Wednesday, April 25, 2007

How To Spot A Scam

Spotting a scam isn't always easy. More than anything, it helps to view e-mails, phone calls, and people at your front door with a critical, skeptical eye. If you're skeptical, you'll look for holes, and in 19/20 scams you'll find them without too much searching.

In this blog post I'll walk you through two recent examples of scams that have targeted me. The first one I'll talk about made it through my spam filter this morning.
Scam One

Here's the e-mail:


Let's start with the red flags:

I will need a few moments of your time to cover all related lottery-type information from procuring your prize to any related taxes.


Any time someone wants information for tax purposes, they want your social security number. This should cause alarm bells to ring. Loudly.

Then there's this line in the e-mail:

44.71.188.154 9/3/2006 0:19


This appears to be an IP address and a date and time. I believe this line is there to lend some kind of credibility to the e-mail, but the year says 2006 and the time is 19 minutes after midnight. Clearly something odd is going on.

Seeing that date lead me to look at the date of the e-mail, which is "April 25, 2007 4:14:23 AM MDT" -- and this is another red flag. A quick Google search tells us that North Aurora, Illinois (where this company is supposedly located) is in the Central time zone, so this e-mail went out at 5:14am Illinois time, which is a bit earlier than their own stated office hours:

P.S. For your convenience, we are available 8:30 AM to 4:00 PM Central Standard Time, Monday to Friday


As long as we're looking at the e-mail headers, let's take a look at the From address: cedwardsb -at- prize-claim-center.com. But the e-mail says its from "Michelle Ruland." Shouldn't that from address look more like mruland -at- prize-claim-center.com? Or micheller -at- prize-claim-center.com? It's another red flag.

By now its obvious that this is a scam, but as a final check, let's take a look at their website. We never click links in e-mails (and nor should you), but with proper protections in place, it can be okay to type a URL into your address bar. Instead of going to the referenced page used supposedly for unsubscribing from their list, let's check the site's home page:



...it's blank. No website there.

As a final note, there are a lot of these "claim your prize" type of e-mails out there. If you entered a drawing for a prize somewhere, you almost certainly gave your phone and mailing address. If you put your e-mail address on there as well, it will likely be used for spam and it will not be used to contact you about the prize. Finally, if you really did win, there would be specifics about when you filled out the form, where, what it was for, and what you won.

Scam Two

I received a phone call at home. The caller said he was with Discover card and wanted to confirm some charges on my account. I haven't used my Discover card in a long time -- in fact, I shredded it -- but even so, this sounded important and the caller rattled off a discover card number that was supposed to be mine. Then the caller asked me to confirm my identity by giving him my social security number. Whoa there! I've never had a fraud department ask for that information before. So although I was convinced that it was Discover calling, my skepticism kicked in and I asked if I could call him back. He gave me the real 800 number for Discover Card, which I confirmed after I got off the phone by going to their website. When I called Discover, they had no record of any charges on my account for several years and they confirmed what I already knew: it wasn't Discover who had contacted me. For good measure, I officially canceled the card on that call.

The big lesson here is again skepticism. Even very convincing, helpful, and friendly callers to your house who seem to know who you are and maybe other details about you, should not be trusted. If anyone, ever, calls you and then asks, for any reason, for details about you -- your address, mother's maiden name, social security number, etc. -- ask if you can call them back. Get their number, but then don't use the number they give you, instead look up the number on the Internet or in the phone book. Prudence will save you a world of headaches. Also, never trust Caller ID. Just because your phone says Discover Card Fraud Department is calling, doesn't make it so. That information is easy to fake.

Phishing

Phishing scams are getting better. Phishers are able to reproduce their target websites much better now so all the broken links that used to be a dead giveaway are happening less frequently. If you get an e-mail ostensibly from your bank, paypal, ebay, or any official institution, don't follow the links in the e-mail. Use your own bookmarks or enter the official site into your URL bar directly. Do this every time. What you lose in convenience, you more than make up for in security and identity protection.

Combatting Fraud

From the FTC website:

If a scam artist has contacted you or if you've been defrauded, contact the FTC at www.ftc.gov or 1-877-FTC-HELP. We gather evidence, identify fraud trends and alert law enforcement throughout the U.S., Canada, and abroad. By reporting your experience, you can prevent others from becoming victims and help put an end to fraud.


Here are e-mail addresses for forwarding scams, spam, phishing, and more (this has been compiled from different sources but most notably from the Internet Storm Center:

Spam
uce -at- ftc.gov

spamarchive.org is interested in any spam, but send it as an RFC822 attachment to submitautomated -at- spamarchive.org.

Child pornography
children -at- interpol.int
gmail -at- cybertip.ca
Do not send child porn e-mails to spamarchive.org or redistribute anywhere besides the above two addresses.

Nigerian/419 scams
419.fcd -at- usss.treas.gov.

OEM software
netpiracy -at- siia.net
piracy -at- microsoft.com

Phishing
reportphishing -at- antiphishing.org
phish -at- ists.dartmouth.edu
spam -at- mailpolice.com
phishing-report -at- us-cert.gov
phish -at- phishtank.com (but you have to register at phishtank.com first)
Also: postmaster -at- corp.mailsecurity.net.au, spoof -at- millersmiles.co.uk, and report -at- reportphish.org, but send the mail as an RFC822 attachment.

Pills
webcomplaints -at- ora.fda.gov
drugs -at- interpol.int

Pyramid scams
fraud -at- uspis.gov

Rolex/replicas
steve.govin -at- rolex.com
expert -at- lpconline.com

Stock/pump and dump
enforcement -at- sec.gov

Tobacco
alctob -at- ttb.treas.gov

Viruses
Submit to Threat Center, Jotti, and Virus Total. Also, you can forward to av -at- annex.esoft.com.


Note: If you have updates or additions to the above list of e-mail addresses and websites, please post them in the comments.

Monday, April 23, 2007

Patched Apple Flaws and New Quicktime Flaw Impacts Windows and Mac

Apple's been in the crosshairs recently. Last week they released their fourth security update of the year fixing 25 separate security issues. Several of the fixes are related to file format flaws announced in the Month of Apple Bugs in January. Others allow local privilege escalation.

Possibly the most serious issue is with the RPC runtime (libinfo) library used by services such as NFS. Mu Security has provided some very specific details on the flaw and for machines that are running NFS, the information may be enough for an attacker to create an exploit.

Although we haven't seen any exploits for any of these vulnerabilities, all Mac users should update before exploits start hitting the 'net.

On a related note, security researcher Dino Dai Zovi won a $10,000 bounty when he found a flaw and wrote an exploit to hack into a fully patched Mac laptop. We now know that the flaw he found was actually in the Quicktime application and can be exploited in various browsers and on various operating systems including both OS X and Windows. Exploitation of this flaw requires the user to browse to a malicious website. There is no fix for the flaw at this time, but disabling Java in your browser should protect you. If you don't regularly use Java Applets when browsing websites (I can't remember the last time I came across a website that required it) you should go to your preferences or options and disable it right now.

Wednesday, April 18, 2007

PHP Applications and Vulnerabilities

Every day we sift through an avalanche of newly found vulnerabilities in PHP applications and they all come down to improper sanitization of user-supplied input. Until our Universities are teaching secure coding techniques in Computer Science 101, we'll be in this situation for a long time. But that's a rant for another day.

Here's an example list of vulnerability announcements of PHP application over the last 24 hours:

• EclipseBB Phpbb_Root_Path Remote File Include Vulnerability
• Extreme PHPBB2 Remote File Inclusion
• Zomplog File.PHP Directory Traversal Vulnerability
• Joomla Template Module Index.PHP Remote File Include Vulnerability
• Gizzar Index.php Remote File Include Vulnerability
• Joomla/Mambo JoomlaPack Module MosConfig_Absolute_Path Remote File Include Vulnerability
• Cabron Connector InclusionService.PHP Remote File Include Vulnerability
• Wabbit PHP Gallery v0.9 Cross Site Scripting
• ActionPoll Script (actionpoll.php) Remote File Include
• LS simple guestbook - arbitrary code execution
• MyBlog <= 0.9.8 Remote Command Execution Exploit
• my little forum 1.7 Remote File Include Vulnerability
• PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
• Directory traversal vulnerability in Kai Content Management System (K-CMS)
• Directory traversal vulnerability in Monkey CMS 0.0.3
• Cross-site scripting (XSS) vulnerability in OpenConcept Back-End CMS 0.4.7
• PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9
• Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9
• ... and more!


Remote file inclusion, remote code execution, SQL injection, directory traversal, and cross site scripting vulnerabilities are running amok in PHP programs.

Ed Finkler at CERIAS took the time to sort through the NIST vulnerability data and come up with the top 20 offending PHP programs by score and by volume of advisories. This is skewed, of course, because programs not being prodded could be just as vulnerable, but less visible. Just the same, it's pretty interesting. Here are the top 5 by number of entries:
  1. MyBulletinBoard
  2. phpBB
  3. phpMyAdmin
  4. WordPress
  5. PHPNuke


The top 20 is even more enlightening if you happen to use some of those products (like VBulletin, Jupiter CMS, Joomla, and TikiWiki).

Anyone running this kind of software should be doing frequent scans of their files to make sure they haven't changed without their knowledge, frequent downloads of their website to make sure people haven't added code, and should make sure that their web server is isolated from sensitive parts of their network.

Note from the sponsor:eSoft's Intrusion Prevention Softpak has generic and specific detections for a number of common PHP vulnerabilities.

Triage For Oracle Critical Patch Updates

tri•age (from dictionary.com)

–noun

1.    the process of sorting victims, as of a battle or disaster, to determine medical priority in order to increase the number of survivors.

2.     the determination of priorities for action in an emergency.


As always, our focus at Threat Center is on remotely exploitable vulnerabilities. Our interest in privilege escalations and local attacks takes a back seat to vulnerabilities where an anonymous attacker could compromise your business.

Yesterday was Oracle's quarterly "Critical Patch Update" or CPU. This round they released 36 new security issues across the following products:
  • Oracle Database

  • Oracle Secure Enterprise Search

  • Oracle Application Server

  • Oracle Collaboration Suite

  • Oracle E-Business Suite

  • Oracle Enterprise Manager

  • Oracle PeopleSoft Enterprise

In other words, just about every Oracle product is affected. The Suites listed above include numerous programs such as the Oracle Portal, Oracle Streams, Oracle iSupport, Oracle iStore, Oracle Applications Manager, Oracle Agent, and more. For details on all of the patches, view Oracle's security advisory. For a quick triage of the updates, read on below.

Oracle Database


DB01 Core RDBMS Authentication Bypass on Windows
This flaw was reported to Oracle in 2002. Exploiting this flaw is trivial and can be done remotely by an unauthenticated attacker... but you probably aren't affected.

This flaw is specific to Oracle databases running on Windows machines that have "Simple File Sharing" enabled. Simple File Sharing allows a user to share files with anyone without the hassle of managing usernames and passwords. All users are authenticated as Guest regardless of the username or password they provide. If Oracle is configured to use OS-based authentication on a machine with Simple File Sharing enabled, then every attempt to authenticate against the database as any user will be successful. Hopefully if you're running Oracle Database on a Windows machine you aren't also doing any kind of file sharing, and especially not the free-for-all file sharing that is "Simple File Sharing."

David Litchfield has a paper with the full details.


DB05 Authentication Component Logon Trigger Bypass
This is a flaw that requires login credentials and usually wouldn't merit a mention, but it could allow users to bypass logon triggers. These are frequently used to control access by time of day, IP, and other factors or to add extra audit trails, etc. Many of the fixed flaws in this batch that do require a user to first log in may be more dangerous if the user first takes advantage of this logon trigger bypass flaw.


Oracle Enterprise Manager


EM01 Oracle Agent Authentication Bypass

A person can connect to the Oracle Agent and shut it down without authentication.


Oracle Application Server


AS04 and AS05 Oracle Portal Component Flaws
Two flaws in Oracle Portal can be remotely exploited over HTTP to gain access to the system. Authentication is not required and one of them is rated as easy to exploit. This involves some kind of parameter tampering, but we don't have more details at this time.


Oracle E-Business Suite


APSS02 Oracle iProcurement and APPS03 Oracle Report Manager
The vulnerable pages for both of these components are blocked by default by the URL firewall and are therefore not of high concern.


APPS05 and APPS06 Oracle iStore Parameter Tampering Issues
While these two bugs both require authenticated users, an anonymous user can self-register and get an account that way. Once they have an account, the attacker can get unauthorized access to information such as order information for other users. It isn't clear, but this may include access to credit card data. Because of this possibility, and the fact that Oracle says the exploit is of low complexity, we're rating this as a serious vulnerability. If you use the Oracle iStore, upgrade your software right away.


And that's it for the vulnerabilities that look serious to us. For the less serious vulnerabilities where authenticated users are able to gain elevated privileges, there are some exploits in the wild, so if you have strict trust settings, you will want to get going on installing these patches.

Of course we recommend installing all of the patches as soon as possible. If you need time to test the patches before installing, then start with the ones listed above.

Note from the sponsor: Many of the flaws that are fixed in this month's Oracle CPU center around SQL Injection and Cross Site Scripting. eSoft's Intrusion Prevention Softpak provides generic protection for many of these types of attacks. To prevent these types of attacks in the future, refer to eSoft's newest whitepaper, 10 Tips to Better Security.

Monday, April 16, 2007

Microsoft DNS Server Exploits Abound

Over the weekend a number of exploits turned up that make it easy to exploit the recently announced flaw in RPC found on Microsoft DNS Servers.

Those using best practices to firewall inbound connections to ports not explicitly needed should be protected. People who have Windows servers at colocation facilities or who use ISPs to host services where the ISPs don't have gateway firewalls setup are at risk.

Among the circulating exploits are an exploit module for Metasploit.

We're also beginning to see variants on established worms, in particular the Rinbot/Nirbot worm, taking advantage of this exploit. This behavior means that unprotected machines will likely be found soon, so please make sure you are following all of the suggestions in the Microsoft Advisory as well as following firewall best practices.


Note from the sponsor: the new worms are detected and stopped by the Gateway AntiVirus Softpak, while attempts to exploit the DNS RPC flaw are detected and stopped by the Intrusion Prevention Softpak. The InstaGate firewall is also instrumental in defending against this vulnerability.

Friday, April 13, 2007

New Microsoft DNS Server Exploit

There is an exploit in the wild, although not yet public, that takes advantage of a flaw in RPC on Windows DNS Server. Microsoft has issued a security advisory with some recommendations on how to protect your computers while waiting for a patch from Microsoft.

Here is a list of affected operating systems:

  • Windows 2000 Server Service Pack 4

  • Windows Server 2003 Service Pack 1

  • Windows Server 2003 Service Pack 2



The best advise from Microsoft on this issue at the moment is to disable RPC capability for DNS servers by changing a registry value. From Microsoft's advisory:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'

  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

  5. Double click on the newly created value and change the value's data to '4' (without the quotes).

  6. Restart the DNS service for the change to take effect.



And you should make sure you are blocking all unsolicited traffic on ports over 1024. In fact, you should block all unsolicited incoming traffic period. Use personal firewalls on individual machines and gateway firewalls between your machines and the Internet.

TCL Episode 7 - April 13th, 2007

The seventh episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Microsoft Patch Tuesday: Client/Server Runtime Subsystem, UPnP, MS Agent, and Content Management Server. Also: new Word exploits and windows help files. Apple's Airport Base Station, Oracle, Winamp, eIQ Networks Enterprise Security Analyzer, Kaspersky ANti-Virus, Symantec's Enterprise Security Manager, MIT's Kerberos package, including the telnet daemon, various Cisco wireless products, and a new version of the "storm worm."

Link

Thursday, April 12, 2007

New Worm, More Social Engineering

The Internet Storm Center is reporting a new worm making the rounds. It may be a variant of the "Storm Worm" (we use the word worm loosely here) and it is being detected as Nuwar/Zhelatin.

It's worthy of note chiefly because of the social engineering tricks it is using. The subjects of the e-mails include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

And the e-mail tries to trick users into opening the encrypted zip attachment (the password is displayed inside an image) by convincing them that the attachment will protect them from the worm. It's a true trojan horse pretending to be a gift. Be suspicious of e-mail gifts.

This worm is also of note because of the encrypted zip. This is not new ground and is in fact an old trick. A number of virus scanners have the option of blocking encrypted zip files, but most gateway devices will not block encrypted zip files due to the high number of false positives and legitimate encrypted zip files. Your desktop antivirus solution is the best thing to protect you here. That and common sense.

Note from the sponsor: eSoft's Desktop AV and Intrusion Prevention Softpaks protect customers from this threat.

Tuesday, April 10, 2007

Apple Airport Base Station Vulnerability

Versions of Apple's Airport Base Station -- Apple's wireless access point product -- with 802.11n capabilities are vulnerable to a flaw that could allow unauthenticated wireless users to inject traffic into the network. Apple has released a firmware update to fix the problem.

802.11n is an emerging standard for wireless communications that is much faster than other commercially available wireless protocols. Apple is pushing 802.11n in order to wirelessly push movies to TVs through their Apple TV product.

Note that if you haven't updated the firmware on your base station in awhile (six months or more) you probably aren't vulnerable.

Microsoft's April Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Today Microsoft released 5 advisories that impact all of their operating systems. Of highest concern are those that can be exploited remotely, and of these, there were three. Here's the summary:


  • MS07-018 -- Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

    Microsoft's Content Management Server, which allows users to "quickly deploy scalable, reliable and dynamic personalized e-business web sites," can be compromised via a "crafted HTTP request." Users of MCMS are advised to make their sites Read Only until they apply the related patch.

  • MS07-019 -- Vulnerability in Universal Plug and Play Could Allow Remote Code Execution

    Universal Plug and Play is a technology intended to make it easy for computers and devices to interact with limited manual configuration. It's frequently used to configure port forwarding on routers, and peer-to-peer networking of PCs.

    This bug affects all versions of Microsoft Windows XP through Service Pack 2. The built-in firewall on XP SP2 will restrict attacks to the local network segment. A properly configured firewall between the vulnerable computer and the Internet will stop attacks exploiting this vulnerability. To make sure your firewall prevents these attacks, check your settings and see if UDP port 1900 and TCP port 2869 are blocked.

    Update: although Microsoft's advisory says only XP is affected, reports are coming in saying that Windows 2000 is affected as well.

  • MS07-020 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    Remember that annoying animated paper clip that used to show up when you opened a Microsoft Office document? That's the Microsoft Agent and its still around. It can be used by any application or web site to provide an interactive question and answer dialog. Unfortunately, it can also be used by a malicious website to run arbitrary code on a user's system.

    Internet Explorer 7 is not affected. All operating systems with Internet Explorer 6 or below are vulnerable. To workaround the vulnerability, disable the Microsoft User Agent by following the instructions in the advisory. Or install the patch or update to IE 7.

  • MS07-021 -- Vulnerabilities in CSRSS Could Allow Remote Code Execution

    CSRSS is the Windows Client/Server Run-time Subsystem (winsrv.dll). It's a core part of the operating system on all versions of Windows from 2000 through Vista. This vulnerability has had exploits in the wild since December 2006. Luckily, most of the exploits for this are local privilege escalation exploits, meaning that a piece of malicious software can use this vulnerability to gain full control of a system. However, Microsoft says that there are remote exploitation vectors that are exploitable by malicious websites. Although more details on this attack vector are net yet public, it is likely that it won't be long before we see code that remotely exploits this vulnerability. We'll keep an eye out for this.

    Also in this advisory are another local privilege escalation and a denial of service involving the Client/Server Run-time subsystem.

  • It should be mentioned that the recent MS07-017 advisory (the ANI file format vulnerability) was supposed to be announced today, but was announced and released a week early due to widespread exploitation.


Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from remote exploitation of the vulnerabilities announced today.

Monday, April 9, 2007

ThreatLevel Returned to Normal

Microsoft's release of an out-of-schedule patch for the .ANI bug has helped the threat abate. While malicious .ANI files are still being seen actively in the wild, the available patch and widespread antivirus signature coverage has caused us to lower the Threat Level to more normal levels of awareness.

Microsoft Patch Tuesday is tomorrow. Let's hope there are no big surprises.

Tuesday, April 3, 2007

TCL Episode 6 - April 3rd, 2007

The sixth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Animated Cursor files, Cisco VOIP, Brightstor ARCserve, and OpenOffice.

Apologies for lower sound quality and the scratchy voice on this one.

Link

Sunday, April 1, 2007

Raised ThreatLevel Due To Widespread 0-day ANI Exploit

The ANI vulnerability is going from serious to very serious. The Threat Center Threat Level has been raised and will remain raised until the threat subsides or official patches are available.

Variants on the ANI exploit are circulating very fast and already one worm has been detected that takes advantage of this exploit to infect web pages (.htm, .html, .aspx, .php, .jsp, etc.) and executable files.

There is no workaround for this vulnerability, but both the Zero-day Emergency Response Team (ZERT) and eEye Security have released unofficial patches that can be used to reduce the risk for machines while we wait for an official patch from Microsoft. Note that we have not tested these patches thoroughly and are not endorsing them.



Update: Microsoft's blog says that they plan to release an emergency patch to fix this vulnerability on Tuesday, April 3rd. Stay tuned.



Note from the sponsor: eSoft's Gateway Anti-Virus and Intrusion Prevention products protect customers from this vulnerability. However, laptops infected with a worm while not being protected by an eSoft Gateway could potentially infect the network. Please be sure to virus scan any laptop computers before allowing them to connect to your local network.