Dirty Dirty Wi-Fi: AT&T Wi-Fi Service Phishing?

I’m sitting at Dulles airport right now, at gate C19, on my way to Vegas. I’m excited to catch up with friends and colleagues at BlackHat this year.  I realized a few days ago that my 81 slide presentation for DefCon isn’t for a 75 minute slot.. instead I’ll be trying to fit it into a 50 minute slot! Wish me luck!

Public Wifi is so dicey… I would never use it for anything other than entertainment during delays.  If I need to get work done I hop on EVDO.  Captive portals are everywhere… and if you pay much attention to security you probably know how easy it is to MAC change and steal wireless services.  These captive portals are interesting to me because the service is so dangerous to use. One bad guy with Cain and Abel can really wreck havoc.

T-mobile hot spots are no longer the only targets – ATTWIFI, pcswifi, and others are all fighting over this precious spectrum.   I decided to check out the other captive portals to see if they are doing anything better then MAC address authorization.  Look what I ran into:

What is “Other Provider”? Intrigued I put in some bogus credentials to see if the next screen would prompt for a non-listed hot-spot service provider like Boingo. Nope… I just got an authentication failure screen. I wonder how many users will supply AT&T with non-AT&T credentials.  Not good AT&T. You shouldn’t have an “Other Provider” category.


Harry Potter Phishing Attack: Fact or Fiction?

On June 19th a spoiler for the next Rowling book Harry Potter and the Deathly Hallows was posted to the full disclosure mailing list:
(WARNING: If you’re a Harry Potter fan you may want to hold off reading it.) The spoiler was nothing more than a summary of which main characters allegedly die in battle with Voldemort and other rivals.
What is more interesting is how this book was allegedly obtained. The author of the messages claims he launched a phishing attack against Bloomsbury Publishing.

“The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.”

The claim is that a spear phishing attack was executed against Bloomsbury Publishing staff. Was Bloomsbury Publishing really phished? This telegraph.co.uk story: “Harry Potter ‘hacker’ posts plot on internet” has a quote from a Bloomsbury spokeswoman, “There are lots and lots of rumoured versions of the book (on the internet). We don’t confirm or deny any rumours.”

Did the Bloomsburg phishing attack really happen or was it a hoax? https://cofense.com/ doesn’t know but one would think that if this hack really did happen over a month ago, that the Harry Potter and the Deathly Hallows would be all over bittorrent. I checked a few tracker sites before starting this blog post. All the claims on Demonoid were that the 5 available Deathly Hallows books were either hoaxes or ……..

********** BREAKING NEWS **********
Demonoid has removed all of the hoax torrents and only this one remains:

“I found this on another site, for those of you who simply can’t wait. It only includes the book up to pg.495.
But at least now we can compare the fakes to the real thing.
Enjoy and remember to seed!! ”

This one appears to be someone who has taken digital photos of 495 pages. Now that is someone dedicated to their piracy!

********** END NEWS **********

So it seems that there is still no official full copy on bittorrent but it’s only a matter of time.

In another story by PCmag: Dissecting the Harry Potter ‘Hack’ we read:

“it is conceivable that a successful download-based exploit was launched, according to a member of the hacker community, who asked that his name not be used. He pointed out that hackers have begun to carefully target companies and market segments. A well-crafted attack that uses correct names and titles, and spoofs a sending address from a partner firm, can be highly effective.”

For the record, it’s beyond conceivable, it’s happening now. In the recent incident response projects that we’ve worked the attack vector used to gain a foothold into the organization is a targeted phishing attack. It’s not just a problem for the commercial world either.
Do you think that the DOD is requiring mandatory anti-phishing training because they fear that they might get hacked using this method? Check out this quote from this DOD battles spear phishing article:

“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states. “

It’s too bad that external penetration testing no longer mimics the ways that attackers are getting into organizations. If you’re responsible for commissioning an external penetration test against your organization, maybe it’s time to do more than full TCP/UDP port scans (*Think social engineering). Today’s myspace generation of attackers don’t even know what UDP is.


iPhone Phishing Bait: would you like fries with that?

We’ve all heard there’s no such thing as a free lunch, but this is not always easily remembered when online. The latest example of that is the number of iPhone related phishing messages that had flooded my inbox while I was on vacation. Some of the links didn’t even need to claim it was a ‘free’ deal; just a site claiming to have the cool tool in stock was enough to get clicks.

Of course this is nothing new. Go back and replace ‘iPhone’ with ‘Wii’ or ‘PSP’ or ‘Nano’ and you get similar results. As a gadget geek, I’m always at least a little tempted when I see one of these deal emails come in.  I think back to the few times I have gotten a free lunch from the Internet borg,  free speakers from some early online music start up or free Microsoft discs from a Vista promotion.  It’s not far fetched to believe that  some new start up is blowing their marketing wad to ride the wave of the latest ‘gotta-have-it’ item. But like they say “if it sounds too good to be true, then it probably is not”… And then multiply by 3.14 to take into account the Internet factor 🙂

Damn you, spammers! I think you may have found my weakness.


McAfee’s “Groundbreaking” Phishing Study

Recently, I came across a press release by McAfee citing the results of a “groundbreaking” study that talks about the psychological games played by phishers and email scam artists. The results of the study indicated that “cyber criminals use fear, greed and lust to methodically steal personal and proprietary financial information”. Frankly, I didn’t see anything groundbreaking in those results. Don’t we all know that social engineers (including phishers) have to play with people’s psyches to get them to click on links and submit personal information?

The study did however quote some interesting statistics from a 2006 Gartner study:

  • Cumulative loses stemming from phishing attacks rose to more than $2.8 billion in 2006 as compared to $137 million in 2004.
  • Number of US adults that received phishing emails doubled from 57 million in 2004 to 109 million in 2006.
  • The per-victim loss due to phishing increased almost five-fold from $257 in 2004 to $1,244 in 2006

These numbers beg the question – are we fighting phishing the right way?


Rohyt Cited in Industry Week Article

Brad Kenney interviewed me about the unique information security challenges faced by manufacturing companies. Excerpts from that interview can be found in his IndustryWeek story –  From ID to IP Theft.

Moral of the story: Large employee bases whose skill set is not in technology, coupled with fragmented operations make the job of an information security officer in the manufacturing sector very challenging.