Monday, October 24, 2011

Android vs iOS security

An interesting video featuring well-known security researcher Dr Charlie Miller, which discusses the security postures of Android and iOS.



Sunday, October 23, 2011

My Million dollar ATM is ready for delivery??

I have just received an interesting scam mail. I think it will be useful to share with all my readers.



The email claims to be from FedEx. They are ready to deliver "my" million-dollar ATM card in GHANA.

-Below is the extract-

Dear Valued Customer.

The office of the FedEx Managements in the capital city of ACCRA GHANA do hereby wish to inform you that your ATM card package is ready for delivery.

The issuing bank of this ATM card has instructed us to inform you that your card has been credited with the total sum of US$4,750,000.00 (Four Million-Seven Hundred & Fifty Thousand Dollars) which is now accessible and you can make your withdrawal from any ATM machine worldwide.

This ATM card with the PIN code and other vital documents has peen packaged into an Envelop which has been assigned for immediately delivery but unfortunately, the issuing bank has cleared (PAID) the delivery fee, insurance fee, custom duty fee, delivery permit fee but they were not allowed to pay the security bonded keeping fee because we have not been told when you will be coming for your claim not until the bank instructed us to contact you and inform you of the security bonded keeping fee which is only the sum of US$98 dollars, this is the only fee that you has to pay.

We further request you to kindly clear security bonded keeping fee of US$98 Dollars to enable us effect the delivery of your ATM card to you as soon as possible. At the meantime, you have to get back to us with your address where your package would be delivered to you within the nest 48hrs.

Your complete Name:…………………………
Your Complete Address:………………………
Your Mobile Number:…………………………..

Upon your swift response, we shall instruct you on how you will make the payment to the security office before we would be allowed to move your package. Our delivery duration is only 48hrs starting from the time when your package was picked up and dispatched out from our office here in Ghana.

We anticipate your response.

Thank you.

Mr. Mac Moses
FedEx Delivery Officer
Tel: 233- 247630112

-End of email-


From the email header, you will be able to see some useful information:
1> Source email address
2> Source mail server
3> Source IP address connected to the mail server
4> Reply-To address



From the "1> Source email address", you know that the email is coming from "chinkyeyes@rogers.com". Rogers.com is a Canadian ISP, which uses the Yahoo mail gateway (as shown below). This is consistent with the "2> Source mail server" in the mail header.


From the "3> Source IP address" (41.218.192.255), the connection was made from Ghana. So it is likely that the "chinkyeyes" account was compromised by the scammer.


Scam mail tends to show tell-tale signs such as spelling errors.
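The header walk described above (source address, mail server, originating IP, Reply-To), as an added example that is not part of the original post. The sender address and the 41.218.192.255 origin IP are the ones from the post; the gateway hostnames, the Reply-To address and the Message-ID are constructed, and 192.0.2.10 is a documentation address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (headers only matter here). Received headers are
# read bottom-up: the lowest one names the client that first submitted the mail.
RAW_SCAM_MAIL = """\
Received: from webmail-out.mailgateway.example (webmail-out.mailgateway.example [192.0.2.10])
 by mx.victim.example with SMTP; Sun, 23 Oct 2011 03:14:07 +0000
Received: from [41.218.192.255] by webmail.mailgateway.example via HTTP; Sun, 23 Oct 2011 03:14:05 +0000
From: "FedEx Delivery Office" <chinkyeyes@rogers.com>
Reply-To: fedex.ghana.office@free-mail.example
To: reader@victim.example
Subject: Your ATM card package is ready for delivery
Message-ID: <constructed-0001@mailgateway.example>

Dear Valued Customer ...
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def origin_ip(msg):
    """IP found in the bottom-most Received header. Only the Received lines added
    by servers you trust are reliable; anything below them can be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4.search(received[-1])
    return match.group(0) if match else None


def analyze(raw):
    """Extract the four header items listed above plus a Reply-To mismatch flag."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower()
    return {
        "display_name": display,
        "from_addr": from_addr,
        "from_domain": from_domain,
        "mail_server": received[0].split()[1] if received else None,  # topmost hop
        "reply_to": reply_to,
        "origin_ip": origin_ip(msg),
        # A Reply-To at another domain steers replies away from the hijacked account.
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_SCAM_MAIL).items():
        print(f"{key:>18}: {value}")
```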

Friday, September 30, 2011

I won $10,000 worth of shopping voucher??

I received an email informing me that I have won $10,000 worth of shopping vouchers, coming from HardwareZone's newsletter.

The email format really gives the impression that I am the lucky winner, with two other "winners" listed in the email.



But after reading through the email, it starts to show tell-tale signs that it is just an advertisement and I did not really win a prize. They skilfully claim that "you may be a possible winner" so as not to be accused of fraud later.



After clicking the link "www.greatsingaporevoucher.com.sg" to "verify" your details, it was obvious that the email is actually legal "spam".

By "verifying" your details, you are actually joining the lucky draw instead. It also allows them to collect your information so that they can legally "spam" you further via handphone, email and mailing address.




w01f advise: If anyone is still interested in joining this lucky draw (or any similar online contest) and being "spammed" further, make sure you read and understand their "Terms and Conditions" and "Privacy Policy" before releasing your personal information to them.



Thursday, September 29, 2011

Default again?

Another device found to be using a default password. This time it is a home router in Korea, a DAVOLINK DVW-2000N.




w01f advise: The home router console should not be accessible from the Internet. The account should also be properly secured with a strong password.

Tuesday, September 27, 2011

"Easy" access to exam questions?



While doing my "googling" and security analysis, I happened to come across a Shanghai school portal and managed to easily "gain access" to the "admin" account.



With the admin access, I am able to access all the documents in the portal. I wonder if there are any exam questions in there?



I can list all the user accounts, which I could edit or delete.

w01f advise: Web portals should be properly secured, especially the administrative account. Strong passwords should also be used by all users.


Disclaimer: I only accessed the "main" and "user account" pages; no modification was made to the portal and no files were downloaded from it. This is purely for security awareness purposes, with no malicious intent.

Sunday, September 25, 2011

Should print server be secured?

Recently, there has been much news of customer information, product designs and algorithms being lost from big corporations, and WikiLeaks has exposed sensitive communications. Printers can be a good source of data leakage.

When surfing and "googling" around the Internet, we still see many print servers accessible from the Internet. Some of these print servers are even configured with default login credentials.

Besides data leakage, unauthorized changes to such a print server can also disrupt the business.

Below are some examples where I managed to gain access.



From the Admin console, we can access the "System Tools".




We can also make changes in "Advanced Settings".




w01f advise: Print servers should not be accessible from the Internet. If access from the Internet is required, make sure it is properly secured and change all default logins.

Friday, July 1, 2011

Test Drive OmniPeek 6.6



Last week, WildPackets released OmniPeek 6.6, the first network analyzer with 802.11n 3-stream wireless support. You can test it out by downloading the Wireless Essentials Pack. The pack includes the OmniPeek Enterprise 6.6 demo software as well as three popular wireless add-ons: Wireless Signal Stats, Wireless Channel Aggregator, and Roaming Latency Analyzer.

The video below, with Jay Botelho, Director of Product Management, and Chris Bloom, developer and evangelist at WildPackets, will tell you all about OmniPeek's wireless capabilities.




Thursday, June 23, 2011

10 Steps: Removing Spyware/Malware/Adware from a PC

Completely removing spyware from a PC can be very difficult. Most spyware, like malware, propagates to many different locations, i.e. the registry, files, system and folders, and removing all the erroneous files can be a challenge.

In some instances spyware will disable antivirus, firewall and other well-known security software as well as create fake BSODs. Some may even remove the Microsoft Windows Security Center and replace it with a fake one, as well as hijack the browser and stop users from clicking on links to security websites. Worse still, a PC may stop loading Windows altogether.

So you can see the difficulty in attempting to clean a PC. There are some simple steps to removing most spyware and adware – these are generic and provide useful guidance when identifying and cleaning spyware and self-replicating malware from a PC.

STEP 1:

Reboot the PC in Safe Mode with Networking – always log in as the same user that was previously logged in with in normal Windows mode*.


STEP 2:

Launch IE and from Tools > Internet Options > Connections tab click LAN SETTINGS and uncheck the checkbox labelled Use a proxy server for your LAN.

STEP 3:

Download Process Explorer – iexplore.exe (or explorer.scr) – and use this program to look for processes linked to the rogue program that has been installed. Rename the iexplore.exe or winlogon.exe installers. Alternatively, download and use AutoRuns from SysInternals (you can also run this from removable media).

STEP 4:

Check the hosts file and if it has any entries other than 127.0.0.1, comment them out – notepad c:\windows\system32\drivers\etc\hosts**.

STEP 5:

Download Malwarebytes Anti-Malware – if the download does not succeed, then download both the program and the signature update database from another PC and install them on the infected PC using removable media.

STEP 6:

Then download Spybot S&D and Spyware Doctor.

STEP 7:

Reboot the PC in Safe Mode again; in most situations the malicious files will have been removed. Download/update the antivirus, firewall and any other security products on the PC.

STEP 8:

Run a full scan, not a fingerprint scan, and then reboot the PC.

STEP 9:

Download and install CCleaner and click the Registry tab to run a registry clean – don’t forget to make a backup of the registry.

STEP 10:

Download and install NovaShield Anti-Malware – this program uses the OS kernel to monitor any file, registry, process and network changes. It will work alongside your existing antivirus and firewall software.

* Sometimes Safe Mode is disabled by the spyware/malware – this happens because the malicious file has deleted the SafeBoot registry keys. It is possible to merge a .reg file containing the missing SafeBoot entries to re-enable Safe Mode.

** Spybot S&D inserts entries into the hosts file – as long as the hosts file IP address is 127.0.0.1 then all should be OK. According to Spybot S&D, these entries (which can number in the thousands and are known to affect browser performance) are inserted as part of the immunization process.
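The hosts file check from STEP 4 and footnote **, as an added example that is not part of the original guide: loopback mappings (the normal localhost lines and Spybot-style 127.0.0.1 immunization entries) are left alone, while any hostname mapped elsewhere is reported and commented out. The sample hosts file and the antivirus update hostname in it are constructed, and 203.0.113.7 is a documentation address.

```python
import ipaddress
import sys

# Constructed hosts file: the loopback lines are normal, the 127.0.0.1
# immunization entry is what Spybot S&D adds, and the last line maps a (made-up)
# antivirus update host to a foreign address, which is what a hijack looks like.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker-site.example   # immunization entry
203.0.113.7     update.antivirus-vendor.example
"""


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything else or for non-IP text."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def audit_hosts(text):
    """Return (cleaned_text, flagged). Every mapping that does not point at
    loopback is listed in flagged as (ip, [hostnames]) and commented out in
    cleaned_text; comments, blank lines and loopback entries pass through."""
    cleaned, flagged = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop trailing comments
        if len(fields) >= 2 and not is_loopback(fields[0]):
            flagged.append((fields[0], fields[1:]))
            cleaned.append("# FLAGGED " + line)
        else:
            cleaned.append(line)
    return "\n".join(cleaned) + "\n", flagged


if __name__ == "__main__":
    # Read-only audit of a real hosts file when a path is given; never writes back.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    cleaned_text, findings = audit_hosts(source)
    for ip, names in findings:
        print(f"non-loopback mapping: {ip} -> {', '.join(names)}")
    print(cleaned_text)
```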


Did you know?
Antivirus software actually makes silent calls to servers to check application status and virus definition updates, and some collect operating system data. Malicious spyware will continue to be a threat. Expect spyware authors to develop more cunning ways to deliver spyware as part of a malicious payload. The attack vectors will include looking for vulnerabilities in Java, Microsoft Windows, web browsers and ActiveX, and sending users to IFrame websites (which can be done from links in search engines), just to name a few.


Wednesday, February 9, 2011

Hacker for Hire

Recently I received a marketing email which sells hacking guides, tools and services, and even offers hackers for hire.

The hacking guides they are selling include:
- Credit card hacking
- Bypass Virtual keyboard in Internet banking
- Exploit and malware development

They are also selling tools like
- Polymorphic crypters (to bypass AV scan-time and run-time detection)
- Paid botnets
- IRC bots
- Exploit packs

Services such as
- VPN encrypted connection (hide your real IP address)
- Fake emailer or email bomber
- DDoS attacks

If you don't know anything about hacking, you can even hire a hacker to do the job.



They even have a website that allows you to order their services online. Even hackers give discounts.



Sunday, January 16, 2011

Swiss Cyber Storm Cargame Challenge

Swiss Cyber Storm 3 is holding an online January CarGame challenge. It is a pen-testing wargame in which you have to gain access to a vulnerable web application. Try to solve this challenge and win a new car.

Challenge Description
Hacking-Lab provides a vulnerable web application, and somewhere on the web server you will be able to disclose a backend server DB connection properties file including hostname, IP, username and password. It is your goal to disclose this DB property file and then get a SQL connection to the database server. This DB server is vulnerable too! Please gain interactive access on the database server and prove your access by sending a screenshot of having access, with some server info you gather with commands like "hostname" or similar.

Goal
Gain interactive access to the database server. Prove you are able to access the box.

Details
You must be authenticated and registered for the January 2011 CarGame Challenge in Hacking-Lab to see the full details of this wargame!

More details - http://www.hacking-lab.com/cases/7025-database-hijack-cargame-challenge/index.html

Challenge Registration -
http://www.hacking-lab.com/events/registerform.html?eventid=137

Watch
Intro video (on how to participate)

Official Swiss Cyber Storm 3 website

Friday, January 14, 2011

Hacker Space

Hi all,
  Just want to share this place called Hackerspace in Singapore. There are many such places around the world. You can find more information here: http://hackerspaces.org/wiki/ and http://en.wikipedia.org/wiki/Hackerspace . It's an interesting initiative and the local site is here - http://hackerspace.sg/ . The only downside is the membership fee, due to the maintenance of the space. I think it's a good spin-off from the 2600 monthly meetings - http://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly .

Friday, December 17, 2010

Part Two: Two Factor Authentication!?!

Alas, finally I made it to part two after so long.  :)

Continuing from the previous post, OTP tokens are generally time-based or event-based. For time-based tokens, the pseudo-random number changes at a pre-determined interval, usually 30-60 seconds. For event-based tokens, it is based on a user event, such as the user pressing the button on the token, and a mathematical algorithm generates the pseudo-random number from there. Further explanation of what an OTP is can be found here - http://en.wikipedia.org/wiki/One-time_password .
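The two token types described above, as an added example that is not part of the original post: HOTP (RFC 4226) is the event-based case, where the counter advances with each button press, and TOTP (RFC 6238) is the time-based case, where the counter is the current 30-second slot. The secret used is the RFC 4226 test key; the two verify helpers show the server-side handling of clock drift and of skipped button presses, which is an assumption about how a deployment would use them rather than anything stated in the post.

```python
import hashlib
import hmac
import struct
import time

# ASCII secret "12345678901234567890" from the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the event-based token: HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, the time-based token: HOTP with the time slot as counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift between
    token and server; comparison is constant-time to avoid timing leaks."""
    slot = (int(time.time()) if unix_time is None else unix_time) // step
    return any(hmac.compare_digest(hotp(secret, slot + d, digits), code)
               for d in range(-window, window + 1))


def verify_hotp(secret, code, last_counter, look_ahead=10, digits=6):
    """Event-based check: the user may have pressed the button a few times
    without logging in, so accept the next `look_ahead` counters only. Returns
    the counter to store (so the code can never be replayed) or None."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print("event-based, press #3:", hotp(RFC_TEST_SECRET, 3))
    print("time-based, now:      ", totp(RFC_TEST_SECRET, int(time.time())))
```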

There are now several companies providing such security tokens used for two factor authentication (TFA).  A good explanation of the various types of security tokens can be found here - http://en.wikipedia.org/wiki/Security_token .

In Singapore, or even worldwide, it is already the practice for most internet banking services to use such tokens to improve security. (For the curious or security people, you are able to find out which particular token you are using from the list shown earlier.) Although using security tokens with TFA adds a layer of protection, it is still not totally foolproof.

With WikiLeaks, cyber attacks in Singapore and other recent events, Singaporeans should not be complacent about security. One such event is the DBS false login page that was in the news; luckily the user was knowledgeable enough not to proceed. Here is one such notice on phishing by the bank - http://www.dbs.com/sg/personal/ibanking/additionalinfo/security/phishing/default.aspx . The banks have done their part in informing the general public and taking other measures for prevention. Normal users still need to be informed of such risks and how to identify them.

For the technically inclined, on how it happens and recommendations on TFA usage, Bruce Schneier mentioned it in his blog here - http://www.schneier.com/blog/archives/2005/03/the_failure_of.html .


References:
- Wikipedia
- http://www.schneier.com/