Whistling In The Dark

OK, this is not tech related but I’d like to know the answer. What exactly does ‘whistling in the dark’ mean? I found several different definitions (not including sexual ones; this is a family blog):

Can it be that the expression means different things in different places?

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, were also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?

A Phishing Worm

Welcome to the phishing worm.

Korgo, a new worm that appeared last week, scans for random machines to infect and attack, using a vulnerability in Windows called the LSASS flaw, which was discovered in April, according to Internet Week. Korgo, also known as Padobot, then sits on users’ computers waiting for instructions from home. Most such bots would open up the victim’s computer for relaying spam, launching Denial of Service attacks, or for infecting other machines.

Korgo seems to go one step further. According to F-Secure, Korgo “seems to be stealing user information very aggressively through keylogging techniques.” Mikko writes on his blog (sorry, no permanent link available): “The Korgo network worm keeps spreading actively, and it’s aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form – this will collect lots of credit card numbers, passwords etc.”

This would, if true, mean that users don’t need to receive an email, visit an infected site, or unwittingly download anything for their passwords to be stolen. That would seem to take phishing to the next level in that it doesn’t involve email, either as a form of transmission or as a lure. Roger Thompson of PestPatrol agrees it’s probably the first: “There have been bots that phish, but I don’t think any have specifically targeted banks”.

For some reason McAfee and the others are rating Korgo as a low threat, and make no mention of its keylogging abilities that I can find. I’ve asked F-Secure for more information, including which banks are targeted. I’m also not sure whether there have been previous worms that capture banking passwords. What does seem clear is that the worm is Russian in origin. F-Secure says it believes the HangUP Team, a team of Russian hackers, is the worm’s ‘probable creator’.

Phishing, And Some Advice

I was just reading the new publication put out by the U.S. Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council on “Lessons Learned by Consumers, Financial Sector Firms, and Government Agencies during the Recent Rise of Phishing Attacks” (PDF here, page on Treasury website here). A rather wordy title for a document that to me is rather thin on specifics.

In short, there’s not much here people don’t know already. And there are some bits of poor advice. One for banks and other institutions whose customers are being phished: “Contact consumers by e-mail or postal mail warning them not to respond to suspicious e-mails. Remind consumers of the firm’s or agency’s official policy of not soliciting sensitive information through an e-mail.” How exactly is sending an email going to help? A lot of phishing emails use exactly this ruse to get the target to check in to their fake website, suggesting they suspect their account has been compromised, or something. I’d say now is the time to spend some cash on doing a proper mailing to all customers using the postal service. Now is not the time for more emails saying ‘Beware of scams. By the way, this is not a scam’.

Anyway, here are three of my own suggestions for banks to build trust with customers and minimise further confusion about what is genuine and what is phishy:

  • Don’t be tempted to fire pop-up ads at them when they visit your website, like one U.S. bank I know of, because pop-up ads can legally be hijacked by other companies like WhenU, which means they can also be hijacked by scammers.
  • Don’t outsource your marketing to email marketers, like the Singapore arm of one U.S. bank I’ve written about here before, who then send out dubious unsolicited emails inviting me to open a new Premium Deposit …and enjoy a potentially higher interest rate on your money AND a S$10 Tangs shopping voucher for every US$10,000 invested. What’s to stop a phisher mimicking the same email and then luring someone to a kosher-looking website, asking them to submit some personal data about, say their existing Internet account at another bank, and then directing them to the real website?
  • Don’t give customers an extra screen of ads for other services after they’ve logged out which uses cute but confusing language – one Hong Kong-based bank I visited the other day said something like ‘You’ve logged out but you haven’t logged off’ and then proceeded to offer the customer some more services. A lot of customers are going to be confused about that. And what for? Just to sell them a few extra services?  

All bad practice, and I think if anyone is going to draw up a ‘lessons drawn’ note it should be along those lines: specific, cautionary, and at least trying to anticipate the way this war on scamming may go.  

This week’s column – Visualizing Tools

This week’s Loose Wire column takes a look at programs that visualize your hard disk.

ONE OF THE CRAZY THINGS about computers is that the more we use them, the more of a mystery they become. Think of all the things you’ve done with your computer: reading and writing e-mail, browsing Web sites, downloading (and making) music, editing and watching video, storing photos. All these things take up valuable space, but are impossible to find without a team of forensic experts to help. In short, finding what’s valuable and what’s not is easier in your loft, basement, garage or den than on your own hard disk.

That’s the problem. Here’s the solution: Software that allows you to view your hard disk as if you were X-raying it. These programs take a close look at your hard drive–or whatever disk you want them to, from a USB drive to a CD-ROM–and present it as a graphic, broken down into little coloured blocks that represent the files and folders that make up your data. The size of the blocks depends on the size of the files and folders they represent, and their colour depends on whether they are photos, music files, documents or whatever. Your hard drive will look like a mosaic, with the various files and folders all separately adding little rectangular bits to make up the whole picture. Such programs, for want of a better term, are called disk-visualization tools.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

Anti Phishing Tools And The Lull Of False Security

From Buzz Bruggeman, here’s another tool that may help fend off phishing attacks (here’s an earlier post on similar software): SpoofStick, a browser extension that sits in either IE or FireFox and tells you what website you’re really visiting.

It works like this: Many phishing scams conceal the real website in a link behind tricks such as lots of prior gobbledegook preceded by a legitimate website name. Others put in lots of white space so the real link falls off the edge of your screen. All rely on one weirdness in URLs: if there’s more than one website name in the link, it’s the last one that counts. So when you see a link beginning in ebay.com, you can’t be sure whether it’s really an eBay link until you get to the end of the link, and even legitimate links can sometimes be longer than the width of a screen. CoreStreet do a good job of explaining all this, and SpoofStick will tell you what site you’re really at.

Now, I’ve got nothing against CoreStreet offering this kind of tool; in fact I think it’s a good public service. But given the company is involved in “massively scalable validation products for identity management and access control” I can’t help wondering whether there isn’t a better way to do this.

First off, with something like SpoofStick users would have to click on the link in their email program and visit the site in question before they know whether the email/website is genuine. Given many phishing emails now don’t bother trying to get the user to fill out a form but instead upload a keylogging trojan when they visit the scamming website, it’s going to be a bit late to find out whether the URL is legitimate or not. Better would be a tool that allows the user to copy the offending URL into a program which would then check its authenticity.

Secondly, what happens when the scammer uses a website name that sounds kosher? As mentioned in a previous posting, some scammers are smart enough to set up website names that may sound legitimate to some users (in that case updatesecuritycheck.com), so the approach adopted by SpoofStick is going to only help those who think that doesn’t sound like a legit site. To many it does.

Bottom line: SpoofStick and its ilk are good, but they don’t go far enough, and they may merely lull users into a false sense of security. It’s not that elegant, but I’d suggest concerned users go to something like Karen Kenworthy’s URL Discombobulator, freeware which will investigate any URL you paste into it and tell you what’s really behind it. Just remember to copy the link itself, not the text in front of it. Many scams will create what looks like a legitimate link but actually links to what, in a recent phish I received, the scammer charmingly admits is the ‘scampage’ (this is a real scam so I don’t advise clicking on it): https://www.paypal.com/fraudcheck/secure/bill.html?sl=070304=”/A”> 
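To show what a paste-the-link checker of the kind suggested above actually has to do, here is an added example (my own code, not SpoofStick or URL Discombobulator): it pulls every link out of a constructed HTML email, works out which host the browser would really connect to (anything before an ‘@’ is treated as a username, so the name at the end wins), and flags links whose visible text claims one site while the href points at another. It also shows the limit noted above: a plausible-sounding domain with neutral link text is not flagged, because no tool can judge that from the URL alone.

```python
"""Reveal the real destination of deceptive links in an HTML e-mail.

Added example, not code from SpoofStick or URL Discombobulator.
SAMPLE_EMAIL is constructed; the IP address is a documentation range.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """
<p>Dear user, please confirm your account details:</p>
<a href="http://www.paypal.com@198.51.100.23/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<a href="http://www.updatesecuritycheck.com/paypal/">https://www.paypal.com/</a>
<a href="http://www.updatesecuritycheck.com/paypal/">Log in to PayPal</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
"""

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)   # something that looks like a hostname
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host the browser actually connects to. urlsplit treats everything before
    '@' in the authority as credentials, so 'www.paypal.com@evil' yields 'evil'."""
    return (urlsplit(url.strip()).hostname or "").lower()


def claimed_host(text):
    """First hostname-looking string in the visible link text, if any."""
    match = HOST_RE.search(text)
    return match.group(0).lower() if match else None


def base_domain(host):
    """Crude registrable domain: the last two labels. Good enough for .com-style
    names; a public-suffix list would be needed for names such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def audit_links(html):
    """Return one finding per link: the true host and a list of reasons for suspicion."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = real_host(href)
        claimed = claimed_host(text)
        reasons = []
        if "@" in urlsplit(href.strip()).netloc:
            reasons.append("'@' in link hides the real host")
        if claimed and base_domain(claimed) != base_domain(actual):
            reasons.append(f"text says {claimed} but link goes to {actual}")
        if IPV4_RE.match(actual):
            reasons.append("link goes to a bare IP address")
        findings.append({"text": text, "href": href, "host": actual, "suspicious": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        verdict = "; ".join(f["suspicious"]) or "nothing obviously wrong"
        print(f"{f['text']!r:45} -> {f['host']:30} {verdict}")
```

The third link is the updatesecuritycheck.com case from the post below: the checker reports nothing because neither the text nor the URL contradicts itself, which is exactly why such tools only help users who already find the name suspicious.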

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet…in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see “I’m Tony Blair’s phone full of secrets!” in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack…affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you’re talking about. But the problem is not the range of the targeted gadget, but of the attacker’s. Adam Laurie, the guy who first publicised this, has used off-the-shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.

The second issue, Phone ID, is somewhat misleading. While it’s true Tony Blair is unlikely to have had the time or interest to alter his phone’s default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks to Martin Herfurt for clarifying this).

Affected brands: While it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. Sony Ericsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: Yes, it’s unlikely you’d be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you’re doing. But it’s naive to suggest that it’s only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure you’re going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it, doesn’t mean a criminal can’t.

Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts — in themselves potentially valuable — but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone remotely to use your phone to dial a number and talk — which then appears to the recipient to be coming from your phone — raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: Just because we can’t think of how someone might benefit from this kind of security hole doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

Double Checking A Phishing Scam

Sometimes the usual checks to see whether an email is a phishing scam or not don’t work.

Here’s an example. This morning I received a quite credible looking PayPal email. Of course it had all the hallmarks of a phishing scam too, but then again I’ve received some genuine emails I thought were phishers, so you can never be 100% sure.

The best test — viewing the email in non-HTML format, so the links show up for what they really are — didn’t work particularly well this time: The URL was http://www.updatesecuritycheck.com, which doesn’t sound like PayPal, but then it sounds official enough to possibly lure some folk.

So I checked the registrant of the website in question, usually a surefire way to know whether it’s dodgy. It was under the name of someone in the UK, with an address and telephone number that all looked kosher (right postcode, all that sort of thing). Hard to imagine that someone in the wilds of Devon would be administering PayPal accounts, but who knows? If the website was fraudulent, the thinking goes, why would someone go to such trouble to register a full name and address?

So I checked to see whether the person existed. He does. I contacted him, not via the email address given, but by hunting down a working email address via Google. Needless to say he’s not part of the scam and is suitably outraged that his name has been used. (Of course all this raises the possibility he has become the victim of broader ID and financial theft.) The page on the scam site itself no longer exists, as far as I can see, but the home page is a boilerplate PayPal copy.

The lesson: Sometimes it’s not enough to check whether the URL looks and feels kosher. Nor is it sufficient to see whether the website itself has been registered by someone who looks kosher. Clearly scammers are going to greater lengths to register proper-sounding website names, and to register them under real names and addresses — which they’ve probably found in phone books and on the Internet.

This week’s column – Flash Drives Aren’t Flash

This week’s Loose Wire column is about Flash drives:

I LEFT YOU last week in the capable hands of Ethel Girdle, the fictitious octogenarian who took her accusations of built-in obsolescence to the technology giants. One of her beefs was about so-called flash drives–small devices that store data, for example as memory cards for MP3 players, digital cameras or personal digital assistants, or as ultra-portable drives which can plug directly into your computer’s USB port. These little things have taken off in a big way. Nowadays it’s hard to find a gadget that doesn’t use them–even your cellphone uses the same technology–or a keychain that doesn’t have a thumb drive dangling off it. But Ethel (OK, it’s really me) found that two out of five memory cards in my possession have given up the ghost within a year or so of buying them. So what gives? Are flash drives the future or, if you’ll excuse the phrase, just a flash in the pan?

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

Didtheyreadit’s Response To Privacy Issues Part II

More on Alastair Rampell’s response to my privacy concerns about his new email monitoring service, didtheyreadit. (Here’s the first one.)

I wondered how the email addresses harvested by Rampell would be used. (These would include the addresses of everyone sending and receiving email via the service, since, as far as I can understand it, didtheyreadit, unlike MSGTAG, works by tagging the email address, not the email itself. This would involve collecting the email address of both sender and recipient.) Alastair’s response: “We don’t harvest any e-mail addresses—I wasn’t sure to which e-mail addresses you are referring. We can send you e-mails to the account you register with, but we also allow you to opt-out at any time. We do not send any commercial e-mail or e-mail for any other companies to our customer list.” That’s not quite the complete denial I was looking for, but perhaps I wasn’t specific enough in my original post.

Another question I raised: How will Rampell prevent this service being used by spammers and other mass-mail marketers? Alastair’s response: “We limit you to 750 messages per month. Very few individuals will ever exceed this number…whereas all mass-mail marketers would.” Fair enough.

Although Alastair takes pains to address my general privacy concerns, I’m not sure I can agree with his arguments. He candidly writes, “I had a discussion with somebody last week who was offended and repulsed by the idea of our service; the reason why is because a criminal could use our service to tell if somebody was at home. (Although she recognized that a telephone call could be used for the same purpose).” I can agree with that: Privacy is a long tunnel that can suck you in if you’re not careful — where everything is a threat — but while I don’t think didtheyreadit and MSGTAG represent threats to one’s physical safety, there are still some serious issues out there.

Take, for example, Alastair’s answer to my question “Why is the service invisible by default?” (In other words, why is there no default notice in the email informing the recipient that the email they are reading is being tracked?) His response: “I believe it is what the market demands.” He later goes on: “We are planning on doing a free version (like msgtag) that automatically places the disclosure there, as it is a form of marketing. In our initial tests, though, people who were trying the service were very concerned about having it disclosed to the recipients that the messages were being tracked.” I think that pretty much defines the problem. If someone sends a message to someone but doesn’t want them to know their message is being monitored, you’ve pretty much got yourself trapped in a privacy quagmire. If I do something to know something about you, but I don’t want you to know I am doing something to know something about you, then I would submit that as a default definition of snooping, or invasion of privacy.

What’s more, what kind of user would want to monitor their sent emails so invisibly? It’s hard to imagine they’re sending something to Aunt June or their son Bobcat. Given the other elements of didtheyreadit — monitoring exactly when, how long, where and how many times an email has been read — I’d say a consumer who demands the service be invisible may not be the kind of customer you’d be proud of having. What’s more, Alastair’s response to the issue of informing the recipient the email is being tracked is a rather strange one, in my view: Including a message informing the recipient might deter customers. “Even if it is an option,” he writes, “it will confuse a good deal of people who might avoid using our service as a result.” I can hardly agree with that. Including an option to address a serious privacy issue is only likely to deter folk who aren’t great respecters of privacy.

I had some other issues with Alastair’s company, not least because it sells products that inhabit a grey privacy area. They include a keyboard logger called Spector, and ViewRemote (“record everything that happens on your computer and watch it from any other computer in the world!”). Alastair’s response: “I realize that some of our other products are often considered invasions of privacy. However, we take great pains to make sure that the products (ViewRemote and Spector) are only used by authorized people. For example, you cannot install ViewRemote or Spector without entering your computer’s administrative password—so it can’t be installed without your permission. Installing Spector or ViewRemote on somebody else’s computer is not only a gross violation of privacy—but it’s also illegal. I feel that this is immoral and unethical, and thus we do not support it. But “spying” on your own computer, for lack of a better word, is sometimes necessary. Our products have been used to catch an employee stealing, identifying a pedophile, etc.”

I’m sure there are legitimate uses of such programs. But it leaves an uncomfortable taste that the company whose main products are what I would call stealth software is now selling a service that invisibly and remotely monitors the fate of emails. Alastair, who says his academic background is on the other side of privacy, via cryptography research, is at least discussing the issues, which is a good sign. But I am not sure I agree with him when he concludes that “I believe that DidTheyReadIt is relatively harmless. Yes, you can use it to catch somebody in a lie…but there are a wealth of legitimate purposes that give the sender more information (such as if the message was even received) without necessarily infringing upon the privacy of the recipient.”

My response: Yes, in the midst of spam’s deluge there’s definitely a legitimate market here for checking whether your email got to where it was supposed to go safely. But it shouldn’t be necessary to go beyond that, to check aspects of its fate that should really be the private property of the recipient: How long the message was read, where it was opened, whether it was forwarded to others. Furthermore, didtheyreadit (and MSGTAG) need to address the issue of allowing the recipient to easily and definitively opt out of having the emails they receive tagged by such services; if possible, before the first email they receive from either service. If such companies don’t address these issues before they get successful, they may find themselves caught up in the full glare of privacy advocates, and end up destroying what is in essence a useful and benign service.