8/31/2006

A Moebius tape of recursivity

Haven't posted articles in a while and I'm sorry about that.

After Google disabled my mail account my Blogger account was disabled too. Silly me, I didn't see that coming even knowing that Google and Blogger have unified accounts.

Anyway, everything's fine now. I have access to both my mail account and my Blogger account again. But in the meantime I was setting up another blog and re-editing all the articles because I thought that my account was as good as gone. And that kept me busy all the time that I could have used to write.

I have a lot to write about.

Check scams are rising now and I'm going to get back to this issue in a future article. Meanwhile, don't take a job as a "payment officer", don't take a job over the web, don't trust a "company" just because it has a website, don't sell books (or anything else) to schools or academies in India, Africa or anywhere else if they were requested by mail. Believe it or not, the scammers go to that extent to lure you into taking their "rubber" checks.

Phishing is high too. I've seen a lot of mail forms lately. These are phishing messages that carry the form to post your data inside them. No need to click a link and post on a web page, you can do it from the message itself, which is more tempting and makes the actual phishing web page invisible. In fact the page is only a script that forwards the content of the form to the phisher's mail account. If you call it without the content of a form you get nothing. And that makes it very hard to report to network administrators, because there's nothing to see from the hyperlink.

One of the scripts is totally legal, meaning that it was created and is used legally. But it's open to the general public when it was intended to serve the customers of a hosting service. The administrator was doing some complicated things, redirecting the script to eBay if the referrer included a reference to them. But the result was that if you tried to access the script manually by yourself, eBay showed up. Bad idea. Let's say that a person suspects that the message is not real. He tries the link manually and eBay shows up. Most likely he'll think that the message is genuine, fill in the form and get his credit card cloned.

Some other administrators are doing things differently. I saw a phishing page this week that was replaced with a warning page explaining phishing, in case you are a potential victim, and trashing the phisher. I'll see if I can recover the link for you to see.

And I've just contacted another who is taking a strong stand against scammers. But this is for another article.

Today I'm writing about human stupidity and how technology makes things worse.

Lately I'm seeing that the number of scam messages from LatinMail is increasing. This happens often, a free mail service gets popular among scammers. Yahoo is still the number one, even when it's also the number one in closing their accounts.

The trick nowadays is to send the first message through spam servers with a disposable mail account and, once contact with the mark has been established, move the operation to the Yahoo account.

Sending from a spam server makes the message impossible to report: no mail provider will accept a report just because the address allegedly used belongs to one of its users. They want a header showing that the message was generated from their servers.

This trick works as a sieve: those who suspect the message can't report it and won't pursue the matter, and those who answer won't report it.

But sometimes they use a mail server that they know, or think, is lenient in its abuse policy, like LatinMail in this case and another that is rising, adinet.com.uy.

I started reporting just to see if there was a response. I didn't get one but at least the abuse address didn't bounce, something that's pretty common.

Then a couple of messages bounced. That was odd. Most of the time the bounces happen because the abuse address doesn't exist at all or its quota has been exceeded, meaning that nobody has checked the account in years. And in both cases the bounce is immediate and for every message.

This time only a couple of them bounced. So I took a closer look at the bounce message. And I found this:

<latinmail@latinred.net>: host mail.latinred.net[62.37.236.165] said: 451
Blocked - see http://www.spamcop.net/bl.shtml?62.37.236.187 (in reply to
RCPT TO command)


SpamCop is an organization working against spam, I guess the name is graphic enough. They take information from user reports and traps they set on purpose. From that information, they keep a database of offending IP numbers, the addresses from which spam messages originate. The database is public and anyone can use it to check if the source of a message has been reported. I'll get back to the details later.

Using this database, LatinMail detected that the IP address 62.37.236.165 has been reported as a source of spam several times. So they blocked the message and bounced it.

Nice, isn't it? Well, not really. Because the IP 62.37.236.165 belongs to LatinMail. And it was reported several times, along with others also belonging to LatinMail, because it is the source of a lot of spam. Including scam messages.

The second minor detail in this story is that the message I sent wasn't generated or forwarded from that IP. The reference to that IP was in the header of the message I was reporting, which was quoted inside the body of my message.

Somehow, their script is unable to tell where the real header ends. Somehow, meaning that someone did a lousy job; a header has a distinctive boundary.

But the bottom line is that it's impossible to report abuse to LatinMail. If you take the IP number out, they won't see evidence that the message was generated from them. If you leave the IP number in, the message bounces.
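An added example (mine, not LatinMail's script or anything from this post) of the bug described above: the lousy scanner greps the whole message for IP numbers, including the quoted header in the body, while the correct one stops at the empty line that ends the real header and looks only at the relays in the Received: fields. The abuse report, the block list and the reporter's addresses are constructed for the demo.

```python
import re
from typing import List

# Constructed abuse report as a reporter would send it to LatinMail: the
# real header (above the first empty line) shows it came from the
# reporter's relay; the quoted scam message, whose Received: line carries
# LatinMail's own IP, sits inside the body.
ABUSE_REPORT = """Received: from reporter.example.net (reporter.example.net [198.51.100.7])
\tby mail.latinred.net with ESMTP; Thu, 31 Aug 2006 10:00:00 +0200
From: reporter@example.net
To: latinmail@latinred.net
Subject: Abuse report: scam sent from your server

Please see the full headers of the scam message below.

Received: from mail.latinmail.com (mail.latinmail.com [62.37.236.165])
\tby mx.example.net with SMTP; Wed, 30 Aug 2006 22:15:01 +0200
From: "Mr. Winner" <lottery@example.com>
Subject: YOU HAVE WON!!!
"""

# Constructed stand-in for the SpamCop block list (no DNS query needed).
BLOCKLIST = {"62.37.236.165", "62.37.236.187"}

ANY_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RELAY_IP_RE = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]")


def split_header_body(raw: str):
    """The header ends at the first empty line; everything after is body."""
    head, _, body = raw.partition("\n\n")
    return head, body


def unfold_headers(head: str) -> List[str]:
    """Join continuation lines (starting with space or tab) onto their field."""
    fields: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def relay_ips(raw: str) -> List[str]:
    """IPs of the relays named in the real Received: fields only."""
    head, _ = split_header_body(raw)
    ips: List[str] = []
    for field in unfold_headers(head):
        if field.lower().startswith("received:"):
            ips.extend(RELAY_IP_RE.findall(field))
    return ips


def naive_blocked(raw: str) -> List[str]:
    """The lousy job: any IP anywhere in the message, body included."""
    return sorted(set(ANY_IP_RE.findall(raw)) & BLOCKLIST)


def correct_blocked(raw: str) -> List[str]:
    """Check only the relays that actually handled this message."""
    return sorted(set(relay_ips(raw)) & BLOCKLIST)


if __name__ == "__main__":
    print("naive  :", naive_blocked(ABUSE_REPORT))    # bounces the report
    print("correct:", correct_blocked(ABUSE_REPORT))  # accepts it
```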

And I'd applaud a system so efficient in dealing with reports. But this one wasn't meant to work like that. This is just the result of plain stupidity in charge of technology.

This is a real Dilbert system, something that Scott Adams talked about in "The Way of the Weasel". A system so incompetent that it looks brilliant in terms of results from a corporate point of view. Their antispam software blocked thousands of messages, showing that it's incredibly efficient, and thousands of abuse reports never reached them, showing an incredibly clean mail server.

And going back to SpamCop. The idea is good but I think it's a very complicated solution for a very simple problem. Eventually they'll fill the database with almost all the IP numbers that don't belong to a mail server and some that do. The database is going to be huge, probably it is already. And it doesn't take into account the human factor, like this case of LatinMail: someone using the database to filter its own mail.

You can read about my idea in a previous article. A system that's simpler, more efficient and based on information and protocols that are available now. There's no need to invent new stuff.

The idea basically is that every server receiving mail (SMTP) must verify the IP of the sender through the domain name system to see if it's declared as a mail server. It has to receive only from other declared mail servers and terminate immediately any other attempt. This way it saves storage space and bandwidth. The database to check is smaller, it's efficient and it's in use right now. Eventually, the servers can make a second query to another database, public or private, to check if the sender, even being another mail server, should be banned for any reason.
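The policy proposed above, as an added example (mine, not code from the post): the receiving server resolves the sender domain's MX hosts to IPs, refuses the connection at once if the client is not one of them, and only then consults a second ban list. The MX/A records, the ban list and every address are constructed so it runs offline.

```python
from typing import Callable, Dict, List, Set

# Constructed DNS data standing in for real MX and A lookups.
# example.com declares two mail servers.
MX_RECORDS: Dict[str, List[str]] = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.11"],
}
# Constructed second database: a declared mail server banned for abuse.
BANNED: Set[str] = {"192.0.2.11"}

Resolver = Callable[[str], List[str]]


def lookup_mx(domain: str) -> List[str]:
    """MX hostnames for a domain (constructed table instead of a DNS query)."""
    return MX_RECORDS.get(domain.lower(), [])


def lookup_a(host: str) -> List[str]:
    """A records for a hostname (constructed table instead of a DNS query)."""
    return A_RECORDS.get(host.lower(), [])


def declared_mail_servers(domain: str, mx: Resolver = lookup_mx,
                          a: Resolver = lookup_a) -> Set[str]:
    """IPs the domain declares as its mail servers through DNS (MX -> A)."""
    ips: Set[str] = set()
    for host in mx(domain):
        ips.update(a(host))
    return ips


def smtp_policy(client_ip: str, mail_from: str,
                banned: Set[str] = BANNED) -> str:
    """Reply to MAIL FROM: refuse unless the client is a declared mail
    server for the sender domain, then consult the ban list."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if client_ip not in declared_mail_servers(domain):
        # Terminate at once: nothing is stored, no bandwidth spent on DATA.
        return f"550 5.7.1 {client_ip} is not a declared mail server for {domain}"
    if client_ip in banned:
        return f"550 5.7.1 {client_ip} is a mail server but is listed as banned"
    return "250 OK"


if __name__ == "__main__":
    print(smtp_policy("192.0.2.10", "alice@example.com"))   # 250 OK
    print(smtp_policy("203.0.113.5", "alice@example.com"))  # 550, not declared
    print(smtp_policy("192.0.2.11", "bob@example.com"))     # 550, banned
```

MX records name the hosts that receive mail for a domain, not necessarily the ones that send it, which is why SPF lets a domain publish its outbound hosts explicitly; SPF's mx mechanism is exactly the check above.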

And that's the problem with the world these days. Things are going so bad just because nobody's asking me...

8/14/2006

Just rant

Today I'm going to rant for a while. So if you don't want to read me ranting you're free to walk away and come back at another time.
My first rant is about something I've been talking about in a previous article (Email and us) but this merits an encore.
This week I've received yet another mail with a PowerPoint presentation. I made a rule never to open one of those, I just delete them. And it's not because I think they may be a security risk, I do it because I know it's a waste of time. Of course I receive a few work-related PP files, but I can tell easily because I know the source, I requested them or I've been told that they were sent to me previously.
I don't know why people feel that a message is more valuable because it is presented in a nice 3D font, with colors, sound effects and animations. It's not. If the message is crappy, meaningless, stupid, nothing will make it better.
But this case was somehow different. The subject was "We have to stop Israel!" and the content was just the PP file that I didn't open. Because it was from an employee of a company we buy supplies from and sent to my work account, I felt compelled to answer with "We have to stop spam!"
And he answered with "It seems that the bombs are not falling in your home". That was when I almost lost it, but I remembered what I wrote and applied my own rules (don't answer in anger, don't answer if you don't have to) to the case and dropped it.
I understand that there's a war there, I'm aware that it's a terrible thing and I agree that the war has to be stopped. But that's not the point. The point is that I don't want to get this garbage in my mail account and I have the right to draw the line and say it.
And the real problem with these people is that they truly believe that they have a higher sacred right to send anything. Just because they're talking about life and peace and harmony, their message is more valuable than animated puppies.
I can write for a long while about how wrong it is to put one's rights over someone else's. Besides, it doesn't matter. The message has no value, the sender is not fighting for peace, he's not saving lives.
It's a whole new breed of "fat buttocks" warriors. They think that with the Internet they can reach millions and make a difference. And they're doing it, they're annoying millions. Sitting comfortably in front of a computer, they spread THE WORD around and most of the time it is not even their own WORD. They use any hot issue to justify a spam crusade. This is something that satisfies their pathetic emotional agenda and that's all the satisfaction they'll get. Because it's not about the issue, it's only about filling their inner void.
So, here's my rant to them:


Wake up!! You're doing nothing!! You're just sitting on your fat posterior forwarding PowerPoints. The Israeli government won't stop the war just because you filled its mailbox. Hezbollah probably doesn't have one. The phone companies won't lower their prices no matter how many messages you send. Neither will the oil companies. Fidel Castro is not resigning because you asked nicely in a message. It's not going to happen. If you take a hot issue from the news, it doesn't make sense to try to bring awareness to the general public. If it's in your newspaper, it's in mine too. If you're watching it on TV, I'm watching it too. And if you really really want to do something about it, go get active on it, do something, move your rear out of that chair. If you want me to listen, at least show me that it's worth enough to make you move away from your bag of chips.


My second rant is about Gmail. My mail account was "disabled" (whatever that means) and I can't use it anymore. It's not a big deal, the only purpose for that account was to catch scams, spam and phishing. The material that feeds this blog. But it pissed me off all the same. This is not the first account of this kind that I lose, it's maybe the fourth or the fifth. I can only guess but I think they're closed because someone reported them in violation of the TOS (terms of service). And it's easy to report them, all their traffic is related to scams, phishing, etc, and the identity of the user is fake. Obviously, the complainer is one of the scammers. And they have very good reasons to do that, I'm expressing them in my rant to Gmail:

Hey! From that mail account over one hundred phishing servers were reported, almost all of them were monitored until their closure. With mail addresses taken from the phishing messages or from files on the phishing servers, many dozens of potential victims were warned. Over three hundred mail accounts of scammers were reported and closed. And from this mail account, fake checks and transfers for over one hundred US dollars were ruined. Nice work Gmail!

The last thing is what I regret the most. I had two scammers sending fake checks to me and a couple more that were about to enroll me. Every time they write a check with my fake name, they have to pay for that check and there's no way to recover it. It's almost impossible for them to get it back and if they do, my name is on it. Every cent on those checks is one cent they won't get from someone else.
Also I was on the verge of shutting down a fake bank used for lottery scams, Financial Alliance something. I wasn't shutting it down myself, I was in contact with the domain name registrar and the hosting service trying to make them understand the problem. I've just checked and www.fiall.com is gone.
Not bad after all. The account is dead now but it died in the middle of a fight... and it won that fight!

8/08/2006

Are you safe? Are you sure?

Most likely you have a lock on the door of your house, probably more than one. Even so, valuables in the house are stored behind more locks. And I bet that you have at least one box with a lock inside a cabinet with a lock.
This is basic safety. The things that have value for us are stored in safe places. With locks that require keys. And a key is basically a password. It has a sequence of values, the indentations, in a particular order and if they match the lock all the levers will align and the barrel will turn freely.
The passwords are the keys to our virtual safe boxes, mail, bank account, blog, etc. And the reason why we use locks for them is that there we store our virtual valuables.
The first problem we have with it is that virtual stuff doesn't seem to be too valuable. If your first experience with a password on the Internet was your personal mail account, the password was more an annoyance than a safeguard. Besides playing a prank on you, there wasn't much more value in hacking it.
But when the banks started to offer services through the Internet, things changed. Now the virtual safe has real valuables inside. And not only banks. There's a lot of services with real value that merit a good lock and key to protect them.
Others are not worth a good lock, like subscriptions to newsletters, forums, media sites.
But what about our email accounts?
Somehow our personal mail accounts are being left behind in the security department. It's like the old idea of them being worthless stuck in our minds. In a way it's true because the chain letters, the endless forwarding of stupid jokes and hoaxes or the PowerPoint presentations with puppies are as worthless now as they were 10 years ago.
But now that the Internet is full of services with real value that can be measured in terms of cash, our mail accounts turned out to be the sum of all those values. Our mail accounts are the entrance door to all those services. Think about it, any one of them will graciously send your password or a newly generated one to that mail account at your (or anyone else's) request. Your mail account is your key, your ID, your safe box in the virtual world of the Internet.
You probably feel safe about it, you have a password, nobody can enter your mailbox without it. So, the rule number one is never ever tell your password to anyone. Have you? Are you sure?
Believe it or not, the number one method used to get a password is the most simple one, ask for it. Yes, that's right, exactly as you've read it, the best way to get a password is to ask for it. Of course you won't do such a stupid thing, if I ask you to comment on this article with your user name and password you wouldn't do it, would you? What if I ask you nicely? What if I ask you in a different way? What if I change the tone of my voice? What if I rephrase the question?
But you know better than that. You never fell for it, did you? Are you sure?

Every day thousands of messages ask users to click and log in on a web page and some do. I've been talking about this phishing thing in previous articles. You may say that the ones who fell for it were not the smartest in the pack and I think you're right. But are you sure that each and every page you've logged in to was the right one? Did you check every single one? Are you able to tell the difference?
The typical phishing is pretty rough. For starters, it's a business of volume, it doesn't work unless you send several thousand messages. A lot of them will reach people that don't have an account, and they'll be able to tell that something is wrong. For those that have an account, the message looks like any other message they get from that service. Maybe there's a detail or two, like in the case of PayPal. They always use your first name in every message. The phisher can't do that because he doesn't have that information. These things are explained on PayPal's web page, the part that people don't read. And those who did read it most likely forgot it all by the time they got that message. The only real difference between the fake thing and the real thing is in the source code of the message. Do you check it? Are you able to understand it?
These messages are too direct most of the time. For a paranoid like me, the feeling of being pushed into doing something triggers all my alarms at the same time. Someone asking me to log in or else... But let's say that you get one message from the auction site with a showcase of products, all of them with links to their pages. Doesn't seem dangerous, it's not talking about logging in, no problems with your account. You click and the auction page shows up, it looks fine, just like the one you know so well. Once you settle down, feel comfortable, the login page appears. It has to be the real one, you were on the site already. Or weren't you?
And this is just one possible scenario. As you can see, it takes someone with knowledge and skills to tell if the message is real. You know about phishing because it's everywhere, everyone is talking about it, it's on the news, you're reading about it right here. So you'll suspect any message asking for your password, asking you to log in. But at some point it'll change, the attempts won't ask you for your password directly, they'll be more subtle. Are you prepared for it? Are you sure?

Once past the message, you have to face the web page. Most phishing attempts are pretty rough in this part. If you check the navigation bar it's evident that you're not in the right place. It could be an IP number or the name of a cigarette factory in China. Whatever it is, it's not the address of the site you're trying to get into. But how many times do you check it? Do you at all?
Most of the time we type the name of the site we want to go to or take it from our bookmarks. We can tell that we're going to the right place, we typed the address ourselves. And you know better than clicking on a link offered by an email message. But what about web pages?
This is one of the most popular activities on the Internet, clicking. We go from page to page because it's there, it's easy, it's convenient, it's fun. And it doesn't matter if you're just reading the news. But if at some point you're offered a link to a site where you have an account, one with real value, and you log in there, do you check if you're in the right site?
One of the most dangerous sites today, in my opinion, are the auction sites. The links to their products are everywhere. Even worse, they pay webmasters to have pages with selections of products linking to the auction pages. It's a nice trick and I'd like to rant for a week about it. By having those pages, the auction sites multiply their chances of being listed on top of the search engines. Let's say that they have an auction of a consumer product that's very popular, this one would show once on the search engine. But if there are many pages with that product and a link to the auction page on many different web sites, it would show up once for every site. And if they have many auctions of that product, multiply that number by the number of sites linking to it. And my problem with it is that if I want to get information about that product I can't find it, the search list is full of auction pages and pages linking to the same auction pages. Try any popular consumer product and you'll see.
But this is a topic for another article, the point here is that those pages with selections of products from the auction sites are everywhere, they are known and accepted by the common user. So, if you find what you're looking for and you want to comment, ask or offer you'll click the link and log in. It's natural, we're used to doing this all the time. We click on a couple of pages, we end up on the auction page, who's paranoid enough to go and check the navigation bar?
Doing a web page resembling a real auction is not really hard, in fact you don't have to actually do it. The phishers don't DO the login page resembling the real one, they just copy it and modify it to suit their needs. And it doesn't have to be an auction site, it could be anything. The traps can be set anywhere and take you anywhere else. I mentioned how a link can be disguised in a message, the same technique can be used on a web page. Take a look at this silly example, click on the link, visit Altavista and come back here. Yes, I know. It's not Altavista. If you put your mouse over the link, and your browser status bar is active, you'll see the real link down there, you'll see that it doesn't match the name I offered you. The point is nobody (or almost nobody) checks the status bar before clicking or the navigation bar after.

So the navigation bar is important and should be checked if you're logging in. But it's not all. There are a couple of tricks to keep you from seeing where you are. One of them is to offer you the login page in a pop-up window without the navigation bar. The other is to use a bogus icon image, those little icons that show up on the left side of the navigation bar. One of those totally useless niceties, for us the users, that turn out to be totally useful for the phishers. The image is supposed to have a fixed size and square shape. But if you create one that's wide enough to cover the URL field of the navigation bar, now the real address is hidden and what you see is the address of the real site that was drawn on that image. Sometimes the font or the font size don't match those of your browser or the alignment is a couple of pixels off center. But you have to be a careful observer to note such a detail. This trick had its peak last year and I've never seen it again. I guess the new browsers have it fixed... I hope.
And the state of the art in deceiving you into going to the wrong site is to intercept your name resolution. In a previous article I explained name resolution in relation to a phishing operation. The name you type on the address field is resolved into an IP number because that's the information the net requires to find the site. Your name resolution is being done by a complex system of distributed servers. If I can hack your server and add a record for Yahoo with the IP of one of my servers, you'll connect to it every time you try for Yahoo and your navigation bar will show Yahoo every time. These servers are not very vulnerable but it may happen. In fact there was a case when the root servers were hacked, the records changed on the root servers were propagated to almost all the DNS servers around the world. The event triggered alarms everywhere, and was detected and fixed in a short time. But it proved the potential of a DNS attack. It can alter the name resolution for the whole world by attacking the root servers, only for a group of computers by attacking its DNS servers or only one computer by feeding it the wrong name information.
If you want to try and see how it works, you can do it on your own computer. There's an alternative method to resolve names on your own computer. In fact it's in the chain of resolution and it has top priority. But its list is empty by default and it's rarely used. There's a file in your system called HOSTS, in the directory %SYSTEM%\Drivers\Etc if you're using Windows and somewhere around /etc/sysconfig if you're using Linux. This file can resolve names for you, all you have to do is put the IP number and the name separated by a tab or space, one row per domain name. Try adding this line "208.45.133.23 altavista.com" (without the quotes), and see how Altavista turns into Excite. It may need a restart of your browser if you have the address of Altavista already resolved. To avoid unnecessary traffic, your system checks if the name you're asking for was accessed recently and uses the IP number it has in memory. Remember to delete that line or you won't be able to access Altavista again. This won't work if you're using a proxy server because the server will resolve the name for you.
This is not a common method of phishing or hacking. If someone has the access and the privileges to modify that file, there's a lot of ways to get your passwords and credit information from files stored in your computer. If it happens to you, it's more likely a "crime of passion". Someone close to you doesn't like you or is playing you a prank. It's not a common office prank because in most of them the use of a proxy is mandatory.
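Since a HOSTS entry overrides DNS with top priority, the defender's side of the experiment above is to audit that file for entries that send a name somewhere real. This is an added example (mine, not from the post): it parses the file format described above (IP, then name and aliases, '#' for comments) and flags anything that is not loopback or a 0.0.0.0 sinkhole. The sample file is constructed; the standard file locations in hosts_path() are my assumption, not taken from the post.

```python
import ipaddress
import os
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed HOSTS file: the stock loopback lines plus the kind of entry
# the post describes, pointing altavista.com at some other IP.
SAMPLE_HOSTS = """# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # ad-blocker style sinkhole, harmless
208.45.133.23   altavista.com     # redirects a well-known site elsewhere
"""

Entry = Tuple[str, List[str]]  # (IP, [name, alias, ...])


def hosts_path() -> Path:
    """Standard location (assumed here, not taken from the post):
    %SystemRoot%\\System32\\drivers\\etc\\hosts on Windows, /etc/hosts elsewhere."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_hosts(text: str) -> List[Entry]:
    """Each entry is 'IP name [alias ...]' on its own line; '#' starts a comment."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or IP without a name
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line the resolver would not use either
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str) -> List[Entry]:
    """Entries that send a name somewhere real: neither loopback nor the
    0.0.0.0 sinkhole. Any of these overrides DNS and deserves a look."""
    flagged: List[Entry] = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, names))
    return flagged


def audit_file(path: Optional[Path] = None) -> List[Entry]:
    """Read the live HOSTS file and report its suspicious entries."""
    path = path or hosts_path()
    return suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {' '.join(names)}")
```

Run audit_file() without arguments to check the machine it runs on; a clean file returns an empty list.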

If I didn't push you enough into paranoia yet, brace yourself for the next part. Let's say that you were careful enough not to log into a page other than the one you intended to. There's a good chance you didn't actually. Despite the high number of phishing attempts, the number of people falling for them is very small in comparison. And what I'm about to describe hasn't been used as a massive phishing operation, I don't think it will be in the future either. But it's a vulnerability that may expose you to a random act of hacking or, even worse, a targeted one.
As part of your Internet experience you take part in different activities that may require a login. Even some that don't really merit one. Imagine that you join a forum, you're requested to register, you're asked for your mail address to send you a verification code, some personal data and a password. Are you using the same password for all your services? Some of you are thinking that this is a stupid question and that it's not worth mentioning. But you're wrong, it's unbelievable the number of people that can't handle more than a couple of passwords, if they're using more than one at all. If you're one of them, think about this. You've registered on a site where people unknown to you have your mail address and your password. You may think that they don't know it's the same password you use for your mail account. Let me tell you, I'm not a professional hacker and that would be my first guess. I tried that with a lot of people I know (with their consent) and my success ratio has been over 50%. And if your mail address is exposed, what else do you have in there? Auction site, Paypal, your bank?
I'm not saying that there's a forum out there hacking into mail accounts. As a plan it's pretty lousy. A forum takes time to build up a group of members and not many have a number of members that can be compared with the number that can be reached with a mail phishing. Even with the higher ratio of success that can be achieved. Besides, it's a one-shot operation. People will find out the common link of all the hacking events very quickly. Mostly in a forum where people talk about things like this.
The problem is not the forum and its administrators, the problem is how good the security of the forum is. I think I mentioned in a previous article that many phishing pages are being set up in forums. The phishers are abusing well-known vulnerabilities in the most popular forum scripts. And we're talking about maybe two PHP scripts, maybe not even two. Once you find out a vulnerability that suits your needs, all you have to do is find servers running that script with the version you know is vulnerable or one older than that. You wouldn't believe how easy it is to do that, just Google for it. Ask for that script and the version number and Google will put on your desk a list of those servers.
And this is because forum administrators have that information available on their pages. They have to, it's the right thing to do if they use the scripts. The scripts are very good, that's why they're popular, and the administrators who chose them for their forums have to give credit to whom it's due. It's not their fault.
And if it's not the script, it's a vulnerability in the web server or the operating system itself. The point is that the user database of that forum has 50% of the keys to your valuables and that you have no way to know how safe it is. And it doesn't matter if they say that your password can't be read because it's encrypted, I'll show you in a minute that this is only half the truth.
I know that having more than one password is a pain in the rear but there's no other way to go. As you can see, once someone can put your mail address and a password together your whole security fortress starts to fall brick by brick.
Even if you're not using the same password for your mail account and the forum, how safe is your password?

The second most effective way to break into someone's account is password guessing. There are compiled lists of the most popular passwords, some general and some for particular groups: by language of course but also by ethnicity, religious beliefs, etc. Those lists are not capricious, they were compiled from real password databases since the beginning of the computer era. Nowadays, most servers have their own list of "popular" passwords and ban them to prevent guessing attempts. Among the top of the list are words like Jesus, God, curse words and, believe it or not, password. Those can be prevented by the server or by the user, but there's another list that you must take into account, your own list. Your profile in the forum has your name, your birthday, your zip code, your address, your phone number, your city, your country and some other personal details. Which one are you using as password? I hope none, because this is the list that's being used to guess your password and the success rate is amazing. And if you're typing them backwards, forget it, it's in the book too. Your profile is available to the general public in some places and in others only to registered users. Whoever is on the lookout for your password can register as quickly and easily as you just did. But he won't be using his real information.
Password guessing has many advantages for the perpetrator. It can be done from the outside, there are many ways to do it without leaving traces, most servers don't ban connections based on the number of failed attempts, and it's easy to set up a procedure to do it automatically. And it's effective. Try to play the guessing game with family and friends, you'll see that the youngest, who don't have much of value on the Internet, have strong passwords while the oldest, who have money and valuable services, have the weakest.
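The server-side prevention mentioned above, as an added example (mine, not code from the post): at registration time, reject a password that is on the popular list or that is built from the user's own profile data, forwards or backwards. The popular list, the profile and the test passwords are constructed; a real deployment would use a much larger popular list.

```python
import re
from typing import Dict, List, Set

# Constructed stand-in for the "popular passwords" list servers keep.
POPULAR: Set[str] = {"password", "jesus", "god", "123456", "qwerty", "letmein"}

# Constructed profile of the kind a forum collects at registration.
PROFILE: Dict[str, str] = {
    "name": "John Smith",
    "birthday": "1975-04-12",
    "zip": "90210",
    "city": "Springfield",
}


def normalize(text: str) -> str:
    """Lower-case, letters and digits only, so 'Smith-1975' == 'smith1975'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def profile_words(profile: Dict[str, str]) -> Set[str]:
    """Every profile value, whole and split into tokens, each also reversed:
    the post's 'your own list' of guessable strings."""
    words: Set[str] = set()
    for value in profile.values():
        for token in [value] + re.split(r"[\s,./-]+", value):
            t = normalize(token)
            if len(t) >= 3:  # drop fragments like the '04' in a date
                words.add(t)
                words.add(t[::-1])
    return words


def password_problems(password: str, profile: Dict[str, str]) -> List[str]:
    """Reasons a server should reject the password; an empty list means none found."""
    p = normalize(password)
    problems: Set[str] = set()
    if p in POPULAR:
        problems.add("on the popular-password list")
    for word in profile_words(profile):
        # exact match, or a profile string of 4+ characters embedded in it
        if word == p or (len(word) >= 4 and word in p):
            problems.add(f"derived from profile data: {word}")
    return sorted(problems)


if __name__ == "__main__":
    for candidate in ("password", "Smith1975", "dleifgnirps", "rT7#kq9!Lz"):
        print(f"{candidate:<12} -> {password_problems(candidate, PROFILE) or 'accepted'}")
```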

And this is something that can be done to break into your account without actually breaking into the server. If your password is weak and the perpetrator is lucky, the server won't be able to tell your login from his. The only difference is that he may need more attempts than you do.
But having access to the server allows the perpetrator to gain access to many passwords all at once. He just copies the users file and does the work at home, taking all the time he needs. If the server is simple, with lousy security, the users file is probably a plain text file and no more work is needed: the password is right there in the open. If the password is encrypted, it will take some time, but it's possible to get the password or something as good as the password.
Passwords are not really encrypted, because the value stored can't be decrypted. The method used is to apply a mathematical function to the password and store the result. The function is such that it has to give the same value for the same password and can't be reversed. One example could be the sum of the digits of the password. Let's say that your password is 1234; the sum of the digits is 10, so the number 10 is stored. There's no way to rebuild the password from this piece of information. When you re-enter your password and, applying the same function, it matches the value stored, then the server can say that you entered the right password.
These functions are called hash functions and are a lot more complicated than the example. A good hash algorithm should generate big differences from minimal changes, have an image domain of respectable magnitude and generate as few collisions as possible.
The first condition is to avoid password guessing by proximity. Two very similar passwords have to produce two very different hash values. You'll see why in a minute.
The size of the image domain prevents massive guessing. A small image domain means that the number of possible results of the hash function is limited. Imagine a hash using the last digit of the sum of the digits of the password. There are only ten possible results, so all I need to access any account is a list of ten passwords that give the ten possible hash values. The ideal hash function would be one with an infinite image domain. But even one with a relatively limited space is almost as good in practice. A hash space of 10 hexadecimal digits has more than a million million different hash values, and I can't write the number for one with 1024 digits. It's a one followed by 1,233 zeros.
Because the hash function is a one-way function, it is possible for two different passwords to have the same hash. If the image domain is smaller than the space of possible passwords, it will happen for sure, because the number of passwords is greater than the number of possible results. The system would let someone log in to your account with a password completely different from yours. However, finding that particular password is as difficult as finding yours.

This system of storing hash values instead of passwords is efficient and practical. It's not bulletproof, though. If someone gets the users file and knows the hash function used on that server, there's a method to get either the real password or something good enough to access the account. It's called the dictionary method.
To do that, a database is created by calculating the hash values of all the words in a dictionary. It's a big database, but something that a regular computer can handle. This database is used to cross-check every hash in the users file. If there's a match, the word associated with that hash is a valid password for that account. It could be the real password or not but, either way, it will work.
The hashes that don't match a value in the database can't be guessed by proximity, provided the hash function complies with the first condition.
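The three properties above and the dictionary method, shown on constructed data. This is an added example, not code from the original article; the toy digit-sum hash is the article's own illustration, SHA-256 stands in for a real hash, and the word list and users file are made up.

```python
"""Added example (not from the original article): the hash properties the
article lists and the dictionary method it describes, on constructed data."""
import hashlib
import os
from itertools import product


def digit_sum_hash(password):
    """The article's toy hash: sum of the digits.  Tiny image domain."""
    return sum(int(c) for c in password if c.isdigit())


def toy_collisions(length=4):
    """Group every all-digit password of the given length by its toy hash:
    only 37 possible values, so unrelated passwords collide constantly."""
    groups = {}
    for digits in product("0123456789", repeat=length):
        pw = "".join(digits)
        groups.setdefault(digit_sum_hash(pw), []).append(pw)
    return groups


def sha256_hex(password, salt=b""):
    """A real one-way hash: 256-bit image domain, no practical reversal."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def bit_difference(a_hex, b_hex):
    """Bits that differ between two digests (the article's first condition:
    nearly identical passwords must give very different hashes)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def build_dictionary_table(words, hash_fn=sha256_hex):
    """The dictionary method: hash every word once, keyed by hash."""
    return {hash_fn(w): w for w in words}


def cross_check(users_file, table):
    """Cross-check a users file of {user: hash}; return {user: word} for
    every stored hash that appears in the table."""
    return {user: table[h] for user, h in users_file.items() if h in table}


def salted_users_file(creds):
    """Store (salt_hex, hash) per user.  With a different salt per user, one
    precomputed table no longer matches every account at once."""
    out = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        out[user] = (salt.hex(), sha256_hex(pw, salt))
    return out


def cross_check_salted(users_file, words):
    """Against salted hashes the word list must be re-hashed per user; weak
    words are still found, but nothing is found by table lookup alone."""
    found = {}
    for user, (salt_hex, h) in users_file.items():
        salt = bytes.fromhex(salt_hex)
        for w in words:
            if sha256_hex(w, salt) == h:
                found[user] = w
    return found


# Constructed data: a short word list and a users file with unsalted hashes.
WORDS = ["jesus", "god", "password", "letmein", "qwerty", "football"]
USERS_UNSALTED = {
    "alice": sha256_hex("password"),
    "bob": sha256_hex("Tr0ub4dor&3"),   # not in the word list: no match
    "carol": sha256_hex("football"),
}

if __name__ == "__main__":
    print("toy hash values:", len(toy_collisions()),
          "passwords hashing to 10:", len(toy_collisions()[10]))
    print("bits changed by one character:",
          bit_difference(sha256_hex("1234"), sha256_hex("1235")))
    print("unsalted users file:",
          cross_check(USERS_UNSALTED, build_dictionary_table(WORDS)))
    print("salted users file:", cross_check_salted(
        salted_users_file({"alice": "password", "bob": "Tr0ub4dor&3"}), WORDS))
```

The salted run shows the practical caveat: a per-user salt removes the one-table-fits-all shortcut, but a password that is itself a dictionary word still falls to a per-user pass over the word list, so the salt complements a strong password rather than replacing it.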

Enough with the bad news, let's talk about the good news: things that you can do to improve your passwords.

Pick strong passwords. Not one-word passwords, not only numbers, nothing from your profile, not your name or your address; make them long, change them frequently, and I could keep going on and on forever. These are the recommendations of the experts and I totally agree, but they don't help much. Add to that the need to have more than one.
The problem is that if they're easy to remember they're easy to guess, and if they're hard to guess they're hard to remember. And you shouldn't have them written on stickies around your monitor. So, the best solution is to have a method you can remember. Some kind of password generator algorithm that can produce them with a variety of numbers, letters and lengths but, basically, a method that you can remember. I'll give you an example, not the one I use. The rules are:

- Put the name of the service, the user name and the current month together
- Replace all a's with 4's and all i's with 1's
- Capitalize the letters in even positions, unless they were converted to numbers

The password for username in Paypal this month would be p4yP4LuSeRn4mE4UgUsT and for the same name in Gmail would be gM41lUsErN4Me4uGuSt.
Including the month allows you to change your password monthly without the hassle of memorizing it again. The passwords will repeat after a year, unless you throw the year into the mix, but that is well beyond the reuse restriction imposed by most systems. Including the name of the server, or any word related to it (auction, mail, bank, etc.), allows you to have as many passwords as needed without memorizing them all, just the set of rules. The last rule seems simple but it's actually not: it's hard to keep count of the positions when you can't see what you're typing. But that's the beauty of this, you can set any rule you like. Capitalize the last letter, or the first, or the one in position X. You can swap any pair of letters and/or numbers. I pick pairs that have some relation: 4 looks like an A, 1 looks like an I. And there are a lot of pairs to use: O and 0, B and 8, S and 5, G and 6. You can change letters for the next one in the alphabet, or the previous one. Try adding a word that only you know, or only a few people around you: the name of a pet from your childhood, the name of your secret lover, a word from a song that makes you cry when you hear it. This way, even if you write down your rules and leave them on a sticky under your monitor, there's always a piece missing.
Be creative, but not too much, or you'll end up with a set of rules impossible to remember.
And try to keep your mail address private, don't spread it around like the plague. Get a disposable mail account for subscribing to unsafe places: media web sites, game sites, anything that asks you for a mail account and has no value. And don't link your safe and unsafe mail accounts. If they get to your unsafe one, the safe one is just one step away.
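The three rules written down as a function, so they can be checked against the two sample passwords above. This is an added example, not code from the original post; it assumes the inputs are lowercased before the rules run, which the post does not state but which reproduces both of its samples.

```python
"""Added example (not from the original post): the three-rule password
recipe from the article, written down so the rules can be checked.
Inputs are lowercased before the rules run; that is an assumption the
article does not state, but it reproduces its two sample passwords."""
import calendar

SUBSTITUTIONS = {"a": "4", "i": "1"}        # rule 2


def rule_password(service, user, month):
    """Rule 1: join service, user and month.  Rule 2: a -> 4, i -> 1.
    Rule 3: capitalize the letter at every even position (counting from 1),
    unless substitution already turned that position into a digit."""
    joined = (service + user + month).lower()
    substituted = "".join(SUBSTITUTIONS.get(c, c) for c in joined)
    out = []
    for pos, c in enumerate(substituted, start=1):
        out.append(c.upper() if pos % 2 == 0 and c.isalpha() else c)
    return "".join(out)


def year_of_passwords(service, user, year=None):
    """One password per month.  Without the year the set repeats every
    twelve months, as the article notes; with it, every month is new."""
    suffix = str(year) if year else ""
    return [rule_password(service, user, calendar.month_name[m].lower() + suffix)
            for m in range(1, 13)]


if __name__ == "__main__":
    print(rule_password("Paypal", "username", "August"))   # p4yP4LuSeRn4mE4UgUsT
    print(rule_password("Gmail", "username", "August"))    # gM41lUsErN4Me4uGuSt
    print(len(set(year_of_passwords("Paypal", "username"))), "distinct per year")
```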

It's great to have the chance of having valuable services on the net, but I'm too paranoid for that. I like to go to the bank and show my ID.

8/04/2006

Don't want to say goodbye anymore


It would be nice not to say goodbye anymore but it's something I have to do.
And I'm aware that it's an exercise in futility. They open more accounts and keep doing what they are wired to do. But on balance, it's a click on the forward button for me, and for them all the hassle of opening another account plus explaining to their "customers" why the change... it's worth it.
Nothing remarkable on this list, just a bunch of scammers.

I have some news from the phishing front. I saw a new variant where the form to post the personal information is in the message itself. It's interesting because this way the phishing page doesn't have to be too obvious; in fact they don't have to set up a visible phishing page at all. The return page could be a blank page with a redirector to the real one (Paypal, eBay, etc.).
Unfortunately I couldn't see this one working because it was down already, so there's not much to comment on. Maybe the next...

And here's the list:



Farewell my friends, I know you'll be back and I'll be waiting for you

8/03/2006

A sophisticated phishing operation

Remember the Live Messenger installer trojan? It's gone. It doesn't change my article a bit, but it's good news.
I'd like to add that I had no grudge with Microsoft, or at least not only with them.
I mentioned in previous articles how the lack of attention of those in charge of networks and servers is helping criminals in their activities. So, the list of people I have a grudge with is really, really huge.

Today I've received yet another eBay phishing message, this one in particular was the tip of a major phishing operation. I saw one like this before but a lot smaller.
The typical phishing page is set up on a hacked server; there's no need to take full control of it, just enough access to create a directory and copy some files is more than enough. Lately I've seen a lot of web servers running on ADSL or cable networks, almost all of them Apache web servers. My guess is that more people are using Linux and are leaving the web server running and serving the public interface. Maybe there's a reason to have the web server on, maybe they're using an administration tool that requires it, like Webmin, maybe they're doing web page development. But they don't have to serve the public interface. And I can tell that most of the time the intention wasn't to serve the public interface, because if I go back to the root the Apache default page shows up; there's no page there for outside users.
The whole phishing job is to hack a server, set up a page, send the messages and wait. The page may have a local data file to store the data collected (nothing fancy, just a text file) or send the data by mail to a free account controlled by the phisher.
The messages are sent with the same techniques used by commercial spam. Which is good, because most spam filters are catching them.
If you want to stop a phishing job, these are the points to attack:

* Block the messages. This part is being done already by spam filters. The problem is that they are doing damage control: the messages were already sent, received and stored in the user's mailbox. And to make matters worse, here are some reasons why spam filters are not enough:

- Not everyone has a spam filter
- Not all spam filters detect all the phishing messages
- Some let the message pass because the alleged sender is an authorized mail address for a Paypal user
- Some users pick up the message from the spam directory thinking that it was a filter error

* Block access to the page. This is the most effective if done quickly. Once the page is blocked or deleted, all the messages are useless. Moreover, the phisher will keep sending messages linked to that page for a while, wasting his time. The problem here is the reaction time of the people in charge of servers and networks.

* Catch the phisher.

There's not much that can be done with the messages unless someone comes up with an effective way to eliminate spam (I know how, just ask me).
Going after the phisher is a very complex problem to solve. You can report the message and, from it, it is easy to get the originating IP number. Hopefully, if it's being used legally by the phisher, the ISP can identify him; I've seen many of them using DSL services. But at this point they're only spammers; the ISP may slap his hand or terminate his account. My guess is that he has to be a repeat offender to get to that situation. Let's face reality: the complainer is someone who could be somewhere on the other side of the planet, the perpetrator is a paying customer.
The servers that were hacked most likely are not being supervised properly; that's the reason they were hacked in the first place. I don't think it will be easy to get an administrative log, showing when the phisher logged in to set up the page, or even an access log, showing when the phisher accessed the data file.
At this point, depending on the location of the server and the phisher, there may be a crime. But the owner of the server has not suffered any loss. Most likely, he's not using the web server at all and wasn't aware that it was running. He won't go through the hassle of filing a criminal case in court. He'll be happy to fix his problem and move on.
By the time the real crime is committed, with economic loss for the victim, a lot of small links have to be put together to go from the crime to the phisher. The victim has to be able to relate the loss of money from his account to the event of logging on to a fake page, and this is someone who wasn't able to tell the difference at the time. Then he has to be able to recover the original message and hope for it to have an IP number linking to the phisher, or for the phishing page to be still active. And if the page is intact, hope for a log showing the phisher's activity in some way.
Let's say that all these things can be put together; it seems a pretty impressive amount of evidence to support a case. But so far it's all bits and bytes, something that I could make up with Notepad on my PC. This is evidence that requires the analysis of experts to be used in court, people able to explain the meaning of it and to certify that it is the real thing.
But all this is after the crime has been committed; it does no good for the victims.
The most effective way to fight phishing is to attack the pages. There are fewer of them than messages; once thousands of messages are sent they're out of control, and there's no way to take action against all of them. The pages, on the other hand, are static, they can't move, and they're limited in number.
It's all a matter of speed: they have to be eliminated fast to minimize the number of people logging in. And if the page has a local data file, it has to be eliminated before the phisher can access it.
The first thing is to be aware that the page exists. It seems easy because I've reported so many, but I only know about those that are linked to messages I've received. I've exposed my mail address on purpose to get them and, even so, I'm sure I don't get all of them. The method is pretty good, but to be used effectively it would take more than my one-man army. Not much more: a small group of people working in shifts to cover a 24-hours-a-day operation.
The other way to get the warning is in the hands of the original sites. I think I said that before, but it is worth repeating. The phishing pages are using the images and other elements from the original sites. Every time someone opens the phishing page, it is sending requests to the original site for the logos, styles, etc. Every request bears an HTTP Referer header clearly showing that it is not coming from the original site or another site authorized to request that object. So, the first warning, the one that fires every time a victim falls, is being sent to the original sites. This is a topic for another long article.
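How the original site could read that warning out of its own access log. This is an added example, not code from the original post or from any of the sites it mentions; the host names, asset paths and log lines are constructed, and the log is in Apache's "combined" format, which records the Referer.

```python
"""Added example (not from the original post): flag requests for a site's own
logos and stylesheets that arrive with a Referer from a host the site does
not own, the early warning the article describes.  All data is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format: the two quoted fields after the size are
# the Referer and the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed: the hosts we own and the brand assets a phishing page would copy.
OUR_HOSTS = {"www.example-auction.com", "example-auction.com"}
BRAND_ASSETS = ("/images/logo.gif", "/images/header.gif", "/css/site.css")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of the Referer, or None when the browser sent none ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def is_hotlink(entry):
    """True when a brand asset is fetched from a page on a host we don't own.
    A missing Referer is not judged: some browsers and proxies strip it."""
    if not entry["path"].startswith(BRAND_ASSETS):
        return False
    host = referer_host(entry["referer"])
    return host is not None and host not in OUR_HOSTS


def suspicious_referers(lines):
    """Count hotlinking hosts; each one is a page embedding our assets and is
    the address to check and report, before any victim complains."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_hotlink(entry):
            counts[referer_host(entry["referer"])] += 1
    return counts


# Constructed log: one real sign-in, two hits from a copied page on a hacked
# host, one page view with no Referer and one asset fetch with no Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Aug/2006:10:15:02 -0500] "GET /images/logo.gif HTTP/1.1" '
    '200 4512 "http://www.example-auction.com/signin" "Mozilla/4.0"',
    '198.51.100.7 - - [03/Aug/2006:10:16:41 -0500] "GET /images/logo.gif HTTP/1.1" '
    '200 4512 "http://192.0.2.44/~user/signin.htm" "Mozilla/4.0"',
    '198.51.100.9 - - [03/Aug/2006:10:17:05 -0500] "GET /css/site.css HTTP/1.1" '
    '200 980 "http://192.0.2.44/~user/signin.htm" "Mozilla/4.0"',
    '198.51.100.9 - - [03/Aug/2006:10:17:09 -0500] "GET /index.html HTTP/1.1" '
    '200 12000 "-" "Mozilla/4.0"',
    '203.0.113.8 - - [03/Aug/2006:10:18:00 -0500] "GET /images/header.gif HTTP/1.1" '
    '200 3000 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, hits in suspicious_referers(SAMPLE_LOG).most_common():
        print(f"{hits} brand-asset requests referred from {host}")
```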
Once the page is detected, the real work begins. The page has to be closed, deleted, blocked. The problem here is that the owner of the server itself can't be contacted most of the time. Sometimes the hacked site is a public web server, one that's serving a public IP interface on purpose. If you get to the home page, chances are you'll find a contact, an email address or a phone number. Even if you don't, you can check the contacts for the domain name registration. But these cases are not the most common. Public web servers are, in most cases, under control. The people running them are aware of the dangers of a public interface and have an interest in the smooth operation of the servers. So they're either well protected or will answer quickly to a report of hacking. There's still a number of servers handled by clueless people that will be hacked for sure and that won't act quickly, or won't act at all.
To these we must add the most difficult group: those servers that nobody knows are serving a public interface. Those are the real problem. They're over 90 per cent of the total, there's no way to contact the owner directly and, most likely, the owner doesn't know how to fix it.
Here the only resource is to contact the ISP in charge of the IP address and hope for the best.
The ISP is not going to block the IP completely, and I think they have good reasons for it. Besides the economic balance, unknown complainer against paying customer, the customer is also a victim. His server has been hacked; he's not getting any benefit from the phishing.
All the ISP can do is contact the customer and tell him what the problem is. Then it's up to the customer to remedy the situation. And, most likely, he won't be able to fix it immediately.
ISPs don't have firewalls to filter traffic in the blocks of public addresses dedicated to customers; it doesn't make sense when the responsibility for the equipment connected to that public address belongs to someone else. With a firewall they'd be able to block the service port for that particular IP address and deal with the problem in time. But it would require high-bandwidth equipment with minimal latency to filter less than 1 packet in a million.
Another alternative would be to force an IP change on the offending connection, if the assignment is dynamic. The ISP has to identify the customer, so he can be notified to fix the problem, force the expiration of the IP lease and reset the connection, forcing the system to request a new IP number. It would be a minor annoyance for the customer, but it's a quick solution that could save many from falling into the trap.
In systems where the IP number assignment is static, the numbers are fixed for each connection, the solutions for the ISP are more complicated, and sometimes there's no other solution than requesting that the owner of the server fix it.

And this is basically the way a typical phishing operation works. As you can see, it can be run with almost no resources besides knowledge and skills, it is really hard to fight against, and the chances of being caught are very small. It's the kind of operation that's profitable no matter how poor the results are.

Now, the more complex phishing operation. In this one, the phisher obtained two domain names. I don't know if he bought them, maybe paying with an account hacked in a previous operation, or took control of them by other means. One domain name was used for the phishing server and the other for a domain name server. Then he hacked two servers, but not to install a phishing page; instead he installed the domain name servers (primary and secondary) and declared them the start of authority for the other name. The name of the phishing server was amn27d.info and the name of the DNS server was COMNET-US.COM.
Here's the trick: the names we use for domains mean nothing to a network, they have to be resolved somehow to an IP number. The domain name servers do that. There isn't a huge database of name and number correspondences; in fact it's a distributed database system. Each name belongs to an authoritative nameserver space depending on its extension (.com, .org, etc.). These nameservers have their lists of domain names, but the records don't have the IP numbers for those domains. Each record has a pointer to the domain name server that has authority over that domain. This allows the owners of the domains more flexibility in the way they handle their networks. Let's say that you want to move your web server to a new computer: you don't have to ask someone else to change the IP assignment, you change your DNS record. Or if you want to have more than one server, you can tell your DNS to point your domain name to different IP numbers. This may work as a backup system (if A fails, point to B) or as load balancing (point alternately to A and B).
Having control of the DNS and the name of the phishing server, the hacker started planting phishing pages on as many servers as he could hack. I counted over 40 of them. As the servers were set up, they were also assigned to the domain name amn27d.info on both domain name servers. So, now, every time a request was made for amn27d.info, the DNS server was able to point to any one of the over 40 active phishing servers.
I said before that the phishing server was a weak point because it is at a fixed location and, once detected, it can be shut down, rendering all the messages pointing to it completely useless. Well, not anymore. Now all the messages point to amn27d.info and, if one of the servers is down, the DNS will point to any other. In fact, the DNS has no idea whether the page is running or not. It reports to the client asking for that name, you or anyone asking for that page, as many IP numbers as it's configured to report. In this case it was configured to give 5 IP numbers picked randomly from the whole lot. It's up to the client application, your browser, to check whether the server is responding and, if not, move to the next IP number.
It's a very complex setup for a phishing operation, but it's totally normal. Many Internet servers use this kind of setup to improve their performance and uptime.
To make matters worse, the hacker set the web servers to respond by domain name and not by IP number. This means that if you use http://amn27d.info the server responds, but if you use the IP number http://84.138.129.118, the server doesn't respond or gives you another page. In this case it was a blank page. The reason for that is that it makes it almost impossible to report the phishing servers. If the ISP checks by name, most likely the IP reported by the DNS server will be different from the one seen previously. The ISP would ignore the complaint because it doesn't belong to his network. If he checks by IP number, there's a blank page, no reason to take any action.
I found it by name, I took the name from the phishing message, went to that link and saw the page. Because it was using a name and not an IP number, I assumed that there was a home page with some content. It wasn't, so no contacts there. I checked the name record and started gathering contacts to report to. The name record has info of the owner and also the domain name server that's the start of authority over that name and, making the query, the IP number or numbers.
The first funny thing I saw was that the domain name servers of comnet-us.com were on DSL IP numbers and in different networks. It's normal to have DNS servers separated for safety; having the IPs on different networks is not so common. But DNS servers on DSL IPs is weird. There's no difference from a network point of view between one IP and another; in fact, if you're looking at the IP number only, there's no way to know whether it has been assigned to a web server or a DSL customer. The network administrators name their IP numbers, all of them, whether they're serving the public or not, for maintenance purposes. So, if you find an IP number with a name like ltown1-1-74.adsl.trix.net, you can tell it was assigned to a DSL customer.
Then, I saw that the DNS query for amn27d.info returned a different set of 5 IP numbers every time I requested it. I tried and tried and finally compiled a list of more than 40 different IP numbers for that domain. I reported them to all of the ISPs, almost all were DSL connections, but it was useless. Not only did I have to explain to them how to verify the phishing page by resolving the name themselves; even if half of the pages were taken down, the messages would keep linking to the others without a problem.
I tried to focus on the DNS servers, but it turned out to be really difficult. One of them was down before I reported it or immediately after, but with the other still serving it didn't make much difference. And the other kept working for a long time. And the problem was basically that there's nothing wrong with having a DNS server running on your machine with a DSL connection. It's weird, it makes no sense for most applications, but it's not a crime and most likely not a violation of any service contract.
I reported it with all the details, the ISP asked for more information and I gave it to them, but I can understand their position. If they focus on their bailiwick, there's no problem. They have to look at the big picture to see the problem and, even if they do, it's not easy to explain how their network is involved in an illegal operation.
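A model of the round-robin setup described above, together with the repeated-query enumeration used to compile the list of addresses behind the one name. This is an added example, not code from the original post; the zone, the 40 hosts and the five-answer resolver are constructed in memory (addresses from the private 10.0.0.0/8 range), so nothing is queried on the network.

```python
"""Added example (not from the original post): a model of the round-robin
DNS setup the article describes, and the repeat-until-quiet enumeration it
used to list the hosts behind one name.  Zone and resolver are constructed;
no network queries are made."""
import random


def make_zone(n_hosts, seed=0):
    """Constructed zone: one name with n_hosts A records in 10.0.0.0/8."""
    rng = random.Random(seed)
    hosts = set()
    while len(hosts) < n_hosts:
        hosts.add("10.%d.%d.%d" % (rng.randint(0, 255), rng.randint(0, 255),
                                   rng.randint(1, 254)))
    return sorted(hosts)


def make_resolver(zone, answer_size=5, seed=1):
    """Return a resolve(name) callable that behaves like the article's DNS:
    each query answers with answer_size addresses drawn at random from the
    zone, with no idea whether any of them is still serving."""
    rng = random.Random(seed)

    def resolve(name):
        return rng.sample(zone, answer_size)
    return resolve


def enumerate_addresses(resolve, name, quiet_rounds=40, max_queries=1000):
    """Query repeatedly until quiet_rounds consecutive answers add nothing
    new.  Returns (sorted addresses, number of queries made).  In real use
    pass a function built on socket.getaddrinfo and query the authoritative
    server directly: a caching resolver repeats one answer for the TTL."""
    seen, since_new, queries = set(), 0, 0
    while since_new < quiet_rounds and queries < max_queries:
        answer = set(resolve(name))
        queries += 1
        if answer - seen:
            seen |= answer
            since_new = 0
        else:
            since_new += 1
    return sorted(seen), queries


def spread_score(addresses):
    """Distinct /24 networks among the addresses.  A legitimate round-robin
    sits in one or a few networks; dozens of unrelated networks, most of
    them consumer DSL, is the pattern the article found."""
    return len({a.rsplit(".", 1)[0] for a in addresses})


if __name__ == "__main__":
    zone = make_zone(40)
    resolve = make_resolver(zone)
    found, queries = enumerate_addresses(resolve, "amn27d.info")
    print(f"{len(found)} of {len(zone)} hosts found in {queries} queries")
    print(f"{spread_score(found)} distinct /24 networks")
```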
It's gone now. I don't know what happened (nobody tells me anything) but I guess that the customer was contacted and he fixed it.
The moral of the story is that this kind of sophisticated setup is possible, cheap and safe, and that we, the Internet community, are not prepared to deal with it. If I've found one, a lot more should be running somewhere, even more complex, sophisticated and bigger.

I said it before and I'll say it again: I don't want police control of the Internet, I think it's fine the way it is. But it needs more responsibility from the users, and I mean all of us. We all take something from it, we should give something too. The merchants have to take care of the marketplace; it's the only reason they're there. And they have to take care of all of the marketplace. Right now they are willing to sacrifice a small percentage because they think that percentage is worth less than the cost of taking a little more responsibility. And I'm not saying that they have to save everyone, I don't think it can be done. But at least they have to try, and it's not really expensive. If I can take down one operation like this over my lunch hour, imagine how much they can do with a small team working full time.