Online banking and bill pay are two of the conveniences of the information age. I have memories of seeing my mom paying the monthly bills late at night filling out checks, opening and addressing envelopes, putting on stamps etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner, with online banking and bill pay it usually takes me 30 mins to send out the money with little or no writing or mailing. As with many conveniences, however it comes with a risk of potential abuse. Individuals certainly aren’t the only ones being victimized, especially vulnerable are small to medium-sized business who have relatively a lot of money compared to the average Joe Schomo like me and unfortunately for them they are not covered by the FDIC or the bank’s policy. Here’s a Bloomberg article from August last year that goes into several examples of theft and how the banks don’t always reimburse those companies like they do you when your CC is stolen. Bloomberg article

So without further ado here is what I humbly ask from my bank, 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.

1. Never include links in any email you send to a customer
In my opinion it is enviable that banks will stop sending their customers emails full of links. And I mean ALL LINKS, including the ones in your logo, the pretty banner pictures of middle-class people enjoying their lives, the legalese footer that no one reads, and especially in the message you are sending to the customer. Do not even include your domain as a non-clickable link. Keep the HTML format though I think this adds defensive capabilities that you are currently not using but that’s for another blog post.  These extreme measures are needed because the average computer user is essentially helpless to see the danger as obvious it may be in hind-sight.  This is because they need to click on links on a day-to-day basis to interact with friends, co-workers, and websites, and indeed do so with no negative repercussions. Then all of a sudden they get a call from someone like me who says you shouldn’t have clicked that one link in that one convincing looking email. My point is training and retraining users to recognize the signs of a Phish or trying to explain SMTP headers to them just won’t work if banks continue to send them an email talking about the dangers of clicking on links by asking them to click on links! Instead the bank should simply tell someone to go to their bank’s site. Get all your separate departments that send email at their every whim and tell them to redesign all their templates they use and send to 3rd party emailers to use. This is not a panacea to stop phishing but it will go a long way to condition customers to not to click on anything in emails representing your bank. Limiting the current most common social engineering infection vectors as well as forcing current Phishers to change their tactics drastically.
So Mr. bank executive you can be a leader with this policy, get all the positive press for not only protecting your customers but proving to shareholders you are trying to limit the increasing levels of fraud robbing value from “their” banks bottom line or you can be forced to do it as an also-ran follower when your competitor beats you to the punch. After all each email is a permanent voicemail to your customer representing your brand, why would you continue to encourage risky behavior?

2. Default to Read Only account for all online banking, and for budgeting services

This is another inevitable must-do, why do I have to use my administrator level credentials every time I log into my bank to do anything?  How can I take advantage of cool services like Mint.com when to use it I must give my full account permissions to anyone working at Intuit? Admin credentials should only be needed for dangerous activities (i.e. potential for losing my money) for online banking such as transferring/withdrawing money, adding a bill payee, opening an account, etc. Once set up such dangerous activities are infrequently needed so I purpose you allow me to mark my current account read-only with all my desired “dangerous activities” requiring some sort of out-of-band authentication like SMS or Token verification, or if necessary (i.e. user can’t do SMS) separate pwd authentication. Using an account with reduced permissions is a fundamental security principal and would greatly reduce the attack surface from compromised customer computers. As it stands now you are making the decision for me, by not giving me the option to use an account with lesser privileges.

3. Let me configure email/SMS alerts when someone successfully authenticates

Even with all the above prevention techniques above you should still give me the option for getting an alert when someone auth’s successfully to either read-only or admin level access. Similar to the alerts I can configure now for large ATM or Check withdrawals. The information should include IP/User-Agent/Geo-location combined with time/date. Yes I’m well aware that information can be spoofed and/or misrepresented but it should be given to me none the less. You could easily massage the source information to make it more user-friendly, I mean if Facebook can do it for 840+ million users you really have no excuse.
So by your company’s own estimates you are losing millions a year because of this, I’d help you implement these for a million or so, sounds like an amazing deal to me. Pay the man. 

=======

PS. Disclaimer: I realize others may have put forth some or all of these ideas in the past, the following are just my thoughts and not meant to be some attempt to gain fame and fortune by plagiarizing others.  If these ideas have been submitted to the internets before please consider me in agreement with them, and put the flame thrower down.  Also some banks might even already employ one or more of these suggestions, all I know is the big national bank’s I’ve used don’t do any of these unfortunately.

Anyway, I enjoyed creating the site and .html form front-ended .php script to pull the user’s info from MYSQL which amounted to a poor mans API for the vendors. Even though I think it’s a good idea that will come to be in someway or another, I learned that I’m apparently not entrepreneur material. I lost much motivation after the technical stuff was minimized and I couldn’t get any real interest from ycombinator, users or vendors.  Not to mention I also found very little incentive to eventually become an accountant, employer, tax expert, and other such work that comes with starting a company.  And the biggest reason of all is that I actually enjoy my day job, as opposed to longing to be my own boss apparently I’m better off running the rat race.  Live and Learn.

The site is still active as I type this watching Broncos and Patriots January 14th 2011 but should be down soon. Here’s a screen shot of the homepage for a little taste for the curious.

HTML Source of UserFAQ

HTML Source of VendorFAQ

What would help is a way for the average user to see the difference between an externally sent email from your internal domain(s) and an internally sent email from your internal domain(s) BEFORE opening it. I’ve thought of a way to do this with Outlook Client rules and would like to share that here. So if your organization, especially small businesses and SOHOs are struggling with this, give it a shot and let me know how it goes. (The screenshot’s below are from Outlook 2007)

The rule will essentially look for messages with your internal domain(s) in the message from, then look for a special line that your SMTP gateways put in the Received Headers, then if found the rule performs some action. Because if your internet facing mail servers relayed the message it had to come from outside your organization, and hence somebody musta spoofed ya’. I will explain below.

A barebones rule, just to get the idea, will look like this… (just replace @example.com with your own work’s email domain)

Here’s what it does if not obvious…

1. Search for @example.com in the sender’s FROM address (not MAIL FROM:)
2. And then look for Received: from mail1.example.com in the message headers
   (you can add other servers separated by an OR, yes the colon and spacing are important!)
3. Assign the message to the “Spoofed” category.  (I made this up, you could also delete, or move the message to a separate folder, marking the subject unfortunately does not appear to be an option with client rules)

If you don’t know what “mailserver1.example.com” is at your workplace, the best thing is to ask your IT mail admin, if that’s you and you are still clueless (we’ve all been there) you can USUALLY get that information from the DNS MX records your company publishes on the internet.   The site http://mxtoolbox.com will allow you resolve those records.  Just enter your email domain where I have scottfromsecurity.com in screenshot below.  The info under the column “hostname” will be what you want to put in your rule, there will most likely be more than one.

If you want to categorize the suspiciously spoofed message like I did (because deleting or moving it can cause its own problems with lost mail and helpdesk calls) you’ll just need to create an Outlook Category, and choose a color (Red for example).  In Outlook main window click Actions…Categorize…All Categories…New…Add text that you want the user to see when they open the email.

This will allow the message to be categorized and will show a colored bar when opened.  To make it obvious to the user BEFORE the message is opened you’ll have to have them modify their current view.  The view will then color messages that are categorized with your new “Spoofed” category.  In Main Outlook and with your Inbox selected window go to View…Current View…Customize Current View…then click Automatic Formatting… Add,  name the auto formatting rule and set font to desired color, by clicking Font button, as shown.  Then click Condition button…More Choices Tab..Categories…and check off the “Spoofed. Please be CAUTIOUS of Web LINKS contained in this email.” category.

Death by Screenshot continues with some pics on the end result of the above configuration.

And here is the opened message showing the red bar with your category message at the top, in case the user does open it. Hopefully discouraging them from clicking any links the email may contain before checking with IT.

For the IT professionals here’s more along the lines of what the a fully functional rule would look like with more than one internet facing MTA, gives it low importance, and has some notable email address exceptions (ie. the good spoofing).

Caveats:

1. This probably won’t work if your external mail relays are also your internal mail relays, ie you don’t have MS Exchange or something to handle internally sent mail separately.  All mail will be shown as spoofed, unless you use separate interfaces and DNS names.
2. Far as I know GPO’s can not be used to push out Outlook client rules/configuration; you could potentially export the rule to a .rwz file and have users import it themselves. Tools…Rules and Alerts…Options(upper right)…Export or Import Rules button…navigate to .rwz file.   So deploying the config probably won’t be possible to do automatically, screen shots and a company wide email will most likely be required for the .rwz file import, category and view creation as well.
3. Also this is a Client only rule. As Outlook warns about when you go to save it.   That simply means if your Outlook client isn’t running the rule won’t take effect.  So on Monday you will need to launch Outlook and let it process your new email to see if it matches the rule.
4. It will be a window’s user profile specific setup, so might be something to add to the workstation build process or when desktop support delivers the box to the new user, after they log in for the first time.

I’m still in the planning stages of rolling this out at my current contracting position, so as I learn the positive and negatives around this approach I’ll be sure to update this post.

I was also toying with the idea, of using different actions such as “run a script” and “custom action” but they would further complicate what’s now is pretty simple. Also my current security monitoring analyst job does not get heavily into administration so can I  leave that up to the Exchange admins out there?  If anyone thinks up a better way to do this or anything cool (like marking the subject, so the category and view setup wouldn’t be needed) using a VB script or custom action with a .dll, feel free to leave a comment and share it with the 5 other people who read this blog.

___________________________________________________________________________
PS:  Lastly if all of the above is not appealing another blogger had a simpler approach involving tagging everyone’s email signature with some consistent text string and then writing a rule to filter on that.  This technique would identify the good (whitelist), where as mine identifies the bad(blacklist), why not try both and see which one works best for you? It also just occurred to me, with his approach, you might even want to make that text string white so it’s not overly obvious when the recipient sees it.  Read about it here… http://www.countryipblocks.net/training/the-cheap-way-to-keep-spoofed-email-out-of-your-inbox/

Good luck in your SPAM fight.

So I saw an interesting link on the interwebs, it is a packet analysis challenge with promise of invitations to  summer 2011 USCC Cyber Camps training in various locations (Delaware for East Coast folks, I believe) for the winners.  I registered and hope to complete the challenge this weekend; you have 24 hrs once you get the .pcap file to answer 30 questions about evidence of intrusion in the traffic.  You can read more about it here. https://quiz-uscc.cyberquests.org and http://www.uscyberchallenge.org The contest is over May 1^st 2011.

UPDATE:  I did well enough to be invited to the Virginia camps in early August, with full tutition, room, and board paid.  An awesome opportunity that I’m looking forward to.

I noticed an interesting feature yesterday that allows you to get an email when a computer that hasn’t been “authorized” authenticates to your account ( Click Account Button…Account Settings…Account Security). Facebook also allows you to see a log of the computers that have authenticated to your Facebook (security guys love logs) which is cool.  The log is weak on the technical side, no IP address, DNS hostname, or Useragent etc.  But it is an interesting feature that I believe banks should offer as well.

So I was about to Facebook post to recommend it to my friends when I realized I should Trust but Verify.   So I fired up RegShot, took a 1^st shot registered my laptop for the first time, and took a 2^nd shot.  No surprise there Facebook is using cookies at to keep the state of the registered computer.  I’m sure it’s a long fairly random string of characters that in no way have any login info in it.  Let me just open that file….  Oh Wait.  Is that my Facebook username which of course is also my primary email address in clear text? Now I’m no master web app designer but c’mon you are not supposed to put any part of the login in info in the cookie, OWASP agrees link (pg34).  XSRF and XSS are proven ways to steal cookies so they should not be considered secure.  SPAMMers would obviously pay more for confirmed facebook email addresses vs. the average SMTP Directory harvest attack. I’m sure bot net herders already parse their clients for such info and sell it on the black market.

To dig deeper I fired up WebScarab and intercepted the server response that sets the cookie. In checking security settings on that and several other cookies the web server sets.  I saw Http Only, expiration date/time as well as Domain and Path restrictions which are good and help defend against cookie stealing; but why wouldn’t they hash the userID by using SHA1 on the login info with time in milliseconds or something as a salt?  I admit this isn’t a HUGE deal but when you are in the top 10 websites by traffic in the world and your only “product” is other people’s personal info you’d think they would be pretty conservative when it comes to exposing 50% of the info needed to login.  Facebook’s history of coding errors and in general their opinion that data should be open to everyone is really becoming concerning.

They talk about the cookie exposing your username in their Privacy policy so there seems to be little concern on their side about it, because it’s “never your password”. I don’t agree.

http://www.facebook.com/policy.php

Cookie Information. We use “cookies” (small pieces of data we store for an extended period of time on your computer, mobile phone, or other device) to make Facebook easier to use, to make our advertising better, and to protect both you and Facebook. For example, we use them to store your login ID (but never your password) to make it easier for you to login whenever you come back to Facebook….snip….

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

I’m going to talk about Preparation and Identification today. See I enjoy the challenge of having a network and resources to protect.   Its funny to see how that translates into my non-work life, for example I always like RTS type games and often take a defensive posture by default.  Called turtling in the gaming world it’s more than likely to get you a loss because most games I played seem to favor the noob friendly kamikaze aggressive style, or rushing. However, that just makes me enjoy defense even more, who wants to take the uneducated inexperienced easy way out?  In the real world all out no fear, attack is not a legitimate info sec strategy for obvious reasons.

First it’s well documented how the “bad guys” have changed over the last 2 decades from notoriety seeking weekend hackers, to “hey I can make money at this” full time hackers, to organized criminal gangs.  What I don’t hear enough about is the current migration from gangs to an underground criminal marketplace, and that is just plain frightening.  Organized crime is dangerous and hard to stamp out but it’s a threat that can be met with equal good guy organization and cooperation.  Like when it took Elliot Ness and the federal government to stamp out the mobs and corruption of the 30’s.   Complicated Bad can be fought with complicated Good, hard but doable.  But how do you fight a decentralized economy of goods/service providers with a specialized skillset, profiting off loose, dynamic, and temporary connections to others?  That is really hard to do. Now throw in more recent fully state sponsored agencies targeting small subsets of the internet (Advanced Persistent Threat [APT] attacks on Google) and you’ll see why Information Security is so much in the news these days.

So here are some of my humble thoughts on how to counter act the new threats.

Preparation:

• Organization
  • Like having to streamline and color code you’re A/V cable connections, organization is a critical first step. To further the analogy just as your Stereo, TV, DVD, PS3 wires will still work in a rat’s nest, but troubleshooting/maintenance is a headache, and interference is more pronounced. Your network nodes need VLANS and subnets to be given out and arranged in such a way that traffic can be categorized for same reasons as stereo wires.  This does not actually provide security (i.e. reduce risk) but this preparation greatly enhances your ability in the identification and containment phases.

• Network Segmentation
  • Once your LAN is organized (NOT an easy thing to retrofit, everything just works on VLAN 1 right? you need to introduce the security (i.e. break things) by creating ACLs that actually limit traffic between groups that need to talk to each other.  This is where you get intimate knowledge of the network.  The thing that makes modern malware possible is the communication between it and its target, if every computer was an air gapped silo, you’d need sneaker net to infect them, then it comes down to Physical security which I consider out of scope of this discussion. So in my mind the Achilles heel of today’s threats is in their communication. After all w/o physical access, hacking can really be boiled down to this;
    • Black hat sends code to get data
    • Data is sent back to him

    That “sending” of code/data is were we have to strike for identification. With the current state of enterprise LANs you just can’t stop infections/targeted attacks 100% of the time.  While relatively old school blacklisting/reputation signature based techniques are needed (AV, IPS, URL and SPAM filters, DNSBL etc) I believe the future is in whitelisting inbound/outbound/internal traffic, in other words default deny.  The biggest advantage defenders have is that you can say almost w/o a doubt that the malicious code will come in and/or go out through your front door (inet connection). In other words you already know where the majority of attacks will come from, before you even start defending!

Indentification:

• Network Visibility

Once you’ve limited your attack surface with whitelisting filtering/segmentation, you need to monitor what traffic you do allow, but you can’t secure what you can’t see.  Which is why Network intelligence, next generation firewalls, log consolidation and correlation are all buzz words these days, they allow you to see so you can secure.  Principal of least priviledge FW controls are like boxing in the dark.  You can only protect (block) so much, and hope the hits don’t hurt.  See bad guys have to use your LAN to transfer the data; sending code in and then sending ill gotten data back to themselves. Yes they have encryption, custom protocols, obfuscation, seemingly infinite bot provided IPs\URLs so they can be very good at camouflaging their traffic. This is why network visibility must include a record of your past, present, and future traffic.

Because, the one thing they can’t control is what happened BEFORE they got on your network.  So if you can log, are able to data mine, and then alert on what is out of the historic norm along with common attack vectors/unexpected traffic patterns you bypass the bad guy’s above disguising techniques and at the same time the things that make the usual signature based detection so hard.  You are looking at the behavior of traffic not diving into the data is contains.  This is also where organization comes in, if I want to be alerted when any desktop client talks to a SQL server, or directly to a Server’s iLo port (everyone’s using the jumpbox right?), internet server on port 25 (Spambot), 31337(backdoor), or why is the DMZ web server suddenly getting inbound traffic to port 21 (Warez) how can I set that if all IPs are in the same or random subnets?  Individual alerts for every source and destination IP?  Ouch, that doesn’t scale well.  You need something like

• Desktop subnet:any to Server subnet:<choosen iLo port> alert
• Desktop subnet:any to !Rfc1918 subnet:25,31337  alert
• Desktop subnet:any to SQL DB servers subnet:1433,1434 alert
• !Your IPs:any to DMZ Server subnet:21

In summary, the steps above will take a strong stomach from upper management, committed and knowledgeable info sec professionals, and a change to the default enterprise network access model of filtered inbound, but wide open outbound, and internal traffic. Clearly this level of security is not for all companies, as it will break things and cause many complaints from userland trying to goto non-work related destinations.  But I honestly believe such defensive models will become what is required to keep the critical data safe as the internet becomes ever more embedded in human society it will increasingly be used as a vector to get the data needed by the bad guys. The sophistication of attacks will only going to get worse from here…

December 29th 2009  I noticed a story come across the wires about the singer Van Morrison and Gigi Lee having a baby. This was picked up by the Associated Press and many legitimate news outlets.  Turns out it was a carefully orchestrated plan to drive traffic for keywords already seeded on hacked websites that redirected to mostly known fake AV malware servers (more on that at bottom).  Not knowing this at the time I did a quick google search out of normal user interest and got these results…

Being the paranoid security guy I am, I immediately noticed the similarity in the URLs  and that they weren’t domain’s of news sites.  For example domain.com/xxx.php?=gigi%20… or domain.com/xxx.php?=van%20…  Hmmmm, those don’t look like legit results to me.  Welcome to the world of Blackhat SEO, I don’t presume to be the end all authority on this as Dancho Danchev and others Sophos have been tracking this for years. But this was a new twist, the bad guys were not grabbing the currently hot top search results (like when a celebrity dies) and competing with other pages to get their rank high, they INVENTED the keywords  and already had the seeded keywords in Google’s page rank before attacking Van Morisson’s website!  Gotta to respect the ingenuity, wish they were on the good guys side. Whatever Google is doing to counter the bad guys from gaming their page rank algorithm it isn’t working very well, although in this instance Google was working as intended.  If a malware author can poison a person’s view of the web (search engine results) then the average user doesn’t have much of a chance.  Turns out any one of the links redirected me to a known malware page. I followed them with Malzilla, here’s an example…

…. ALL LINKS CHANGED SLIGHTLY TO PROTECT INNOCENT….

1. First the click to Google’s search results
http [break] ://www.google.com/url?sa=t&source=web&ct=res&cd=17&ved=0CB8QFjAGOAo&url=

http%3A%2F%2Fxxxxx-law.com%2Fmvf.php%3Ft%3Dgigi%2520lee&ei=8K06S8yYFpS2swOKg_XBBA&usg=AFQjLNG7qREztsl9Fo0TC6RUCWNaB5Vp_A&sig2=48nUTmo26vz49MerFAydtg

2. Redirects to the search result

HTTP/1.1 302 Found
Location: http [break]://xxxxxx-law.com/mvf.php?t=gigi%20lee
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Dec 2009 17:04:04 GMT

Which is a .php script that looks like it’s taking an input of “t=gigi lee”  (the %20 is an encoded space) So I tried it w/o correct input and with “wget” default user-agent and was cleverly 301 redirected to cnn.com homepage, I thought that was a nice touch by the bad guys.

3. Continuing with the correct link gets me too, (hmmm  random .pl domain not a good sign.  No offence intended to Poland)

HTTP headers:

HTTP/1.1 302
Date: Wed, 30 Dec 2009 17:04:12 GMT
Content-Type: text/html
Server: Apache

Location: http [break]://vby1x4.xoeg .pl/in.php?t=cc&d=29-12-2009_tr2&h=xxxxxx-law.com&p=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3D…. snip….6vz49MerFAydtg

4. Then finally the below link which my endpoint HIPS stopped.  Just from the link you can tell it’s a fake AV Trojan and probably a couple exploits to go along with it (I didn’t go down the rabbit hole any farther).  Also I was impressed with Firefox WOT add-on (link) as I kept having to disable it to follow the redirects with FireFox.  Definitely recommend it, along with no_script of course

HTTP/1.1 302 Found
Date: Wed, 30 Dec 2009 19:08:52 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Location: http [break] ://createpc-pcscan-kokn .net/?uid=195&pid=3&ttl=e11476d0489

So I was intrigued by this .php file that they were able to upload to many websites like the example above which is a law firm in Boston Mass. I contacted several of them to tell of the infection and to ask if I could get a copy of that server side .php script, but none have done so.

So the whole thing was an elaborate scheme to get hits as it was most likely the same group of hackers that compromised the singer’s website and started the whole thing.  I was wondering how they knew to upload the files with the right keywords before the news broke and had figured they must have ongoing access to adjust the keywords or replace the .php depending on the current news story, which still could be true. The AP picking up the story must have had the bad guys celebrating for sure.

From BBC news site:

The Belfast-born 64-year-old said he had been the victim of an internet hacking attack that had placed “falsehoods” on his official website. BBC News was one of several outlets to report the hoax as fact.”The comments which appeared on my website did not come from me,” he [Van Morrison] said, in a statement issued to the media. The singer said he had asked his management team to carry out an immediate investigation, adding it was the second time his website had been hacked in the last three months.

Link to MTV talking about it.  They missed the point though it wasn’t an innocent hoax, it was motovated by the second oldest story book…..Money.

So what is the user/IT tech to do? Well there’s no easy answer, and in my humble opinion you have to trust but verify with research.  Check already trusted forums/websites of whitehats and coworkers along with other trusted IT user’s opinions.  In short, do your homework before installing any software on your machine.

Along these lines an interesting thing happened while I was dealing with a small outbreak of Vundo.Trojan at work. Our AV vendor didn’t detect the sample yet so I recommended for the IT staff to install update and run malwarebytes in safemode. For various reasons one infected computer had no immediately available IT rep so it was left up to the user.  When getting to the download link he was tricked by a deceptive (my opinion) advertisement on download.com (Right hand “Bad Link” in screenshot below) to install a “shades of gray” program called CyberDefender instead of malwarebytes (a trusted whitehat community supported malware scanner).

Tricky Tricky for the average user

Anyway, the latest scenario involved a city employee trying to get to a local high school’s website to get their layout.  The site was blocked with the category pornography, which seemed like a miscategorization.  After recreating the problem on my desktop I got a hunch, which leads me to the reason for this post.  I headed to google and searched “site:xxxxxx.edu nude”  and it came back with the results that would make any webmaster wince.  Pictured below (anonimized to protect the innocent)…

So that was quickly solved by making the school’s webmaster aware of the injected HTML SEO poisoning keywords and asking our vendor to re-evaluate the site once cleaned.  But more to the point such Google searches are a really cheap way to do some manual monitoring for websites under your protection. I personally do searches like these every few weeks, on the off chance one day I will get something other then no webpages found.  Don’t forget to submit requests to clear the major search engine’s cache if you’re hit or these results will stick around for a while.

PS I’ll leave it up to the reader’s imagination on which keywords to use.