Tuesday, May 29, 2007

Phishing email

I recently received a phishing message that looked like this:
Dear National City business client:

The National City Corporate Customer Service requests you to complete the National City Business Online Client Form.

This procedure is obligatory for all business and corporate clients of National City.

Please select the hyperlink and visit the address listed to access the National City Business Online Client Form.


Again, thank you for choosing National City for your business needs. We look forward to working with you.

***** Please do not respond to this email *****

This mail is generated by an automated service.
Replies to this mail are not read by National City Corporate Customer Service or technical support.


Of course, the actual link points to http://session-9681849.nationalcity.com.userpro.tw/corporate/

The site 'userpro.tw' is being used for malicious purposes. The other hidden component of this message was below the dashed line, "hidden" by setting the font colour to white or near white (FFFFF3, FFFFF6 and FFFFFF were used):
interface: 0x36, 0x1, 0x63, 0x6256, 0x988, 0x2572, 0x80, 0x7637, 0x57264282 end, SGK, include, B870, K8H, WV5O, UK5, create. 0x6, 0x8549, 0x119, 0x8820, 0x402, 0x81, 0x31 8XU: 0x873, 0x5224, 0x2, 0x2, 0x9, 0x8, 0x080, 0x515, 0x43, 0x96767749, 0x88, 0x340, 0x25 0x2, 0x49725777, 0x56099999, 0x29944557, 0x7245, 0x725 M06D: 0x02484306, 0x7392, 0x33, 0x538, 0x525, 0x67920133, 0x3282 XLM: 0x4 2PEU: 0x014, 0x48384334, 0x1, 0x1, 0x11505955, 0x9691, 0x63, 0x189, 0x85388483, 0x113, 0x81125589, 0x0528 0x081PZ: 0x10, 0x7513, 0x410, 0x0375, 0x134, 0x5 CRA: 0x16, 0x58937392, 0x181, 0x27551688, 0x026, 0x5300, 0x45, 0x427, 0x41491833, 0x43275927, 0x9, 0x2, 0x7, 0x462 0x33, 0x0589, 0x771, 0x69, 0x3, 0x96524563, 0x588, 0x8388, 0x3, 0x17, 0x8769, 0x137, 0x4, 0x2211, 0x30 engine KMY9 engine stack: 0x0016 tmp: 0x43286114, 0x88, 0x04, 0x2, 0x095, 0x65, 0x79461383, 0x18078378, 0x65882286, 0x1, 0x6, 0x06 CHA start: 0x3520, 0x1064, 0x69, 0x047, 0x214, 0x062, 0x678, 0x227 0x91708961, 0x0625, 0x2, 0x0, 0x278, 0x2, 0x0, 0x7, 0x09339745 2TWO: 0x14, 0x1, 0x90402223, 0x572, 0x1980, 0x4, 0x9, 0x6377, 0x6914, 0x43462100, 0x848, 0x26 Q8BE: 0x37865183, 0x11, 0x06, 0x2, 0x2132, 0x3, 0x70656885, 0x3758 HKU: 0x1114, 0x1914, 0x2, 0x45, 0x263 0x4, 0x3930, 0x3, 0x4, 0x3, 0x4, 0x0, 0x79365666, 0x4856, 0x57, 0x0, 0x77, 0x4, 0x10401843, 0x6317 0x11658786, 0x0, 0x5 YTIZ, Z5JV, WOJ, api, create0x14424486, 0x17907803, 0x590, 0x13855537 0x591, 0x6, 0x22, 0x2126, 0x81675440, 0x67351277, 0x6, 0x1 serv: 0x36026386, 0x6, 0x7, 0x772, 0x64, 0x8180, 0x9701, 0x50750989, 0x7, 0x9, 0x87, 0x3058, 0x5, 0x263, 0x23 7Z1 common KXLL hex 0x0071, 0x63
I'm curious about the code: do you think the hex was used to defeat Bayesian spam filters, was it a programming mistake by the phisher, or was it something else?
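As an added example (not code from the original post), here is a small Python check that flags text an HTML message renders in white or near-white, the trick used above with FFFFF3, FFFFF6 and FFFFFF. The sample message inside it is constructed, and it uses only the standard library's HTMLParser.

```python
# Added example (not from the original post): flag text that an HTML email hides by
# rendering it in white or near-white, as the FFFFF3/FFFFF6/FFFFFF fonts did here.
import re
from html.parser import HTMLParser
HEX6 = re.compile(r"#?([0-9a-fA-F]{6})")
STYLE_COLOR = re.compile(r"(?:^|;)\s*color\s*:\s*([#\w]+)", re.I)
VOID_TAGS = {"br", "hr", "img", "meta", "input", "link"}   # never closed, never pushed

def is_near_white(color, threshold=16):
    """True when every RGB channel is within `threshold` of 0xFF, so FFFFF3 counts."""
    color = color.strip()
    m = HEX6.fullmatch(color)
    if not m:
        return color.lower() == "white"
    r, g, b = (int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return all(255 - c <= threshold for c in (r, g, b))

class HiddenTextFinder(HTMLParser):
    """Stack of font colours per open element; text is sorted by the innermost colour."""
    def __init__(self):
        super().__init__()
        self.stack, self.hidden, self.visible = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        m = STYLE_COLOR.search(a.get("style") or "")            # style="color:#FFFFFF"
        self.stack.append(m.group(1) if m else a.get("color"))  # <font color="FFFFF3">
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        color = next((c for c in reversed(self.stack) if c), None)  # innermost wins
        (self.hidden if color and is_near_white(color) else self.visible).append(text)

def hidden_text_ratio(html):
    """Returns (hidden text joined, fraction of all text characters that are hidden)."""
    p = HiddenTextFinder()
    p.feed(html)
    hidden, visible = " ".join(p.hidden), " ".join(p.visible)
    total = len(hidden) + len(visible)
    return hidden, (len(hidden) / total if total else 0.0)

# Constructed stand-in for the phishing message: a visible lure, then hex noise in near-white.
SAMPLE = """<html><body><p>Dear business client: please visit the form at
<a href="http://example.invalid/form">our site</a>.</p><hr>
<font color="#FFFFF3">interface: 0x36, 0x1, 0x63 end, SGK, include</font>
<span style="color:#FFFFFF">engine stack: 0x0016 tmp: 0x43286114</span>
</body></html>"""
```

A high hidden-text fraction is a useful filter feature in its own right, independent of what the hidden words are.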

Thursday, May 24, 2007

Pain relief for SOX audits

Got this note from a colleague today:
THERE IS HOPE :).. Here is what we turned up.... reading through the details to see what it REALLY means!:

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.


And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

Looks like the PCAOB has also done extensive work to allow the auditors more latitude to scale their work to match the size and complexity of an organization -- great news for smaller public companies.

Hello and a Question for Michael

My beautiful espousa forwarded this message to me from a friend:
Something came up today and I have a quick question for Michael: In a nutshell, someone online accessed my checking account (with Washington Mutual) and drew out 500.00 from USAA (the bank with which I have a savings account, a credit card and renters' insurance.)

I recently did an online electronic transaction from USAA, telling them to remove funds from my Washington Mutual account (like I do every month) to pay off an insurance premium.

Between last night and this morning, a transaction took place whereby 500.00 was transferred via a "USAA Internet Chk" from my WaMu account to an alleged USAA account somewhere, or probably, just through USAA and out a back door. I have both USAA and Washington Mutual investigating it, but boy, it's a rude way to start someone's morning!

Anyway Michael, if you have a view of what may have happened, I'd love to hear it. The only thing I've done differently recently is to reset my DNS server numbers in my wireless router to those of openDNS.com, a free service that supposedly prevents phishing, etc. I've since reset the router to just get DNS numbers automatically (I'm with Verizon).

Sorry to bother you with this, but you're probably much savvier than any of these folks and might have some insight. As it is, I'm grateful that ------y keeps her money with a separate bank, though we do have other WaMu Joint accounts... Makes us gunshy to use the internet for banking transactions (emphasis is mine) - or at least to maybe designate just one, and then to feed it funds for electronic fund transfers at the time bills come due...

All the best,

This sort of thing is very uncommon, but we always jump to the conclusion that we've been hacked by a criminal. This is the email I sent back to my friend last night:

Hello N------,
  1. Go to a friend's house or a system at work and change all of your passwords! Don't use your computer, it may have been compromised.

  2. Never re-use a financial site password with any other site.

  3. Change the password on your router and other network equipment.

  4. Have an expert look at your computer; if it has been compromised, you'll need a professional to get it fixed. If it were me, I would back up my data and reinstall from secure media.
If you were not phished then your bank may have been pharmed.

It is very unlikely that an outsider directly compromised the bank. If you used a unique id and password, a random hacker would not have gained access by guessing your password.

There are many possible explanations for your problem.
Someone you know compromised your access:
  • They knew enough about you to access your account. If this is true the bank will be able to follow the money to them.

Some stranger compromised your access:
  • If you used your bank password at a secondary web site the secondary web site might have been compromised, leading to a compromise of your bank account.
  • Your system may have been compromised through an attack launched by a web site that you have visited. These days criminals compromise you via the web and install a program to record the web sites and passwords you use (keystroke logger). Once they captured your bank password they would have set up a transfer to withdraw money from your account.
  • You may have been phished or pharmed. I doubt you were phished, but pharming is very hard to detect. In a pharming attack the criminals impersonate your bank web site by hijacking the infrastructure the site relies on. You think you're visiting WAMU or USAA but in reality you have been redirected to a fraud site.

An employee at one of your banks has exploited a flaw in the bank's security:
  • Banks have several layers of protection to prevent this, but criminals are very creative at exploiting loopholes or flaws in network or web application security.

Either USAA or WAMU has made a transaction error:
  • This doesn't happen often, but it does happen. Personally, I have had my bank process duplicate transactions on more than one occasion. The situation you describe is very suspicious but it may turn out to just be a simple mistake.

Take care and feel free to contact me directly.
So what do you think, did I give my friend good advice?

Tuesday, May 22, 2007

Top 10 Reasons Why You Might be a Domestic Terrorist

  1. You believe the Constitution is the highest law of the land.
  2. You believe that absolute power corrupts absolutely.
  3. You believe that all governments regardless of their construction are subject to corruption and abuse of power.
  4. You believe everyone has the right to bear arms.
  5. You believe that everyone has basic rights that may not be infringed.
  6. You believe all persons have equal protection under the law.
  7. You believe the State can not unfairly confiscate your property.
  8. You believe that the State shall not force people to testify against their will.
  9. You believe that you have the right to publicly complain about the government and its policies.

And the number one reason why you might be a home-grown domestic terrorist:

1. You might disapprove of what I have to say, but you will defend my right to say it.

My thanks and appreciation to the Founders, Locke, Hobbes and to the many others who contributed to this list.

Edited to add:
Another Enemy of the People?

Friday, May 4, 2007

Pen testing

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ball park range that is reasonable to charge for say, 5 external IPs/servers?


(name withheld)

Well, like everything, that will depend on several factors.

  • Is this an external attack only, or internal, external and wireless?
  • Is social engineering involved, will a physical penetration be attempted?
  • Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

  1. Motivated attacker, a user with inside knowledge or an attack by a professional seeking monetary gain
  2. Robot master, someone looking for bots to add to their army
  3. Opportunist, a script-kiddie or other non-professional attempting to crack systems because it's a rush

Level 3 is a little above what you can do with a flat Nessus scan. I'd certainly add a little Metasploit work and some light web application inspection, looking for obvious input flaws.

Level 2 will run several well-known exploits and perhaps a 0day. You need to take a very careful look at the attack surface, validate all web applications for input checking (multiple encodings) and prevention of script or SQL injection.

Level 1 will do all of the above, plus deep research on the target and target employees; this level is beyond the capability of a small-business IT defense.

For a client with only five external IPs, simulating either a level 2 or level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work involving the more interesting targets. Three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possibly denial-of-service attacks. Economically, you can't bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include the time for testing, data gathering and report writing -- never under-estimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite off a blend of these two attack scenarios. Cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.