Sunday, June 29, 2008

"Zlob" trojan OR DNSChanger - Same thing

Use default passwords, get hijacked

As the title says, use default password on your wireless/wired routers and wait for the new variant of the "Zlob" trojan to infect you, it will then try every default router username/password combinations from routerpasswords. Or even check this text file, search for your current user/pass to make sure they are not in the list.

Zlob (or as known DNSChanger) will modify the DNS settings to use other rogue DNS servers. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue and could potentially re-routes traffic from legitimate web sites to other suspicious web sites.

Countermeasures against DNSChanger:
  • Change your router default password to something complex. Make sure it's long, and contains symbols and numbers.

  • Configure your router to allow management access from specific machine only (e.g, Admin PC), this will prevent infected machines from reaching your router.

  • Update the current firmware to fix any security issues.

  • If possible, change the management port to something else. (e.g, port 80/443 to 555)

  • Configure Syslog/SNMP on the router to watch any configuration modifications or failed login.

  • Rename the admin account on the router, Or see next.

  • Disable/delete admin account, and create another one with different name and password.

  • Deploy an IDS on your network to detect malicious activities (e.g, router user/pass brute force attack / requests to rogue dns servers / video codec downloads )

  • Deploy an URL filtering software/appliance that filters access to any malicious websites/pages that provides codec/fake codecs.

  • Disable UPNP on your router, becuase it's not secure anymore. check here

  • Block access to these IP's (85.255.116.164 / 85.255.112.81)

  • Use Purenetwork Security scan for wireless networks, check here.

  • Keep your machines up-to-date. Most malwares targets a specific vulnerability to reach the system.

  • Get legitimate video codecs, install them on your machines, and inform your users that their machines are ready to play any video format and there is no need to download codecs from
    untrusted sites.
    check here.

DNSChanger Hack

New DNSChanger "Hacks" Router In Mac?

As we all know, DNSChanger has two executables: EXE for Windows and DMG for Mac OS X. This threat has been around for quite sometime, but there’s nothing exceptional until last week a new variant captured TRUSTEDSOURCE's attention. [Read WashingtonPost blog]

A new EXE variant of DNSChanger is capable of changing users’ DNS settings by hacking the configuration page of the wireless router. Is this true ? Yes, it’s targeting a list of routers and performs dictionary attack.


Is there similar variant affecting Mac? Let’s check the latest downloadable DMG file, courtesy of several PornTube sites roaming around the net. Read iThreatsBlog

Thursday, June 26, 2008

ID Theft ruins credit history

ID theft – steals more than money

A guy went to buy a car, but his credit application was turned down. He was shocked when he called the credit reference agency and was told that he had too many credit cards and other loans outstanding to qualify for any more credit. His credit file had fraudulent loans and store cards, as well as three credit cards taken out in his name. It all added up to over seven thousand pounds/dollars. His local police did give him a crime number, but he has been left trying to sort out the mess.

He found it hard to know exactly what to do. It is now over eighteen months later. A guy still has not been able to get all those fraudulently created entries off his credit record.

All in all he had to contact different companies, write over a 100 letters and make as many phone calls. It is not just the time and money that is difficult for victims, it is the stress. A guy have to deal with debt collectors, been turned down for mortgage and he still cannot get credit to buy that car.

Unfortunately, this guy’s story is common. Victims often find it difficult and time consuming to get their good credit re-instated. They have to deal with many different companies.

What should we do in order to protect our self?

First of all we should use little bit of our common sense. At least, once in every 3 months get a copy of your credit history so you can monitor any unusual credit inquiries. Keep track of your credit applications so that you can match it with the report you get. Last but not least, make sure you give your personal information to right people or organization. Your identity means alot to yourself - it just doesn't ruin your credit history but it also affects your personal life.

Monday, June 23, 2008

Fraudsters pool data to beat plastic fraud checks

How to fool address verification system (AVS) in Credit Cards purchases?

Credit Card fruadsters have come up with another
cool idea to trick the AVS in credit card purchases. Because AVS does not check all values in the address (i.e. just the house number or postal code) it is possible that an attacker could use an alternate address that has the same numbers (i.e. same house number but different street). I qoute from the article:

However fraudsters have begun exploiting the fact that many addresses can have the same AVS code. By making sure billing addresses and delivery addresses used in scams have the same code they make it more likely that purchases will go through.

In order to perform fraudulent transactions all fraudsters would need to have is your name, address and credit card number. This information is usually obtained through e-commerce database compromises, phishing scams, key-loggers and hacking into co-operates databases. The attacker would then need to find a drop site that has the same information that is checked for in your address (i.e. same house number but different street). This could work for one account number. If they want to replicate it they need to find a new drop site, which is rather difficult and time consuming.

How to become Qualified Security Assessor (QSA) ?

Certified Payment-Card Industry Security Manager (CPISM)

Many of my friends asked me how they can become a Qualified Security Assessor (QSA)? Here is the answer provided by Society of Payment Security Professionals.

The Certified Payment-Card Industry Security Manager (CPISM) is the de facto certification for those within the payment-card industry who want to prove their security and industry knowledge. To prepare for this rigorous exam there are a few documents
available online to assist you.

First there are the CPISM Knowledge Domains.

* Payment card industry structure
* Payment card structure and data
* Payment card transaction processing
* Compromise fraud statistics and trends
* Merchant risk analysis
* Laws and the regulatory environment
* Payment card security programs
* Third party relationships

Check online for the following documents at the
Society of Payment Security Professionals(SPSP):

* CPISM Overview Document
* CPISM Bibliography
* CPISM Study Guide

I am not in a big favour of certifications. I believe in technical experience, skills and knowledge of the individual. But, if you don't have a platform to start with then certification would be the right way to step into that particular domain.

Friday, June 20, 2008

Australia's most gullible

Top victims of cybercrime?
Australians experience one of the highest levels of cybercrime in the world, according to a new survey — but are Aussies really such easy targets?
A survey of computer users in Australia, the US, France, Germany, Italy, Sweden, Spain, Czech Republic and Brazil ranked Australia as having the "highest incidence of cybercrime in the world" only a week after the Federal government launched its Stay Smart Online campaign.

Results of the study — which surveyed 1000 users from each country — showed that just over 39 per cent of Australian respondents identified themselves as victims of cybercrime, ahead of Italy (32 per cent), the US (28 per cent), Czech Republic (24 per cent), Brazil (22 per cent), Germany (20 per cent), France (19 per cent), Spain and Sweden (14 per cent each).


The study, commissioned by security vendor AVG, found that Australian's were most likely to be victims of online crimes such as fraudulent email scams (14 per cent), phishing (10 per cent) and credit card fraud (5 per cent).

Wednesday, June 18, 2008

Home computers hacking risk

Who to blame, Hackers or Home Users?
HOME computer users are leaving themselves open to cyber attack by failing to take basic security precautions, researchers warn.
HOME computer users are leaving themselves open to cyber attack by failing to take basic security precautions, researchers warn. A survey found one in 10 never updated their anti-virus software and 25 per cent of computers were infected by malicious programs.

Also one in three home users admitted clicking links on spam emails which could open them up to hackers.

The study, by the University of Queensland's Computer Emergency Response Team, sparked concerns over unsafe computer use.

Audit tool for Linux and Unix

Lynis

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Examples of audit tests:-
  • Available authentication methods

  • Expired SSL certificates

  • Outdated software

  • User accounts without password

  • Incorrect file permissions

  • Firewall auditing

For further information please click here.

Monday, June 16, 2008

How easy is to create fake accounts and SPAM!

CAPTCHAs aren’t working

Rsnake's blog actually pointed me to a pretty interesting websites called allbots and imagetotext.

According to these websites, you can buy bots which can break CAPTCHA ( For that you have to buy third-party service) and create fake accounts for you. They have pretty interesting price list as well:

MySpace Accounts Creator with Picture Uploader, Profile & Layout Manager - $140.00
MySpace Accounts Creator with Picture Uploader, Profile & Layout Manager -$320.00
YouTube Accounts Creator - $95.00
Friendster Accounts Creator - $95.00


And the list goes on...

They also claim on their website:

*Note: All bots are undetectable and they all have built-in proxy support. They randomly change referrers, user-agents and other headers to remain undetectable. Thanks!

Now you can see, Spamming is so easy! We really need to use good spam protection and also need to make sure who we add in our Myspace, Facebook and other social networking websites. My suggestion to all the social networking users - please take extra precautions in using your accounts and make sure you are sharing your information with right people.

Changing Admin Password - Windows XP

If you forgot your password - Follow the below instructions

I know a lot of people know how to do this? A good friend of mine, he is not computer savvy asked me this question so i thought of posting for all of you guys who need help in this section.

  1. Place your Windows XP CD in your cd-rom and start your computer (it's assumed here that your XP CD is bootable and as it should be - that you have your bios set to boot from CD)

  2. Keep your eye on the screen messages for booting to your cd Typically, it will be Press any key to boot from cd.

  3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.

  4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now

  5. The Licensing Agreement comes next - Press F8 to accept it.

  6. The next screen is the Setup screen which gives you the option to do a Repair.It should read something like if one of the following Windows XP installations is damaged, Setup can try to repair it. Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.

  7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.

  8. Shortly after the Copying Files stage, you will be required to reboot. (this will happen automatically - you will see a progress bar stating Your computer will reboot in 15 seconds.

  9. During the reboot, do not make the mistake of pressing any key to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.

  10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.

  11. At the prompt, type NUSRMGR.CPL and press Enter. Bingo! You have just gained graphical access to your User Accounts in the Control Panel.

  12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for password. After you have made your changes close the windows, exit the command box and continue on with the Repair (have your Product key handy).

  13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.

This security hole allows access to more than just user accounts. You can also access the Registry and Policy Editor, for example. And its gui access with mouse control. Of course, a Product Key will be needed to continue with the Repair after making the changes, but for anyone intent on gaining access to your system, this would be no problem.

Note: you cannot cancel install after making the changes and expect to logon with your new password.

Ok, now that your logon problem is fixed, you should make a point to prevent it from ever happening again by creating a Password Reset Disk. This is a floppy disk you can use in the event you ever forget your log on password. It allows you to set a new password.

Here's how to create one if your computer is NOT on a domain:

Go to the Control Panel and open up User Accounts.
Choose your account (under Pick An Account to Change) and under Related Tasks, click "Prevent a forgotten password".
This will initiate a wizard.
Click Next and then insert a blank formatted floppy disk into your A: drive.
Click Next and enter your logon password in the password box.
Click Next to begin the creation of your Password disk.
Once completed, label and save the disk to a safe place.
How to Log on to your PC Using Your Password Reset Disk

Start your computer and at the logon screen, click your user name and leave the password box blank or just type in anything. This will bring up a Logon Failure box and you will then see the option to use your Password Reset disk to create a new password. Click it which will initiate the Password Reset wizard. Insert your password reset disk into your floppy drive and follow the wizard which will let you choose a new password to use for your account.

Note: If your computer is part of a domain, the procedure for creating a password disk is different.

Friday, June 6, 2008

Welcome To Untrusted Computing

Enjoy Free WIFI Now!!

I am at Hongkong International Airport. I know, pdp from GNUCITIZEN, has raised this issue couple of times. Okay, before i start commenting, have a look at this picture first:



Of course, they have clearly mention under their terms and conditions that:

PCCW and/or the Airport Authority of Hong Kong does not warrant that the Service will be uninterrupted, error-free, or free of viruses or other harmful components.

My favourite part:

You expressly acknowledge that there are and assume all responsibility related to the security, privacy and confidentiality risks inherent in wireless communications and technology and PCCW and/or the Airport Authority of Hong Kong does not make any assurance or warranties relating to such risks.

If you will look bit closer at the above picture, you will notice they also have secure wireless connection known as Extra-Shield PPTP. They are not recommending users to go through secure wireless connection infact letting users to use untrusted Internet connection.

I have a stay here for 8 hours. I have seen huge list of users using this excellent service including students, tourists, business men, etc

Now, do i have to explain to you guys what can be done if someone is connected with insecure network connection? Na, leave it - you guys can figure out yourself !

All my advice to users and people who travel frequently. Please make sure you are connecting via secure network connection. Not everyone is nice like me :)

Tuesday, June 3, 2008

Selling Security

How to Sell Security

Very good article by Bruce Schneier on how selling security is difficult and fraught with cognitive bias. A recommended read to anyone that has to sell security service both to other customers or internally in their own organizations.

Metasploit hacked

Interesting




How to check if a system has been hacked?

Use Built-in Windows commands

Ed Skoudis, has recently posted an interesting article to help users to find out if there system has been hacked or has been malware/virus infected.

According to Ed Skoudis, the following five commands are useful and interesting starting point to find out whether your computer has been hacked or infected?

  1. Windows Management Instrumentation: Windows XP and Vista include a command-line utility (Wmic.exe) to access Windows Management Instrumentation (WMI). Previously, an end user would generally write a script to gather information by means of WMI. Wmic.exe can only be used by the local system administrators regardless of WMI namespace permissions on the local machine.

  2. NET commands: They are commands that use the NetBIOS protocol in Windows. They are a simple and easy way to utilize network resources and, in some instances, can make certain tasks easier than if you had used a GUI (Graphical User Interface). Keep in mind that NetBIOS is a non-routable protocol and thus you will not be able to use these commands with machines on subnets other than your own.

  3. Openfiles: Many Windows administrators are unfamiliar with the powerful openfiles command built into Windows. As its name implies, this command shows all files that are opened on the box, indicating the process name interacting with each file.

  4. Netstat: It is a great tool that allows you to get a quick overview of different aspects of your networking setup. The Windows netstat command shows network activity, focusing on TCP and UDP by default.

  5. Find: The find command has the ability to count. Invoked with the /c command, it'll count the number of lines of its output that include a given string. Users often want to count the number of lines in the output of a command to determine how many processes are running, how many startup items are present, or a variety of other interesting tidbits on a machine. To count the lines of output, users could simply pipe their output through find /c /v "". This command will count (/c) the number of lines that do not have (/v) a blank line ("") in them. By counting the number of non-blank lines, the command is, in effect, counting the number of lines