Here’s an interesting twist on the old Internet Pharmacy scam… we’ve all gotten those emails offering to sell us various pharmaceutical products without the need for a pesky prescription.  Now, I’m assuming that all of the readers of this blog are smart enough to keep their credit cards in their wallets and hit delete.  However, there are apparently enough dimbulbs out there to keep these guys in business.  They order the pills and get… real drugs?  expired drugs?  fake drugs?  Who knows?

Well the scammers have come up with a new way to extract further profits from the stupid… according to a news release from the US FDA, version 2.0 of the scam now comes with a twist.  After taking an order for Rx free drugs, the scammers apparently come back for a second round – they call the purchaser posing as FDA agents or other law enforcement types and threaten the mark with fines, arrest, deportation, property searches and the like.  The “agents” then tell their victims to provide a credit card or wire transfer the money to pay their fines and avoid further trouble.

This is the kind of thing that makes me wish I was unafflicted by a conscience… seems a lot easier than working for a living…

We shall bring the Great Satan to its knees... kill Twitter! Bwah hah hah!

As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter.  Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.

Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it.  It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page.  The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers.  The lesson here?  Guard those user names and passwords and don’t use the same password for all of your accounts!

I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible.  However, I have found an answer to this issue… LastPass is a web site and browser add in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome.   When you start your browser, you type in one password to decrypt the password files and you are set to go.   You can use 2 factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.

I have been using LastPass for a while now and have found it to be be a breeze to use.  Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.

The main question is… are these guys trustworthy?  My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.

I’m using LastPass, and I’m prettay, prettay paranoid..

OK, before I get started with this blog entry, I want to be up font with you.  I have become a cliche… I am writing this from Starbucks whilst sipping a cafe mocha and leeching off their free ‘lectricity.  I have truly become one of those stereotype bloggers.  Shoot me now.  Anyway, on with the post…

It seems that the German government is getting together with ISPs to set up a help line for citizens whose PCs are infected with malware.  The ISPs will watch network traffic for signs of communications between zombie computers and their evil controllers.  When the ISPs detect malware activity, they will direct users to a website with instructions on getting their computers free of viruses, worms, back doors and the like.  For users who need additional help, 40 government employees will staff a call center dedicated to helping out.  (This truly sounds like a job from hell…).

This is a great idea, which other countries should consider with one twist; vendors such as Microsoft, Apple, Adobe, and the like should be required to kick in some funding for this type of work.  After all, it is their software which opens the doors to cybercriminals and (potentially) cyberterrorists.  Maybe pegging the amount they have to pay to the number of security advisories issued by the CERT about their software would make sense.    It would be pretty easy to gauge the success of this type of an effort by tracking and publishing stats on the numbers of infected machines before and after. As for the cost beyond the vendor kickins, there are a lot of places in the US federal budget to get the money from…

What do you think?

Read more
Germany pays to clean malware from Windows PCs.

The NSA is one of the most secretive of the US Government’s TLAs (three letter agencies), which makes sense since it is charged with intercepting, decrypting and analyzing communications for the intelligence community.  However, in addition to its role in SIGINT, the NSA is also tasked with helping the government and private industry secure systems against cyber attack (information assurance).  If you go to the agency’s web site, you’ll find a number of configuration guides which provide security advice for products such as computer operating systems, database servers, and Cisco routers.  These guides are a great use of our tax dollars (IMHO) – they help protect government systems from attack and (with some modifications) are helpful to private industry.  So why am I telling you this?

This week, we’ve seen some press wondering whether Microsoft’s and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release.   According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.

So, is Microsoft helping the NSA get access to millions of computers worldwide?  Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak.   But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions.  Maybe it is time for the government to separate the jobs of protecting information and gathering information.

One of the issues that the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state level secrets.   After all, widget production figures don’t need the same level of protection as the nuclear launch codes.  I think a lot of security professionals pass the NSA documents by because of this perception.  What would be really great would be a separate release of private sector versions of these types of documents from a less ominous and more civilian oriented agency.  For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:

• Home users
• Educational institutions
• Small and medium sized businesses
• Large enterprises
• Critical Infrastructure Providers
• Financial Institutions

I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling the information owned by others or controlling critical infrastructure must meet.  Having some very basic standards (and some teeth to back them up) would do two things:

• Provide incentives to enterprises to secure their systems
• Provide a generally accepted security baseline
• Provide small and medium sized businesses who don’t have a high level of security expertise in house with a clear and concise roadmap (and instructions) as to what they need to do.

I think that there would need to be private sector involvement in developing these documents, of course.  It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.

On guard, protecting your data

Last week, the big story in social media (and infosec) was the theft and subsequent publication of a whole mess of internal documents from Internet phenomenon Twitter.  While the purloined documents did not contain any earth shattering information, the incident was pretty embarrassing for Twitter and raised some questions about the wisdom of using cloud applications such as Google Docs for corporate applications.  Further information has been released as to how the documents were filched and there are lessons in this for all of us.

Authentication questions are not secure enough to protect passwords. Think about all of the information about you out on the Internet… your Facebook page, your postings to web forums, mentions on school and social organizations’ web sites.  This information can be used to guess correct answers to those questions used to protect your passwords.  My advice?  Make up “special” answers that have no basis in reality – just be consistent about them.  Maybe your first school was the Jupiter Academy of Space Sciences or your first pet was a Tapir.  Using a set of “special” answers gives you another level of password protection for your real passwords.

Using the same password for all sites is a recipe for disaster. I know… we all have a zillion passwords to remember and asking you to have a separate password for each site you visit is a pain.  But think about it… if I get hold of  the password you use for Facebook, can I also access your bank account and your email?  There are some really good tools to help manage a plethora of passwords.  My personal favorite is Keepass, which runs on PCs, Linux boxen, and Macs.  Keepass keeps your passwords (get it?) in an encrypted file which you can carry with you or store “in the cloud” safely since it is encrypted.  (You need a password to open the password file – make sure it is unique!)

Old email accounts can come back to haunt you. One of the tricks used by the attacker was based on the fact that web email providers sometimes recycle accounts which have not been used in a long time.  In this case, the Twitter employee had listed a Hotmail account as their backup email address for Google Mail.  This meant that when the attacker answered the password reset questions correctly, the new password was sent to the hotmail account.  Just one problem… the Twitster had not used the Hotmail account in a really long time, so it expired.  The attacker simply signed up with Hotmail for a new account with the same name and voila… the password was his (or hers).

The overriding lesson here is that the “best” hacks are not the result of amazing technical skill – they are the result of a moderately smart attacker taking advantage of the openings we leave for them.  YOU are in control of your online security – if you are going to get hacked, at least make the SOB work for it!