BBC NEWS | Technology | Bank turmoil fuels phishing boom

October 13th, 2008

As we all begin to feel the pinch of the "credit crunch" and current "financial crisis", it appears that the phishing industry is enjoying a boom!! See - it’s not all bad!

This really is another indicator of how the current global financial problems only serve to fuel financial crime, and stresses again how important it is that businesses take the issue of security seriously.

Given how big the cybercrime industry is, and how it continues to grow, the risk of internal threats is likely to grow as well. Those that may have been less inclined to defraud their employers in the past may now be slightly more tempted by offers from organised criminals on the prowl for personal and financial information.

BBC NEWS | Technology | Bank turmoil fuels phishing boom

Organized crime tampers with European card swipe devices • The Register

October 13th, 2008

So chip and PIN is not quite as safe as we all hoped! As consumers it really doesn’t look like there is anything we can do to avoid getting caught in one of these scams. Let’s face it, how will you be able to spot a swipe device that’s been tampered with?!!?

What this does highlight, however, is how big and organised this type of crime is now. I was at a Cybercrime forum hosted by Eugene Kaspersky recently where he highlighted just how big an "industry" is involved in this high-tech crime now. It’s big business, and likely to get bigger.

For businesses, this really does reinforce how important it is to take the issue of Security seriously now. No one is immune. You can no longer dismiss these issues as something that will only happen to someone else.

Organized crime tampers with European card swipe devices • The Register

Black Hat: The Risks Of Trusting Content | securosis.com

August 8th, 2008

An interesting blog entry has been posted on Securosis.com about a risk in website design. It hinges around GIFARs - basically a Java archive made to look like a GIF image (a good explanation can be found here: http://heasman.blogspot.com/2008/08/on-gifars.html).

As my background is in networks, I won’t pretend to fully understand this one. But in short, this method opens the potential for implanting malicious code that can be uploaded to any public image repository like Picasa. When the GIFAR loads, the subsequent application can execute actions in the context of Picasa. Effectively this gives the applet access to any of your credentials or other behaviours that run on that site.

As the article at securosis.com goes on to show, given the number of sites that allow you to upload images (including forums with “avatars”) this could be quite an effective weapon!

Black Hat: The Risks Of Trusting Content | securosis.com
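A defensive check for the upload risk described in the post above, as an added example that is not from the original post or the articles it links to: it rejects a file that starts with a GIF header but also carries ZIP (JAR) structures. It assumes the archive data follows the image data, which the post does not spell out; the function names and sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory record signature
ZIP_LOCAL = b"PK\x03\x04"  # local file header signature
EOCD_MIN = 22              # EOCD size with an empty comment
EOCD_WINDOW = EOCD_MIN + 0xFFFF  # EOCD plus the largest possible comment


def find_zip_eocd(data: bytes) -> int:
    """Return the offset of a plausible ZIP EOCD record near EOF, or -1."""
    start = max(0, len(data) - EOCD_WINDOW)
    pos = data.rfind(ZIP_EOCD, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            # Archive readers locate the EOCD from the end of the file,
            # so a record whose comment fits before EOF is a usable archive tail.
            if pos + EOCD_MIN + comment_len <= len(data):
                return pos
        pos = data.rfind(ZIP_EOCD, start, pos)
    return -1


def classify_upload(data: bytes) -> str:
    """Classify an uploaded file claimed to be a GIF."""
    if not data.startswith(GIF_MAGICS):
        return "not-gif"
    # False positives on genuine images are possible but rare (4-byte match).
    if find_zip_eocd(data) != -1 or ZIP_LOCAL in data:
        return "reject-polyglot"
    return "gif-ok"


def sample_gif() -> bytes:
    # Constructed minimal GIF: header, logical screen descriptor, trailer.
    return b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"


def sample_gif_with_archive() -> bytes:
    # Constructed test fixture: the same GIF followed by an in-memory ZIP.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", b"constructed sample data")
    return sample_gif() + buf.getvalue()
```

A signature check like this is only a filter; re-encoding uploaded images on the server and serving them from a separate origin removes the trust in uploaded bytes altogether.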

Dan and Cricket on DNS Vulnerability

August 8th, 2008

I attended a Webinar last night hosted by ISACA and ISSA. Webinars about the recently disclosed DNS vulnerability are ten a penny now, but this one caught my attention because of the experts presenting - Dan Kaminsky, the guy who discovered and disclosed the vulnerability, and Cricket Liu, a well recognised expert on DNS.

The Webinar certainly explained the DNS vulnerability well (although to be honest, I wasn’t feeling well and kept dozing off… nothing to do with the speakers though!!) and is well worth catching. ISACA will be posting a recording on their website at some point - not sure if it will be available to non-members, but I’ll post here again as soon as it’s announced.

The message that came through loud and clear though was patch your systems!! Most vendors now offer patches that go at least some way towards addressing the vulnerabilities in DNS. But the warning given was to expect more.

In today’s world of security it seems that the application is the entry point of choice. And this recent DNS vulnerability shows that any application is fair game.

It would seem that patching - and patching quickly - will become increasingly important if systems are to remain secure.

Exploit package uses automatic upgrade features in Mac OS X, iTunes, Java, Winzip…

July 29th, 2008

Evilgrade, the brainchild of Francisco Amato, is an exploit package that can install malware on end user machines by exploiting weaknesses in the automatic upgrade feature of an affected application or operating system.

The package can only work as part of a man-in-the-middle attack. But, thanks to the recent devastating DNS bug which has now been wrapped into the Metasploit framework, that isn’t much of a problem at the moment.

Affected programs currently include iTunes, Mac OS X, Winzip, Java, Winamp, Notebook, OpenOffice, Notepad++, Speedbit and the Linkedin Toolbar.

A demo of the exploit in action is available here.

Of course, the DNS bug doesn’t represent the only way to perform a man-in-the-middle attack. Other attacks involving DNS, ARP and DHCP could also be used. But it’s frightening to see just how easy this is to perform!

Virgin Media no longer data loss virgins

June 20th, 2008

As reported by The Register this afternoon, Virgin Media have now added their name to the ever growing list of companies guilty of blunders in the way they handle their customers’ sensitive information.

According to the article, bank details for 3,000 of its customers were burnt to a CD with no encryption, and the CD was then promptly lost.

Affected customers appear to have been those who signed up for services at Carphone Warehouse stores from January this year.

Virgin Media have very kindly decided to pay for credit file protection for all of the customers affected.

So congratulations go to Virgin Media for popping their data loss cherry!

Firefox 3 - Download Day 2008

May 29th, 2008

OK, so I’m not going to enter into the debate over what web browser is the best, but Firefox is an excellent alternative to Internet Exploder.

And now they are attempting to enter the record books for the most software downloads in 24 hours with the release of version 3.

I’ve been using the beta releases (and now release candidates) of Firefox 3 and have been enjoying the numerous improvements. So I for one will be joining in the record attempt on release day (whenever that may be - no date posted as yet!).

So to show my support, here’s a banner that you can click to find out more and to make a pledge to download Firefox 3 on release day!

Download Day 2008

Time flies…

April 24th, 2008

So I’ve just looked back at my blog for the first time in… well, nearly 3 months it would seem!

I’ve been busy with training, exams, work and my other interests (www.project2020.co.uk if you’re curious!) and just haven’t got around to adding anything to the blog.

Having spent the last couple of days at InfoSec I’ve got several bags full of information to work my way through so I’m bound to find some relatively interesting things to post over the next few days.

One highlight of the day for me was seeing a trick/hack demonstrated for extracting disk encryption keys from memory. It was something I read about a while back which involves lowering the temperature of a computer’s memory to slow down the degradation of data held within it after the power is removed (i.e., when you steal the memory from the computer!) so that you can transfer it to your own computer and extract the encryption keys. I’ll post some more on that in a day or two.

Underwater Fibre Cuts in the Middle East

February 14th, 2008

Reports seem to indicate that within the last week or so, there have been outages affecting four underwater cables. There have also been rumours of a 5th although that doesn’t seem to have been confirmed.

Is this just a coincidence? Could be - the suggestion has been that bad weather is causing more ships to drop anchor and that this has been causing the damage. But the odds of that happening to four cables within a short period of time? Food for thought.

There are a number of conspiracy theories being bandied around, as can be expected. Can’t say that I’m convinced it’s an accident, and we may never know if it’s anything more suspicious.

There’s an interesting post about these cable cuts on Steve Bellovin’s SMBlog. A post dated 7th February on that same site also reports that Flag Telecom have reported finding an abandoned ship anchor near one of the cuts.

My blog still feels a bit lonely, so please post your comments. Pretty please?!!!!

BBC NEWS | Entertainment | Clarkson stung after bank prank

January 7th, 2008

Oh dear - the sound of several cases being rested resonates across the globe!

In an attempt to prove that the publicity around the recent loss of 25 million people’s personal details by HM Revenue and Customs in the UK was just “a fuss about nothing”, TV presenter Jeremy Clarkson printed his bank account details in a UK newspaper.

He claimed that “all you’ll be able to do with them is put money into my account. Not take it out”.

However, after checking his bank statement, he discovered a £500 direct debit payment to charity Diabetes UK!

A lesson learned then - never underestimate the value of people’s personal information.

BBC NEWS | Entertainment | Clarkson stung after bank prank