Cybercrime

Spike in IRS-Branded Phishing Attempts

I've gotten a few of these over the past couple of weeks.  Everyone knows this is a phishing scam, right? How many phishing flags can you spot here?  Unexpected email:  Check.  Offering me money out of the blue:  Check.  Link goes somewhere OTHER than where it claims:  Check.  References bogus law (I'm pretty sure the 19th Amendment to the Constitution didn't address IRS refunds).  Bad grammar: Check.  Do we need a refresher on Phishing?

Are We Winning the Battle?

One of the more interesting talks given at last week's CSI NetSec in Arizona was conducted by CSI editorial director Robert Richardson.  He gave us a preview of next month's release of the annual cybercrime survey conducted jointly by the FBI and CSI. The survey shows a continued decline in the money lost by companies due to cybercrime.  Compared to 2005, losses are down 18%, and down 68% compared to 2004.  This metric has been declining for 4 straight years actually. So.  Does that mean we're winning?  Does that mean that all the money we're spending on security is actually bearing fruit? Well,...

3 incidents per week

A lot of noise has been made of the Choicepoint debacle of last year that exposed the personal records of, at last count, 170,000 individuals in America.  What you may not realize is that, for all the attention the incident garnered, it wasn't one of the top breaches of the year, based on the number of records exposed. The top 5 were all million+ records exposed, including the granddaddy of them all, Card Systems, with 40 million records exposed when hackers penetrated their systems in early 2005.  Next in line was Citi Financial, with 3.9 million records lost on a...

Educating Home Users about Cybersecurity

I've been thinking for a long time how to get security ingrained into the psyche of the average home user.  I've been half-heartedly trying to “expose some content”, as some of my colleagues would say, to spread the message of why computer security is important to everyone. But I haven't really made any progress, and it was getting pretty frustrating for me personally.  The problem was that the project could be all-encompassing, especially when I started considering what a state agency could distribute to all its residents. So a couple weeks ago I decided that doing it on a small scale...

WSJ reports on AGORA's Google Hacking Demonstration

Back in March, I noted briefly that I had attended a “Google Hacking Contest” put on by the AGORA organizers.  I can't say much about what goes on at AGORA, but since this hit the wires, I guess it's ok. Well in the audience that day was a reporter from the Seattle Post-Intelligencer, one of the two major newspapers for the greater Seattle area.  And then it was picked up and ran on page B1 (above the fold!) in a subsequent issue of the Wall Street Journal (the WSJ is subscription only, so I am providing a very curious free link...

When Good Intentions Beget Bad Laws

Back in April of this year, Washington became the 6th state in the Union to pass a law requiring the disclosure of events resulting in the exposure of personal information to unauthorized entities.  Similar, if not identical, legislation is making its way through the governing bodies of at least 28 other states as I write this. This legislation follows closely California's own SB1386, which came as a result of the well known breach of California's government systems, which resulted in the exposure of the employee files of every one of California's state employees. More famously now though, California's SB1386 is the reason Choicepoint was...

What the hell's going on in California?

If you watch the news lately, you can't help but hear about some of the recent high-profile hacks of major information clearing houses. Choicepoint, the most publicized victim, announced a few weeks ago that sensitive information on 30,000 Californians was given to hackers who were posing as Choicepoint customers.  What they failed to tell everyone initially, was that the number of people whose personal information was exposed is closer to half a million. Choicepoint is an information aggregator, and about the biggest one there is.  They have dossiers on 10 BILLION individuals and businesses, and those dossiers include social security numbers, credit histories,...

Google Hacking Contest

I recently had the privilege to witness an organized Google Hacking Contest, inspired by Johnny Long's new book “Google Hacking for Penetration Testers”. The contest pitted 8 teams of local security folks (including a team from Intel and a team from Qualys) against each other, and gave them 60 minutes to use Google to find as much personal information about people as possible. The results, frankly, were astounding.  I went into it knowing Google was a one-stop identity theft shop, but I still left shaking my head. The highest scoring team found over 2.5 million bits of sensitive information, including social security numbers,...

First destructive cell phone viruses emerge

Cellphone anti-virus developer SimWorks is reporting (pdf) that 2 new cell phone viruses have been identified, and they can render a cell phone completely inoperable to the point of having to replace it. Gavno.a infects the phone when a user downloads and installs an infected software package onto their phone.  Gavno.b on the other hand, attempts to spread itself over Bluetooth.  Both files claim to be a patch in an effort to trick unwary users into downloading and activating them. Once activated, the viruses halt a critical process on the phone, preventing it from making any calls, and often causing it to constantly reboot. ...

Cyber Nightmare

Last month Forbes ran a story called Cyber-nightmare, about how Al Qaeda and other terrorist organizations are increasingly using the Internet to further their purposes. Interesting stuff.

More E-Voting Icebergs, Dead Ahead

(For previous entries regarding the looming disaster that is electronic voting, please see this post and also this post) If our ignorant (I'm being nice by not suggesting “corrupt”) state governments continue to fly headlong down this ill-advised and reckless path of electronic voting, it will no longer be a question of *if* an election will be hacked, but *when*. Let me bring you up to date, since a number of very serious issues have come to light in the past few weeks: Security experts recently discovered that the Diebold system (by far the most popular in the country) could be attacked at the...

Blaster Copycat Pleads Guilty

According to this article in USA Today, 19-year-old Jeff Parsons pled guilty in a Seattle courtroom today, to charges of taking the original Blaster worm, modifying it, and re-releasing it back into the wild.  His variant infected an estimated 48,000 systems before it was contained. Young Mr. Parsons is expected to receive 18-36 months in prison, in addition to paying millions of dollars in restitution.  His life is ruined.  Hope he had a good time. Sound harsh?  Nope, not in my book.  We need to set a few examples.  Maybe the thought of a few years of “pound you in the ass” prison will make these...

Phishing attacks up 500%

According to this article at Information Week, phishing attacks have increased 500% since January, and a whopping 5000% in the last year. Email is evil.

Phishers are getting good

Take a careful look at the following image: See the *almost* perfect white box with the “https...” part in it?  It's a little off there along the bottom, but it's really plenty good enough to fool most users.  That, dear readers, is a chromeless window.  And unfortunately, this one isn't a demo.  This was found in the wild recently. This particular chromeless window is covering up the fact that the user is actually visiting “http://validation-required.info” (terminated), which is a scam website in Korea pretending to be US Bank.  Users were duped into going there by a fairly run-of-the-mill phishing email from (supposedly) US Bank...

Botnets for rent

The Register recently did a story on a growing industry based around renting out botnets to ne'er-do-wells who don't have the skills or time to collect their own.  You can rent botnets by the hour, apparently, to use them for spamming, DOS attacks, or whatever nefarious deeds strike your fancy. Remember, botnets are collections of hacked PCs, usually on cable modem, DSL, or other “always on” connection.  Some botnets have been discovered that contained over 250,000 hacked machines (zombies), waiting patiently for commands from the master.  The majority of recent worms and other large-scale viruses have been specifically designed to turn the infected systems into...

Best... Spam... Ever!

I got this phishing email in one of my test mailboxes overnight: Your credit card will be billed at $22.95 weekly and free 3 pack of child porn CD is shipping to your billing address. To cancel your membership and CD pack please email full credit card details to dnsadmin@tucows.com Ready to enjoy all types of underage porn? We have the best selection for every taste! Click the secret link below and have fun... www.[obfuscated].com Contact us: http://resellers.tucows.com/contact_service You can order by phone:1- 416-555-5555 (obfuscated) So, in order to avoid getting illegal kiddie porn in the mail, you have to send them...

The Farewell Dossier

There is an interesting book coming out next month called "At the Abyss: An Insider's History of the Cold War", by Ballantine Books.  It's written by Thomas Reed, who worked at varying levels of government, including a stint as Ronald Reagan's Secretary of the Air Force. What does a book about the cold war offer to interest my readers?  I'm so glad you asked! Indulge me for a moment, while I give you a little history lesson: In 1981 the CIA discovered that the Soviet Union was pillaging American (and other Western) technology at an alarming rate, starting way back in 1970.  They were...

Bizex Virus/Worm Ups The Ante

A new virus broke on Tuesday, and quickly infected between 50,000 and 100,000 systems in the 4 hours prior to its source being quenched.  The virus has been dubbed Bizex. Bizex was well-crafted.  In fact, so well-crafted that some think it's the product of a professional virus writer.  It exploits a myriad of vulnerabilities, including a combination of ICQ and Internet Explorer attacks that remains exploitable.  It uses various attack vectors, including email and ICQ messages with embedded links.  It uses some techniques that had only been made public a few days prior, proving once again that the black hats are...

National and State Trends in Internet Fraud and Identity Theft

In late January, the FTC released a report entitled “National And State Trends in Internet Fraud and Identity Theft” (73 pages, PDF format). I was reading through this report today and some of the numbers are sobering: In 2003, Identity Theft was by a long shot the favorite crime of Internet hucksters, accounting for 42% of reported incidents.  The next most popular type of Internet Crime was Auction Fraud, at 15%.  Internet fraud now accounts for 55% of all fraud reporting in the United States, up from 45% in 2002. Seattle is 2nd only to Washington DC in incidents of fraud, per capita. A whopping 81%...

Phishing Incidents up 50% in January

According to a recent press release by antiphishing.org and Tumbleweed Communications Group, phishing incidents increased by nearly 50% in January compared to the previous month. I made a quick graph of the number of phishing incidents reported to antiphishing.org over the past 3 months, and the trend is disturbing: As you can see, scammers are really taking a liking to phishing as a means to bilk money from unsuspecting victims. It's interesting to note that 32% of the phishing attacks monitored during this period relied upon the recently-addressed IE feature that allowed web addresses to include user credentials in the URL.  Recent patches to Internet Explorer...

Well that'll teach him... I guess

So an 18-year-old British hacker cracks his way into 17 servers at a government-run nuclear research facility outside of Chicago so he can use them to store warez and other pirated material.  The DOE had to shut down the network for 3 days as a result of the breach, costing US taxpayers nearly $30,000.  The kid was recently found guilty of Computer Misuse by the British courts, a crime which carries a maximum penalty of 5 years jail time. The punishment in this case?  Jail time?  Nope.  Fines?  Huh uh.  Surely he had to pay some restitution?  Zilch.  Did they take away his computer...

Software Bug Contributed to Power Outage

You have all been blessed with my fantastic theories about the real reasons the power went out in the Northeast last August, so I won't repeat them again. I have always found it curious though, how the primary alarm system and its backup both failed within 14 minutes of each other at the most critical time.  This was one of the primary factors of the blackout, as operators were not alerted to a catastrophic overload condition brewing until the failed alarm systems were discovered offline nearly an hour later.  Well, it turns out there was a bug in the software that runs those alarm systems.  (That...

Interesting Discussion on CyberGate

SecurityFocus posted an interesting article about the increasingly complicated incident of Republicans stumbling over a host of unsecured Democrat memos that discussed the methods the Dems planned to use to thwart Republican judicial appointments.  The incident is being called “CyberGate”. The interesting thing though, is that there is some argument over whether or not the Republican intruders actually broke the law.  Technically, they were authorized to go where the documents were being stored, because their network access privileges allowed it.  Of course, nobody is saying what they did with the access to those documents was right (but let's also not forget that...

30% of spam originates from hacked systems

MSNBC is reporting on a new study that claims 30% of spam originates from hacked systems. Yep, I believe it.  Actually I'm surprised the number is not higher. Spammers have increasingly relied upon the availability of hacked systems to obscure the source of their emails, especially as legislation seeks to penalize their spamming ways.  In fact, one of the growing concerns is the fact that a good number of recent viruses are engineered for specifically this purpose, to turn the infected system into a spam relay. And then there are smegheads like Send-Safe who make a business out of finding exposed spam relays...

Webcast: Ten Ways to Hack-Proof Your Identity

The SANS Institute is giving a free webcast on Wednesday about how to hack-proof your identity.  It will be conducted by Cisco's Director of Corporate Security, John Stewart.  Don't miss this one!

DOE releases official report on the Blackout of 2003

I've made no secrets about my personal belief that the power outages of August 2003 were a result of cyberterrorism.  I have no facts to base this opinion on, aside from an avalanche of circumstantial evidence, and the fact that everyone acknowledged it was possible to conduct such a strike due to the insecurity of the SCADA systems.  And then there was that Slammer attack in January that forced the Davis-Besse nuclear plant offline. Well, the DOE has finally published their initial findings.  The thing is huge, and I haven't had a chance to really read it closely. The notable quotes so far from...

Spammers develop honeypot detecting software

The fine folks at Send-Safe are now selling a new bit of software that reportedly detects honeypots set up to snare and harass spammers. From their website: “Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called "honey pots". "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.” Haha, attempting to frame bulkers indeed!  If your clients were not aware of a particular system being a honeypot they obviously don't have permission...

A detailed analysis of a phishing scam

Also on SecurityFocus is an extremely detailed analysis of a recent phishing scam targeting mostly Citibank customers.  This same ring of spammers also went after customers of Paypal, E-Loan, E-Gold, Wells Fargo, Yahoo, and eBay during an intense 3-week period of activity.  These folks were very organized, and very sophisticated.  The initial emails originated from a server in Italy that was likely compromised, and the links in the email directed users to a server in Russia.  Incredibly, the server recorded 200,000 hits on it as a result of the initial string of emails.  Which means 200,000 people responded to this...

Lowe's gets hacked

SecurityFocus has an article about a pair of guys who hacked into a Lowe's home improvement store in Michigan and planted some credit card snatching software on the network. The noteworthy part is that they did it from the parking lot, while sitting in their Pontiac.  Seems the store was using a wide open wireless network to conduct business. Luckily, only 6 credit cards were captured by the rogue software before Lowe's noticed the Grand Prix with all the antennas sticking out of it and called in the feds. Too bad there's not a law against doing stupid things that might expose your customers' credit card information. ...

Botnets fueling new extortion crime wave

CNet's News.Com is reporting that large botnets are more commonly being used to blackmail Internet businesses into giving them money.  It's the age-old protection racket, using 21st-century technology. Basically, the bad guys grow a network of mostly home computers that have been hacked and sit on fat broadband connections.  Once the “botnet” is large enough, they point it at a victim site and pull the trigger.  The botnet, sometimes consisting of hundreds of thousands of hacked systems, then proceeds to overwhelm the victim's network with bogus traffic, effectively putting them out of business.  Once they make their point, the criminals turn off...

MSNBC does a big story on phisher scams

There is a good article on MSNBC right now about phisher scams that I wrote about (and demonstrated) recently on bmonday(dot)com.  They have some helpful tips about what you can do if you think you've been a victim of a phishing scam.

Microsoft offering $250,000 bounty for Blaster.a and Sobig authors

According to News.com, Microsoft and the FBI on Wednesday will jointly announce a $250,000 bounty for information leading to the arrests of the authors of the Blaster worm and the Sobig virus. This should be interesting.  Personally I hope the author of Blaster rots in jail for the rest of his natural life, once he's caught.  Maybe that would make a few miscreants think twice?

Make that TWO phishing convictions

SecurityFocus is running a story about an unlucky phisher who unwittingly tried to scam an FBI agent.  Seems her cohorts rolled over on her at the earliest possible opportunity.  Good for them. She pled guilty on Tuesday, sentencing is in January.  She is 55 years old.

Phishing for a living

Let's talk a moment about the art of “phishing”, shall we?  This ain't your daddy's fishing, no sir.  Phishing is the term being used to describe theft of credit card information, username/passwords, and/or identity information using a combination of email and bogus web sites. Consider, if you will, the following email from what appears to be Citibank: Oh crap!  They are going to cancel your checking account unless you clicky the linky!  So you do, and it takes you to something like this...  Looks like a Citibank page, doesn't it?  But is it really?  Where did I *really* send you?  Take a...

Cyberwar feature on Frontline

I ran across this on a security site yesterday, but now I can't find the source.  So I apologize for not giving props. PBS' Frontline did a feature called Cyberwar that was an hour-long show on the growing threats of cyberwar and what the US is doing about it.  If you follow the link you can watch the entire show in 6 segments. It includes an entire segment on how vulnerable the US power grid is to attack from the Internet.  And this was back in April, well before the big (still unexplained!) power outage in the Northeast. Very fascinating stuff.

Sneaky spammers

Over on the Incidents mailing list there is quite a bit of discussion about a new variant of the CoreFlood trojan that seems to be cropping up lately.  This is classified as a trojan, not a virus, since it does not attempt to propagate itself to other systems. The interesting thing about this one is that it is designed to help spammers obfuscate the source of their emails.  Basically it turns the infected system into a mail relay for spammers. Here's how it works: The first time it starts, it attaches itself to every running process on the system so that it cannot...

MSNBC does a story on the Spammer-Blacklists cyberwar

Not sure how I missed this, but last month MSNBC did a feature on the war going on between spammers and blacklists.  Though they call them “block lists” in the article (PC much, MSNBC?). The article gives some good insight into what is happening to the people behind the blacklist sites, and why they have generally opted to surrender to the spammers instead of trying to ride out the attacks.

"Do-Not-Spam" law passes

I recently ranted about a new law proposed by Senator Schumer of New York designed to do to spammers what the “Do-Not-Call” list is doing to telemarketers. Well, a bill containing the controversial proposal has passed in the Senate.  The House is currently considering the matter and hopes to have a bill on the President's desk by the end of the year.

Blackout a result of cyberterrorism?

The longer it takes the government to figure out what caused the Great Blackout of 2003, the more likely it is that it's what I have suspected all along: Cyberterrorism. No, I'm not saying it's a direct result of the Blaster worm, that's just coincidence. Blaster wasn't capable of this kind of targeted attack. On the contrary, actually. I think Blaster had a hand in limiting the attack to only the Northeast. Hear me out (I'm warning you now, you are going to be thinking "That Beau, he's one CRAZY mofo"): Follow me down the rabbit hole, for just a minute...

Blacklists are dying... what about whitelists?

As Blacklists around the world are being systematically destroyed by spammers, the concept of "whitelists" has been growing in popularity. While a blacklist is a list of known spammer email servers that you deny email from, whitelists are servers that are known good and specifically authorized to send you email. If you haven't specifically authorized a server to send you email by including it on your whitelist, that email gets unceremoniously dropped. As opposed to blacklists, which have been traditionally maintained in centralized databases on the Internet, whitelists are maintained by each individual company. This makes them more...

Uhh, yeah, good luck with that

It seems the esteemed gentleman from New York, Mr. Charles Schumer, is pushing for a new "do-not-spam" list, similar to the recently established "do-not-call" list that has been so popular with consumers. Yeah, let us know how that goes. Any time a US lawmaker tries to extend law into the Internet it displays their ignorance of the entire construct. The Internet is not a US-owned and operated entity that will suddenly come into compliance now that some random US law says it must. What if some spammer from Macedonia emails a US citizen that is on the "do-not-spam" list? ...

Go to a website, support a terrorist?

The State Department on Friday disclosed that for the first time, a number of web sites are on the US government's "Foreign Terrorist Organizations" list. This makes it a crime to "provide money or other material support to the designated Web sites". I got a question: If I were to, through the course of my research (I'm very interested in cyberterrorism, as my faithful readers know), visit one of these sites, am I guilty of a crime? If they have a banner ad on the site, and it generates revenue for the site owners (who are known terrorist...

2 more spam war casualties

Over the weekend spammers took out 2 more blacklist sites with DDoS attacks similar to those used to destroy Osirusoft and monkeys.com. The targets this time were the blacklist operators at SORBS and OpenRBL. Once again, law enforcement is nowhere to be found, so these attacks will surely continue until the spamming community has taken out all the blacklist servers on the Internet.

War

You probably don't realize it, but there is a full-blown cyberwar going on between the spamming community and blacklist services who are trying to keep them off the net. Blacklist services keep a list of email gateways that are known spam relays, and many mail systems can be configured to check the lists prior to accepting email from a server. These "blacklists" as they are called, have made life a little more difficult for spammers, forcing them to seek out and compromise more email systems to sustain their spamming needs. Several weeks ago, one of the most popular blacklists,...

Steve's book gets hacked

My friend Steve had his new book show up on a warez site recently. This really bums me out. I know some of the sacrifices Steve made to make this book happen, and it saddens me to know that some miscreant warez pirate is stealing from him and his family. Authors are lucky to even break even on a book, much less make a profit. This is exactly why I don't participate in Kazaa and its ilk. Even though I detest the music industry with every fiber of my being, I recognize that the product they sell comes from people just like...

Blaster.F Author Apprehended

Another idiot who took the original Blaster code and tweaked it just enough to incriminate himself was arrested last week in Romania. Talk about a moron. Still no word on Blaster.A author.

Microsoft working with feds; SoBig.F and Blaster may be terrorist acts?

If you've been paying attention, you know that I have a crazy theory that the recent blackout in the Northeast was a direct result of cyber-terrorists. And until someone proves me wrong, I'm sticking to my guns. However, according to this article in the WorldTechTribune Microsoft is working with the FBI to determine if either of the recent viral outbreaks (SoBig.F and Blaster) were also coordinated terrorist acts. Umm, no. Blaster was poorly written to begin with, and delivered no malware to speak of. And is a DDOS against Microsoft's Windows Update site really going to impact the world economy? Come on....

Repost: Slammer takes out network at nuclear power plant

(Repost due to previously mentioned operator error): Yeah, I know I said I'd give it a rest for a few days, but READ THIS! Apparently the nuclear power plant had a T1 line to the Internet that was bypassing the firewalls (because firewalls get in the way, you know). The result: The systems monitoring the most critical aspects of the plant (core temperature, etc) were disabled for nearly 5 hours. On a side note, this plant is operated by the fine folks at FirstEnergy, who are now the focus of the investigation into the recent blackout in the Northeast. If anyone needs me,...

The other big security story

Paul over at E2kSecurity.com posted about the *really* big security story that was drowned out by Blaster. The fact that the primary distribution center for the FSF was compromised by a hacker who had full root access to it for up to 6 months. Now consider that this distribution site is where everyone gets Linux drops from. Even the mirrors ultimately get their bits from this site. A hacker may have implanted trojaned code on the site and had it included in nearly every distribution of Linux built over the past 6 months. For example, the gcc compiler, which is...

Popular Anonymity Site Backdoored by German Court Order

This is HUGE. The Register is currently running a story about popular anonymity site Java Anonymous Proxy (JAP) being secretly back-doored by a German court order (JAP is located within Germany). Apparently, a few weeks ago, JAP suddenly went dark. The site said they were upgrading server hardware, and would be back in a few days. They also said that once service was restored, a new version of the JAP client would be required in order to continue using the service. What they failed to tell the consumers, is that the new client was trojaned (by JAP), and contained a secret function...

One more thing...

Let me make one more point about this cyberterrorism issue, then I'll let it rest for a day or two (promise!). Fox News is reporting that sabotage cannot be ruled out as a source of the Blackout. The odd thing is, the government says terror *has* been ruled out, but the possibility that a hacker caused the damage cannot be so readily dismissed. Am I the only one who finds this disturbing? Has our government suddenly forgotten what "cyberterrorism" is? Computer + Terrorist = Cyberterrorism. If you cannot rule out a computer-based attack, you cannot rule out terrorism. Period. End of story. A...

Lightning? My ass!

I'm sorry, but they can't really expect us to believe that a lightning strike (*cough*clear skies in Niagara last night*cough*) hit at just the right place to knock out power to 20% of the population of the US? Is our power infrastructure really so fragile?? I don't buy it. I think what we have here, if the government ever comes to admit it, is the largest case of cyberterrorism in history. Frankly I'd rather it be that than know that our nation's power grid is so fragile that it can't survive a simple hardware failure without dousing an entire quadrant of...

Linux Hacks Exceed Windows Hacks for the First Time Ever

According to the British research agency Mi2g, for the second quarter of 2003 successful Linux hacks exceeded successful Windows hacks for the first time since they have been keeping score (since 1995). For the 3-month period of March-May, Linux was attacked successfully 19,208 times, compared to 3801 successful Windows attacks during the same time period. If you want to read the full report, you will have to buy it from Mi2g. However, The Inquirer ran a related story, as did Geek.com. Mi2g blames the problem on the misconception that Linux is secure "out of the box", which in most cases is simply untrue....

Nigerian Email Scam

Quick: What is projected to be Nigeria's 2nd largest industry in 2003? If you answered "Nigerian Email Scam" (or "419 scam", or "Advance Fee Fraud"), you're correct! It is estimated that in 2003, the perpetrators of the scam will bilk about $2 Billion dollars from gullible victims around the world. It's gotten so bad that British intelligence agencies report seeing as many as 5 Americans waiting in hotel lobbies to meet people connected with the scam. Here's how it works: The scammer sends spam (either email or fax, or sometimes even snailmail) to prospective victims, promising them a 30% cut of some...

Organized Credit Card Fraud

The Honeynet Project has recently published an interesting paper on automated credit card fraud, and how this particular underworld operates. Identity theft and credit card fraud are both booming businesses that have been helped enormously by the continued growth of online commerce around the world. But that's not the bad news. The bad news is: They're organizing.

Bullshit Alert

I have to call "bullshit" on the report put out by the ICC recently, that claims 60% of cybercrime originates in the United States. Anyone on the front lines can tell you this is complete BS. The US may lead the world in *reported* cases, but that's because the US is becoming more strict about publicizing intrusions. I read IDS log files every day, and Asia and Eastern Europe top my list. Where the hell is Macedonia anyway?

New CyberSecurity Division formed under Homeland Security

Welcome to the party boys! Sorry, the beer ran out 2 years ago. It's about time the gubment start taking seriously what whitehats have been shouting from every available rooftop: Cybercrime/CyberTerrorism is a real threat to the security of this nation, and the private sector can't stave it off alone. Conducting acts of cybercrime isn't nearly as hard as hijacking 4 aircraft and flying them into a building. You don't need to recruit some extremist wacko who is willing to strap a bomb to his chest and die for the cause. Al Qaeda has already proven it has the skills...

Uh.... Soon?

Forgive me for not being encouraged by former presidential Internet security advisor (and now eBay's head security czar) when he goes on record saying (and I quote) "Soon we'll see a zero-day exploit". Uhh, where the hell have you been, pal? It should be common knowledge that black hats are often using exploits in the wild well before white hats have discovered them. In fact, a good percentage of zero-day exploits are discovered by honeypots and IDS systems as they are executed against target networks. eBay is so screwed.