Comments on: Warning About ZeuS Attack Used as Lure

By: patrick

patrick — Wed, 29 Sep 2010 06:16:40 +0000

This just came to my attention. Is WOT which places a little green circle beside the links while browsing in google. But i heard that WOT is a spyware is this ture.

Mr Kreds

Like or Dislike: 0 1

By: warning. fake e-mail « What's Up

warning. fake e-mail « What's Up — Sun, 28 Feb 2010 17:11:49 +0000

[...] I received this fake e-mail. I will be asked to fill in your username and password. This email should go in [...]

Like or Dislike: 0 0

By: An Information Security Place Podcast » Blog Archive » An Information Security Place Podcast – Episode 32

Thu, 18 Feb 2010 13:25:42 +0000

[...] Kreb’s has blog post used by scammers - Link here and Sophos article link [...]

Like or Dislike: 0 0

By: An Information Security Place » An Information Security Place Podcast – Episode 32

Thu, 18 Feb 2010 13:24:43 +0000

[...] Kreb’s has blog post used by scammers - Link here and Sophos article link [...]

Like or Dislike: 0 0

By: Usan como señuelo una advertencia sobre ataque de ZeuS | ooo la la la la : ) HACKED ! by ! mOmiX ! Sory Security Team :(((

Wed, 17 Feb 2010 12:10:56 +0000

[...] los ataques .mil y .gov. Traducción: Raúl Batista – Segu-info Autor: Brian Krebs Fuente: Krebs on Security [...]

Like or Dislike: 0 0

By: IT Ninja

IT Ninja — Wed, 17 Feb 2010 07:22:00 +0000

people should just accept the fact that nowadays nothing is impossible anymore specially online. its that simple.

Btw, the National Security Agency was recently hacked. Yes hacked! But it was downplayed to the media for obvious shameful reasons. Here’s the link :

http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html

Like or Dislike: 0 1

By: MichaelFigueroa

MichaelFigueroa — Tue, 16 Feb 2010 19:07:48 +0000

It depends on what kind of authenticity check you leverage. What I’m proposing is a publicly-available infrastructure that enables people and organizations to verify that the email source is legitimate. Imagine it as a background level certificate authority that provides trusted certs that businesses can integrate into their email servers and that public email systems can integrate into their services. Verification can be done at an organizational level without the need to distribute user certs (though, that extension would be nice for those of us who know what we’re doing). It would definitely require changes in server software (Microsoft) and the deployment of the infrastructure (Google) and may also require protocol changes.

Can it be attacked? Sure, but the likelihood of a successful root-level attack against a savvy adversary, such as Google, is unlikely and would be limited. The more likely attack would be an internal organization attack, but then the organization could be held liable by its user population to a much greater degree than it can today.

Like or Dislike: 0 1

By: TheGeezer

TheGeezer — Tue, 16 Feb 2010 18:25:53 +0000

Correct me if I’m wrong here Michael but I don’t think an authenticity check would have stopped this exploit.

Sophos said that the email “appeared to have been sent by the National Security Council”. I doubt that they, zeus, tried to use an existing valid email address belonging to the National Security Council but rather made up an address that looked similar. Therefore, there would have been no authentification error.

One thing most email servers do do well is check for known viruses. So once that link for the ‘security update’ was reported it would probably not make it through many email servers.

I found this out the hard way by informing a friend about a malicious url and was naive enough to put the entire url in my email. The email servers picked up on that, my friend never received the email, and I got put on an email black list!

So, let that be a warning to others. If you are discussing fraud with people by email DO NOT put the fraudulent URL involved in the body of your email. Replace the dots with spaces or whatever so that it will not be interpreted as a link!

Like or Dislike: 2 0

By: Patrick Connors

Patrick Connors — Tue, 16 Feb 2010 18:04:59 +0000

That is a nice idea, but since infiltration and overriding of security systems is part of the general discussion here, do you think that this background authentication system would eventually come under attack or misuse also?

I think they all will. (Theoretically at least.)

Like or Dislike: 0 1

By: MichaelFigueroa

MichaelFigueroa — Tue, 16 Feb 2010 16:50:35 +0000

One thing to note, however, is that these types of reputation attack are largely successful due to the poor design of modern email systems. As a commodity that has been around for far longer than the browser, email systems have had a remarkably poor rate of evolution by comparison.

A key failure (largely shared with modern http design) is the general inaccessibility of email authenticity verification. You would think that we could have solved the signature problems by now, but the industry has largely ignored it in light of historical PKI/PGP distribution and use difficulties. With no method of assessing authenticity, users cannot trust anything that comes into their inbox. As such, they simply choose to trust everything. It’s a shame, but what choice do they truly have?

This is an area that I think Lotus Notes has always done well (though…admittedly one of the few things). Every user on a Lotus infrastructure receives a verifiable credential. They’re not told that it’s a digital certificate or anything, but they gain all of the benefits in the background.

I would love to see Google, Yahoo!, or Microsoft deploy a similar “background” authenticity system. With the power of either of them behind such an innovation, I bet that we would make a lot of progress on really defeating both reputation attacks and phishing attacks in general.

Like or Dislike: 1 0