
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 25 Mar 2005, entry 382
A new, nefarious phishing deception technique

Poor PayPal seems to be the most popular lure among phishers these days.

I receive phishing emails almost daily warning me that my PayPal account is under review for security reasons. The most recent spate of these uses HTML in a particularly insidious manner to deceive even those recipients who are savvy enough to be wary of embedded hyperlinks.

Many antiphishing resources, including my own, advise people to hover the mouse over a hyperlink before clicking and read the browser status bar: it shows the "real" URL that a click would visit, which can then be compared with the URL they "see" in the message.

The new phishing method uses an HTML form instead of a hyperlink, which leaves the status bar with nothing to show and so defeats this check. The raw HTML for this deception is reproduced below:

<!-- the real destination: an open redirector (rds.yahoo.com/*...) that forwards to a second one (google.com/url) -->
<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
<!-- the deception page, carried as the GET parameter "q"; %6D%61%6E%75%61%6C is just "manual" percent-encoded -->
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<!-- a submit button styled to pass for a link (blue text, no border); "#white" is not even valid CSS, but browsers ignore it.
     The label is only a caption: what the browser requests is the ACTION above, never the text shown here -->
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</form>

I've substituted my own domain name, hhi.corecom.com, where the phisher typically puts his deception web site. What recipients see when this is used follows.

Hover over the apparent hyperlink and nothing appears in the status bar: it is a submit button, not an anchor, so the browser has no href to display. Click it and you reach my 404 error page; in a phishing email, of course, you'd end up at a deception web page.

Increasingly, too, PayPal phishers pad their messages with legitimate hyperlinks to real PayPal pages, e.g.,

To receive email notifications in plain text instead of HTML,

update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank" > here</a>

This is all part of selling the deception.

HTML is a really wonderful and powerful language, but it is so easily manipulated for malicious purposes that you should really consider whether you need your email to be "pretty". Reading mail as plain text removes the forms, styled buttons and hidden fields that make this trick work.
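The warning signs in the snippet above can be checked mechanically. The following is an added example, not code from the original post: it parses the phisher's markup (reproduced from the post, together with the PayPal preferences link) with the standard library, follows the redirector chain the form would submit through without fetching anything, and reports the mismatches. The two redirector shapes it peels (a target after "*" in the path, and a query value that is itself a URL) are generalisations of the two hosts in the snippet; any other names are constructed for the example.

```python
"""Spotting the "submit button dressed as a hyperlink" trick in HTML mail."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

URL_RE = re.compile(r"^\s*https?://", re.I)

# The phisher's markup as quoted in the post, plus one of the genuine PayPal
# links such mails carry; used here as the sample input.
SAMPLE_MAIL = """\
<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</form>
update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank" > here</a>
"""


class MailParser(HTMLParser):
    """Collect forms (action, method, hidden fields, submit labels) and anchors (href, text)."""

    def __init__(self):
        super().__init__()
        self.forms, self.anchors = [], []
        self._form = self._anchor = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # tag and attribute names arrive lower-cased
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                          "hidden": {}, "buttons": []}
        elif tag == "input" and self._form is not None:
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self._form["hidden"][a.get("name", "")] = a.get("value", "")
            elif kind == "submit":
                self._form["buttons"].append(a.get("value", ""))
        elif tag == "a":
            self._anchor = {"href": a.get("href", ""), "text": ""}

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "a" and self._anchor is not None:
            self.anchors.append(self._anchor)
            self._anchor = None


def host(url):
    return urlsplit(url).netloc.lower()


def submitted_url(form):
    """The URL a browser requests when a GET form is submitted (hidden fields become the query)."""
    url = form["action"]
    if form["method"] == "get" and form["hidden"]:
        url += ("&" if "?" in url else "?") + urlencode(form["hidden"])
    return url


def follow_redirectors(url, limit=10):
    """Peel open-redirector wrappers statically: a target after '*' in the path, or a
    query value that is itself a URL. Returns every hop; the last is percent-decoded."""
    hops = [url]
    while len(hops) < limit:
        parts = urlsplit(hops[-1])
        if "*" in parts.path:
            hops.append(hops[-1].split("*", 1)[1])
            continue
        nested = [v[0] for v in parse_qs(parts.query).values() if URL_RE.match(v[0])]
        if not nested:
            break
        hops.append(nested[0])
    hops[-1] = unquote(hops[-1])                   # undo the %6D%61... obfuscation
    return hops


def form_destinations(html_text):
    p = MailParser()
    p.feed(html_text)
    return [follow_redirectors(submitted_url(f)) for f in p.forms]


def analyze(html_text):
    """Return human-readable findings for the warning signs in a mail body."""
    p = MailParser()
    p.feed(html_text)
    findings = []
    for form in p.forms:
        hops = follow_redirectors(submitted_url(form))
        for label in form["buttons"]:
            if URL_RE.match(label):                # a button is never a link: hovering shows nothing
                findings.append(f"submit button labelled {label.strip()!r} is not a hyperlink; "
                                f"the form actually lands on {hops[-1]!r}")
        if len(hops) > 1:
            findings.append("form submits through redirectors: " + " -> ".join(host(h) for h in hops))
    for a in p.anchors:
        text = a["text"].strip()
        if URL_RE.match(text) and host(text) != host(a["href"]):
            findings.append(f"link text {text!r} but href points at {host(a['href'])!r}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_MAIL):
        print(line)
```

Run against the sample, the chain resolves to rds.yahoo.com -> www.google.com -> rds.yahoo.com -> www.securityskeptic.com and the final page is /manual/webscr/, while the only "URL" the recipient ever sees is the PayPal one painted on the button. The genuine "here" link raises nothing, which is the point of mixing it in.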

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID382 by Dave Piscitello  


Mon, 21 Mar 2005, entry 381
Web content filtering at the firewall: please block malware, but where's my ReplayTV?

I've been experimenting with content filtering associated with the HTTP-Proxy at my firewall, to see what if any additional measures I can take to block malicious content from infesting my hosts. I began with a conservative list of allowed content types - text, image, pdf, xml - and a "suspect it's spyware and explicitly block it" list of undesirable body content types - zip archives, Windows exe/dll and CAB archives, and Java bytecode.

I slowly began adding types that are arguably not absolutely safe, but absolutely necessary if you expect to enjoy the richness of the web, especially its entertainment aspects. These included application/x-javascript, application/x-shockwave-flash. Life was good on all the PCs - no user complaints.

About 10 days into my experiment, my kids complained that the TV program listings no longer displayed on my ReplayTV. Visiting my firewall log, I discovered that ReplayTV uses its own content types - application/vnd.replay.cg and application/vdn.replay.headend - which my firewall was dutifully blocking. Adding these to the allowed list solved the problem, and my ReplayTV disk is once again filled with Japanese anime cartoons.

The experience illustrates how content filtering adds another dimension to security policy maintenance. It also illustrates how firewall admins are forced to keep current with application development at so many different levels - transport encapsulation, port and bandwidth utilization, protocol composition, network protocol, addressing, NAT and naming dependencies - that it's easy to overlook a developer's decision to create a new content type rather than use an existing one.

And the developer probably did so because content filtering proxies were blocking the type he originally chose:-)
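The policy described above, as an added example that is not part of the original post and not the firewall's own configuration: an allow-list with wildcards, the explicit "treat as spyware" block-list, default deny for anything else, and one check the post's proxy did not make, a look at the body's first bytes, because the Content-Type header is chosen by the server and a hostile one can label an executable as a GIF. The ReplayTV type names are spelled as the post gives them; URLs and response bodies are constructed for the example.

```python
"""Content-type filtering as an HTTP proxy applies it: allow-list, block-list, default deny."""

ALLOWED = {
    "text/*", "image/*", "application/pdf", "application/xml", "text/xml",
    "application/x-javascript", "application/x-shockwave-flash",
    # vendor types discovered in the firewall log (spelled as in the post)
    "application/vnd.replay.cg", "application/vdn.replay.headend",
}
BLOCKED = {                         # "suspect it's spyware and explicitly block it"
    "application/zip", "application/x-zip-compressed",
    "application/x-msdownload", "application/x-msdos-program",
    "application/vnd.ms-cab-compressed", "application/java-vm", "application/x-java-applet",
}
# Magic bytes for the same families, for bodies whose header lies about the type.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"PK\x03\x04": "ZIP archive",
    b"MSCF": "Microsoft CAB archive",
    b"\xca\xfe\xba\xbe": "Java class file",
}


def media_type(content_type):
    """'Text/HTML; charset=ISO-8859-1' -> 'text/html' (type/subtype is case-insensitive)."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff(body):
    """Name the file family the body's leading bytes announce, if any."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def evaluate(content_type, body=b""):
    """Return ('allow' | 'block', reason) for one HTTP response."""
    mt = media_type(content_type)
    if mt in BLOCKED:
        return "block", f"{mt} is on the block-list"
    looks_like = sniff(body)
    if looks_like:
        return "block", f"body starts like a {looks_like} but is labelled {mt}"
    if mt in ALLOWED or mt.split("/", 1)[0] + "/*" in ALLOWED:
        return "allow", f"{mt} is on the allow-list"
    return "block", f"{mt} is not on the allow-list (default deny)"


# Constructed responses standing in for a day of proxy log entries.
SAMPLE_RESPONSES = [
    ("http://www.example.com/index.html", "Text/HTML; charset=ISO-8859-1", b"<html>"),
    ("http://www.example.com/logo.gif", "image/gif", b"GIF89a"),
    ("http://guide.example.net/listings", "application/vnd.replay.cg", b"\x01\x02"),
    ("http://cdn.example.org/player.swf", "application/x-shockwave-flash", b"CWS"),
    ("http://ads.example.net/setup.exe", "application/x-msdownload", b"MZ\x90\x00"),
    ("http://ads.example.net/free.gif", "image/gif", b"MZ\x90\x00"),   # executable labelled as an image
    ("http://ads.example.net/update.bin", "application/octet-stream", b"\x00\x01"),
]


def filter_responses(responses):
    """Apply the policy to (url, content_type, body) triples; returns (url, action, reason)."""
    return [(url, *evaluate(ct, body)) for url, ct, body in responses]


if __name__ == "__main__":
    for url, action, reason in filter_responses(SAMPLE_RESPONSES):
        print(f"{action:5s} {url}  ({reason})")
```

The default-deny branch is what silently broke the ReplayTV: its vendor types matched neither list, so they fell through until the log explained why. It also catches the common trick of serving a download as application/octet-stream, and the magic-byte check catches the nastier one of mislabelling it as an image. None of this sees inside HTTPS unless the proxy terminates TLS.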

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID381 by Dave Piscitello  


Thu, 17 Mar 2005, entry 380
Legislation won't stall the spyware juggernaut

Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted anti-spyware laws are considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID380 by Dave Piscitello  


Wed, 16 Mar 2005, entry 379
PC Pitstop Top 25 Spyware list

Most people who read my blog are familiar with the SANS Top 20 Vulnerability list. Trend Micro, Vexira, and in fact, most antivirus companies host lists of the current most prevalent malware. PC Pitstop hosts a similar list of the Top 25 Spyware.

The rankings are derived from results of approximately 50,000 PCs that visit the site to run a signed ActiveX control spyware scanner (signed, how refreshingly unique!).

PC Pitstop acknowledges that their Top 25 rankings are biased. PC users who visit frequently to test for and remove pests based on the scan results will have less spyware than a randomly sampled population (the site apparently doesn't weed out repeat visitors). Still, it's an interesting list.

I ranted earlier this week about informed consent and disclosure. Legislators ought to study PC Pitstop's privacy policy and the excruciating detail they provide regarding cookie use, information collection and use, and "what they do to your PC". They tell you what they do; how they do it and why; how you can review what they do; and give you the opportunity to decline. Legislation doesn't have to be any more complicated than insisting that advertisers be as diligent as PC Pitstop. Well done...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID379 by Dave Piscitello  


Mon, 14 Mar 2005, entry 378
Unsettling figures - who the U.S. Senate "majority" might represent

If you visit www.senate.gov, you'll read that "To balance power between the large and small states, the Constitution's framers agreed that states would be represented equally in the Senate and in proportion to their populations in the House."

In a March 14 2005 New Yorker Magazine Talk of the Town comment, "Nuke 'em", Hendrik Hertzberg explains that state representation in the modern millennium may not exactly work out to the balanced power the Constitution's framers sought. Hertzberg explains that, as composed today, "Fifty one senators - a majority - can represent states with as little as seventeen per cent of the American People."

Numbers like these aren't much fun. The Bush administration declared that winning 51% of the vote in November 2004 gave them a mandate for the President's 2nd term. Now we see that senators representing 17% of the people - probably from red states - can pass a bill and declare its passage a mandate.

If you're not happy with these figures, consider that the sixty votes needed to end a filibuster (cloture; overriding a veto takes sixty-seven) can come from both senators of just thirty states, and those thirty states can hold as little as twenty-four percent of the population.

Sigh...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID378 by Dave Piscitello  


Sat, 12 Mar 2005, entry 377
Adware, spyware or malware - no matter the name...

Mitch Wagner, my editor at SecurityPipeline.com, wrote an editorial recently about the fuss adware vendors are making over the fact that their ware is really not spyware. Whether their ware spies or not is quite honestly irrelevant to the vast number of users (and SecurityPipeline readers). Choose any name you wish, adware is unsolicited, unwanted, and intrusive. But, for the sake of a blog entry, let's find an appropriate name.

So far, "scumware" is the most generic, appealing, and accurate label. SearchSMB.com defines scumware as "any programming that gets on your computer from Internet sites without your consent and often without your knowledge. Scumware is a general term that encompasses spyware, adware, annoyware, malware, parasiteware, unwelcome cookies, and various forms of viruses".

This definition works for me and everyone I asked today:-)

Why do the FTC, state and federal legislators insist on trying to narrow the definition of spyware, when most of the affected population would prefer to leave it as broad as possible? Users want to know what is being installed on their computers, and for what purpose, and want the right of informed refusal and consent. And make the default selection "refusal". This is exactly the opposite of what occurs today with all scumware.

You want effective legislation? Focus on informed consent. Force software vendors to a pure "opt-in" model, something that never materialized in postal delivery. Identify what constitutes deceptive and unauthorized use and installation of software. Make it illegal to install software without expressed user approval, and make vendors write intelligible terms of use and scope of application. With legislation of this kind, most folks will make intelligent opt-in decisions when asked whether they want Windows Update or WhenU. Which, of course, is exactly what adware vendors are most fearful of.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID377 by Dave Piscitello  


Thu, 10 Mar 2005, entry 376
Cracking ZIP file passwords

This is the week of learning how to recover lost passwords. The staff administrator at my daughter's school asked if I could show her how to password-protect files on her PC. I explained how to create a compressed (zip) file and password protect this in Windows XP. She asked if I could help her create a really strong password. I explained that there were many ways to do this but that it was equally important that she create a password that she would remember. She nodded in agreement, and I suggested ways she could also write it down so that she could recover it if she ever had a momentary (or longer) memory failure.

Showing novice PC users a new security measure is like lending someone Breck shampoo - tell two friends, who tell two friends, and shortly, I'll be hearing from a panicked individual who's protected a zip file and can't recall the password. Preparing for the worst, I decided I'd poke around for a program that cracks password-protected ZIP files.

I found lots of buy-ware and share-ware, and a few frankly dreadful freeware tools. I am tinkering with one promising utility, PDG ZIP Finder by Astonsoft, Inc. I need to play more with this freeware "beta" from 2001, and didn't find a privacy policy at the company site, so I won't include a link until I am convinced it's "really free" ware. I didn't see any obvious backchannels in my firewall log, but haven't sniffed the wire yet. They do include a self-promotion to try/buy Astonsoft commercial ware, but I can forgive this if it's all they do.

I'll keep you posted.
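What such a recovery tool actually does, as an added example that is neither the post's nor Astonsoft's code: it assumes the archive uses the traditional PKWARE stream cipher ("ZipCrypto") that Windows XP compressed folders apply, implements that cipher from the published key schedule so no archive file is needed, and then runs the two-stage wordlist attack every ZIP cracker uses, a 12-byte header check that discards most wrong guesses, followed by a full decrypt and CRC comparison. The protected text, password and wordlist are constructed for the example; in a real archive the same bytes sit in the entry's compressed data and the CRC in its header.

```python
"""Traditional PKWARE ("ZipCrypto") entry encryption and a wordlist attack on it."""
import os
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320); the cipher's key schedule reuses it.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc, byte):
    """One raw CRC-32 step (no pre/post inversion), as APPNOTE.TXT defines it."""
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


def entry_crc(plaintext):
    """The CRC-32 a ZIP stores in its headers for an entry."""
    return zlib.crc32(plaintext) & 0xFFFFFFFF


class Keys:
    """The three 32-bit key registers, seeded from the password."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, byte):
        self.k0 = _crc_step(self.k0, byte)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def keystream_byte(self):
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF


def encrypt(password, plaintext, rng=os.urandom):
    """Encrypt a stored (uncompressed) entry: 12-byte header, then the data.

    The header is 11 random bytes plus the high byte of the entry CRC; that
    last byte is the cheap password check every ZIP reader and cracker uses.
    """
    keys = Keys(password)
    out = bytearray()
    for b in rng(11) + bytes([entry_crc(plaintext) >> 24]) + plaintext:
        out.append(b ^ keys.keystream_byte())
        keys.update(b)              # the key schedule advances on plaintext bytes
    return bytes(out)


def decrypt(password, data):
    """Inverse of encrypt(); returns header + plaintext (caller strips 12 bytes)."""
    keys = Keys(password)
    out = bytearray()
    for c in data:
        p = c ^ keys.keystream_byte()
        keys.update(p)
        out.append(p)
    return bytes(out)


def wordlist_attack(data, crc, candidates):
    """Try candidates the way zip crackers do: header check first, full CRC second.

    Decrypting just 12 bytes rejects 255 of 256 wrong passwords; survivors get a
    full decrypt and CRC comparison. Returns (password or None, tried, header_hits).
    """
    check_byte = crc >> 24
    tried = hits = 0
    for cand in candidates:
        tried += 1
        if decrypt(cand, data[:12])[11] != check_byte:
            continue
        hits += 1
        if entry_crc(decrypt(cand, data)[12:]) == crc:
            return cand, tried, hits
    return None, tried, hits


# Constructed sample: a small "protected" file and the kind of list a helper tries first.
SAMPLE_PLAINTEXT = b"Q3 grade roster - see attached spreadsheet.\n"
SAMPLE_PASSWORD = b"spring2005"
SAMPLE_WORDLIST = [b"password", b"123456", b"school", b"Spring05", b"spring2005", b"S3cure!Pass"]


def demo():
    data = encrypt(SAMPLE_PASSWORD, SAMPLE_PLAINTEXT)
    return wordlist_attack(data, entry_crc(SAMPLE_PLAINTEXT), SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The header check is why these tools feel fast: each wrong guess costs a dozen byte operations before it is thrown away, so a password that appears in any wordlist, or is short enough to enumerate, falls in seconds. That is the argument for the "strong but memorable, and written down somewhere safe" advice above, and for keeping the written copy away from the PC.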

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID376 by Dave Piscitello  


Sun, 06 Mar 2005, entry 375
NT/XP Administrator password recovery/reset

I use the CIS Security Benchmarking tool to harden all the PCs in my home office. One of the benchmarks is effective password management. I impose password complexity requirements, age passwords, and impose an account lockout policy. So it's not surprising that every so often, one of my family forgets an account password, is locked out, and needs administrative assistance.

Last night, my son locked himself out of his PC. His account had local administrator permissions so he could install games, music software, etc. To my embarrassment, I could not recall the administrator password, and I hadn't saved this password in my PasswordSafe database.

The only password recovery utility I had ran on a floppy, and my son's PC doesn't have one. I visited a few sites that described password cracking and recovery tools. The first tool I considered was XP Password Recovery. With this tool, you create a bootable image (floppy or CD) that contains utilities to copy the SAM from the troubled PC onto the floppy. You then take the floppy to an Internet-connected PC, and upload the SAM for cracking at a server, which then returns all the accounts and passwords it's cracked from the SAM. Try as I might, I could not feel comfortable with this process, especially given that the offline processing of the SAM is estimated to take several hours.

I next tried NTPassword (the Offline NT Password & Registry Editor), by Petter Nordahl-Hagen. NTPassword boots off floppy or CD. This is a sort of Swiss Army Knife of password utilities. NTPassword can reset the passwords of local user accounts (it overwrites the password hash stored in the SAM). It detects and unlocks locked or disabled accounts. It is not thwarted if you've used SysKey encryption to (ahem) strengthen the SAM hash against attack, because it blanks the hash rather than trying to decrypt it. Best of all, it is unbelievably fast - as in less than 5 minutes! - to reset the admin password to blank, unlock the troubled account, and reboot the PC to XP SP2.

Password cracking is not a recreational activity. This is an easy tool to abuse: anyone who can boot the machine from removable media owns every local account, which is the case for a bit of physical-access planning, a BIOS boot-order lock and disk encryption. But if you impose password and account policies on PCs you administer, you'll probably need a recovery tool, and NTPassword is pretty impressive.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID375 by Dave Piscitello  


Thu, 03 Mar 2005, entry 374
It's for the Patriot Act...

In the 1990s, everyone apologized for delays and inconveniences by saying, "sorry, the network's slow". Post 9/11, apologists blame delays and inconveniences on The Patriot Act.

Airlines, hotels, and other travel industries generally understand the concept of proof of identity.

"Checking in? Can I see your driver's license or passport, please? It's for The Patriot Act."

Certain banks, unfortunately, haven't quite explained the nuances that distinguish transaction processing from identity verification to all their employees. I visited a bank to get a debit/ATM card for my son, who never carries cash and is always running out of gas. Before the service assistant could begin processing my request, she asked me, "Can I see your social (security card)? It's for The Patriot Act." I use this number so infrequently, and was so astonished that this information was to serve as credentials to verify my identity, that I suffered a momentary brain freeze and transposed some of the numbers.

"Hmmm... that's not the right 'social'. Can I see your ATM or Check Card? Great, thanks. I can look up your account directly. Do you live at 3 Myrtle Bank Lane? Wonderful. So, how can I help you?"

I explain what I want. "I'm sorry, the person applying for an ATM card must apply in person. Sorry, it's The Patriot Act." Honestly, I am not making this up.

"The card is for my son, who never carries cash and is always running out of gas. He attends High School off the island and can't get here during bank hours, " I reply.

"Oh, that's terrible. Let's see what we can do."

Fast-forward to the last page in the episode. I succeed in getting an ATM card under *my* name, for my son's UGMA account. As the custodian of this account, I can have one, but my son can't because he's not yet 18 years old. Of course, issuing me the card gives me the opportunity if not license to let my son use it at ATM machines, which only care that you hold the card and know the PIN. For now, at least. How long before ATMs use facial recognition? After all, it would be "for the Patriot Act".

Has "It's for The Patriot Act." become an interjection? According to the always amusing definitions at http://www.cs.cf.ac.uk/fun/welsh/Glossary_main.html, an interjection is defined as an ejaculatory utterance usually lacking grammatical connection. So I suppose "It's for the Patriot Act" isn't really an interjection. It's an ejaculatory utterance, for sure, but most parties who utter it have no idea what it means or implies.

Sad and deplorable? More like "sad and dangerous".

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID374 by Dave Piscitello  


Wed, 02 Mar 2005, entry 373
Blog digest error

Apologies to those of you who receive my monthly digest email. I migrated my blog software from one PC to another, and in the process failed to import my old .ini file, where I had increased the default blog summary length from 30 to 80 characters. Thirty is simply too few characters to spark interest in a blog entry, even a rant.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID373 by Dave Piscitello