Sunday, April 15, 2012

Sales People and Social Engineering

Had an email exchange with an unknown sales person from a company I have never heard of before:

Email 1:
PSG: We are blah blah managed security provider doing SIEM, IPS monitoring, etc. Do you have 15 minutes for a call?
Me: No. We do these in-house and have no need for your services.

Email 2:
Thank you for the feedback. Generally, when a client has an in-house SIEM tool, I like to always ask the following questions to help better understand if the tool is effective.
  1. What are you doing for alerting for all your critical device?
  2. If you had a breach, how quickly would you know about it? How effectively would you be able to react?
  3. Do you feel that you have it fully deployed in your environment for all your critical devices?
  4. Do you have a dedicated staff to support this tool effectively?

I know these are tough question to address over an email. Would you be available for a 15 minute call this week?

Me: No. This is information I would not discuss without an NDA and a legitimate business reason.

Email 3:
PSG: You are right. Here is our mutual NDA--please sign and send back and then we can discuss.
Me: No. I have no "legitimate business reason" to discuss this with you. Please take my name off your list.

Emails are a bit abridged except for email 2, which is a copy-paste of the original.

I could answer 4 I suppose, but 1-3 would be considered highly confidential information.

Perhaps my first mistake was engaging with him in the first email, but I sympathize with sales people and wanted him to use his time efficiently by knowing that he will not make a sale here.

But the subsequent emails, apart from putting himself firmly in my blackhole list, got me thinking.

How much does it take to set up a website, print some business cards and get an 800 number? I think $1000 is adequate. Even better--invite a number of local security people to a lunch-and-learn. At about $50/head (3 course meal at mid-range steak house in the Metro Boston area), an attacker can get pretty good information by asking just one question: "What keeps you up at night?"

I've been to area meetups where security people describe internal controls or security problems in front of a room full of strangers.

We do awareness training for general users. Is it time to do a specialized awareness training for security people?

Friday, January 27, 2012

LinkedIn's sneaky privacy policy change

[Only relevant if you are on LinkedIn]

While the world is railing against Google's privacy policy change, LinkedIn has quietly opted in its members to a policy that says they can use the members' name/photo in advertisements.

Forwarded email below:
Some simple actions to be considered:

1. Place the cursor on your name at the top right corner of the screen. From the small pull down menu that appears, select "settings"
2. Then click "Account" on the left/bottom
3. In the column next to Account, select the option "Manage Social Advertising"
4. Finally un-tick the box "LinkedIn may use my name and photo in social advertising"
5. and Save

I normally cringe when I see "tell all your contacts" but in this case I guess it is justified. So tell all your contacts.

Monday, January 17, 2011

Malware kits becoming professional, with a ton of metrics

Krebs on Security has posted an image of the administration dashboard of 2 malware kits.

Here is one:

Apart from the interesting background and the mis-spelled 'Unics' the analytics is very nice. After all, every cybercriminal businessman needs metrics!

Here is the full post.

While Brian talks about these being Java exploit packs, I am more alarmed by the professional (for lack of a better word) look of the kits. This is geared towards someone who wants to see what works and what does not so attacks can be fine-tuned or changed. And I am afraid it is going to get worse.

Tuesday, June 29, 2010

Russian spies and adhoc wi-fi

On June 28, 2010, the FBI arrested 10 Russian spies. The complaint against two of them, Anna Chapman and Mikhail Semenko, is fascinating. Instead of dead drops at cemeteries or brush-passes at crowded restaurants, these spies set up adhoc wireless networks between 2 laptops and exchanged information.

The complaint first describes what an adhoc wireless network is:

and then cites many examples of how, when Anna Chapman opened up her laptop and a certain Russian government official was nearby (in a van outside a coffeeshop or standing outside a bookstore), an ad-hoc wireless network with the same two MAC addresses sprang up.
Semenko used the same technique. In one instance, he was sitting in a restaurant, while a car with diplomatic plates (issued to the Russian embassy) entered the parking lot and sat there for 20 minutes and then left.

Further down, Semenko described to an undercover FBI agent posing as a Russian diplomat how he zipped up the files, opened up his laptop to set up the adhoc wifi and transferred the files.

A number of questions and thoughts:
- Because the FBI knew enough to pose undercover agents as Russians and arrange meets with the spies, they had penetrated the ring for a very long time. Other documents mention search warrants against safe-deposit boxes as early as 2001.
- Which brings up another question. Why did Russian agent and FBI counter-intelligence honcho Robert Hanssen not warn them? His position in the FBI should have guaranteed he knew about this.
- Or did Hanssen, who was arrested in 2001, give them up?
- But if Hanssen knew about this team, why didn't the Russians pull them out?
- Anna Chapman must have smelled a rat, and that's why she bought a disposable phone (to call Russia?) and did not show up for the meeting the next day (June 27).
- Which must have led to the arrests on the 28th because the FBI decided the spies were on to them.

Thursday, May 6, 2010

What Virustotal says about a suspicious attachment and AV products

I received a $50 iTunes gift certificate today as a zip file. Yay!

I uploaded it to Virustotal, and the result is below. If the formatting is lost, you can see the report here:

First, Virustotal told me that they already have seen this file. Next, very few AVs identified it as a threat. And at the risk of beating up on McAfee again, their gateway version with a May 6 def identified it, but their regular (?) version with a May 7 def did not! In all, only 8 of 41 identified it.

AVG, which is on my laptop, did not identify it either.

My question: what happened to AV companies sharing knowledge? I would have thought in 24 hours at least all the big boys would have shared the signature. A 20% detection rate is pretty bad. But as McAfee's left hand does not know what its other left hand is doing, I guess I should not be too surprised.

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | | 2010.05.07 | - |
| AhnLab-V3 | 2010.05.07.00 | 2010.05.06 | - |
| AntiVir | | 2010.05.06 | - |
| Antiy-AVL | | 2010.05.06 | - |
| Authentium | | 2010.05.06 | - |
| Avast | 4.8.1351.0 | 2010.05.06 | - |
| Avast5 | 5.0.332.0 | 2010.05.06 | - |
| AVG | | 2010.05.07 | - |
| BitDefender | 7.2 | 2010.05.07 | Gen:Variant.Bredo.4 |
| CAT-QuickHeal | 10.00 | 2010.05.04 | - |
| ClamAV | | 2010.05.06 | - |
| Comodo | 4783 | 2010.05.06 | - |
| DrWeb | | 2010.05.07 | - |
| eSafe | | 2010.05.06 | - |
| eTrust-Vet | 35.2.7472 | 2010.05.06 | - |
| F-Prot | | 2010.05.06 | - |
| F-Secure | 9.0.15370.0 | 2010.05.07 | Gen:Variant.Bredo.4 |
| Fortinet | | 2010.05.05 | - |
| GData | 21 | 2010.05.07 | Gen:Variant.Bredo.4 |
| Ikarus | T3. | 2010.05.06 | - |
| Jiangmin | 13.0.900 | 2010.05.06 | - |
| Kaspersky | | 2010.05.07 | - |
| McAfee | 5.400.0.1158 | 2010.05.07 | - |
| McAfee-GW-Edition | 2010.1 | 2010.05.06 | Artemis!ECB1C56D7D93 |
| Microsoft | 1.5703 | 2010.05.06 | - |
| NOD32 | 5092 | 2010.05.06 | - |
| Norman | 6.04.12 | 2010.05.06 | - |
| nProtect | 2010-05-06.02 | 2010.05.06 | Gen:Variant.Bredo.4 |
| Panda | | 2010.05.06 | Suspicious file |
| PCTools | | 2010.05.06 | - |
| Prevx | 3.0 | 2010.05.07 | - |
| Rising | | 2010.05.06 | - |
| Sophos | 4.53.0 | 2010.05.07 | Mal/FakeAV-BW |
| Sunbelt | 6272 | 2010.05.06 | - |
| Symantec | 20091.2.0.41 | 2010.05.06 | - |
| TheHacker | | 2010.05.06 | - |
| TrendMicro | | 2010.05.06 | PAK_Generic.001 |
| TrendMicro-HouseCall | | 2010.05.07 | - |
| VBA32 | | 2010.05.06 | - |
| ViRobot | 2010.5.6.2304 | 2010.05.06 | - |
| VirusBuster | | 2010.05.06 | - |

Saturday, April 10, 2010

Cheapest 419 scam ever

Received this just now. Are they just giving up now? Or is it some sort of ultra-soft-sell?

Also notice that they are not sure about my religious affiliation.


Dearest one,

I greet you in names of our almighty allah? however let me give you brief introduction myself, My name is Aliman Keita the only surviving daughter of Mr &Mrs Sadiq Keita, he deposited ($6.5) I will give more details concerning me and the transaction.

Miss Aliman.

- Keita Sadiq Aliman

Saturday, January 30, 2010

A "safe" handgun or a $9700 design fail waiting to happen?

Wired is reporting that Armatix introduced a Euro 7000 (US$ 9700) handgun that can only be fired if it is armed via a wristwatch worn by the shooter.
This year, the highest-tech gun belonged to Armatix. The German firm has an electronic safety that automatically disables the pistol when it’s not within a few inches of a custom wristwatch. The watch sends a wireless arming signal to the gun. If the gun is picking up a signal from the watch, a green LED on the back lights up. Try squeezing the handle without wearing the watch, and you will see a red warning light. Anyone can pick up a limited edition version of the pistol for about 7,000 euro, which is pretty steep for a .22cal plinker. They start shipping next month.

Few inches, eh? Smells like RFID. Then we found this on Armatix's website:
The benefits of biometrics (sole allocation to specific people) are also combined with those of Radio Frequency Identification ( split- Seconf activation, hands-free operation.

"Seconf" above should be "second", but that might be the least of their problems. My problem is, given the many, many security failures I have seen in basic authorization/authentication schemes, I anticipate a slew of them in this handgun. Here are some of them:
  1. It's not like RFID has been read or cloned. Oh wait!
  2. RFID can be jammed. For that matter, any RF can be jammed.
  3. Forget high-tech... throwing a bucket of water at the person holding the gun at you might work. I see a Rush Hour sequel where Chris Tucker almost gets Jackie Chan killed by spilling coffee on his wrist and rendering his gun into a paperweight.
  4. The flip-side of jamming is arming. People have read RFID passport numbers and cloned them. Then it is just a matter of playing that back, from a more powerful transmitter, and suddenly the "safe" gun will fire a bullet.
  5. And then of course, the same RFID scanners can be used to identify who is carrying those guns and wrist-watches.
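
To make point 4 concrete, here is an added sketch (not from Wired, Armatix or the original post) of why a token that always transmits the same identifier can be played back, while one that answers a fresh challenge cannot. Nothing here describes how the Armatix watch actually works; the class names, the key and the tag identifier are all hypothetical and constructed for the illustration.

```python
import hashlib
import hmac
import secrets

class StaticIdVerifier:
    """Hypothetical design: accepts whoever transmits the paired identifier."""
    def __init__(self, paired_id: bytes):
        self.paired_id = paired_id

    def verify(self, transmitted: bytes) -> bool:
        return hmac.compare_digest(transmitted, self.paired_id)

class ChallengeResponseVerifier:
    """Hypothetical design: fresh nonce per attempt, expects HMAC(key, nonce)."""
    def __init__(self, key: bytes):
        self.key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge, nothing to answer
        expected = hmac.new(self.key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # each nonce is good for one attempt only
        return hmac.compare_digest(response, expected)

def token_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate token computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def run_demo() -> dict:
    results = {}
    # Static scheme: the bytes overheard once are the credential forever.
    tag_id = b"constructed-tag-0001"  # constructed sample value
    overheard = tag_id
    results["static_replay_accepted"] = StaticIdVerifier(tag_id).verify(overheard)

    # Challenge-response: a captured answer is bound to one nonce.
    key = secrets.token_bytes(32)
    cr = ChallengeResponseVerifier(key)
    captured = token_response(key, cr.challenge())
    results["genuine_accepted"] = cr.verify(captured)
    cr.challenge()  # next attempt gets a new nonce
    results["cr_replay_accepted"] = cr.verify(captured)
    return results

if __name__ == "__main__":
    print(run_demo())
```

A fresh challenge only addresses playback of a recorded value. It does nothing about jamming (point 2) or tracking (point 5), and a live relay between the real token and the verifier is a separate problem.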

One can only hope that this gun will be completely safe because there are no morons who will pay that kind of money for a .22.