Phishing

Tuesday, 25 May 2010

Tabnabbing - a new variation on phishing

Aza Raskin, the Creative Lead for Firefox, (via Ajaxian) describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious Javascript in action. Does your Secure Web Gateway vendor block this attack?

Posted at 05:26 PM in Malware, Phishing | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 10 May 2010

Facebook board member's account hacked - used for phishing attack

From PEHub:

Sunday morning, some of the 2,301 Facebook friends of venture capitalist and Facebook board member Jim Breyer received a message from him, through Facebook. “Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”

While no one would be surprised by a service that allowed users to call friends from their Facebook accounts, the message was a hack. “This was a phishing scam and Jim’s account appears to have been compromised,” says Larry Yu, a Facebook spokesman, late yesterday. “The issue has since been resolved and we’re actively trying to block this activity.”

Breyer, a partner at Accel Partners, didn’t respond to questions relating to the message.

At this point there has been no detailed explanation from Facebook explaining how this happened and what steps they are taking to reduce the likelihood of it happening again. Compare Facebook's approach to this breach to Apache's approach to their recent breach which I wrote about here.

Given Facebook's approach to privacy, I doubt anyone is surprised.



Posted at 08:18 AM in Breaches, Phishing, Privacy | | Comments (0) | TrackBack (0)

Wednesday, 28 April 2010

Blippy's security/privacy strategy - do they deserve to survive?

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting:You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user.s browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

Posted at 08:58 PM in Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management | | Comments (0) | TrackBack (0)

Tuesday, 26 January 2010

Operation Aurora analysis

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

Posted at 08:17 AM in Advanced Persistent Threat (APT), Breaches, Data Loss Prevention, Database Activity Monitoring, Malware, Next Generation Firewalls, Phishing, Secure Browsing, Security Information and Event Management (SIEM) | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 16 January 2010

Google discloses breach and new threat type from China - Advanced Persistent Threats

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. 

Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.


Posted at 08:43 PM in Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft | | Comments (0) | TrackBack (0)

Technorati Tags:

Tuesday, 05 January 2010

More details on the security risks of IDNs

A few days ago I wrote about the risks of non-ASCII domain names, i.e. International Domain Names (IDNs). Trend Micro's security research group, TrendLabs, has just released a detailed analysis of the security risks of IDNs.

Posted at 08:19 AM in Malware, Phishing | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 02 January 2010

New non-ASCII domain names increase risk of phishing attacks

An article in the London-based Times Online last week pointed out the security risks, particularly phishing, of the recent ICANN expansion of domain names to non-Roman characters. Here is the key quote from the article:

The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian.

To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.

There are two key reasons for ICANN's expansion decision (from the TechNewsWorld article):

  • Not introducing international domains would mean that alternate root servers will be set up around the world because the demand is so high," Tina Dam, senior director for IDNs (international domain names) at ICANN, told TechNewsWorld.
  • It is definitely timely to make the IDN TLDs (top level domains) available, and we have also seen a demand from Asia and other parts of the world for quite some time," ICANN's Dam said. "The fact that you have to use a Latin character Web address on a site where the entire content is in Russian is not fair for Russian Internet users and does not make sense," she added.

There are some good comments on the Times Online article regarding how this type of phishing attack could be blocked. I'm sure most of the email, browser, and URL filter vendors will be responding soon.

Posted at 02:26 PM in Phishing | | Comments (0) | TrackBack (0)

Technorati Tags:

About

Subscribe to this blog's feed

Recent Posts

My Favorite Books on Risk and IT Security