17 December 2008

Even Phishing Emails warn of Phishing Emails

I received a phishing Email targeting customers of a UK bank just moments ago. I wouldn't normally post such things up, but I found this one particularly amusing and a bit of a phishing Email first, because the email actually warns of suspicious Emails and phishing! I thought the phrase "A new Second Level Password" particularly funny. The scam email finishes with another warning about "suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank - please ignore it and contact us now"; it all reads rather like a 1970s Monty Python sketch!

Phishing Emails always target one of two human emotions, Fear or Greed. This one is targeting Fear: its objective is to scare the receiver into thinking their bank account security (their money) has been compromised, so encouraging the user to click the link through to a bogus website impersonating the bank's site, where the user's banking credentials are harvested without their knowledge. "Greed" based phishing Emails usually offer free prizes, free holidays or just straight up cash, for example telling the receiver they have won the European Lottery, or that a Nigerian millionaire needs you to pay the bank transfer fees in order to send the large oil inheritance you are due, never mind that the user has never entered any lottery nor has any connection with Nigeria whatsoever.

Perhaps I shouldn't be making light of these scam Emails, as even though most people are aware of these types of phishing email scams today, there are always one or two who do get sucked in and caught out. This is why these scam emails are still commonplace in our mailboxes: quite simply, they work.

(I have removed the bogus website links)
"Dear Customer,

Latest News

ALERT MESSAGE: SUSPICIOUS E-MAILS - PHISHING FOR DEBIT CARD NUMBERS AND PASSWORDS:

Please be informed that currently fraud e-mails are sent to customers and non - customers of Alliance & Leicester Commercial Bank requesting to provide their online banking details.

In any case you should not provide any of your personal information or banking details.

A new Second Level Password has been sent to all our Retail customers in your online

Please activate the new one.

Start now the Alliance & Leicester Commercial Bank authentication process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Alliance & Leicester Commercial Bank would never ask you to give through e-mail or any other mean any private and confidential information.

If you receive in your mailbox a suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank,

please ignore it and contact us now.

Alliance & Leicester Commercial Bank Online Billing Department."

16 December 2008

No such thing as a Secure Web Browser

The big security story in the mainstream news today has of course been the security vulnerability in Microsoft's Internet Explorer web browser (Serious security flaw found in IE). The vulnerability can be exploited by deliberately engineered or compromised regular websites, allowing the attacker to invisibly access the host PC system, from which point a whole series of further attacks can be run, such as stealing website usernames and passwords. At this time Microsoft aren't saying when they will be releasing a patch to fix this issue, which is really unfortunate, as to my own knowledge this vulnerability has been known about for at least a week.

The solution to the problem being eagerly suggested on TV and radio news is to download, install and then use a different web browser, as other browsers are not affected by this flaw (which is completely true) and are "safe & secure". I have a problem with the latter claim, which I heard said and implied on several occasions today: it is a highly misleading statement, as there is no such thing as a "secure web browser".


A couple of weeks ago I spoke with some nice chaps from OWASP (Open Web Application Security Project), a non-profit organisation and "the" world-recognised authority on web application / website security. At the time I was taken aback and found it astonishing that at their last OWASP "brainstorming" event, which was attended by some of the world's leading web (site) application experts, not one of the web browser companies or organisations sent a representative, despite them all being "VIP" invited to the event. OWASP rightly recognise that the architects and developers of web browsers play a key role in the overall security of web sites (web applications) on the Internet, and the big flaw discovered in IE really highlights this.

The most widely used alternative web browser on Windows systems at this moment is Mozilla Firefox, which is completely free to download and pretty easy for any novice to install and start using. Personally I switched from Internet Explorer (IE) to Firefox several months back, mainly because I found it was generally a better web browser to use than IE, and I particularly found the array of security related browser plug-ins extremely useful. So I'm a Firefox convert, but I think it would be a completely wrong and dangerous statement for anyone to state or suggest Firefox is more secure than Internet Explorer. All web browsers by their nature, open source or not, are bound to have vulnerabilities present which are currently unknown and are yet to be exploited. You cannot ever get 100% security, and this law especially applies to software applications.

So what's my advice to IE users? Well I'm not quite going to be a sheep and bleat what I've heard others are advising the masses today, which was to just switch to another web browser application, and hey I'm certainly neither pro nor anti Microsoft either...

My advice is if you are using Internet Explorer, make sure you have "PROTECTED MODE" ENABLED (IE7 or 8 with Vista) and set the Security Zone to "HIGH".

And then make sure you are taking the usual security measures on your PC, such as enabling the local (Windows) firewall, applying all Windows patches & updates, and installing and keeping up-to-date anti-virus / anti-spyware software. Until a patch is released, be especially cautious when browsing "dodgy" type websites. Setting the security zone to high lets you accept or deny any scripts being executed through the web browser, which is how this and other vulnerabilities are exploited.

Sure, this could be an opportunity to give Firefox or another web browser such as Safari, Opera or Chrome a try out. Using a different web browser will fully protect you from this particular flaw, but do not assume your new web browser is any more secure than Internet Explorer. We tend to know a great deal about the security issues and weaknesses with IE, mainly due to it being the world's most popular, and therefore the most attacked, web browser. Firefox has also had (and no doubt will have further) its fair share of serious security vulnerabilities too - see the Mozilla Foundation Security Advisories - but these tend not to get the same level of media coverage, and to be fair Firefox vulnerabilities have tended not to be exploited to the same degree as IE vulnerabilities at present; but if everyone switched to Firefox and it became the world's most popular browser...

So if you are a Firefox user (like me), make sure you exercise all the usual security precautions on your PC: firewall, patches, security software etc. And for any techie who is truly paranoid, you could do what I do when researching the really dodgy websites, which is to run your web browser in a virtual session.

Finally, I have no doubt Microsoft will release a patch for this issue in the next few days anyway; it's just a real disappointment they couldn't have patched the problem last week as part of the usual security patch release cycle.

EDIT 17-Dec-08: Since the original post, Microsoft has released a patch for this vulnerability - http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

09 December 2008

Recommended Business WiFi Encryption

I was forwarded an interesting WiFi security tech question yesterday which resulted in a debate about whether hiding a WiFi SSID makes you secure. I just couldn't resist answering the question, and as usual went off on a security mission with my answer. I got lots of positive comments on my answers and my general advice around home and enterprise WiFi security, so I thought I'd post it up on my blog for all to see.

Original Q. "I've been having an ongoing debate about the practice of hiding SSIDs in a corporate environment.  I'm curious to know if hiding SSIDs is widely (emphasis on widely) considered a best practice or whether there are equal arguments on both sides.  My thoughts are that if you couple high grade encryption (WPA2) with some form of authentication (802.1x?) then hiding the SSID is unnecessary - and in fact makes it harder for valid users to find the network."

"Hiding the SSID can keep out the casual WiFi browsing neighbour, but will not prevent the “school boy” level of WiFi broadband thieves from finding out details of your WiFi network, you know those guys who steal WiFi for downloading illegal games, music and other unsavourily whatnot…

The SSID name plays an important part in the WPA-PSK encryption process, as the name is used to uniquely create (or salt, as it is referred to) the hash of the WPA passphrase in order to protect against brute-force attacks: each brute-force attempt needs to be hashed 4096 times, meaning it takes ages to try combinations of passphrases, although it is doable if you have power and time on your hands.  I have rainbow tables (like a hash answer cheat sheet) for the most popularly used SSID names against pre-computed hash values, which allows me to brute-force passphrases extremely quickly, so I can quickly crack poor WPA-PSK passphrases for the most commonly used SSIDs like “NetGear”.

So therefore my advice for commercial companies using WiFi is always to go with the enterprise WPA encryption options instead of using WPA-PSK (static key/passphrase). At home, go with a long and unique SSID name and a decent random passphrase, which will prevent rainbow table hash brute-force. If you are super paranoid at home, go with a 20 char+ random SSID name; hiding it doesn’t make any difference to those with the capability of breaking in.

Another point already made: do not name the SSID after your family name or company/department, you shouldn’t advertise what it is to the world, unless you are offering a guest WiFi network.

And yes, we all know WEP has been broken for 6 years; any WEP key can be cracked in a couple of minutes no matter the length and complexity of the password and SSID name you used.

Also in the corporate environment, best practice is to scan for WiFi rogue access points at least once a quarter, or even buy a device which continually scans if you have a particularly sensitive site to protect; this is regardless of whether you use WiFi or not at the site.

Oh, MAC address filtering is a waste of time too, MAC addresses can be easily spoofed (in fact they are impossible to prevent from being sniffed), and applying a sniffed MAC address to a network card within any OS is easy."
 
Response - "Thank you for your informative response.  While I’m quite knowledgeable of Microsoft’s products (AD, Exchange, etc.), I’d consider myself an intermediate when it comes to wireless security.  When setting up WAPs, I’ve always used WPA-PSK because that’s what I know to do.  I assume that Enterprise WPA is more secure, but I don’t know what it is.  Is there a website that you could point me to help learn more about this?  I understand that there’s a thing called 802.1x authentication that, for example, would let me require authentication against my Active Directory.  I envision a wireless user establishing the connection, and being prompted to enter their AD credentials, or perhaps it takes what’s cached from when you login to the computer.  Again, any good concise references to this stuff would be greatly appreciated."

"To recap, WPA-PSK (Pre-Share Key) is a personal mode designed for home and small office users who basically do not have any authentication servers available, i.e. Active Directory. WPA-PSK operates in an unmanaged mode using a pre-shared key (PSK), and uses a passphrase to create the encryption key, this the big weakness, as it’s vulnerable to bruteforce attacks. If you have to use this mode within the business setting, I recommend a passphrase of at least 13 characters and regularly changing of that passphrase. BTW the passphrase can be up to 95 characters in length.

By Enterprise modes, I was referring to WPA & WPA2 with IEEE 802.1X and EAP, which operate the WLAN in a managed mode. This uses the IEEE 802.1X authentication framework and EAP (Extensible Authentication Protocol) to provide authentication between the client and the authentication server. In this mode each user is assigned a unique key to access the WLAN. In answer to your question, it uses single sign-on with AD, or it can prompt, or it can be set up to use certificates.

Something else I should mention about enterprise modes is WPA-TKIP.  TKIP encrypts each data packet for each individual user one at a time, making the encryption extremely difficult to break.  WPA uses the RC4 encryption cipher, whereas WPA2 uses the AES encryption cipher, which provides a stronger degree of encryption than RC4. Recently TKIP was proven to have several minor weaknesses, in that it’s possible to inject a few packets and decrypt ARP frames in around 15 minutes; although this is not overly concerning and not a major flaw, in my view it is always best to completely avoid such potential issues and go with the WPA2 AES option given a choice.

You can use digital certificates with WPA-EAP-TLS, and there’s PEAP authentication as well; all have single sign-on capabilities with Active Directory, LDAP, NDS and even with NT Domains."
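To show why the advice above (a long, unique SSID; a decent passphrase) defeats the per-SSID rainbow tables mentioned in the first answer and the brute-force weakness of WPA-PSK described in the second, here is an added example, not part of the original exchange: it derives the WPA-PSK Pairwise Master Key as the standard specifies (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, for 4096 rounds) and shows that a table precomputed for one common SSID is useless against any other SSID. The SSIDs, passphrases and word list are constructed.

```python
"""Added example (not from the original post): WPA/WPA2-PSK key derivation,
written out so the SSID's role as the salt and the 4096-round cost are visible.
PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32)."""
import hashlib
import hmac
import struct


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written out in full.
    WPA wants 32 bytes and SHA1 gives 20 per block, so two blocks are needed:
    every passphrase guess costs 2 * 4096 HMAC-SHA1 computations."""
    derived = b""
    block = 1
    while len(derived) < dklen:
        # U1 = PRF(password, salt || INT(block)); Ui = PRF(password, U(i-1))
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            for i, byte in enumerate(u):
                t[i] ^= byte
        derived += bytes(t)
        block += 1
    return derived[:dklen]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for a WPA-PSK network; the SSID is the salt."""
    return pbkdf2_hmac_sha1(passphrase.encode(), ssid.encode(), 4096, 32)


def matches_stdlib(passphrase: str, ssid: str) -> bool:
    """Cross-check the hand-written loop against hashlib's PBKDF2."""
    expected = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return wpa_pmk(passphrase, ssid) == expected


def precompute_table(ssid: str, candidates) -> dict:
    """The precomputed-table idea the post describes: PMKs computed in advance
    for ONE SSID so a network's PMK can be looked up instead of derived.
    Because the SSID is the salt, the table is only valid for that exact SSID."""
    return {wpa_pmk(p, ssid): p for p in candidates}


def table_recovers(table: dict, passphrase: str, ssid: str) -> bool:
    """Does a table precomputed for some SSID recover this network's passphrase?"""
    return table.get(wpa_pmk(passphrase, ssid)) == passphrase


# Constructed example values (not real networks).
COMMON_SSID = "NETGEAR"
UNIQUE_SSID = "k7Rw3q-home-9ZpL2x"          # long, unique SSID as the post advises
WEAK_WORDS = ["password", "letmein", "sunshine1", "football"]


def demo() -> dict:
    table = precompute_table(COMMON_SSID, WEAK_WORDS)
    return {
        # Same weak passphrase: the precomputed table works against the default SSID...
        "default_ssid_cracked": table_recovers(table, "sunshine1", COMMON_SSID),
        # ...but not against a unique SSID, even with the identical passphrase.
        "unique_ssid_cracked": table_recovers(table, "sunshine1", UNIQUE_SSID),
        # The PMKs themselves differ, which is the whole point of the salt.
        "pmks_differ": wpa_pmk("sunshine1", COMMON_SSID) != wpa_pmk("sunshine1", UNIQUE_SSID),
    }


if __name__ == "__main__":
    print(demo())
```

The first assertion in the accompanying check uses the IEEE 802.11i published test vector (passphrase "password", SSID "IEEE"), so the loop can be trusted before reasoning about the SSID's effect.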

14 November 2008

Reason to Secure your Home WiFi

Just the other week I saw a “Which? Computing” report which highlighted complaints against video games companies who were going around accusing innocent people of being file-sharing pirates. In one case Atari accused a couple in Scotland of file sharing the game Race07. The couple were aged 54 and 66, and unsurprisingly had never played a computer game in their entire lives, yet they received a threatening letter care of Atari’s lawyers, instructing them to pay a £500 fine or face court action.

In due course the fine and case were rightly dropped; however, there were 70 other similar cases dropped, often involving senior citizens who had never heard of peer-to-peer file sharing.

But what caught my attention was the law firm’s response in making these accusations. According to Michael Coyle, an intellectual property solicitor with law firm Lawdit, “more and more people are being wrongly identified as file-sharers. Most commonly problems arise when a pirate steals someone else's network connection by "piggybacking" on their unsecured wireless network”. While prosecutors argue that users are legally required to secure their network, Mr Coyle dismisses this. "There is no section of the Copyright Act which makes you secure your network although it is commonsense to do so" he said.

For some time now I have been warning home users about the consequences of not securing their home WiFi properly, or even purposely sharing WiFi Internet access with anyone in range. In this case it was a computer game being shared without the WiFi network owner’s knowledge, which resulted in a scary letter from a law firm. But what if their neighbours or a complete stranger were using the Internet connection to file-share illegal pornography? It would probably result in a knock on the door by the police, subsequent removal of all computer equipment from the address and an arrest. Interestingly the lawyers were certainly thinking about blaming the WiFi network's owner; I wonder whether, if the network had been intentionally shared by the owner, they could be found liable. Regardless of that, I don't think it's the smartest move to purposely share your home WiFi network outside your home.

Opening wireless network access up, or not ensuring the WiFi is properly secured, opens up many other concerns. For one, it’s possible for someone to listen in on (snoop) your Internet traffic, learn what websites you visit and in some cases steal personal information. Unless you encrypt your Email, the bad guys can intercept and read your Email, and even adjust the Email contents without your knowledge. And by attacking the wireless router from inside the WiFi network, they can even redirect you invisibly to fake websites. For instance it's possible to snoop which bank website you use and adjust the DNS settings on the WiFi router, so the next time you visit your bank website your computer sends you to a fake bank site which has the correct URL in the address bar; in doing this the bad guys could harvest your bank account website logon credentials without your knowledge.

All food for thought. Whether it's stealing your personal information, or your neighbours committing file sharing piracy or worse, you should make sure your home WiFi is secured for just your own usage, and avoid all the inconvenience and hassle.

11 November 2008

Web Application Security with HP's Billy Hoffman

The increasing shift in Internet hacking attacks against the (web) application layer is leaving many end customers as victims. Recently I met up with the head of HP Security Labs and Web application Security researcher Billy Hoffman, and discussed why this attack vector is on the rise, and solutions to the problems.

In recent years there has been an explosion in the number of web applications on the Internet, the so-called “Web 2.0”. Web applications are becoming more complex, and whether they are social networking sites, e-commerce sites or banking sites, the new breed of web applications are increasingly handling large amounts of consumer financial data and personal details. Such information is of commercial value and is targeted by cyber-criminals. Many web applications are simply not developed as securely as they ought to be, and as a result are vulnerable to web application hacking and attacks. The bad guys are taking advantage of this situation, with recent research showing 75% of cyber attacks are now carried out at the web application level. So the stakes are high for the end consumers of these web site applications, and the rewards are high for the cyber-criminal who exploits poorly written web application code to steal data. In essence, if the application doesn’t have proper security checks written into the code, the hacker can take advantage and make the web application do something it wasn’t designed to do, which can result in large amounts of consumer information being harvested by cyber criminals. One of the most common attacks is SQL Injection, which can literally return whole chunks of the database within the webpage, while another common attack is known as Cross-Site Scripting (XSS), which allows the attacker to inject malicious code into the webpage, which in turn could steal user login sessions and deliver malware to user desktops, amongst other things.

Firewalls do not protect Web Applications
What’s even more worrying about web application attacks is that such attacks are often not even being monitored and are therefore going unnoticed by the website administrators. A web application (layer 7) attack completely bypasses the security and monitoring provided by devices such as network Firewalls and Intrusion Detection and Prevention Systems, and by website encryption (SSL/TLS - that golden padlock on the browser). Even network level penetration tests resulting in “not hackable” seals of approval offer no guarantee against a web app hack. So when you see that webpage stating it’s a “secure website”, using encryption (“https”) and displaying an up-to-date anti-hack testing seal of approval from a well known security company, none of it says anything about the security of the web application itself, which could be full of major security issues despite all those security measures, which only operate at the network layer.

Network layer security really does lull some organisations into a false sense of security. A specific web application layer penetration test can be used to test for web application vulnerabilities; however, these are still rarely carried out on a regular basis by small to medium sized organisations, and even by some large organisations, mainly because it costs too much to get one done, or the organisation just isn’t aware of the problem.

The Reality of Web App Hacks
A recent UK example highlights the problem. A few months ago Manchester based online clothing outlet Cotton Traders disclosed that their website users had been victims of a web application attack, namely a SQL Injection attack in early 2008. They had firewalls, a “secure” encrypted website and a seal of approval, yet their customers had credit card details stolen through a web application attack. And just last week Netcraft found a cross-site scripting vulnerability on Yahoo.

Why are these Web Application Attacks possible?
It’s quite simple: the developers writing the web application code either do not know how to code a web application to be secure, such as using proper field validation, or the developers are skipping proper coding techniques in a bid to have the application ready and released due to commercial pressures on time. Either way these are needless flaws and yet are all too commonplace, with 8 out of 10 web applications on the Internet having a high to medium web application vulnerability going unchecked.

How to combat Web Application Security?
Some vendors will stake their or their client’s reputation on installing a Web Application Firewall (WAF); however, WAFs are still a relatively new technology. I have to say I am sceptical about any vendor who says such a product is the silver bullet which will plug all possible web application layer vulnerabilities. The other big problem with a WAF is throughput, as every packet has to be inspected at the top layer of the protocol stack (layer 7), so data packets need to be disassembled and analysed, which takes time and results in a performance hit. The answer to the performance hit is to have a large WAF or many WAF devices inline, which can really rack up the cost. I am not dismissing using a WAF, but for me it needs to be part of a “belt and braces” security approach, which means ensuring the code is developed and tested for web application vulnerabilities prior to release; for me that is the first and key battleground to win, ahead of installing a WAF.

How to Secure the Development of Web Applications
To do this, developers need to be properly and regularly trained to code web applications securely. In addition, other controls within the development process are needed to ensure corners are not cut, security coding is not being missed, and mistakes are not being made. It is surprisingly easy to miss validation on that one field, and the more complex the application, the more likely security vulnerabilities are to slip in. The answer to this problem is to use a web application vulnerability scanning tool as part of the development process, and for testing within live environments.

One of the leading commercial web application vulnerability scanning suites of tools is Hewlett-Packard Security Labs’ DevInspect, WebInspect & QAInspect, which was formerly under the umbrella of SPI Dynamics, who were acquired by HP in 2007. For further details about these tools and what they can do see
https://h10078.www1.hp.com/cda/hpms/


Billy Hoffman (HP Security Labs)
I managed to spend quality time with web application expert Billy Hoffman, Head of HP Security Labs. I use the phrase “quality time” because Billy Hoffman is just one of those guys I could talk techie security with all day long, and I count myself lucky to have spent several hours chatting about web application security with Billy, as well as listening to several fascinating “hacking” stories, which I can’t publicly repeat!


Billy is just one of those inquisitive, out of the box thinkers, which makes you thankful he is one of the good guys, a white hat. However Billy first became well known as a bit of a grey hat hacker, known as Acidus. While he was studying at Georgia Tech he famously hacked the university swipe card system, finding a fault with the magnetic stripe data, and it’s fair to say his resulting exposure of the flaw wasn’t fully appreciated by the system owners. Billy went on to graduate from Georgia Tech and joined Atlanta start-up company SPI Dynamics, becoming their Lead Security Researcher. Billy and SPI Dynamics specialised in web application security and web app vulnerability scanning products. So Billy is a real web application subject matter expert and is a frequent speaker on the subject at many of the top security conference events around the world. In fact I think the term “Web Application Security Guru” is the more fitting description to use when describing Billy Hoffman.

In late 2007 Billy released his first, and in my view much needed, book on Ajax security, appropriately called “Ajax Security” (http://www.amazon.co.uk/Ajax-Security-Billy-Hoffman). Today many web applications are being re-written in Ajax, which gives an application that “real desktop application” feel within the web browser. However, poorly written Ajax code produced by developers is introducing a new frontier of web application security vulnerability problems which the bad guys are taking advantage of.

Prajakta Jagdale (HP Security Labs) on Flash Security
Also in attendance at the meet-up was HP Security Labs Security Researcher Prajakta Jagdale, who highlighted issues with Flash application security. In recent times malware has targeted poorly secured Flash web applications, and there have been several cases of successful exploitation of premium website Flash applications by malware and hackers. A common example of such an exploitation is specific malware which automatically embeds advertisements within the application, known by the term “Malvertisement”. The bottom line is that secure Flash application development is really not too different from traditional secure web application development: developers need to code the application so it is fit for the purpose of being public facing. We all agreed writing a secure web application isn’t rocket science; most of it is just common sense, such as adding proper validation checks on entry fields by whitelisting acceptable characters instead of trying to blacklist. However the “secure” development of Flash applications still tends to be overlooked by many organisations, perhaps because Flash applications are more difficult to scan than traditional web applications, perhaps because there are fewer people with the expertise to code review and test them, or perhaps because Flash applications aren’t on the radar of security testers and professionals. Whatever the reason, Prajakta’s research and findings on Flash application security are very interesting, and lead me to believe there are many Flash applications on the Internet today which are vulnerable to attack.
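The SQL Injection described earlier in the article and the whitelist validation advocated just above, as an added example that is not from the article or from HP's tools: a customer lookup built by string concatenation against a constructed in-memory SQLite table, beside the same lookup with a bound parameter and an allow-list check on the input. The table, rows and username rule are constructed for the demonstration.

```python
"""Added example (not from the article): a SQL injection flaw beside the two
fixes the article calls for, parameterised queries and allow-list ("white list")
input validation, against a constructed in-memory SQLite database."""
import re
import sqlite3

# Constructed sample rows standing in for a customer database; the card
# numbers are placeholders, not real values.
SAMPLE_CUSTOMERS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-2222"),
    ("carol", "3400-xxxxxx-33333"),
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: the input is pasted into the SQL text, so a value containing a
    quote changes the structure of the query instead of just its parameter."""
    sql = "SELECT username, card FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Fix 1: bind the value; the database never parses it as SQL."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Fix 2: an allow-list of what a username MAY contain, rather than a black-list
# of characters we think are dangerous (which is always incomplete).
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_ALLOWED.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: reject anything outside the allow-list up front, then
    still use a bound parameter for the query itself."""
    if not validate_username(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterised(conn, username)


def injection_demo() -> dict:
    """Run the same inputs through all three lookups and report what each returns."""
    conn = open_sample_db()
    # The textbook injection string: it closes the quoted literal and appends a
    # condition that is always true, turning a one-row lookup into a full dump.
    hostile = "' OR '1'='1"
    try:
        lookup_hardened(conn, hostile)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),          # 1 row
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),         # every row (3)
        "parameterised_hostile": len(lookup_parameterised(conn, hostile)),  # 0 rows
        "hardened_normal": len(lookup_hardened(conn, "alice")),              # 1 row
        "hardened_rejected": hardened_rejected,                              # True
    }


if __name__ == "__main__":
    print(injection_demo())
```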

Summary
In summary, in the security industry today it is generally accepted that the web application security problem is increasing, with the bad guys going after this layer more and more. It’s not hard to learn how to attack at the web application layer either, anyone can do it, and interestingly it is not particularly difficult to fix. Speaking with application security experts like Billy Hoffman and Prajakta Jagdale really underlines the importance of web application security, and the role of the HP Security Labs Dev\Web\QAInspect web application vulnerability tools in tackling the problems. It is clear that the HP Security Labs suite of web app security tools is helping many responsible organisations develop and deliver public facing web applications much more securely, which in the end protects those organisations’ end consumers.

If you have any interest in testing your web application, check out the HP Security Labs website and download a 15 day free trial of their tools.
https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200_4000_100__