portion in mind as you read this next writeup (the original from ISC):
Quote:

Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm-like fashion.
Microsoft has updated Advisory 922437 due to this activity.
My current goal is to obtain a copy of this worm for further analysis and to play with (I have a few cool ideas for logging data), so if anyone comes across it, could you please quarantine a copy and send it my way... ht[at]computerdefense.org
Peace,
HT
08.12.06
Posted in Phishing / Scams at 10:03 pm by Tyler Reguly
I recently received yet another phishing attempt, this time to the email address associated with this site, from one Mr. Lord Freeman. I decided that for a change I would reply and see what happened. I was rather impressed with how bold the individual was and how quickly they asked for information without any attempt to build camaraderie or familiarity. I'm interested to see how the individual will respond to the most recent email, and will keep you apprised... In the meantime, here's how quickly it happens.
Original Email:
From Mr Lord Freeman
P.O Box 3038,
57 victoria Street,
London SW1H,
LONDON.

Hello

in order to transfer out (Twelve million, five hundred thousand British pounds) from our Bank. I have the courage to look for a reliable and Honest Person who will be capable for this Important business Transaction,believing that you will never let me down either now or in Future.

The owner of this account is Mr. David Hagen foreigner and the Manager Of petrol chemical service,a chemical engineer by Proffession and he died since 1990.the account has no other beneficiary And my Investigation proved to me as well that his company does not know anything About this account.

I want to transfer this money into a safe foreign account abroad but i Don't know any foreigner, i know that this message will come to you as a surprise as we don't know ourselves before,but be sure that it isreal And A Genuine business.

I believe in God that you will never let me down in this transaction,at the conclusion of this business,you will be giving 30% of the total amount, 70% will be for me.I look forward to your earliestreply by email for more details.

Best regards
Mr. Lord Freeman
My Response:
Hello,
I apologize for the slow response, I've been busy lately.
How can I assist you?
I then received:
From: Mr LORD FREEMAN <mrlord_freeman2@yahoo.co.uk>
To: XXXX
Subject: send to me as a matter of urgency followings for the claim in your name!
Date: Sat, 12 Aug 2006 22:01:59 +0100 (BST) (17:01 EDT)
Thank you for your prompt response to my mail, The content therein is well understood. However, I quite appreciate your situation of been skeptical since we have not meet each other before and also because of too many bad people that one encounter with this days one do not know who to trust, But I thank you for seeing the sincerity in my mail as I have good intention for both of us. Be that as it may, One must trust each other some how because "There is no way you can identify an angel without having an encounter with one" So it is always good to have an open mind in what ever your dealings are.
Nevertheless, I can read from your mail that you are a truthful person like my self because there is this saying that "from there words we shall know them" So I can identify you even without meeting you, This is spiritual because I always trust my spiritual instinct and I do listen to it, I have feelings that we can do this transaction together if we understand our self.
Subsequently, Having accepted the above, Please let me have this from you so that we can commence the process of arranging the documents of claims of inheritance in your favor after which we will submit to the bank for approval of claims on your behalf. Modalities would be worked out at the highest levels at the Department of Justice for the immediate notarization and procurement of all needed back-up legal documentations. The process of funds transference would be concluded within 14 working days subject to your satisfaction of the stated terms. My assurance once again is that your role is risk free. To accord this transaction the legality it deserves and for mutual security of the fund, the whole procedures will be officially and legally processed with your name as the Bonafide beneficiary. This is the most important aspect of the project because it is at this stage that all important and vital back-up legal documents would be procured. Substantiating our claims with this document, we would await further fund release Approvals/Recommendations. Once they are issued, it means that the greater tasks of the processes of the fund transfer have been concluded. To proceed in earnest send me one of your personal checking accounts, You can either provide us with an existing bank account, or to set up a new Bank account immediately to receive this money, Your account details should go like this i.e. (a) BANK NAME
(b) BANK ADDRESS
(c) ACCOUNT NAME
(d) ACCOUNT NUMBER
(e) SORT CODE OR ROUTING NUMBER This is to enable the attorney draft an application, which he would be sending to the bank for claims on your behalf. The information as requested below would also be used by the attorney to raise legal back-up documents that will substantiate your claims.
1. Your Full Names:
2. Your Occupation:
3. Date of Birth/Age:
4. Marital Status:
5. Your Telephone/Cell Phone and Fax Numbers for effective communication between us.
6. A scanned copy of your ID, preferably your International Passport or Drivers License is as well needed to enable me set my eyes on the face of my partner. On my receipt of the above information and a strong assurance from you that my trust and confidence in you is never misplaced, I will then start to process the transfer of the fund to your account without further delays. The attorney with my assistance will forward an application for the release of the said amount on your behalf to the bank. He will also forward your account detail to the bank and to the H.M Treasury Department for foreign transfer approval in your favor. As soon as the fund is approved for transfer to your account, you as the foreign beneficiary of the fund will be required to go to the bank's offshore payment center closest to you for the signing of the Final Fund Release Order. You can see you would not necessarily come to London, as the attorney here would represent you down here. After the signing, the fund will be transferred to your account in your presence while you are still in the payment office and you will call your bank to confirm the receipt of the fund in your account.
At the moment, you should not tell your bank that huge amount is to be transferred into your account until after you must have signed the Final Fund Release Order Form (M) in the bank's foreign offshore payment office closest to you, because that will be the only time all the documents to back up the transfer as a legitimate fund which did not originate from drug, money laundry, terrorism or any other illegal act will be ready in your name and will accompany the fund to your account so that your bank or your government will not question the transfer. This information is highly confidential and you should always keep it only to yourself. I would like to receive in return your acceptance to proceed as suggested. Urgency is indeed needed. I am also looking forward to a mutual beneficial partnership with you. Call me at + 44 7040 111 132 for us to talk more on this transfer which we shall all benefit from. On my next email to you, I will send my international id to you as sign of good faith and any other clarification you may require as i will have to renuew my passport so that i will send it to you in my next mail hoping to see yours in your reply. Your Partner and Friend,
Mr.lord freeman
My final response to date:
To: Mr LORD FREEMAN <mrlord_freeman2@yahoo.co.uk>
Subject: Re: send to me as a matter of urgency followings for the claim in your name!
Date: Sat, 12 Aug 2006 22:45:30 -0400
Mailer: Evolution 2.6.0
G'day sir,
I look forward to doing business with you and am glad to have received
your contact. I am however worried. A friend at work was recently
telling me about something called fishing... I'm not exactly sure what
it is... but it sounded a lot like this... How can I be sure that this
is indeed legit? Perhaps, since you contacted me, as a sign of good
faith you could provide me with a copy of your ID first? I've found I
can tell a good deal about a person by looking at their person and am
curious to see your picture to determine if I can trust you.
Thank you...
I have not yet received anything else; however, as soon as I do, I will update this blog.
Peace,
HT