Security I want around my online banking experience…

UPDATE 3/7/12: So hitting the banks up on Twitter went nowhere; they didn't even approve my comments. I have a good discussion going on in the "Internet Banking" group on LinkedIn if you want to join. Next step might be a reddit post or possibly emailing some of the bank CSOs directly. Wish me luck.

5/5/12 I reached out to BofA’s CISO Patrick Gorman and was ignored. Don’t see much point in banging my head against the wall anymore.

Online banking and bill pay are two of the conveniences of the information age. I have memories of seeing my mom paying the monthly bills late at night: filling out checks, opening and addressing envelopes, putting on stamps, etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner; with online banking and bill pay it usually takes me 30 minutes to send out the money with little or no writing or mailing. As with many conveniences, however, it comes with a risk of potential abuse. Individuals certainly aren't the only ones being victimized. Especially vulnerable are small to medium-sized businesses, which have relatively a lot of money compared to the average Joe Schmo like me, and unfortunately for them they are not covered by the FDIC or the bank's policy. Here's a Bloomberg article from August last year that goes into several examples of theft and how the banks don't always reimburse those companies the way they do you when your credit card is stolen: Bloomberg article

So without further ado here is what I humbly ask from my bank, 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.


Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers has only increased since the Aurora attacks, not to mention the latest Google vs. China row and RSA's compromise. One technique attackers use to make a targeted email look more legitimate is to fake, or spoof, the email's From address using the recipient's own domain, so the message is more likely to be opened. The constant message from security about the dangers of email means that opening a spoofed message can cause much alarm for the average user, which of course usually only becomes evident after the message has been opened. That is quickly followed by the usual questions: why am I getting this email? Joe said he didn't send it! It says I sent it! It's not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol, and many companies currently rely on that "feature" to deliver mail legitimately: think surveys, send-this-link-to-a-friend, web page forms, mailing lists, etc. So it's not as simple as blocking everything with an internal domain that comes from the Internet, because it's not all bad. It's also made more difficult by how SMTP works: the MAIL FROM (aka SMTP from, RFC 2821, envelope from) is often what is evaluated at the mail gateway/server level, but the user only sees the FROM (aka RFC 2822, message from).
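The envelope-versus-header gap described above, as an added example that is not from the original post or any Outlook rule: it compares the From: a user sees with the Return-Path the gateway judged and with the relay that handed the message in, and flags mail that claims the internal domain but arrived from outside. The domain example.com, the hostnames and both sample messages are constructed assumptions.

```python
"""Added example (not from the post): compare the visible From: with the envelope
sender and delivering relay to flag mail claiming an internal domain from outside."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the domain you own

# Constructed sample: From: claims our domain, but the envelope sender
# (Return-Path) and the relay that handed it to our gateway are both external.
SPOOFED = """Return-Path: <bounce@mailer.survey-site.test>
Received: from relay.survey-site.test ([198.51.100.7]) by gateway.example.com with ESMTP; Mon, 1 Jun 2009 10:00:00 -0700
From: Joe Colleague <joe@example.com>
Subject: Please review this

It says Joe sent it; Joe did not.
"""

# Constructed sample of genuinely internal mail for comparison.
INTERNAL = """Return-Path: <joe@example.com>
Received: from mail1.example.com ([10.0.0.5]) by gateway.example.com with ESMTP; Mon, 1 Jun 2009 10:05:00 -0700
From: Joe Colleague <joe@example.com>

Hi.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def relay_host(received_line):
    """Host named after 'from' in a Received: line, i.e. the hop that handed it in."""
    m = re.match(r"\s*from\s+(\S+)", received_line or "")
    return m.group(1).lower() if m else ""

def spoof_indicators(raw, internal=INTERNAL_DOMAIN):
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    header_from = domain_of(msg["From"])           # what the user sees (RFC 2822)
    envelope_from = domain_of(msg["Return-Path"])  # what the gateway judged (RFC 2821 MAIL FROM)
    relay = relay_host(received[0]) if received else ""  # topmost line = hop closest to us
    relay_internal = relay == internal or relay.endswith("." + internal)
    claims_internal = header_from == internal
    # Legitimate surveys, web forms and mailing lists produce the same pattern,
    # so this is a flag for a rule to act on (tag, move, warn), not a hard block.
    return {"header_from": header_from, "envelope_from": envelope_from, "relay": relay,
            "flagged": claims_internal and (envelope_from != internal or not relay_internal)}
```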


Update to filter IP ranges in SMTP headers…

I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways.  One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.

The below is a cleaned-up partial header of an email one of my coworkers received that was a 419 SPAM with a Word attachment delivering the social engineering "payload." It was sent from what I believe to be a SunOS webmail server at a large, well-known east coast university (I have notified the whois abuse contact already). The IP from Nigeria (78.138.3.237) is what directly connected to the webmail server with a college user's account and sent the SPAM through an already trusted infrastructure. If the college or I were able to search for Nigerian IPs anywhere in the Received lines, this would have been dropped or quarantined.

Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241])  by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i="4.42,291,1243828800"; d="scan'208";a="44717911"
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35])  by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [78.138.3.237] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <rxxx@xxxxx.edu>
Message-ID: <fce1a4442b7d.4a43bd5e@xxxx.edu>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Return-Path: rxxxx@xxxx.edu

Filter Country IPs in SMTP Received Headers…

My displeasure with the "send me money" scammers has been documented in previous entries, so I won't bore you with that again, although I did want to talk about an idea I had to fight those losers. Basically I want to write an SMTP gateway anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY Received header. I have a feature request in to our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.

My reasoning behind this is to fill a gap I see in current anti-SPAM tactics, which are mainly sender IP reputation and content matching. 419 emails seem to be the best at making it through those traps, because the "last hop" before your SMTP server is some bot host here in the US or, most commonly, they are sent directly from a free email service (Yahoo, Gmail, Hotmail, etc.), so sender reputation isn't all that effective (neither is SPF, SenderID, or DKIM), and since they are written as very businesslike text, catching the spamminess by content is also hard. However, if I were able to look for trouble-country IP ranges in any of the SMTP Received lines, there's a good chance I could catch many of those sent from or through foreign nations.

Some of the free webmail providers include this line to show the IP address of the computer that sent the message through the browser:

Received: from [79.80.169.10] by web36802.mail.mud.yahoo.com via HTTP; Sun, 31 May 2009 17:00:44 PDT

Being able to filter on CIDR ranges (countryipblocks.net or maxmind.com) in any Received line, not just the last one as sender reputation does, would greatly increase the granularity of keyword lists. For example, you can write a 419 keyword policy, but you will get MANY false positives if you apply it to all email, whereas I'd like to check it only if the email was sent from or through, for example, Nigeria, China, Romania, Russia, or Poland IP ranges. Pseudo policy below…

#SPAMKeywordsfromNigeria
SPAM_KeywordsInBodyorAttachment:
If (dictionary-contains ('SPAM_Keywords_BodyorAttachments')) AND
If (header-dictionary-received-contains ('NigerianIPs'))
{
    Quarantine ('419 from Nigeria');
}
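The pseudo policy above written out in Python, as an added example that is neither the gateway vendor's policy language nor code from the original post: it pulls every IP out of every Received: line (not just the last hop), checks them against a country block list, and only then applies the keyword dictionary. The block list, keyword list and sample message are constructed; 78.138.0.0/16 is a stand-in chosen only because 78.138.3.237 appears in the header above, not real geo-IP data.

```python
"""Added example (not the vendor's policy language): the pseudo policy above in
Python, scanning every Received: line for an IP in a country block list."""
import email
import ipaddress
import re

# Constructed stand-ins: a real policy would load country blocks from
# countryipblocks.net or maxmind.com rather than hard-code this guess.
COUNTRY_BLOCKS = {"NigerianIPs": [ipaddress.ip_network("78.138.0.0/16")]}
SPAM_KEYWORDS = ("next of kin", "western union", "respond asap")  # the dictionary

# Constructed sample based on the header above, with the masked university
# addresses replaced by 203.0.113.x documentation addresses.
SAMPLE = """Received: from iron1-smtp.xx.xxxx.edu ([203.0.113.241]) by gateway.example.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([203.0.113.35]) by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [78.138.3.237] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun 2009 18:09:34 +0100
Subject: Respond ASAP
Content-Type: text/plain; charset="us-ascii"

I am the next of kin of a late client. Please respond ASAP.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(msg):
    """Every valid IPv4 literal in every Received: line, not just the last hop."""
    ips = []
    for line in msg.get_all("Received") or []:
        for literal in IPV4.findall(line):
            try:
                ips.append(ipaddress.ip_address(literal))
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return ips

def body_text(msg):
    """Lower-cased text of all text/plain parts (attachments are not scanned here)."""
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts).lower()

def evaluate_policy(raw, block_name="NigerianIPs"):
    """Returns the hits and the action the pseudo policy would take."""
    msg = email.message_from_string(raw)
    ips = received_ips(msg)
    country_hit = any(ip in net for ip in ips for net in COUNTRY_BLOCKS[block_name])
    keyword_hit = any(k in body_text(msg) for k in SPAM_KEYWORDS)
    action = "Quarantine('419 from Nigeria')" if country_hit and keyword_hit else "deliver"
    return {"ips": [str(ip) for ip in ips], "country_hit": country_hit,
            "keyword_hit": keyword_hit, "action": action}
```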

I’ll update my blog if I’m able to apply this and how effective it is.

Email Scammers…

You know it's hard for me to talk about the 419, stock pump/dump, bank phishers and the rest without using excessive profanity, which isn't quite appropriate for a blog. So recently there was a customer of mine who forwarded an email through the SMTP gateways I manage that was caught in a custom word filter list. While I tried to determine if I should release the email, it became apparent the scam had already been effective to the tune of 900.00, and the Nigerian loser was trying to get an extra 300 out of the victim. The scam involves posting a house for rent on Craigslist after searching for real houses for rent or sale in the area, so if the mark drives by the address the pics match and there is a for rent or sale sign out front. The response to the initial inquiry about the house is usually about getting called away on business to Nigeria and needing first month's rent and the security deposit sent through Western Union. I've been seeing more and more of these idiots trying whatever they can to steal money from others as if they are entitled to it; because they were born in a 3rd world country, anything they do to "the rich" in America is justified. I really can't understand the upbringing these people must have had to be able to sleep at night ripping people off. Although I know it's not true, it's really hard not to generalize and see the entire country of Nigeria as a bunch of cheats, crooks, and liars when you are exposed to these emails on a daily basis.

Craigslist highlights that anyone asking for payment via Western Union is a scam (link). But unfortunately people are busy and trusting when it sounds like a good deal. All I ask is please be vigilant out there; the Internet is not only the happy, joyous place social networking sites want you to believe it is. It has a dark side, and like many forms of negativity it often comes with a "pretty face" and a good deal. Here's an example reply from one of these morons (link).

PS. And in case you needed more convincing, here's an article about a convicted SPAMMER who escaped from minimum security prison recently and then proceeded to kill himself, his wife, and their toddler. Just goes to show the cowards these individuals really are (link).

One Time Passwords…

I’m going to keep this article from the Miami Herald, so I can forward it to anyone who complains about needing a One-Time-Password to remotely access their employer’s network.   I encourage everyone to program a red flag to pop up in your head whenever anything asks you for username/password.  Ask yourself…

  1. Do I believe I can trust this physical location?
    1. Is it shared internet and/or computer access?
    2. Do I trust who had access before me?
  2. Do I believe I can trust this virtual location?
    1. Is it HTTPS with valid certificate?
    2. Did I get here from a reliable source?
  3. What would happen if these credentials were compromised?
    1. Remember many sites will allow a password change while relying on nothing but the belief that only you know the password to your web-mail.

Of course almost all of the long-term risk posed by these threats can be mitigated by using a one-time password. Next time you have to use one, thank an Information Security Administrator instead of complaining to one.

No Clicking for You…

Please don't be that guy, you know, the one who posts fake credit card data to a phishing site because they believe it's somehow "fighting back." BAD IDEA, folks. I've seen this error in common sense, if you will, because of IPS filters that use regexes to catch SB1386-type data being sent over HTTP rather than HTTPS, a clear sign of either a company that doesn't deserve your business or phishing. So here are the top 2 reasons why such a thing is bad for the information security weekend warrior.
1. Once you've clicked on the phishing link in the email, they have won.
You just validated that your email address is monitored by a human; it's now worth 10x as much to SPAM gangs. Who are they? Click here. Those SPAMmed HTML links often have code behind them that has been dynamically generated to embed the recipient of that particular SPAM in them. So when you click the phisher's link it's like saying, SPAM ME please, I read and click on anything!
2. You will most likely get malware sent to you.
OK, so the goal of the people behind this organized crime is to get credentials (username and password); they don't care how that is done, and they don't even care what credentials they get. It's cheap to try them at every bank, ecommerce, and webmail site out there. You don't reuse passwords, do you? So whether you fill out their fake form with all your personal information or they implant a Trojan on your machine and keylog that info a week from now, what's the difference? As soon as the site comes up, expect many invisible iframes pointing your browser to all kinds of obfuscated scripts trying to exploit application vulnerabilities (not just OS stuff anymore, my friends) as well as trying to socially engineer you into downloading a much-needed codec or the like.
So the moral of the story is that you're only tempting fate should you try to clog the bad guys' database with illegitimate info. In the end you may very well get owned faster than your grandma who just got a popup asking her to "CLICK RUN" to get a free virus scan on her Win98 machine. The real experts (one of whom I don't claim to be) use completely sandboxed virtual machines with many safeguards, for them and the Internet, to do this kind of stuff. I suggest anyone who doesn't reverse engineer malware on a weekly basis leave such things up to them. And luckily for the average e-citizen there are many very intelligent people who do just that. Suggested links below…
PS Don't expect your shiny new <insert AV vendor> 2008 to protect you 100% either; AV is a necessity for the average user on Windows but isn't an invincible shield against foolish bravery.

http://www.secureworks.com/research/threats/

http://isc.sans.org/  (do a search for Tom Liston, then click the links for “Follow the bouncing Malware” very well done albeit a few years old now.)