Tuesday, February 7, 2023

Help the Diana Initiative

We interrupt our normal shenanigans for a serious post. For those who have not heard of them, the Diana Initiative is a 501(c)(3) non-profit organization which runs a security conference focused on women, diversity, and inclusion in Las Vegas (if you check the dates for this year, it is around DEFCON). Recently all the gear they use in their event was stolen, including the Weller soldering irons used in their workshops, and now they need help. If you can donate gear, little pieces of green paper, or become a sponsor, do contact them either through their website or Twitter account. They are already considering canning their CTF; let's see if that is the worst thing they will have to sacrifice.

The reason I am making this post is to plead with those who read my blog to see if they can help in any way. If you can, thank you! If you cannot, just pass the word to others.

Tuesday, January 31, 2023

Fired from your IT/Security job? Come to the dark web! We have cookies.

Your boss just asked you for a meeting. You walk into his office and realize HR is sitting there too; this is The Meeting. The company you have been working at needs to improve its quarterly earnings, and you have just joined the thousands of unemployed IT and Security/Privacy professionals. I personally know people in that group. What to do? You have to find something else, and quickly: you have bills to pay and need to put food on your family's table. You will look anywhere for a job.

What about the dark web?

You would not be the first or the last. The truth is APT groups also need staff like any other business. The image of the lone hacker with no social skills and skin problems sitting in a dark room wearing a hoodie, illuminated only by the glow of the laptop screen, belongs to Hollyweird. ChatGPT notwithstanding, good malware does not write itself. Someone needs to be by the phone on the better phishing campaigns. Large scale attacks need monitoring, and attack servers do need to be patched. According to Kaspersky, developers are in high demand on the dark web, and that has been the trend since the COVID lockdowns:

Distribution of dark web job ads across specializations. source: http://kaspersky.com/

How safe are such jobs? As with everything else, it depends. Some are scams, others are worse than that (think being kidnapped in the middle of the night either by your new employers or by the FBI/NSA/Girl Scouts). After all, many of these jobs are sketchy at best; their legality depends on which nation is sponsoring the operation and which is on the receiving end. But there are organizations who treat this as a business, so they have a vested interest in having happy and productive employees who are eager to improve their software and services to levels they never thought possible. Some developers and attack specialists are being offered $20K a month for their services; that is FAANG salary right there.

What about the company that fired you? Maybe after passing bonuses around for cutting costs, they bought the amazing cybersecurity software I mentioned in an earlier post to replace their staff. What could possibly go wrong?

Monday, January 30, 2023

The Amazing Cybersecurity Tool That Will Make You 10 Years Younger!

If you expect this post to be intelligent or thought-provoking, you may want to skip it.

Have you shopped around for some kind of tool to monitor your traffic and/or logs, adjust your firewall in response to an event such as good old exfiltration, or ensure your security and privacy policies are up to date? Or did you just go to a trade show booth and ask a few questions, and then make the mistake of leaving your contact info, which leads to an endless river of emails and calls and brochures saying how their amazing product will drop ransomware dead, eliminate any and all phishing emails, patch your ssh to a release that is 2 years in the future, and all of that while shrinking the ozone layer and bringing the dodo bird back to life? Well, I decided it was time to make my own.

OK, the software whose features my code announces is vapourware, thankfully. But I thought it was time to have fun with the amalgamation of buzzwords sales reps call product descriptions. With my amazing tool you too can spew garbage like "Our disruptive tool implements a passwordless methodology enabling you to amplify the positive impact of the ROI of your verticals by using our continuous monitoring interface," which I do not know whether it promises things it does not deliver (vapourware?) because, to be quite honest, I do not think it really means anything. But it sure sounds impressive to someone of a business lean. So, if you need a laugh, give it a try. Or contribute with more buzzwords.

Repo link: https://github.com/raubvogel/cyberSecurityTool

Incidentally, this is related to a proper post I am trying to finish.

Saturday, December 31, 2022

TransUnion data breaches, GDPR, CCPA, BIPA, and Ramirez

3 round icons representing CCPA, GDPR, and BIPA each of them on their sides implying things are not as they should be

TransUnion LLC, one of the three major credit reporting companies in the United States, also has branches on every continent but Antarctica. It is said that in the U.S. alone the personal information and credit histories of some 200 million consumers are stored on their servers; I have not been able to find verifiable information regarding consumers located outside the US.

Some of you may remember that TransUnion recently suffered a data breach (I will be using the GDPR definition of personal data breach which is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed").

"How recently," comes the voice from the back of the room, "which one are you talking about?"

Good question; it is hard to keep track of them. Let's go over a few of them and later see what we can learn from them.

The Events

  1. In 2005 -- a long time ago (in dog years) -- TransUnion lost a laptop containing personal data from more than 3600 US consumers. The Chicago-based company offered up to one year of free credit reports to the affected customers. At the time -- one must remember these were pre-GDPR/CCPA/BIPA times -- some of the main questions raised were:
    • Were credentials to access the TransUnion databases and other systems also exposed?
    • TransUnion chose to report the data breach. At the time there was no real requirement to do so: the California Senate Bill 1386 of 2002, one of the first security breach notification laws, specified the criteria a corporation should use to determine whether it was required to report the incident: if it answered "yes" to every single one of the following questions, it had to report the breach:
      1. Does their data include "personal information" as defined by the statute?
      2. Does that "personal information" relate to a California resident?
      3. Was the "personal information" unencrypted?
      4. Was there a "breach of the security" of the data as defined by the statute?
      5. Was the "personal information" acquired, or is reasonably believed to have been acquired, by an unauthorized person?
      The late Alan Paller, director of the SANS Institute at the time, warned that this test provided a legal loophole for companies not to report data breaches, since all 5 conditions have to be satisfied before a report is required.

    So TransUnion is very popular this month, this time due to a larger issue than possibly being used to send phishing emails.

  2. During the Summer of 2019, the personal data of some 37000 Canadians held on TransUnion servers was compromised. Note that the Canadian Digital Privacy Act, which amended PIPEDA and introduced mandatory breach notification requirements, had become law 4 years earlier. Also, GDPR and CCPA had already become law.
  3. On March 12, 2022 ITWeb broke the story of a data breach, which caused TransUnion to admit that attackers had indeed stolen 28 million credit records. At first it was believed that more than 3 million South Africans and businesses such as Mazda, Westbank, and Gumtree were affected. The Brazilian group which claims responsibility for this act, "N4ughtysecTU," states it gained access through a poorly secured (password "Password") TransUnion SFTP server. TransUnion later stated that more than 5 million consumers were actually affected and once again offered a period of free credit reports to the affected customers.

    But Wait! There is more!
  4. On November 7, 2022 TransUnion reported to the Massachusetts Attorney General a data breach that could involve 200 million files profiling nearly every credit-active consumer in the United States. On the same day, TransUnion also sent out data breach letters to all individuals whose information it believes was compromised. As this is still developing, the true impact is yet to be learned.

OK, I will stop here. If they had another data breach between November 7, 2022 and the time this was published, it should not affect the point of this article.

The Outcomes

According to GDPR Recital 75, the adverse effects of a personal data breach on a person (the data subject) include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. So, if TransUnion were a European company, or people living in the European Economic Area (EEA) were affected by this personal data breach, as the data controller it would have to submit a Personal Data Breach Notification to the Supervisory Authority within 72 hours unless there is no risk to the rights and freedoms of the data subjects. In this case, they had better be reporting. The next step would be to inform all those who were possibly affected about what happened, what the consequences are for them, and what TransUnion is doing about it. Of course, those affected should be expected to file complaints with their regional Supervisory Authorities (Art. 77).

In the United States things are a bit different. The U.S. Supreme Court's 2021 decision in TransUnion LLC v. Ramirez stated that only those who can show concrete harm have standing to seek damages against private defendants. How will victims of a personal data breach prove that their personal information was stolen and disclosed through the negligence of the company holding this data, and as a result a violation of American consumer protection and privacy laws such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA)? Compare that with the GDPR's already mentioned Article 77 and Recital 141, which require only that the data subject (i.e. the victim in this case) considers that his or her rights are infringed, or that the "supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject."

With that said, it is possible that will change. Given that the US government and the European Union are currently actively working together to establish a new EU-US data flow deal (PrivacyShield 2?), one must wonder how they will balance this Supreme Court decision with GDPR. Which one will have precedence?

Fun Facts

  • I started this article mentioning the phishing campaign they were possibly being used to launch. What if that is related to this data breach? I mean, if your attack has been successful and you are already in the final (Actions on Objectives) stage of the cyber kill chain, taking your time to hoover up the victim's data, why not see what else you can do while there to pass the time?
  • In addition to its main line of business, TransUnion also offers services to help companies "protect and restore consumer confidence" after a data breach (they do not list an office address there). In fact, they title themselves the "One-Stop-Shop Incident Response Solution."
  • I made those round images representing the 3 regulations mentioned here because I did not have an interesting image to put in this article. They turned out nice, so expect me to make more and use them in future posts. You have been warned!

Wednesday, December 21, 2022

FBI: Use ad blockers to protect against brand impersonation

Today the FBI announced that cyber criminals (who, according to the news and many websites, are easily recognizable by their predilection for wearing hoodies even in the summer) "are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information." Well, there are two parts to that:

Search engine advertising services

We are talking here about Search Engine Optimization (SEO), where you do magic tricks to move your website as close to the top of the search results as possible, since most people will not look past the first 2 pages of results for something. There are thousands of companies who make money helping businesses with this, including courses, Ez-Button products, and services ("give us your URL, tell us what you think you do, and we will take care of the rest for a price"). What the FBI is describing here is the weaponization of that, which has been known as SEO poisoning since 2020. An example is when it was used to distribute BATLOADER malware.

Brand Impersonation

This is a traditional phishing tactic and relies on techniques such as (non-exhaustive list):

  • typosquatting, which creates a fake website whose domain sounds close enough (within a typo or two) to that of a well known website. They prey on people like me, who mistype a lot: if the browser returns a page that looks like the one victims expect instead of an error page, they may never notice they are on the wrong site. This kind of attack is old enough -- yet still quite effective -- to be mentioned in the 1999 Anticybersquatting Consumer Protection Act (ACPA).
  • URL shortening, which converts long descriptive links into short, sometimes cute ones that give you no idea of where they really lead. Good ad blockers will check these links against lists of known spammers and block them, as shown in the picture below where uBlock Origin does not allow a shortened URL identified by Peter Lowe's list of known domains serving ad content, tracking users, spyware servers, and occasionally malware and other nasty purposes.
    go.usa.gov being blocked by uBlock Origin
  • IDN homograph attack, where some of the characters in the URL of a website are replaced by similar-looking characters (think 1 vs l), or by ones from a different alphabet that look the same in an HTML-formatted email. As a result this can be seen as a more sophisticated version of typosquatting.

This leads the victim to the website containing the malware (think ransomware), some way to steal the victim's login credentials, or a combination of both.

Is this a new form of attack?

Nope.

Are ad blockers enough to stop this kind of attack?

There are no magic pills; they can only do so much. I recommend stopping and checking the URL of a search engine result that smells suspicious. Some of the attacks mentioned above -- typosquatting and homograph -- can even be spotted by pasting the URL into a proper text editor (think Notepad on Windows or vim on Linux) that will not try to import fonts, and then just looking at it. With that said, I do use uBlock Origin myself; the picture at the top of this article is mine.
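The text-editor check above, and the typosquatting and IDN homograph bullets earlier, can also be done programmatically. The Python below is an added example, not code from the original post or from the FBI notice: given a URL it decodes punycode to what the address bar would display, flags labels that mix scripts, maps a small constructed table of confusable glyphs back to the ASCII letters they imitate, and reports hosts within two typos of a hypothetical brand watch list (WATCHED and CONFUSABLES are made up for the example).

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical watch list of brands to protect; made up for this example.
WATCHED = ["apple.com", "paypal.com", "transunion.com", "americanexpress.com"]

# Small confusable table (constructed, not the full Unicode list): glyphs and
# glyph pairs that pass for an ASCII letter in an address bar or an HTML email.
CONFUSABLES = {
    "rn": "m", "vv": "w", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """Script of a letter taken from its Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def skeleton(label):
    """Replace confusable glyphs by the ASCII letter they imitate, longest first."""
    out = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): one typo costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]


def inspect_url(url, watched=WATCHED):
    """Host as the browser would display it, plus a list of lookalike findings."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []
    # Judge punycode (xn--) labels by what the user sees, not by the raw form
    try:
        shown = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        shown = host
    if shown != host:
        findings.append("punycode host %s is displayed as %s" % (host, shown))
    for label in shown.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            findings.append("mixed scripts in label %s: %s" % (label, ", ".join(sorted(scripts))))
    # Crude registrable domain (last two labels); a real tool uses the public suffix list
    registrable = ".".join(shown.split(".")[-2:])
    for brand in watched:
        if registrable == brand:
            continue  # the genuine domain
        if skeleton(registrable) == skeleton(brand):
            findings.append("%s is a confusable lookalike of %s" % (registrable, brand))
        elif edit_distance(registrable.split(".")[0], brand.split(".")[0]) <= 2:
            findings.append("%s is within two typos of %s" % (registrable, brand))
    return {"host": host, "shown": shown, "findings": findings}
```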

Should I panic and flail my arms while running in circles?

You could; if you do, make a video of it.

Do you have links for those apps/extensions you mentioned?

Thursday, December 1, 2022

Phishing Is Too Easy - 5: Season to be Scammed Edition

Good news everyone: There are phishers who take pride in their work

We continue our series on phishing emails. I am glad to say a phisher heard my plea and stepped up to the challenge before Black Friday ended!

We have here an email that claims to be coming from American Express, stating there is a problem with my card and I need to click on the link to find out. Let's ignore the question of whether or not I have an American Express card, or this article would have ended right here. The timing was good: lots of people are going crazy purchasing millions of trinkets online, and then they receive an email saying their card has a problem. Did they go over the limit? Was its information stolen?

Good show old boy!

If I had such a card, what should I do next? The answer depends on how much effort we want to put in this:

For the impatient

You can't see in the picture but the From: field looks like this:

From: American Express MyCredit Guide <transunion@em-tuci.transunion.com>

Why would TransUnion, a US consumer credit reporting company, be sending emails for American Express? This should be enough for us to immediately drop this email and move on.

For the willing to spend a bit more time

First of all, when in doubt of whether a suspicious email is legit or not, find the official contact number/email of the company in question and reach out to them. In this case, I did call them. American Express said if they send an email, it will contain

  • Your name.
  • The last 4 digits of your card.

This email only contains the first name, so per American Express, it is at best suspicious. They did ask me to forward it to spoof@americanexpress.com, which I did.

For those with time to deep dive and ponder on the implications

Some of you may remember that TransUnion suffered a data breach recently. What if that data is being used to create targeted phishing emails? And what if the criminals are able either to impersonate TransUnion email addresses or still have access to their servers, so they can send emails through them? To answer that we need to look at the email header:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com 
designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
Return-Path: <msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com>
Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])
        by mx.google.com with ESMTPS id 62-20020a630141000000b004778207ac4dsi7561754pgb.396.2022.11.26.12.06.50
        for Clueless Sheep
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Nov 2022 12:06:50 -0800 (PST)
Received-SPF: pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) client-ip=147.253.210.36;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
X-MSFBL: fXbaPXh+ne/E8ZM3Y6OyFt9TLlavvIujqeENrG6IrbY=|eyJyIjoicmF1YnZvZ2V sQGdtYWlsLmNvbSIsIm1lc3NhZ2VfaWQiOiI2MzgxZGE3MTgyNjM0YmI3ZmY3ZiI sInN1YmFjY291bnRfaWQiOiIwIiwiY3VzdG9tZXJfaWQiOiIyNjY3NTgiLCJ0ZW5 hbnRfaWQiOiJzcGMifQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=em-tuci.transunion.com; s=scph0919; t=1669493210; i=@em-tuci.transunion.com; bh=g54YI3MysS1MVd8EV8xjgfkc97E2Z2epcQAJzoXhCkw=; h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
	 From:To:Cc:Subject; b=ou/BSRUG3cUbJKbYUZ1LVr3J0Z3xP7nFJPUjPutaxPAlyQU2bd2vFDbfNHxdU0LbB
	 HxEwc9YzSTrKnrbFfjcLwSxfZk48k6br1t4DI9fsDgWAimdohpxIGKK6ukD2NE1q/L
	 SESZw9WVeXNvoEVjsYIPh67accGucYF32laIH8ICsqeopmxSoaxsrjHBa/MBjqYZAz
	 8r+jHG+Ilr/QzlJ0Lq5rGA/hJGnHR3lPbkuVRFBsrnV9841IbsIpQDVOUdW172sQbQ
	 zZ+JErYKYYvpwmjqd6A4XMPu3TG9QcymMjHHYqcXRmtL4OdKzB8GKtksDI4uLakZkw
	 8HR0NVWvPUjzQ==

At first glance it seems the email came straight from TransUnion, specifically from the host called em-tuci.transunion.com. But then we find the most interesting entry in the above header excerpt (which I highlighted):

Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])

It seems this email came from mta-210-36.sparkpostmail.com, whose IP (147.253.210.36) the SPF record of bounce.em-tuci.transunion.com designates as a permitted sender. From there it ends up in Clueless Sheep's Gmail account, relying on TransUnion's servers' relationship with Google's.
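The header reading done above can be automated. The following Python is an added example, not code from the original post: it parses the Authentication-Results, Received and From headers (an abbreviated, constructed copy of the excerpt above is embedded as sample input), reports the dkim/spf/dmarc verdicts, and flags when the MTA that handed the message to Gmail belongs to a different domain than the From address, or when the display name carries a brand that is absent from the sending domain. The registrable-domain helper is a deliberate shortcut, not a public suffix list lookup.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: an abbreviated copy of the Authentication-Results, Received
# and From headers quoted in this post; the other headers are left out.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])
        by mx.google.com with ESMTPS id 62-20020a630141000000b004778207ac4dsi7561754pgb.396.2022.11.26.12.06.50
        for Clueless Sheep
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Nov 2022 12:06:50 -0800 (PST)
From: American Express MyCredit Guide <transunion@em-tuci.transunion.com>
Subject: constructed sample, body omitted

"""

# "from <helo> (<reverse-dns>. [<ip>])" as written by Google's MX
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)\s*\[([\d.]+)\]\)")


def registrable(host):
    """Crude registrable domain (last two labels). A constructed shortcut; a real
    tool should consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """dkim/spf/dmarc verdicts plus the DMARC header.from domain."""
    results = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value))
    m = re.search(r"header\.from=([\w.-]+)", value)
    if m:
        results["header.from"] = m.group(1)
    return results


def parse_received(value):
    """HELO name, reverse DNS name and IP of the MTA that handed the message over."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m.group(1), "rdns": m.group(2).rstrip("."), "ip": m.group(3)}


def triage(raw_headers):
    """Did authentication pass, and who actually delivered the message to the MX?"""
    msg = email.message_from_string(raw_headers)

    def unfold(value):          # join folded continuation lines into one string
        return " ".join(value.split())

    display, addr = parseaddr(unfold(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(unfold(msg.get("Authentication-Results", "")))
    # The topmost Received header is the last hop: the MTA that spoke to the MX
    hops = [parse_received(unfold(v)) for v in msg.get_all("Received", [])]
    first_hop = next((h for h in hops if h), None)
    findings = []
    if any(auth.get(k) != "pass" for k in ("dkim", "spf", "dmarc")):
        findings.append("authentication did not fully pass: %r" % auth)
    if first_hop and registrable(first_hop["rdns"]) != registrable(from_domain):
        findings.append("delivered by third-party relay %s [%s], not by %s"
                        % (first_hop["rdns"], first_hop["ip"], from_domain))
    # Brand words in the display name that are absent from the sending domain
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display)]
    if words and not any(w in from_domain for w in words):
        findings.append("display name %r does not match sender domain %s" % (display, from_domain))
    return {"from_domain": from_domain, "auth": auth, "first_hop": first_hop, "findings": findings}
```

Note that all three verdicts are "pass" and the message is still flagged: SPF, DKIM and DMARC only confirm the mail was sent through the domain's own mailing arrangement, not that the sender is who the display name claims.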

But, who is SparkPost?

Short version: it is a mass emailing service. They seem to be well-known enough for Microsoft to have instructions on how to access them using a connector from within Azure. Does that mean they were compromised, or that the attackers obtained TransUnion's credentials to use this service?

So, is this Spearphishing via Service (T1566.003)?

If we read the MITRE ATT&CK® entry, it sounds like a very good possibility.

Some kind of Conclusion

Even though this phishing email was much better thought out than the insult mentioned in the last entry of the series, if you stop and examine it -- without first clicking on its links -- you can still identify it as such rather quickly, without needing to tear through its raw contents. Don't get me wrong: doing that is fun, but if you are trying to go through your daily routine and see this email, in less than 5 minutes you can make a call on whether it is legit or suspicious.

Ok, more if you have to wait on the phone listening to elevator music to talk to a company to verify if they sent said email.

Friday, November 25, 2022

Phishing Is Too Easy - 4: Season to be Scammed Edition

It is Black Friday, and we are in the Season to be Scammed! A few moments ago (I am typing this as fast as I can) I received the following phishing email:

Phishing email pretending to be dicks sporting goods. Description of what to look out for is written below

Its call to action is the claim that Dick's (insert jokes here) Sporting Goods decided out of the blue to give me a Yeti cooler if I just click on the "Confirm Now!" link. I usually would spend the time (see the last phishing article I wrote) and look at the email's source to see if it has any interesting telltale signs of phishing. But this phisher is so lazy he does not deserve a deep dive on the email. So, let me count the ways this is a scam:

  1. Why would Dick's want to send me a cooler? They do have a store here but I make my point not to go there. So they do not know I exist... unless they bought my name off a list. If that is the case, I feel I should ignore them even more.
  2. Why is the name in the return address "Dicks SportinGoods" (blue line) instead of "Dicks Sporting Goods"?
  3. Why is the domain of the return address celimopafeseda (red line)? I could say that I could not find that domain registered anywhere I bothered to look (spent some extra time I really did not need to for this article), but let's be honest: this has nothing to do with dicks.
  4. If I had spent time and looked at the email's header, I would have seen it was sent through outlook.com. But I will not. I am not saying being mailed through Outlook is a telltale sign of a phishing email, but I do not like how the path it took while inside their network is obscured. Still, short post this is.

As a result, I think we can safely label this as phishing and move on.

I am disappointed by the lack of pride this phisher has. Do you think some other phisher will redeem my faith in them, or is this the best I can expect this Friday?