One Time Passwords…

I’m going to keep this article from the Miami Herald so I can forward it to anyone who complains about needing a one-time password to remotely access their employer’s network. I encourage everyone to program a red flag to pop up in your head whenever anything asks you for a username/password. Ask yourself…

  1. Do I believe I can trust this physical location?
    1. Is it shared internet and/or computer access?
    2. Do I trust who had access before me?
  2. Do I believe I can trust this virtual location?
    1. Is it HTTPS with a valid certificate?
    2. Did I get here from a reliable source?
  3. What would happen if these credentials were compromised?
    1. Remember that many sites will let you change a password while relying on nothing but the belief that only you know the password to your web-mail.

Of course, almost all of the long-term risk posed by these threats can be mitigated by using a one-time password: a captured code is worthless once it has been used or its time window has passed. Next time you have to use one, thank an Information Security Administrator instead of complaining to one.

No Clicking for You…

Please don’t be that guy, you know, the one who posts fake credit card data to a phishing site because he believes it’s somehow “fighting back.” BAD IDEA, folks. I’ve seen this error in common sense, if you will, triggered by IPS filters that use regex to catch SB 1386-type data being sent over HTTP rather than HTTPS, which is a clear sign of either a company that doesn’t deserve your business or phishing. So here are the top 2 reasons why such a thing is bad for the Information Security weekend warrior.
1. Once you’ve clicked on the phishing link in the email, they have won.
You just validated that your email address is monitored by a human; it’s now worth 10x as much to SPAM gangs. Those SPAMmed HTML links often have code behind them that has been dynamically generated to contain the recipient of that particular SPAM embedded in them. So when you click the phisher’s link it’s like saying, “SPAM ME please, I read and click on anything!”
2. You will most likely get malware sent to you.
OK, so the goal of the people behind this organized crime is to get credentials (username and password). They don’t care how that is done; they don’t even care what credentials they get. It’s cheap to try them at every bank, e-commerce, and webmail site out there. You don’t reuse passwords, do you? So whether you fill out their fake form with all your personal information or they implant a Trojan on your machine and keylog that info a week from now, what’s the difference? As soon as the site comes up, expect many invisible iframes pointing your browser at all kinds of obfuscated scripts trying to exploit application vulnerabilities (not just OS stuff anymore, my friends) as well as trying to social-engineer you into downloading a much-needed codec or the like.
So the moral of the story is that you’re only tempting fate should you try to clog the bad guys’ database with illegitimate info. In the end you may very well get owned faster than your grandma, who just got a popup asking her to “CLICK RUN” to get a free virus scan on her Win98 machine. The real experts (one of whom I don’t claim to be) use completely sandboxed virtual machines with many safeguards for them and the Internet to do this kind of stuff. I suggest anyone who doesn’t reverse engineer malware on a weekly basis leave such things up to them. And luckily for the average e-citizen there are many very intelligent people who do just that. Suggested links below….
PS: Don’t expect your shiny new <insert AV vendor> 2008 to protect you 100% either. AV is a necessity for the average user on Windows, but it isn’t an invincible shield against foolish bravery.
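The IPS filter mentioned above, the one that flags SB 1386-type data leaving over plain HTTP, is easy to sketch. This is an added example, not the post’s or any IPS vendor’s code: it runs a card-number regex plus a Luhn check (to drop order IDs and other random digit runs) and an SSN pattern over a few constructed proxy log lines, and only raises an alert when the request scheme is `http` rather than `https`. The log format, the hostnames and the numbers are all made up for the example; `4111111111111111` is the usual Luhn-valid test card number.

```python
import re
from dataclasses import dataclass

# 13-16 digits with optional single space/dash separators, not glued to other digits
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")
# Social Security number in the common dashed form
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
URL_RE = re.compile(r"\b(https?)://")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str        # "card" or "ssn"
    plaintext: bool  # True when the request went over http://, not https://


def scan_line(line_no: int, line: str) -> list:
    """Return every sensitive-data match on one log line."""
    url = URL_RE.search(line)
    plaintext = bool(url) and url.group(1) == "http"
    findings = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # regex alone would also flag order IDs etc.
            findings.append(Finding(line_no, "card", plaintext))
    for _ in SSN_RE.finditer(line):
        findings.append(Finding(line_no, "ssn", plaintext))
    return findings


def scan_log(lines: list) -> list:
    out = []
    for i, line in enumerate(lines, 1):
        out.extend(scan_line(i, line))
    return out


def alerts(findings: list) -> list:
    """Only plaintext submissions are alert-worthy, per the IPS policy above."""
    return [f for f in findings if f.plaintext]


# Constructed sample proxy log (hypothetical hosts and data).
SAMPLE_LOG = [
    "2008-03-14T10:22:01 POST http://login-example.test/verify body=card=4111-1111-1111-1111&exp=0510",
    "2008-03-14T10:22:05 POST https://bank.example/verify body=card=4111111111111111&exp=0510",
    "2008-03-14T10:23:09 GET http://news.example/article?id=1234567890123",
    "2008-03-14T10:24:30 POST http://hr-portal.test/apply body=ssn=123-45-6789&name=test",
]

if __name__ == "__main__":
    for f in alerts(scan_log(SAMPLE_LOG)):
        print(f"ALERT line {f.line_no}: {f.kind} sent over plaintext HTTP")
```

Line 3 carries a 13-digit run that the regex matches but the Luhn check rejects, and line 2 carries a real-looking card number over HTTPS, so only lines 1 and 4 produce alerts. A filter like this is exactly what should make you close the tab, not what should make you start typing fake numbers into the form.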

http://www.secureworks.com/research/threats/

http://isc.sans.org/  (do a search for Tom Liston, then click the links for “Follow the Bouncing Malware”; very well done, albeit a few years old now.)