Archive for July, 2009

Screenshot == Reported to FBI?

July 15th, 2009

I have to say that I was completely shocked when I read this (via SpywareGuide) yesterday... the first thing I did was send it to everyone I was talking to on IM. Write something to help protect people from phishing sites and have a complaint filed with the FBI? There's something seriously wrong with this picture.

PayPal seems to be stepping all over themselves lately, they completely stall HFC (thankfully resolved now) and now this. I just can't imagine what goes through someone's head that they send a letter to the ISP and file a complaint with the FBI... did they even have any idea what they were looking at? Did they understand that the site was helping people not hurting them?

I could continue to rant on this, but mainly I just wanted to make sure as many people as possible saw and read it. Though it should be noted this isn't the first takedown request with the threat of legal follow-up based on a screenshot; FailBlog was hit with this not too long ago. Although the Guinness Book of World Records didn't go to the FBI.


Does (Spam|Phishing) Filtering == Email Censoring?

July 14th, 2009

I was reading about the Gmail Labs option to display a key icon if the sender's domain is signed using DKIM and the sender is eBay or PayPal. This allows you to quickly verify whether the email is legitimate by looking at the icon. Now it apparently takes some work for a domain to be "super-trustworthy", so this key can't just work for any domain. (I suggested two types of keys, one for all DKIM emails and one for these "super-trustworthy" DKIM emails -- almost like SSL vs EV SSL (it kinda hurt to say that though))

Anyways, to get back on track, as I was reading some of the comments on the Google Group, I came across this one, 'Censoring my Email'. It actually made me stop and think for a second. On one hand Gmail is indeed censoring the email you see, however they're doing it to filter spam... is it really censoring at that point?

I think we first need to consider what's being filtered. Any email from paypal.com or ebay.com (or their international counterpart domains) must be signed with DKIM. If Gmail can verify the DKIM signature, it delivers the message to your inbox; if it can't, the message goes to /dev/null. How much spam does this filter? Well, basically anyone who's set their own 'MAIL FROM' response to paypal.com/ebay.com. People who set their name to 'PayPal Support' with an email address of paypal-support@gmail.com will not be filtered and will show up as just 'PayPal Support', unless the recipient clicks 'Show Details'.

Now imagine that you're a non-technical Gmail user who's read an article that says paypal.com/ebay.com emails aren't even delivered to you if they are spam (that wasn't quite the wording Gmail used, but it's not hard to imagine it happening). You see an email that says 'PayPal Support' and you're going to click on it (after all, users are trusting... that's why phishing works in the first place). This could cause a lot of problems (maybe this is even why the idea of showing the key for "super-trustworthy" domains came along). So Gmail responds by introducing this key icon... and when you look at it this way, it almost seems required. Yet it was this introduction that made the filtering more evident to people and which prompted the comment that sparked this blog post.

So, back to the original question... is filtering spam and phishing emails the same as censoring email? I definitely don't think so. I applaud Gmail for making an effort to limit the spam that appears in a person's inbox (if only they were filtering my personal and work email :) ). However, I disagree with their approach and I see two problems with it.

The first is that they waited over a year between filtering email and providing verification for valid email. This could have led to many cases like the scenario I described above, and since the feature is only in Labs, not everyone will use it, which could lead to many, many more cases like that.

The second is that they filter anything not signed via DKIM from ebay.com/paypal.com. After reading about this I went and set up DKIM on my server to get a better understanding of how it works. It requires trust in two protocols that can't necessarily be trusted, SMTP and DNS. What happens when eBay/PayPal have a DNS issue, restart DNS and it doesn't come back immediately... how many potentially valid emails could be dropped? What happens if someone gets it into their head to attack Gmail with DNS cache poisoning? What if someone at eBay/PayPal adjusts a mail server rule and the DKIM header stops being sent?
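To make the DNS dependency concrete, here is an added example (not Gmail's code and not from the original post) that models the three outcomes a DKIM verifier can report and compares the "drop unless it verifies" policy described above with one that distinguishes a transient lookup failure from a forgery. It uses HMAC with a shared secret and a hypothetical resolver in place of real DKIM's RSA signature and DNS TXT lookup; the message dictionaries and the key are constructed sample data.

```python
import hashlib
import hmac
from enum import Enum

# Simplified model of DKIM verification outcomes (added example, not Gmail's
# code). Real DKIM signs canonicalized headers with RSA and fetches the key
# from selector._domainkey.<domain>; HMAC and a hypothetical resolver stand in.

class Result(Enum):
    PASS = "pass"            # signature verified against the published key
    FAIL = "fail"            # key found, signature does not match
    TEMPERROR = "temperror"  # key record could not be fetched (DNS outage)
    NONE = "none"            # no DKIM-Signature header present

def sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(msg: dict, resolver) -> Result:
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return Result.NONE
    try:
        key = resolver(msg["From"].split("@")[1])
    except TimeoutError:  # the resolver signals DNS being unreachable this way
        return Result.TEMPERROR
    ok = hmac.compare_digest(sign(msg["Body"], key), sig)
    return Result.PASS if ok else Result.FAIL

def drop_unless_pass(result: Result) -> str:
    # the policy described above: a DNS outage looks exactly like a forgery
    return "inbox" if result is Result.PASS else "drop"

def temperror_aware(result: Result) -> str:
    # forgeries still dropped; a lookup failure is deferred (SMTP 4xx) for retry
    if result is Result.PASS:
        return "inbox"
    return "defer" if result is Result.TEMPERROR else "drop"

# Constructed sample data: one genuine message and one forgery of it.
KEYS = {"paypal.com": b"constructed-shared-secret"}
GENUINE = {"From": "service@paypal.com", "Body": "Your receipt"}
GENUINE["DKIM-Signature"] = sign(GENUINE["Body"], KEYS["paypal.com"])
FORGED = {**GENUINE, "Body": "Verify now", "DKIM-Signature": "00" * 32}

def working_dns(domain: str) -> bytes:
    return KEYS[domain]
def broken_dns(domain: str) -> bytes:
    raise TimeoutError(domain)
def classify(msg: dict, resolver) -> tuple:
    r = verify(msg, resolver)
    return r.value, drop_unless_pass(r), temperror_aware(r)
```

Running classify(GENUINE, broken_dns) shows the difference: the first policy discards a perfectly valid PayPal message during a DNS outage, the second asks the sender to retry.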

It's entirely possible that this email is "super-trustworthy" because workarounds have been implemented for every issue I've mentioned above, but that still doesn't protect users who don't have the key icon yet. At this point, I guess the best we can hope for is that this feature spends very little time in Labs before being implemented across Gmail.

So in the end... (Spam|Phishing) Filtering != Email Censoring and we should be thankful for it, not fighting it.


SSH Brute Force Attempts

July 13th, 2009

Quite a while ago I modified an instance of sshd to log the client version and password for every attempted login. I then set it listening on a separate interface that I never log into. I finally got a chance to parse the logs (3 grep lines to dump data from the auth logs and 27 lines of Python to generate a CSV to load in Excel). The result was 12,214 attempts from 27 different source addresses.

The top 10 offending IPs were:

209.160.20.243 2752
211.144.121.116 2153
89.33.253.232 1557
24.72.23.27 1522
203.185.29.143 848
63.219.16.13 689
79.190.88.34 606
212.2.125.67 543
82.207.66.14 357
61.221.41.96 328
Grand Total 11355

On the username side, root came in at number one (did anyone not see that coming?) and the top 10 usernames accounted for roughly 1/3 of the attempts:

root 3336
test 256
admin 165
oracle 123
ts 85
tester 79
nagios 78
tss 77
ts2 75
testing 74
Grand Total 4348

I also don't think that there's much of a surprise with the top 10 passwords:

123456 604
password 369
12345 200
test 179
test123 163
passwd 136
123 114
1234 87
qwerty 71
abc123 59
Grand Total 1982

I will most likely post the file going forward or release additional numbers (I'll admit that I'm kinda curious to read through all the usernames used); either way, there will be more data.
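For anyone wanting to reproduce the kind of top-N tables above from an ordinary auth log, here is an added example (not the post's own grep/Python script). It parses stock OpenSSH "Failed password" lines, which carry the username and source address but never the password (the post's sshd was patched to log that), and adds a simple per-source rate check; the log lines are constructed sample data using documentation-range addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Added example, not the post's own script: parses stock OpenSSH "Failed
# password" auth.log lines into the same top-N counts the post reports, then
# adds a per-source rate check. (A stock sshd never logs the password itself.)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jul 13 01:00:01 bait sshd[1201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul 13 01:00:02 bait sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Jul 13 01:00:03 bait sshd[1205]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jul 13 02:10:00 bait sshd[1400]: Failed password for invalid user oracle from 198.51.100.9 port 50002 ssh2
Jul 13 02:10:05 bait sshd[1402]: Accepted publickey for deploy from 192.0.2.5 port 60001 ssh2
"""

def parse(log: str, year: int = 2009) -> list:
    # syslog stamps carry no year, so one is supplied; non-matching lines skipped
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def top_n(events: list, n: int = 10) -> tuple:
    ips = Counter(ip for _, _, ip in events)
    users = Counter(user for _, user, _ in events)
    return ips.most_common(n), users.most_common(n)

def noisy_sources(events: list, threshold: int = 3, window_s: int = 60) -> set:
    # flag any source with more than `threshold` failures inside window_s,
    # using a sliding window over each IP's chronological timestamps
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
    return flagged
```

Feeding a real /var/log/auth.log through parse() and top_n() gives the same IP and username rankings as the post's CSV, while noisy_sources() is the piece you would wire into an alert or a firewall rule.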


How Important is an IP Address?

July 5th, 2009

There's an interesting post on VitalSecurity.org by paperghost. He's talking about a feature in Gmail that allows you to see all IP addresses logged into your Gmail account and even sign out all other users. He has two interesting thoughts in the article: that there's now a privacy concern if an attacker is in your account, and that password protecting this information may be a valid countermeasure. The second thought is disregarded in the same sentence on the basis that the attacker has the password, however if you're the victim of sidejacking, perhaps this is the perfect defense.

I want to discuss the other point... that it's time to be paranoid, throw up the proxies and worry that your IP is being stored. I wonder if your IP Address is even an important piece of information these days? I'd prefer if not everyone knew my IP but at the same time, does it matter?

We mask packet captures because quite often those contain private IPs that could reveal information on infrastructure and available resources. After all, a host named dc.example.com or exchange.example.com probably tells you its exact function. Should we worry as much about public facing IPs?

Let's picture the attacker and the victim. The victim is likely to log in from one of four places... Work, Home, Mobile, Free Wifi. Let's take a look at each of these.

Work - The attacker has access to your email and quite possibly targeted you. This means they're likely to know where you work. A simple search on a site like ARIN Whois will tell me all the public facing IPs... Sure this may speed things up... but I'm an attacker, I've got more than enough time.

Home - How often is your home IP targeted by an individual these days? Sure it may be scanned by bots and sure you may be targeted by malware, but an individual attacker? Unless they really want something specific from you, your home IP doesn't matter to them. Even if they do want it, having it shouldn't help them, a simple home router for $39.95 from Best Buy is going to keep those open ports from facing the internet.

Mobile - Since this is probably a NAT'ed IP Address what are they going to get... your cell provider?

Free Wifi - The attacker may now know where you are located if you are out and about, but Twitter, Facebook and everything else under the sun already tells them that information.

So is an IP Address important private information these days? Maybe if you're breaking the law... but otherwise I don't think it matters.

I fully support the idea of adding password validation to the details section (perhaps even a different password than your login) but I definitely wouldn't want the feature going away... I love it.

The bigger issue will probably come when you can assign names to sessions (and have it link that IP to the session for future ease of use). If your spouse happens to log in and sees another session open and it doesn't have 'Office' next to it like your previous ones, especially after you said you were going to be working late... well then you might have problems.


Welcome to the Blogging Scene: Forage Security Inc.

July 4th, 2009

I wanted to write a quick little post to let everyone know about a new blog that they should keep an eye on. The Forage Security Inc. blog contains posts from a former colleague... someone I consider to be a good friend and one of the brightest guys I know. I expect that you'll see a lot of really cool things on the blog and highly recommend adding it to your favourite feed reader ASAP.


Who Will Use Microsoft Security Essentials?

July 4th, 2009

Randy Abrams (who's a great guy to share a beer with if you ever have the chance) of ESET briefly mentioned the impact that Microsoft Security Essentials (MSE) will have on the AV market in a blog post a couple of weeks ago.

A commenter mentioned that MSE meant that his father would now install AV. Randy's response was to question whether he would, given that there are already free AV offerings available.

This got me thinking about when I stopped using AV on my home systems. I was a huge AVG 6 fan, I recommended it over everything and was fairly certain it was the best AV available to the end user. Minimal footprint, good results and not intrusive. The day that AV died for me was the day AVG 7 came out. I wasn't a fan that support for my product was discontinued and that it wouldn't autoupdate. I had to download the new version and install it, I also had to register for a serial. That wasn't free anymore, I had to provide my email address to a spam database. I did indeed download and install AVG 7, it had a larger footprint and I noticed an increase of spam (this could be coincidence but I don't believe in coincidences). I uninstalled it less than two weeks after installing it and decided to go without AV.

It was at this point that the real problem occurred to me. I had set up the computers of many of my family members and on every one I'd installed AVG and set it to auto-update. They were now without AV protection. I wasn't in the same city as many of them, so I had to walk them through the upgrade on the phone (a very painful process for anyone who's ever tried it).

Why does this story matter? If there's one thing that Microsoft is good at... it's pushing updates. I, for one, will install MSE on the systems of all my family members that ask for assistance and recommend it to anyone that asks for a good, free AV solution. I may even recommend it to those willing to pay (I've always found most of the other offers in commercial AntiMalware suites to be unnecessary) if I have a good experience using it. I know that as long as the software exists they will have updates and ease of use (Microsoft is good at both in my opinion).

So in the end I actually think that MSE will steal a large chunk of the AV market, however they'll steal it from the other free vendors (AVG, Avast, etc)... the commercial vendors won't have to worry for a long, long time.

Terminology Woes

July 4th, 2009

Tonight I started thinking that one of the biggest problems affecting IT today is the lack of a clearly defined terminology (both terms and acronyms). Sure certain things have had standardization (CPE comes to mind as a great example) but generally terms are not common across the board. Let's consider a few examples.

VM - Do I mean Vulnerability Management or Virtual Machine? Depending on the industry it could mean either or both.
FP - Do I mean Fingerprint or False Positive? Again, the industry dictates the meaning or both meanings.

There was a period of time where people referred to Cross Site Scripting as CSS... occasionally I still see it places. How about RE? I'm sitting here looking at the spine of 'Reverse Engineering Code with IDA Pro'. The spine says 'RE Code with IDA Pro' but RE commonly refers to regular expressions as well. The list goes on and on, and I think it is a problem that hurts us across the industry. Now miscommunication may not occur because there's generally context around the term but it can happen. I think the bigger issue is misrepresentation outside of the industry. This could be outside of IT, or could be within disciplines of IT.

Take, for example, this blog post on the SecuriTeam blog. The title is 'Mysql authentication bypass'. I was rather excited when I saw the title in my feed reader, I thought that someone had found a way to bypass authentication and access the MySQL database directly. It turns out this wasn't the case. Instead it was talking about a method of SQL Injection that will bypass many filters/IDS and works only against MySQL, it was also a discussion that was 6 months old. A comment pointed out that this wasn't a MySQL Authentication Bypass and I tend to agree, the author disagreed in the comments.

As I see it, an Authentication Bypass is when you are bypassing the authentication process into software or a website. Prefixing it with MySQL leads me to believe we are bypassing the authentication process in mysqld. SQL Injection is so much more than simply bypassing authentication, and at the same time bypassing a filter/IDS is so much less than SQL Injection. The author of the blog post was fairly insistent that he'd titled the post properly, yet I think this is a prime example of terminology failing us.

Is there a way for us to work around this issue, or will it always exist?
