Posts

Showing posts from 2011

NACHA Phishing Scam

This phishing scam has been widely reported from as far back as Feb 2011. Today I received the email myself. The first warning sign was that there were approximately twenty other email addresses CC'd on the same email, all supposedly having the same failed transaction number. Obviously a mistake on the part of the sender. Also the from address didn't bear much relation to the supposed sender: *thi***@sui****.com. Opening the email on a "safe" machine, I took a look through the source and there was a significant amount of JavaScript, along with a link to a website in South Africa which is accessed once the "view report" link is clicked. The site is a company site and therefore has likely been compromised and the offending link hidden with a numeric directory name. NACHA have reported this scam and users should not open the link due to its likelihood to infect the machine. To protect identities, the CC'd addresses, website link and from address have

Fake BA Email Scam

This one has reached a lot of people including myself. Check the email below. The url in red is where clicking the link above it actually takes you. Once clicked you are redirected to another fake webpage. (below) This is where you are asked to enter your credentials. Right or wrong the credentials entered get harvested and the link redirects you to another real BA webpage. BA are aware of this scam and are looking into it....

Would you know if you had been hacked ?

It would be fair to say that many companies assume they have secure systems because they implement strict security measures. The problem is how do we know that our security is working? Does never getting hit by a virus mean that our anti-virus software is doing its job, or have we just been lucky? It usually takes an incident to focus awareness on system or procedural failings. The benefits of regular Penetration Tests are well understood in the industry; however, taking more time to frequently examine and understand log files will pinpoint areas of concern a lot sooner if they are being exploited. The problem with log files typically falls into a few categories. 1) The number of devices which require management. 2) The quality and retention period of the logs produced. 3) Understanding the meaning of the files themselves. Even the simplest of networks will have one or more servers, a firewall, a router and wireless access points, to name a few. Firstly enable logging on each devic

Vulnerability scanning <> penetration testing

It is fair to say that vulnerability scanning / port scanning is a component of any penetration test; however, many companies are relying purely on the results of these scans to assess their security, often carrying out these assessments themselves or using automated services. The role of a pen tester is a continuous learning curve and the use of tools can greatly simplify the bulk of the task, however many of the issues I find are through manual testing and verification, as tools alone cannot always pinpoint these issues. Testing your own systems also has its disadvantages due to the fact that tests are undertaken against known targets using expected input. A third party testing the same target will approach this from a different angle, as they do not always know what is expected and will vary the attack in order to glean different responses. Interpreting these errors and modifying the approach can often lead to uncovering new vulnerabilities in the systems. On many occasions it m

SecurID was responsible for Lockheed Martin breach

SC Magazine Full Story

Apple MAC Fake Virus Alert

Similar to the Windows fake AV alerts, MAC users have now been targeted with a fake AV scam. After visiting an infected site, the software scans the user's hard disk and reports on viruses found. Users are then given the opportunity to purchase remedial AV software, thus parting with credit card information. The trick here is that it can masquerade as the legitimate MAC Defender application, making the users less suspicious about the warnings. Apple Mac users have been advised to disable a setting in the Safari browser that allows "safe" files to be automatically installed. Full details on removing and preventing this malware can be found here. Apple MAC Malware Removal

Fortinet FortiToken simplifies 2-factor authentication

Fortinet have delivered a solution for 2-factor authentication within their Version 4 FortiOS. Customers with the Fortigate UTM platform can make use of the solution by upgrading their systems to V4 MR3. This is a free upgrade for customers with maintenance. The only chargeable components are the tokens themselves. Traditionally 2-factor authentication required some form of middleware solution which intercepted the logon details to verify the token one-time password. This middleware is included in the FortiOS and therefore minimises implementation and up-front costs. The offering works with Fortinet's IPSec and SSL VPN remote access (also included within the FortiOS).

Sony makes the right call

The Playstation network has been down since about 20th April now. The full consequences of the attack may take some time to manifest; however, the commitment to ensuring security since the attack has been foremost on Sony's agenda. The difficulty here is that although what has happened may be relatively clear, the how and who may be less obvious, and because of this Sony need to take extra care when restoring the services as they cannot afford another similar incident. The fact that they may be offering a reward for information relating to the identity of the attackers proves that whoever did this was skilled enough to hide their tracks well. With enough digging, many clever breaches can be traced due to the smallest fragment of information in the logs or other data leading to clues. There is a claim that information pertaining to the group Anonymous has been located on the systems; however, Anonymous have denied the incident and apparently say they may have been framed. If the o

Application Control In The Workplace Using the Fortigate UTM

Whether you are a small or enterprise-size business, controlling internet application usage can become a major productivity, not to mention security, issue. With the ever-growing number of applications available to users the problems escalate. Facebook, Instant Messenger and online gaming, to name a few, are difficult to manage with traditional firewalls. Typically, for example, Port 80 may be allowed for users to access the internet; however, many of these applications use Port 80 to "get out" on. Also most applications are able to port hop and find open ports to use, making allowing or blocking them a difficult, if not impossible, task. Fortinet offer a solution to this by integrating Application Control into their UTM appliances. Regardless of the application or port, Fortinet are able to inspect the traffic and pinpoint applications being used. Depending on the application type there are several actions which can be taken, with multiple levels of configuration and granularity. A

UPS Delivery Scam

Out of the blue I received the famous UPS delivery email. Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc. Attached was a rar file purporting to be the delivery information. Knowing of the scam, and also that I had not ordered anything, I saved the rar file into a virtual machine and took a peek with Notepad. Pretty much all of it was random ASCII except for the legible text "United Parcel Service document.exe". Knowing this was a virus, I submitted it to an online virus scanner to verify the content. The abbreviated version of the output is outlined as follows. W32/Agent.OUH!tr It displays the following fake warning message: Danger! Harmful viruses detected on your computer... It deletes the following various registry keys It creates the following new registry entries It tries to download files f

Free Anti-Virus, Anti Spyware, Firewall and URL Filter Solution From Fortinet

If you are looking for a free anti-virus product, there are a few to choose from; however, the FortiClient suite offers many additional features beyond a standard anti-virus product. Fortinet are the world leaders in the Unified Threat Management arena and have a client in their portfolio. There is a premium version for the enterprise and a standard version free for download. The image shows the features and a download link is provided below. Download

Microsoft Telephone Call Scam Still Rearing Its Head

A colleague of mine called me this week to report he had received a call from a foreign-sounding gentleman from Microsoft. The man seemed to have a fair bit of information about my colleague and was reporting that Microsoft had flagged his PC as being infected with a known virus. At this point my colleague was suspicious and started to ask a few questions, to which the bogus Microsoft techie tried to answer with various cover-up tactics, asking my colleague to run a few commands on his PC etc.... This was when my colleague insisted that the bogus Microsoft person send a letter to him stating exactly what was being asked so he could show it to the technical team at work (us). To this the Microsoft techie replied an email would be quicker, but my colleague insisted on a letter. I am sure a letter which will never arrive, and if indeed it did, it certainly wouldn't be from Microsoft. Click here for a story from 2010. Further Reading

Aerohive Wireless Solutions

Aerohive Networks has introduced an innovative new class of wireless infrastructure equipment called a Cooperative Control Access Point (CC-AP). A CC-AP combines an enterprise-class access point with a suite of cooperative control protocols and functions to provide all of the benefits of a controller-based wireless LAN solution, but without requiring a controller or an overlay network. Aerohive Networks' implementation of a CC-AP is called a HiveAP. Read More

We are under attack !

Surprisingly, the UK Government has made recent press releases about the possibility of cyber attacks against their systems. I have worked in the IT Security space for 16 years and the possibility of attacks and espionage has always been a very real threat. Indeed I have been called in to investigate many instances of such threats. Whether it be a virus, direct attack or intrusion, they have all been very real for many years. Vigilant and responsible companies have consistently carried out the necessary measures to at least protect themselves from the majority of the well-known exploits and deploy other systems to alert for suspicious network activity. They train staff and continue to review their policies on a regular basis. Standards have been implemented to enforce and, to some degree, force companies and institutions to fall in line with specific levels of security, so why should the Government assume that they were somehow immune from such attacks? This is nothing new, althou

Hackers penetrated Nasdaq computers

Full Story CNET

UK Threat From CyberAttacks

UK Under Threat From CyberAttacks

Passwords...nothing new...just a recap

Been doing a lot of work around password security lately and I think it is fair to say that given enough time any password can be cracked. The time could be hundreds or thousands of years in some cases when using brute force methods. In reality though this time is likely to be a lot shorter than we think, due to end users only being able to cope with relatively short passwords. Using various tools on Windows XP, Vista and 7 machines, it was surprising to see just how many passwords were recovered in a matter of minutes, and not hours or even years. Passwords on Windows machines can be local or cached Domain credentials. Password attacks can be classified into two main categories: Online: Where the attacker is physically on the PC or network in question and is either actively trying tools against the host PC or attempting to sniff the traffic to and from that machine for hashes on the wire (later taken offline). An important note here is that we do not need administrative credent