
CONFERENCES IN FEBRUARY

Next month we will take part in several events related to security.

On February 2nd, Leonardo Nve, Senior Security Auditor, will give a talk on "Playing in a Satellite Environment 1.2" at Black Hat DC 2010, in Arlington, Virginia, USA. More information about registration is available here.

One week later, we'll be in Leon at the event Trust in the Information Society, which will be held on February 10 and 11. Daniel Brett, International Account Manager, will take part in the session "International Cooperation on Trust and Security Research".

We will also be sponsoring the I Encuentro Internacional de Protección de Infraestructuras Críticas de Información (1st International Meeting on Protection of IT Critical Infrastructures), organized by the CNPIC (National Center for the Protection of Critical Infrastructures) of the Ministry of Internal Affairs. Our role will be to moderate the panel “Visión de los Gestores IC”.

If you intend to attend any of these events, don’t hesitate to come and say hello!





If you can’t find a job, it’s because you don't want one

In these difficult times, many people have lost their jobs. Losing your job is hard. Finding a new one can be hard too, and the need to find a new position can push us to accept any kind of offer.

In this context, there have been many spam campaigns lately offering the most peculiar positions.

Generally, the pattern is always the same: make money working from home, only four hours a day, very well paid. The job consists of making bank transfers. The employers label the position “financial agent”.

Well, as many of you already know, these offers are completely fraudulent. In reality, the aim of these transfers is simply money laundering, specifically of money obtained through phishing. This means that the applicant who accepts the job is actually committing a serious crime. When the victim realizes the fraud and reports it to the police, the "financial agent's" bank account will be blocked and they will be required to pay back the stolen money. At that very moment, the “financial agent” will be promoted to scapegoat, a position of high responsibility in the organization.

The recent evolution of these types of e-mails has been remarkable. At the beginning they were just plain text e-mails, very often badly translated, but they’ve become increasingly well presented and successful at masquerading as job search sites, or even charitable organizations.

As an example, here is a fake job offer from Monster (a job search site I haven't signed up for) that arrived in my inbox a few days ago:

 

[Image phishing_mula: screenshot of the fake Monster job offer]

So, you've been warned. Be careful with these e-mails, they can get you into real trouble!

 

Asier Marruedo

S21sec e-crime






Social engineering in YouTube

I was looking for a movie trailer on YouTube a few days ago and came across some strange search results. The movie had only just reached theaters, but apparently someone had already uploaded parts of it to YouTube. This aroused my curiosity and I decided to follow the link. Instead of a video, it was a black screen with the message "I can't upload this on YouTube as it will get deleted! Click the link on the right to watch!”


That was suspicious. Also, there were no comments about the movie, because the user who uploaded the video had disabled them. Needless to say, the link takes you to a fake player that installs a Trojan on your computer.


On the day of the investigation, the video had been viewed by 10,000 users. Of course, not everybody took the bait, but assuming that one in every twenty did, the result is 500 infected computers...

Jozsef Gegeny
S21sec e-crime





Alarm! Alarm! There’s been a problem!

Incident management is never easy, and it varies greatly depending on the type of incident and on the personnel available when the problem arises. We all know how incident management groups are supposed to be formed, and the theory is all very good, but it fails 90% of the time. The group is almost always formed with whoever is available at the moment the problem takes place. Detecting a problem at 4 a.m. on a Sunday is very different from detecting it on a Tuesday at noon, when the whole staff is at work. And best of all, there is always the passer-by who ends up standing shoulder to shoulder with the rest of the team, even though he or she is not involved at all.

Now that we have our group, it’s time to solve the problem. An incident in a control system cannot be addressed in the same way as one in the corporate network. In the latter, the most important thing is that the problem is solved before it can affect the whole company, so isolating the problem is essential. How should this be done? Easy: we disconnect the infected machines from the rest of the network. In the control network, however, availability is the first priority. We cannot just disconnect a machine and go home, because if that computer happens to control the reactor (let’s assume we're dealing with a problem in a nuclear plant) we end up with a new Chernobyl. The equipment must stay on and working for as long as possible, at least until there is time to stop the systems that rely on the infected computers. Therefore, time management, preparation before the incident, backup copies, etc., are extremely important here to minimize the damage.

The contingency plan must begin at installation/implementation time. It might seem tedious, and it will probably never be used, but it is important to document and record the steps taken to install the equipment (configuring the operating system, installing software, importing applications, etc.) and to measure the time each task requires. This way we’ll always know how long it takes to recover the system from a complete disaster, provided we have the appropriate hardware. More often than not, something as trivial as a backup copy is not done, or is not correctly documented. It is very important to keep track of backup copies and of the history of changes between them. Maybe the problem can be solved simply by going back to a previous state of the system.

Having spare computers for critical equipment can seem useless and unnecessary (control equipment is expensive) if we think that “our company has never had any problems”. We all know that accidents happen sooner or later, and we had better be prepared. Returning to the example of the nuclear plant, a program failure caused by an update that happens to be incompatible with some function can easily be solved by replacing the computer with another one that does not have the update. This way, availability is not seriously compromised, and we can recover the infected/problematic computer later. This measure, combined with regular copies of the data, should be enough to avoid major problems with control systems.
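As an added example, not code from the post, here is a small Python model of the bookkeeping the previous paragraphs recommend: each installation step is recorded with its measured duration, backup copies are registered together with whether a restore of them has actually been tested, and an asset's full rebuild time is compared with the time the systems that depend on it can run without it (a spare machine on site removes that constraint). The asset names, step durations, dates and the 30-day backup-age limit are constructed sample values, not data from any real plant.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Step:
    """One installation/configuration step, timed when it was first performed."""
    name: str
    minutes: int


@dataclass
class Backup:
    """A registered backup copy; restore_tested records whether it was ever restored."""
    taken: date
    label: str
    restore_tested: bool


@dataclass
class Asset:
    name: str
    max_outage_minutes: int            # how long dependent systems can run without this asset
    runbook: list = field(default_factory=list)
    backups: list = field(default_factory=list)
    spare_on_site: bool = False        # a pre-built replacement machine is available

    def rebuild_minutes(self) -> int:
        """Time to rebuild from scratch, as documented in the runbook."""
        return sum(step.minutes for step in self.runbook)

    def latest_tested_backup(self):
        tested = [b for b in self.backups if b.restore_tested]
        return max(tested, key=lambda b: b.taken) if tested else None


def assess(asset: Asset, today: date, max_backup_age_days: int = 30) -> list:
    """Return findings that would slow down or block recovery; an empty list means ready."""
    findings = []
    if not asset.runbook:
        findings.append("no documented installation steps, so the recovery time is unknown")
    elif asset.rebuild_minutes() > asset.max_outage_minutes and not asset.spare_on_site:
        findings.append(
            f"rebuild takes {asset.rebuild_minutes()} min but dependent systems "
            f"survive only {asset.max_outage_minutes} min, and no spare is on site"
        )
    backup = asset.latest_tested_backup()
    if backup is None:
        findings.append("no backup copy whose restore has been tested")
    elif (today - backup.taken).days > max_backup_age_days:
        findings.append(f"latest tested backup is {(today - backup.taken).days} days old")
    return findings


# Constructed sample inventory for a hypothetical plant (not real equipment).
TODAY = date(2010, 1, 20)
HMI = Asset(
    name="reactor-hmi-01",
    max_outage_minutes=60,
    runbook=[Step("install OS", 45), Step("install SCADA client", 90),
             Step("import project and tags", 60), Step("validate with operators", 30)],
    backups=[Backup(date(2009, 12, 1), "full image", True),
             Backup(date(2010, 1, 18), "config export", False)],   # never restore-tested
)
HISTORIAN = Asset(
    name="historian-01",
    max_outage_minutes=240,
    runbook=[Step("install OS", 45), Step("install historian", 120), Step("restore DB", 180)],
    backups=[Backup(date(2010, 1, 15), "db dump", True)],
    spare_on_site=True,                # rebuild is slow, but a spare covers the outage window
)


def report(assets, today=TODAY) -> dict:
    """Map each asset name to its list of findings."""
    return {a.name: assess(a, today) for a in assets}


if __name__ == "__main__":
    for name, findings in report([HMI, HISTORIAN]).items():
        print(name, "->", findings or ["ready"])
```

Run on the sample inventory, the HMI is flagged twice (its documented rebuild takes 225 minutes against a 60-minute window with no spare, and its only restore-tested image is 50 days old), while the historian passes because the spare machine covers the rebuild time and its backup is recent and tested.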

What usually fails after an incident is solved is the documentation process. Since the problem has already been solved, the team that has been working on it goes back to its everyday tasks and forgets to write up what it did and which steps it took to address the incident. If something similar happens again, we can save time if we have everything in writing and can read it beforehand, so that the solution does not depend on chance or on a brilliant idea. Maybe the first time the brilliant idea proved good, but that might not happen the next time, and the consequences would be disastrous.

We must remember that an incident in a control network can have grave effects on the environment, people and infrastructures, and nothing should be left to chance.


Jairo Alonso
S21sec Labs





10 fraudulent uses for Twitter

Following on from the article Networking hacks: Top 10 Facebook and Twitter security stories of 2009: Twitter, with more than 44 million unique users, is a juicy channel where individuals and organizations dedicated to on-line fraud co-exist in a varied ecosystem.

We think it would be interesting to highlight some of the fraudulent uses for Twitter:

1) Phishing on Twitter: Phishing not only targets banking and payment services like Paypal. Any popular service is exposed to this threat; the aim is not only to take over the Twitter account, but also to use the public profile as a way into other services.

Advice: treat the credentials of every service with the same care as your on-line banking credentials. Do not use the same password for more than one service, and pay attention to the URL of the log-in page.

URLs used for phishing on Twitter (already taken down):
hxxp://secure-login.twitter.verifiylogin.com/twitter/
hxxp://videos.twitter.secure-logins01.com/
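The advice "pay attention to the log-in page URL" can be turned into a strict check. The following Python function is an added example, not code from the post: it accepts a URL only if its host is the expected domain or a genuine subdomain of it, which rejects the two defanged hosts quoted above (the brand name sits in a subdomain of a domain the brand does not own), bare IP addresses, "user@host" tricks and plain HTTP. The expected domain twitter.com and every URL other than the two quoted in the post are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def login_url_belongs_to(url: str, expected_domain: str, require_https: bool = True) -> bool:
    """True only if `url` is served from `expected_domain` or one of its subdomains.

    IP-literal hosts, look-alike hosts that merely contain the brand name and
    "user@host" tricks all fail, because urlsplit().hostname yields the real host.
    """
    # Reports defang URLs as hxxp://; normalise so urlsplit recognises the scheme.
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    if require_https and parts.scheme.lower() != "https":
        return False
    try:
        ipaddress.ip_address(host)
        return False                     # a bare IP address never belongs to the brand
    except ValueError:
        pass
    expected = expected_domain.lower().rstrip(".")
    # Compare the *end* of the host name, so "twitter.com.evil.example" fails.
    return host == expected or host.endswith("." + expected)


# Constructed sample set: the two defanged URLs are the ones quoted in the post,
# the rest are made up for this example.
SAMPLES = {
    "https://twitter.com/login": True,
    "https://mobile.twitter.com/login": True,
    "hxxp://secure-login.twitter.verifiylogin.com/twitter/": False,
    "hxxp://videos.twitter.secure-logins01.com/": False,
    "https://twitter.com.evil.example/login": False,
    "https://twitter.com@evil.example/login": False,
    "https://203.0.113.10/twitter/login": False,
    "http://twitter.com/login": False,          # plain HTTP is rejected
}


def check_samples(expected_domain: str = "twitter.com") -> dict:
    """Verdict for every sample URL against the expected domain."""
    return {u: login_url_belongs_to(u, expected_domain) for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print("OK  " if verdict else "BAD ", url)
```

Note that the host comparison is an allow-list, not a heuristic: a URL either ends in the brand's own domain or it does not, so there are no false positives to tune, at the price of having to know the expected domain in advance.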


2) Social engineering: Social engineering is one of the most dangerous weapons of cyber-criminals, and also one of the most efficient. Koobface jumped onto Twitter in July 2009. Tweets with random strings such as "WOW", "LOL" or ":)" started to appear, with links to download an update for Flash Player. Of course, this “update” contained malware. The situation gets worse with URL shortening, which can also be used to hide the real URL. The clickjacking attacks on Twitter relied on this weapon too.









RSA-768, factorized

We spoke some time ago in a previous post about AES and RSA cryptographic keys, and how long it would take to break them. The New Year brought news on this subject. An international team of scientists from EPFL (Switzerland), INRIA (France), NTT (Japan), CWI (the Netherlands) and the University of Bonn (Germany) managed to factorize a 768-bit number (232 digits), known as RSA-768 from the RSA Challenge. Although the challenge was discontinued years ago, some researchers are still paying attention to it. The previous record, a 663-bit number, was set on May 9, 2005. More than two years and many hundreds of machines were needed to factorize RSA-768, an effort equivalent to one processor working non-stop for 1500 years.

The fact that RSA-768 has been factorized doesn’t mean that RSA keys are useless; it means that, if we decide to protect our data with RSA-768, it would take an attacker about the same effort to illicitly access that data, or even less with the appropriate supercomputing infrastructure. Therefore, if we want to properly protect sensitive data, it is advisable to use longer keys. Along the same lines, the authors of the article say that factorizing an RSA-1024 modulus is about one thousand times harder than RSA-768, but the factorization of RSA-1024 keys will surely be completed if the same effort is made as for RSA-768. Therefore, if we want to protect relevant data with RSA, we’d better start thinking about using RSA-2048 keys, although, as we have stated before, the time will come when these keys are compromised too. It's just a matter of time, and also a matter of whether the encrypted data is worth all the effort.
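The "about one thousand times harder" figure can be reproduced from the heuristic running time of the general number field sieve, the algorithm used for records of this size: L_n[1/3, c] = exp(c · (ln n)^(1/3) · (ln ln n)^(2/3)) with c = (64/9)^(1/3) ≈ 1.923. The Python below is an added example, not code from the post or from the RSA-768 team; it compares key sizes through that formula and scales the post's own figure of roughly 1500 single-processor years for RSA-768 to other sizes. Constant factors, memory requirements and future algorithmic improvements are ignored, so the results are order-of-magnitude estimates only, and the core counts passed to years_with_cores are assumptions.

```python
import math

GNFS_C = (64 / 9) ** (1 / 3)   # exponent constant of the general number field sieve, ~1.923
RSA768_CORE_YEARS = 1500       # single-processor years quoted in the post for RSA-768


def log_gnfs_effort(bits: int) -> float:
    """Natural log of the GNFS heuristic running time for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)                        # ln n for an n of the given bit length
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def effort_ratio(bits: int, reference_bits: int = 768) -> float:
    """How many times harder factoring a `bits`-bit modulus is than a `reference_bits` one."""
    return math.exp(log_gnfs_effort(bits) - log_gnfs_effort(reference_bits))


def estimated_core_years(bits: int) -> float:
    """Scale the post's 1500 core-years for RSA-768 by the GNFS ratio."""
    return RSA768_CORE_YEARS * effort_ratio(bits)


def years_with_cores(bits: int, cores: int) -> float:
    """Wall-clock years if the work is spread perfectly over `cores` processors."""
    return estimated_core_years(bits) / cores


if __name__ == "__main__":
    for size in (768, 1024, 2048):
        print(f"RSA-{size}: {effort_ratio(size):12.3g} x RSA-768, "
              f"~{estimated_core_years(size):10.3g} core-years, "
              f"~{years_with_cores(size, 100_000):10.3g} years on 100k cores")
```

For 1024 bits the ratio comes out at roughly 1.2 × 10^3, matching the thousand-fold figure from the paper, while 2048 bits lands around 10^12 times the RSA-768 effort, which is why the post recommends moving to RSA-2048 rather than RSA-1024.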



Guzmán Santafé
S21sec labs





Poisoned truth


Psyops is a term from military jargon to describe the strategies used in an armed conflict that aim at influencing the enemy, usually in an attempt to demoralize it or make it support our cause. It could be described as social engineering applied to the battlefield.

From Genghis Khan’s tactics to the aggressive and complex defacements characteristic of current cyber-wars, the history of warfare is scattered with attempts to psychologically change the enemy’s mind by manipulating their perception of the facts. To achieve this, it is necessary to modify the information the enemy receives. The only difference from the strategies of the past is that the battlefield has changed.

At first glance it might seem that a decentralized structure like the Internet, which is based on scattered sources of information, should be extremely difficult to poison or manipulate, since it is impossible to take control of all sources of information available to the users. However, a series of incidents throughout 2009 have demonstrated that this hypothesis is far from being accurate, and that the Net is terribly vulnerable to a well-crafted lie. In fact, to conduct a successful attack we could imagine a two-stage strategy:

  1. First, we should analyze the information available about the targeted subject until we find a reasonable number of key sites, from where our lie will "propagate itself" after being injected.

  2. Once these sites have been located, it’s the turn of astroturfing, which is basically the spreading of false information (better said, misinformation) so that it looks as if it came from many independent sources. By fooling others into thinking that there is wide support for a cause, the attackers can encourage a favorable opinion about it. The key to success is making the public believe that all opinions come from a large number of independent, unorganized and geographically scattered individuals, which is easy to achieve with the appropriate means.

A sufficient number of astroturfers can decide what makes the headlines or bury important news on sites like Digg or Menéame, vote on videos on YouTube, keep false entries alive, write their own version of the facts on Wikipedia and even influence Google searches.

In recent years we have seen numerous examples of astroturfing with a diverse range of targets, from ridiculing political campaigns to boosting the sales of a product. In fact, the governments of China and Israel have acknowledged using groups of astroturfers (volunteers and paid staff respectively) to flood political and human rights advocates’ forums with opinions favorable to their political agenda.

Javier Barrios
S21sec e-crime





Harassment without a face

After becoming familiar with the word bullying, a term used to describe psychological harassment among minors at school, a new neologism has appeared: cyber-bullying. Cyber-bullying refers to the use of telecommunication means (mainly mobile phones and on-line games) to psychologically harass, annoy, threaten, vex, humiliate and/or bother someone in a deliberate manner. If any of the people involved, victim or attacker, is not a minor, the term cyber-harassment is used instead. In the case of an adult attempting to lure children or teenagers into sexual encounters, the authorities call it cyber-stalking.

Cyber-bullying can manifest itself in various forms, depending on the attacker’s computer skills and imagination. One of the most common practices is the sending of compromising information through instant messages (SMS, Skype, Messenger…).

Similarly, posting offensive comments about the victim (or on his/her behalf) on blogs, forums and websites is another form of harassment. Cyber-bullying also involves stealing user names and passwords to e-mail accounts in order to change them, preventing the legitimate user from accessing his/her own account, or to read his/her private messages. The attacker can go further and send messages on behalf of the victim. The same can be achieved by creating a new account using the victim’s personal information. In addition to text, the attacker can also send images through SMS or e-mail.

One can suspect that someone is being subjected to cyber-bullying when they don’t use the Internet as frequently as before, or when they constantly “forget” their mobile phone at home because they’d rather not have it with them.

Normally, on-line harassment doesn’t have grave consequences. Fortunately, in most cases it is a temporary phenomenon that fades away with age. However, there have been cases that ended in suicide. For example, there are about 38,000 Japanese websites that, in addition to hosting pornographic or extremely violent content, are used by Japanese secondary/high school students to publish threats, offensive messages or compromising pictures of their classmates. Cyber-bullying made the headlines in July 2007, when an 18-year-old boy committed suicide after his classmates posted a naked picture of him on an unofficial school website.


There’s not much teachers can do against cyber-bullying, since it mainly occurs outside school facilities and hours. This is why it is necessary to educate parents about how to stop and correct these situations, so that they can teach their children basic ethical principles concerning the use of the Internet. Teaching basic rules could help eradicate the problem: being cautious with the personal information shared, being kind and respectful to others, not being vindictive or aggressive, defending threatened people by reporting the facts to parents and teachers, and reporting abuses to the e-mail, telephone, instant messaging, social network or any other on-line service provider involved in the harassment.

Due to the nature of this type of harassment, which is only apparently anonymous, gathering evidence to find the attacker wouldn’t be too difficult, since it is easy to store documents, pictures or conversations that can be later used as evidence, and also because everything we do on the Net leaves traces behind.

To find out more on the subject (Spanish):
www.internetsinacoso.com/
www.ciberbullying.net/
www.ciberbullying.com/
www.laflecha.net/canales/seguridad/noticias/consejos-para-proteger-a-los-jovenes-del-ciberbullying

Amaia Urtasun
S21sec e-crime





New trends, old tricks: Google Nexus One

The fact that fraudsters take advantage of the latest on-line trends is by no means new. But this case is particularly significant.

Google has recently launched Nexus One, a phone created by Google itself that’s sold exclusively through their own website. For the moment, the device can only be purchased in certain countries. If we try to access the website from Spain, this is what we'll find:



But if we’re not happy with this answer and are determined to find alternative ways to get the phone, it might occur to us to google “buy nexus one”.



The surprise comes when, in a splendid and easily clickable 5th position, we come across a link that takes us to this:



Analyzing this binary with VirusTotal shows that it was uploaded for the first time on 12 January 2010, two hours before the first Spanish version of this article was drafted. Also, only 8 out of 41 anti-virus engines detected it as a Trojan or suspicious file.

This should make us reflect on the real power of the infrastructure used in on-line fraud, which is perfectly able to put a fraudulent website in the 5th position of Google - by far the most popular search engine - and on top of that, lure victims with a smartphone manufactured by Google itself.

The link ranks even higher than the official Nexus One website in that search.



Update 13 January 2010, 4:49 p.m.

At this very moment, the first four entries that appear after searching "buy nexus one" in Google are also links to copies of the same fraudulent website mentioned above.



Jose Alemán
S21sec labs





HaztePre, new awareness campaign

On 4 December 2009, the Consejo Nacional Consultivo de Cyberseguridad (National Consultative Committee on IT Security, or CNCCS, founded in part by S21sec), together with the Instituto de Tecnologías de la Información y la Comunicación (Institute of Information and Communication Technology, INTECO) and the Oficina de Seguridad del Internauta (Office of Security for Internet Users, OSI), started a new awareness campaign called HaztePre. The campaign, hosted at http://www.haztepre.es/, targets people of all ages with basic knowledge of the Internet, and gives information on using new technologies in a responsible and safe manner. It offers not only educational material, but also advice, guides and free tools. Its motto is “En Internet, como en la vida, hay que SerPRE: ser precavido, estar prevenido y preparado”, which means: on the Internet, as in real life, we must be cautious, careful and ready.

The campaign deals with the most important good habits for using a computer that should be taken into account by Spanish Internet users. It also gives some tips on how to stay safe and act cautiously: detailed instructions about the threats circulating on the Internet, guides on how to browse safely on the Net - safe behavior in social networks, on-line shopping, etc -, a customer service number of the Oficina de Seguridad del Internauta, some free security tools and many more resources.


The reason driving this campaign is the lack of awareness among average computer users in Spain about on-line security problems, which has been observed in various studies. One of the main reasons for these poor security practices is that the expansion of the Internet in Spain has been too quick. Currently, seven out of every ten people consume digital content. Because of this rapid adoption, many users browse the web without knowing enough about IT security. As a result, 56.2% of computers in Spain are infected, a figure that puts our country in 12th position by number of infected computers.

The majority of infections are caused by users’ lack of knowledge about the threats on the Net and how to counter them. For example, according to a survey, although 96% of Spanish users are protected by some kind of security software, barely 30% have a security suite and only 34% have something as basic as a firewall. Also, more than half of users have only an anti-virus application.

Regarding Internet browsing habits, the results reveal that users fall short in this area too. 64% of Spaniards claim to use on-line banking services, but 32% admit that they don’t take any extra precautions when using them, even though more than 1300 cases of phishing targeting financial institutions have been registered since the beginning of this year.

Let’s hope that these campaigns can encourage the use of safe environments, so that the citizens can be more protected in their everyday digital life.


María Asín
S21sec





Information leakage through Trojans

According to the most optimistic estimates, one in every three computers is infected by some kind of malicious software/Trojan/virus, or whichever sensationalist name you prefer to give these naughty little programs that control our computer with premeditation and deliberation. Actually, there are reasons to think that the real percentage is higher than one third, and that it affects all conceivable human profiles equally: clients, entrepreneurs, civil servants, home cinema users, internetized grandpas and grandmas, teenagers immersed in social networks, etc.

Of course, information leakage can be regarded as more or less critical depending on the nature of the stolen data, but the modus operandi is generally the same: infection, information theft and unauthorized use of the computer, and finally the stolen information is sent to a remote site of dubious reputation.

The first step is infection. There are various options available for this: from classic attachments received in our e-mail inbox, USB drives given by a friend containing documents or photos of our last holidays, and downloads from P2P networks, all the way to the most common and powerful infection vector, i.e. a visit to the web site of one of our providers, our children’s school, a friend’s blog or our travel agency.

Once infected, the Trojan has three main objectives, precisely the same as a parasite: first, to go as unnoticed as possible; then, to steal important information, and finally to use the host computer for all kinds of activities. In the case of home users, the most sought after data are access credentials to bank accounts, personal and corporate e-mail addresses, contacts (to attack them too), information from social networks – in order to send credible e-mails or impersonate the victim – or any other type of useful information.






Heuristic methods for Phishing detection?


Some days ago, I came across an interesting article on Phishing detection tools. It is an analysis of the various functions featured by different tools; some of them use black lists, whereas others go beyond that, using heuristic methods for detecting fraudulent websites.

According to the study, using heuristic methods to determine whether a webpage is actually a phishing site allows it to be uncovered from the very moment the page is visited, without the need to include it in the URL black lists provided by security vendors. By contrast, adding a new entry to a black list requires confirmation from the black list providers or their partners, which lengthens the risk period.

The report also points out the short life of Phishing campaigns: 66% are over after 24 hours, so anti-Phishing bars have to be fed very quickly to avoid attacks. The vendors are trying to counter this with heuristic techniques.

Then why do only two of the eight black lists use heuristic procedures? According to the study, one of the analyzed products detected 70% of fraudulent websites from the beginning of the campaign, which helped avoid the majority of attacks.

For the moment, vendors are not inclined to go for heuristic techniques because of the large percentage of false positives they yield, although these false positives are attributed to the eight competitors. On top of that, fraudsters know about these heuristic methods, which are based on web contents, URL and HTML signatures, etc. Therefore, they already know how to counter these measures and render them useless.

However, given the data set presented in the report, I wonder whether there are other reasons for the limited use of rule correlation for phishing detection. Maybe the vendors who do use it know something new, since if fraudsters knew the rules of the heuristic methods, those rules would not allow such quick phishing detection.

Here is a link to the article:
http://www.ceas.cc/papers-2009/ceas2009-paper-32.pdf
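To make the trade-off discussed above concrete, here is an added Python example (not code from the post or from the CEAS paper) of the kind of URL and HTML heuristics it refers to: a brand name in a host the brand does not own, an IP-literal host, a deeply nested subdomain, a password field, a credential form posting to a different host, and a brand keyword next to that form each add a weight, and a threshold turns the sum into a verdict. The three sample pages are constructed for the example: the phishing host is one of the defanged hosts quoted in the Twitter post earlier on this page, while the remaining hosts, the HTML, the weights and the threshold are assumptions. The "registrable domain" rule (last two labels of the host) is a simplification that ignores the public suffix list. The third sample deliberately shows the false-positive problem the post mentions: a legitimate third-party site whose name contains the brand scores above the threshold.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("twitter", "paypal")                         # brands worth impersonating
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FORM_ACTION = re.compile(r'<form[^>]*\baction=["\']([^"\']*)["\']', re.I)
PASSWORD_FIELD = re.compile(r'type=["\']?password', re.I)


def host_of(url: str) -> str:
    """Host name of a URL, accepting defanged hxxp:// as found in reports."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def phishing_score(url: str, html: str):
    """Return (score, reasons). Each heuristic adds a weight; none is decisive alone."""
    score, reasons = 0, []
    host = host_of(url)
    labels = host.split(".")
    is_ip = IPV4.match(host) is not None

    # URL heuristics
    if is_ip:
        score += 2
        reasons.append("host is an IP literal")
    brand_in_host = any(b in host for b in BRANDS)
    # Simplification: the registrable domain is taken to be the last two labels.
    brand_owns_domain = len(labels) >= 2 and labels[-2] in BRANDS
    if brand_in_host and not brand_owns_domain:
        score += 2
        reasons.append("brand name appears in a host the brand does not own")
    if not is_ip and len(labels) >= 4:
        score += 1
        reasons.append("deeply nested subdomain")

    # Content heuristics
    asks_password = PASSWORD_FIELD.search(html) is not None
    if asks_password:
        score += 1
        reasons.append("page asks for a password")
    m = FORM_ACTION.search(html)
    if m:
        action = m.group(1)
        action_host = host_of(action) if "://" in action else host   # relative = same host
        if action_host != host:
            score += 2
            reasons.append(f"credential form posts to another host ({action_host})")
    if asks_password and any(b in html.lower() for b in BRANDS):
        score += 1
        reasons.append("brand keyword next to a credential form")
    return score, reasons


def is_phishing(url: str, html: str, threshold: int = 3) -> bool:
    return phishing_score(url, html)[0] >= threshold


# Constructed sample pages. The phishing host is the defanged one quoted in the
# Twitter post on this page; the other hosts and all HTML are made up.
LEGIT = ("https://twitter.com/login",
         '<title>Twitter / Login</title><form action="/sessions">'
         '<input name="u"><input type="password" name="p"></form>')
PHISH = ("hxxp://secure-login.twitter.verifiylogin.com/twitter/",
         '<title>Twitter / Login</title><form action="http://collect.example.net/post">'
         '<input name="u"><input type="password" name="p"></form>')
FALSE_POSITIVE = ("https://twitterfeed-stats.example.org/login",
                  '<title>TwitterFeed Stats sign in</title><form action="/login">'
                  '<input type="password" name="p"></form>')


def classify_samples() -> dict:
    """Score each sample page; keys name the samples."""
    return {name: phishing_score(*page) for name, page in
            (("legit", LEGIT), ("phish", PHISH), ("false_positive", FALSE_POSITIVE))}


if __name__ == "__main__":
    for name, (score, reasons) in classify_samples().items():
        print(f"{name:15s} score={score} -> {reasons}")
```

With the assumed weights the real login page scores 2, the clone scores 7 and the harmless third-party site scores 4, so at a threshold of 3 the clone is caught on first visit but the third-party site is wrongly flagged; raising the threshold to 5 removes that false positive at the cost of missing clones that avoid the heavier features, which is exactly the tuning problem the vendors in the report are weighing.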

Miguel López-Negrete
S21sec labs





SCADA Lab

Aiming to support research and development of projects related to security in SCADA, and to meet our clients’ internal and external needs, S21sec has recently inaugurated a laboratory with the most appropriate resources, technology and tools.


We mentioned it some months ago, without entering into details. Sporadically, other posts of this blog have also made reference to it. Now, we wish to officially introduce some of the goals with which the project began:
  1. Assessment of the security status of on-site equipment and SCADA software. It is important to have in-depth knowledge of the existing state of our clients’ equipment and applications in their facilities. Performing this type of analysis directly on the environments and devices is very often impossible (we promise you a post with real results very soon). The lab provides us with a realistic work model and the guarantee that no damage will be done to the real infrastructure. The client also finds this procedure much safer and more productive. For us, the assessment process is much easier, since:
    • Physical risk elements present in the environment are notably reduced. One example is connecting inside an energy plant in maintenance mode, which is not easy at all.
    • Risks for the original infrastructure are diminished.
    • It allows empirical studies in real time of various configurations to obtain different security assessments.
  2. Development and parameterization of security tools. To assess the security status of control equipment and applications, it is necessary to have a wide range of tools available to detect and deal with vulnerabilities. This is an expanding field in the world of control systems. There are dozens of different IT tools for auditing hardware and software. However, many of these tools are highly intrusive and therefore inadvisable in these environments, as we point out below. Likewise, some security issues cannot be assessed on-site due to a lack of specific tools. Thus, having an environment where we can not only observe but also manipulate the equipment’s configuration puts us in an advantageous position compared with procedures that must work with static elements that cannot be manipulated. The lab allows us to re-create the targeted part of the client’s infrastructure, prepare preliminary configurations for the security tools that will be used during the analysis, and obtain preliminary results that can help us reshape the objectives before the audit starts.
  3. Security assessment for third parties. In order to offer a high quality service to our clients, this third objective aims to give them an impartial view of the benefits of the solutions advertised by vendors. First-hand knowledge of new technologies is key to choosing the best security control implementations. The main advantage of the lab is that we can go beyond the mere analysis of features and test them in a realistic environment. This lets us know the limitations of a product before considering it as a solution, or before guaranteeing that it can be recommended to other clients.
We will be publishing in the next posts some of the results that are already available. Specifically, a post on the Byres Security’s device Tofino will be published soon.

Cheers!

Elyoenai Egozcue and Iñaki López

S21sec Labs









© Copyright S21sec 2012 - All rights reserved

