Rogue certificate authorities destroy trust on the Internet

For more than a decade, computer-generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by binding a public key to an identity such as an owner’s name.  The process relies on trust.  “Secure” websites use such a certificate to validate their identity.  The digital certificate is usually procured from a company that verifies the identity of the organization administering the site.  The certificate issued to them is validated by a trusted root certificate authority or by an intermediate authority that is itself trusted by the root.  This chain of certificates is called a certificate hierarchy.  A small group of trusted certificate authorities is installed on computers within the operating system.  These authorities include such names as Equifax, VeriSign and Thawte.  So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities, resulting in the issuance of many rogue certificates.  These attacks began with a SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases, resulting in rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com.  This was followed by an attack on DigiNotar in which over 500 rogue certificates were issued, including wildcard certificates such as *.google.com, which allowed a single certificate to be used for any google.com site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites such as eBay, Google or PNC, because their certificate hierarchy validates successfully.  Users are then redirected to such sites through phishing or “man in the middle” attacks, where a compromised host between the user and a legitimate site sends traffic to an illegitimate site instead.

Some malware has also used rogue certificates to make its content seem legitimate.  For example, fake AV, some Zeus variants, Conficker and, more recently, Stuxnet and Duqu have used rogue certificates.  The threat of rogue certificates is serious enough that McAfee lists them as one of its 10 threat predictions for 2012.

In the wake of the attacks on certificate authorities, security professionals are speculating whether other certificate authorities have been compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities had to be similarly revoked.

There are several ways companies can protect their users from the damage caused by rogue certificates.  The most important action is to install browser patches as soon as they are released, because updates to the list of trusted root certificate authorities are distributed through these patches.  To do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the time machines remain vulnerable to attack.

Like server hardening and other security techniques that limit asset exposure, examining and then reducing the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region-specific and can be removed if sites in those countries are not used.

It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities and list the certificates that should no longer be trusted.  Depending on the browser’s settings, it may be accepting revoked certificates.  Make sure the browser is set to treat a certificate as invalid if the Online Certificate Status Protocol (OCSP) connection fails.

Firefox add-ons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of previously seen certificates to further validate certificate credibility.  These add-ons warn users when a certificate differs from the one recorded elsewhere.  A change in a certificate is no guarantee that the certificate is rogue, but it is a warning sign that it may be.
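The following added example (not code from the article or from any of the add-ons it names) shows the two checks discussed above in miniature: a CertPatrol-style local notary that records the SHA-256 fingerprint of the first certificate seen for a host and flags any later change, the wildcard rule under which a *.google.com certificate covers mail.google.com, and the hard-fail revocation policy from the previous paragraph.  The DER bytes used as certificates are constructed placeholders, not real certificates.

```python
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label, stands for
    exactly one label, and must be followed by at least two fixed labels:
    '*.google.com' covers 'mail.google.com' but not 'google.com' or
    'a.b.google.com', and '*.com' covers nothing."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


class PinStore:
    """CertPatrol-style local notary: remember the fingerprint first seen
    for each host and report whether a later certificate still matches."""

    def __init__(self):
        self.pins = {}  # host -> hex fingerprint of the first certificate seen

    def check(self, host: str, der_cert: bytes, cert_names) -> str:
        """Return NAME_MISMATCH, NEW, OK or CHANGED for one connection."""
        if not any(hostname_matches(name, host) for name in cert_names):
            return "NAME_MISMATCH"
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # first visit: record silently, no alarm
            return "NEW"
        return "OK" if known == fp else "CHANGED"


def revocation_verdict(ocsp_status: str, hard_fail: bool) -> bool:
    """Accept or reject a certificate from its OCSP result.
    ocsp_status is 'good', 'revoked' or 'unreachable'.  With hard_fail the
    browser treats an unreachable responder as invalid; the soft-fail
    default the article warns about lets that case through."""
    if ocsp_status == "good":
        return True
    if ocsp_status == "revoked":
        return False
    return not hard_fail


if __name__ == "__main__":
    store = PinStore()
    legit = b"constructed DER bytes: legitimate mail.google.com certificate"
    rogue = b"constructed DER bytes: rogue *.google.com certificate"
    print(store.check("mail.google.com", legit, ["mail.google.com"]))  # NEW
    print(store.check("mail.google.com", legit, ["mail.google.com"]))  # OK
    print(store.check("mail.google.com", rogue, ["*.google.com"]))     # CHANGED
    print(revocation_verdict("unreachable", hard_fail=True))           # False
```

A real add-on takes the DER certificate from the TLS handshake; here the change is detected purely from the fingerprint, which is why the rogue wildcard certificate is caught even though its name matches.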

Attacks in recent years have shown that the certificate trust relationship can be exploited to impersonate legitimate sites and services.  The best way to ensure you are reaching the genuine service is to keep browser and operating system patches current.  In addition, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and by enforcing certificate revocation checking.

For more information:

Why Diginotar may turn out more important than Stuxnet

Certificate authority hack points to bigger problems

Compromised certificate authorities: How to protect yourself

Timeline for the DigiNotar hack

 

Email phishing tactics revealed

Scams exist.  That is the simple truth: there are honest people, and then there are others who try to cheat.  Email and the technology age make scamming easier.  Often these emails promise jobs or an irresistible offer, but sometimes they are more subtle than that.  This article analyzes the types of email phishing circulating on the World Wide Web so that, armed with knowledge of email phishing attacks, you can avoid them in the future.

Job Scams

The first type of phishing I will look at is job scams.  These scams come in three flavors: the money mule, the pyramid scheme, and the stolen goods mule.

Money Mule:

The life of a money mule begins simply enough.  An email arrives, often unsolicited, asking whether you would like to change careers, receive copious amounts of money, and work unsupervised.  Who wouldn’t want that?  The job ads might call the position a payment processing manager, fund manager, transaction processing agent, or some other legitimate-sounding name.  Those who accept the position are instructed to transfer funds from one account to another, earning a percentage of the amount transferred along the way.  It seems like an easy job with more than adequate compensation, so what’s the catch?

If you read the fine print you will see that this is just a basic money-laundering scheme.  The transfers are illegal because the funds being moved are stolen.  Those who participate could be fined or jailed.  Even in the best case, participating in such a scheme, even unknowingly, could result in the victim’s account being frozen while investigations go on.

There is another variation you should be aware of.  Instead of transferring money over the wire, some scams ask you to deposit checks and then wire money elsewhere.  The check arrives in the mail and you cash it, taking your promised percentage.  The problem comes when the check bounces and the bank deducts the money from your account, along with a fee, after you have already wired the money elsewhere.

Pyramid schemes

A pyramid scheme is much like the old chain letters people received when the post office was the en vogue form of communication.  The way this scheme works is simple and very identifiable.  One person begins at the top of the pyramid and recruits a few other people to “invest” some amount of money, say $100, with the initial investor.  These new recruits go out and recruit more people, who recruit more people, thus spreading the scam further.  The fraud comes in when people closer to the bottom of the pyramid cannot recruit enough people to pay off those a level above them, and so lose their money.  There are many types of pyramid schemes with similar motives and results: invest in order to see a profit, but there is nothing tangible to invest in.  Other similar schemes are called Ponzi schemes, chain letters, and multilevel marketing.

Stolen Goods Mule:

Stolen goods phishing schemes are similar to the money mule scam in that they are a way to launder goods.  Emails for these positions describe a job at a fake company that needs someone to ship products to customers.  Victims are told that the company orders the products from another source when customers purchase them through its web site.  Those who accept such positions are asked for an address to which goods will be shipped, and they are expected to forward the shipments to other addresses.  These goods are either outright stolen or purchased with a stolen credit card.

These companies also like to trade in information, having found that the personal information of individuals is worth quite a bit.  To get this information out of a potential victim they pose as legitimate inquiries; once they have obtained it, they sell it to whoever will pay.

Irresistible Offer:

The second type of phishing message is the irresistible offer.  Here is the ultimate dream held by many Americans: get rich quick.  This type of phishing exploits that dream by informing you of your good fortune and how to make the dream come true.  Take, for example, an email from Williams and Williams Probate division saying you’ve inherited $1 million from your distant relative in the UK.  Elated and overtaken with joy at your good fortune, you are asked to provide bank and other personal information so that the money can be wired to your account.  As you wait for the money to arrive, the attackers drain your account instead.

Spear Phishing:

Another form of phishing is called spear phishing.  This method uses messages that look like they come from a company you do business with, such as eBay, PayPal, Amazon or Facebook.  Spear phishing messages provide a link to what appears to be the company’s site and ask you to log in or update your password.  Once you have authenticated, albeit to an improper source, the attackers hold the username and password you entered into the false website and so have access to your account.  Beware of any message asking you to log in or change a password.  This type of phishing is why companies often state that they will not ask for account information via email.

Whale Phishing:

The last form of phishing I will look at is called whale phishing.  Whale phishing is a specific attack against an individual with wealth or access to valuable assets or information.  Think of con movies, such as Ocean’s Eleven, and what these movies define as a whale.  They think of whales as high rollers, people with copious assets.  The casinos recognize these people and often set them up with fabulous suites and fantastic food, free of charge, the idea being that these rich people will gamble away much more than the room or food cost the casino.  This concept of high rollers translates directly into the world of phishing.  One example of whale phishing is an attack on an executive in which the US Court supposedly wanted subpoena records.  These emails are customized for the individual, so they often look credible.  The executive was directed to click on a link, and by doing so inadvertently installed malware that would spy on the computer and report back to the phishers.

Awareness of such attacks is increasing, but the mere fact that the average user still receives so much spam means that it must be paying off for someone.  Don’t be the one who gets burned.  Educate your employees on the risks.

Tips:

There are steps you can take to safeguard yourself against potential malfeasance.  First, always pay attention to the website you are visiting.  Phishers often set up a mirror site that looks exactly like the site you want to see.  Always be skeptical and go to the website directly rather than clicking any link provided in an email.  Be wary of hyperlinks within emails and remember that banks will not ask for personal information via email.  Installing anti-spam software from a reputable source will greatly diminish your exposure to attack.  Finally, if something phishy does happen to any of your accounts, change your password and secret questions.

Scamming happens; that is a simple fact.  Today I looked at multiple ways a person could get burned, ranging from spear phishing to the money mule.  In any case the best defense is a proactive one.  Pay attention to your finances, and always protect your personal information.  Be cautious about any offer that seems too good to be true.  Follow these steps and the job of sifting out what is potentially dangerous from what is benign becomes much easier.

Interesting Phishing – Churches are targets – Beware!

Phishing has finally gotten more interesting.  I am tired of the Nigerian phishing schemes that continually pour into my mailbox.  In the last week I have received two new phishing ploys.  I want to post them so that others will be aware of them, and also to point out that phishing artists are becoming creative again.  Below are both messages.  Let’s take a look at both emails to find out how you can tell whether a message is a phishing message.
Message #1

My Beloved one In Christ,

Greeting’s in the name of my Lord Jesus Christ. I am Mrs Rebecca Thomas,69 years old widow & a new Christian convert, suffering from long time cancer of the blood (Leukaemia According to my doctor my condition is critical and I might not survive.

Although as a Christian, I believe in God and I know that I will not die, but will live to declare the glory of God. My late husband (Dr Martins Thomas) and my only son were killed during the ABIDJAN-BOUAKE Crisis some years back(take a look) Our Lord Jesus Christ is my only comforter.

I have the sum of Five million, One hundred thousand US Dollars($5.1m) The fund is presently deposited with a financial company for security reasons and all the documents concerning the fund are in the custody of my lawyer.

I inherited the money from my late husband who was an industrialist and international businessman. I have prayed concerning this donation for God’s guidance and if in your heart you genuinely and faithfully desire-to use this fund for the propagation of God’s work in any form whether for charity, ministry, evangelical work or otherwise in relation to God’s work, do get in-touch with me for further arrangements with my lawyer on how you will receive my Charity donation.

God bless you once again and as you receive, give and give God all the Glory.
Remain blessed in the Lord

 

Yours in Christ;
Mrs. Rebecca Thomas,

DIVINE CALL.

This message appeals to Christians and to those interested in taking money from Christians.  The first tip that this message is a fake can be found in the grammar errors.  There should be a closing bracket “)” after Leukaemia, and the later placement of “(take a look)” just makes no sense.  The next hint can be found in the reply-to address.  The sending address is listed as mrs-rebeccat69@hotmail.com but the reply-to address is mrs_rebecca@gawab.com.  Gawab.com is another free webmail service, but if you go to the site you will notice that all the ads are in Arabic.  Wouldn’t it seem odd for a Christian woman named Rebecca Thomas to have an Arabic email account?  Lastly, who puts Mrs. before their own name?  The only time you see a title before a name is when you are writing to someone else or when you are a doctor, teacher, or member of the clergy (ex: Dr., Rev., Pastor, Prof.).
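The reply-to mismatch spotted above is easy to check automatically.  The following added example (my code, not part of the post) parses a message with Python’s standard email module and reports when the Reply-To header would route answers to a different domain than the visible sender.  The sample message is constructed from the two header values quoted in the post; its recipient, subject and body are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From and Reply-To values are the ones quoted in the
# post, everything else is a placeholder.
SAMPLE_MESSAGE = """\
From: Mrs Rebecca Thomas <mrs-rebeccat69@hotmail.com>
Reply-To: mrs_rebecca@gawab.com
To: recipient@example.org
Subject: My Beloved one In Christ

(body omitted)
"""


def header_domain(msg, header: str) -> str:
    """Lower-cased domain of the address in `header`, or '' if there is none.
    parseaddr strips a display name such as 'Mrs Rebecca Thomas <...>'."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def reply_to_mismatch(raw_message: str):
    """Return (from_domain, reply_to_domain) when replies would go to a
    different domain than the apparent sender, otherwise None.
    A missing Reply-To is not a mismatch: replies then go back to From."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if not reply_domain or reply_domain == from_domain:
        return None
    return (from_domain, reply_domain)


if __name__ == "__main__":
    print(reply_to_mismatch(SAMPLE_MESSAGE))  # ('hotmail.com', 'gawab.com')
```

Legitimate mail also sets Reply-To at times (mailing lists, ticket systems), so a mismatch is a warning sign to weigh alongside the grammar and title clues above, not proof by itself.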
Message #2

Dear Friend,

This letter confirms my understanding of the mutual present intent of my client (Jan Andrew Stecko), who wants to deal with you in respect to his investment portfolio in canada.

Mr. Jan Andrew Stecko is a British National you assisted some time ago during his active business life. One good turn deserves another he says, he gave us your names and mandate to work with you. He has chosen to entrust his investment portfolio to you as his apparent heir who will manage his resources as a result of his deteriorating health condition.

However, he was unable to provide us with your current address, but I carried out a detailed search on the names and location he provided from which I got your address. We hope that you are indeed who I are looking for and you will be willing to handle this brief in spite of your busy schedules.

Mr. Stecko is currently on a sick bed suffering severely from leukemia and stroke. He is unable to carry out his normal business activities effectively and needs you to act in his place as he is confident that you can manage his investment portfolio in charity work effectively.

Before his ailment struck, he was a philanthropist who was consistently involved in humanitarian projects and also the Executive Director of Gazprom Ltd., a gas company in Moscow Russia. He had most of his business activities in Russia, Canada, the United States of America and United Kingdom.

Over the years, I have worked indefatigably and uncompromisingly to locate any of his immediate relatives but to no avail hence, the need for this correspondence. Though I do not know you in person, I have decided to take this chance with you as instructed and hope you will not let us down. We would be delighted to have you as the apparent heir of my client to claim and manage his charitable investment portfolio in fulfillment of his last wishes.

Considering the volume of money involved in this transaction, there is need for us to have proof of your credibility and your age rang as proof of maturity. Please endeavor to provide us with detailed information about yourself and/or your business life that will enable us verify whether you are indeed the person he referred to have deserved another good turn who he always talked about.

Meanwhile, I have worked out the logistics and modalities of realizing this goal and details shall be discussed with you in due cause.

We need your courage and commitment to actualize this transaction and together I can make it happen.

Your earliest response is imperative as my client is currently on life support hence he has a very limited time to live. We can be reached by phone, fax or email.

Thanking you for your attention in anticipation of your response ASAP!

Most Sincerely,
Marlene O’Malley,
Campbell Law firm
32-43 Chart Street,
4th Floor, London N1 6EF, United Kingdom.
Tel: +44 – 70 0596 8740
Fax: +44 – 70 0596 8744
E-mail: ma2malley@aol.co.uk
URL: http://www.campbell-law.co.uk

WARNING: The information on this email sent from a law firm and it may be legally privileged and confidential. If the reader of this message is not the intended recipient you are notified that any use, disclosure, copying or distribution of the information is prohibited. If you have received the message in error please notify us immediately, delete the original and all electronic copies, and destroy any hard copies.

This message also suffers from bad grammar and odd sentence structure.  Complex words are used when common words would make more sense. Indefatigably for instance means tirelessly.  I have never heard anyone use the word indefatigably in normal writing.  Consider the following example of an odd sentence structure:
Considering the volume of money involved in this transaction, there is need for us to have proof of your credibility and your age rang as proof of maturity. Please endeavor to provide us with detailed information about yourself and/or your business life that will enable us verify whether you are indeed the person he referred to have deserved another good turn who he always talked about.

We would usually write: Considering the amount of money involved in this transaction, please provide documentation of your identity and age.  A driver’s license or birth certificate will be satisfactory.

This sentence, “We need your courage and commitment to actualize this transaction and together I can make it happen.”, sounds like a poorly written motivational statement.  I also love this one: “Thanking you for your attention in anticipation of your response ASAP!”
It is also odd to ask for this information, since the law firm apparently knows who I am.  They also claim that their client did business with me in the past, and I know I never did business with him.  This might appeal to someone greedy, which is a common lure in phishing emails.  Both emails referenced leukaemia, but I find this to be a coincidence.  Anyway, there are a number of other ways to determine that this is a phishing message, but I think I have pointed out enough.  Please do not be fooled by such messages.