More reports of evil twin attacks at cafes

6 05 2007

via The Times Online: Hackers target wi-fi hotspots in new phishing attack

Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.

Times Online has uncovered evidence that criminals are using a technique known as an ‘evil twin attack’, where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a ‘rogue’ connection.

This attack has been predicted to be popular for a long time, so this is not very surprising. It’s very difficult using current software for anyone to verify the identity of a wireless hotspot, so hotspot users need to make sure that their applications are communicating securely too.

Unfortunately, for most people not very familiar with computer security (i.e. most people), determining whether your applications are communicating securely is ALSO usually quite difficult. Browsers are the obvious candidate, but some recent research determined that most users ignored missing security indicators or warnings anyway. Besides that, do most users know whether their IM session or online service is secured in an appropriate manner?

As a side note: similar man-in-the-middle attacks have been conducted on the Tor network, too. Never trust a common carrier, eh?





Aus security firms demo CBA SMS 2FA vulnerability

5 05 2007

Via ZDNet: Two-factor bank authentication proven vulnerable

Two-factor authentication systems using SMS messages can be exploited by criminals to steal money, according to security experts who demonstrated an attack in Sydney on Thursday. Australian security firms TrustDefender and Dragonfly Technologies, who specialise in endpoint security and two-factor authentication respectively, broke the security of a Commonwealth Bank account using a specially crafted piece of malware.

The demonstration showed how malware could be used to not only capture the login credentials of an online banking customer but also how, once the users’ system was infected with a trojan, an attacker could exploit weaknesses in the mobile phone-based authentication system to clean out a victims’ account.

I’m not familiar with the specifics of CBA’s system, but are their SMS codes used on a transactional basis? If not, this would make it easier for a trojan to make its own transactions using the victim’s logged-in session, of course. This type of attack has been around since 2004 at least, most famously in the E-Gold / Grams trojan.
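To show why the "transactional basis" question matters, here is an added Python comparison of a session-bound SMS code against a transaction-bound one; it is constructed for this post, not code from CBA, TrustDefender or the ZDNet article, and the shared secret, session id and account numbers are all made up.

```python
import hashlib
import hmac
import secrets

# Constructed example: a bank's server issues a six-digit SMS code and later checks it.
# Two designs are compared. A session-bound code only proves that the phone's owner
# is logged in; a transaction-bound code also covers the payee and amount the customer
# saw. The shared secret, session id and account numbers are made up for this example.
SECRET = secrets.token_bytes(32)


def _code(message: str) -> str:
    """Derive a six-digit code from the shared secret and the data being approved."""
    digest = hmac.new(SECRET, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_code(session_id: str, payee: str, amount_cents: int, per_transaction: bool) -> str:
    """What the bank sends by SMS when the customer submits a transfer."""
    if per_transaction:
        # The SMS text would also spell out payee and amount so the customer can check them.
        return _code(f"{session_id}|{payee}|{amount_cents}")
    return _code(session_id)


def verify_code(session_id: str, payee: str, amount_cents: int, code: str,
                per_transaction: bool) -> bool:
    """Server-side check of the code against the transfer the server actually received."""
    expected = issue_code(session_id, payee, amount_cents, per_transaction)
    return hmac.compare_digest(expected, code)


def tampered_transfer_accepted(per_transaction: bool) -> bool:
    """The customer approves one transfer but a different one arrives from the same
    logged-in session. Returns True if the server would still honour the altered transfer."""
    session = "sess-7f3a"                    # constructed session identifier
    approved = ("ACC-LEGIT-001", 5_000)      # what the customer saw: $50.00
    received = ("ACC-OTHER-999", 480_000)    # what the server receives instead
    code = issue_code(session, *approved, per_transaction=per_transaction)
    return verify_code(session, *received, code, per_transaction=per_transaction)


if __name__ == "__main__":
    print("session-bound, altered transfer accepted:", tampered_transfer_accepted(False))
    print("transaction-bound, altered transfer accepted:", tampered_transfer_accepted(True))
```

With a session-bound code the altered transfer is approved, because the code says nothing about the payee; binding the code to payee and amount makes the server reject it.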





Seeing LCD screens through walls

5 05 2007

via New Scientist Technology Blog: Seeing through walls

Have you considered that someone could be reading what’s on your monitor from a few rooms away? It’s unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.

A radio antenna and radio receiver – equipment totalling less than £1000 – is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

Neat.  But what to do about it? As the article points out, this type of attack has been around for quite a while against CRTs.





DoS extortion is no longer profitable

5 05 2007

via Symantec: DoS extortion is no longer profitable

In the last six months of 2006 we saw a pretty sharp decline in the daily number of denial of service attacks. Although there are likely a number of factors at play here, I think there is one primary factor: denial of service extortion attacks are no longer profitable. DoS extortion attacks are usually carried out by a bot-network owner. Using their bots, the extortionist has to make a successful DoS attack against a target organization. Following that they have to issue the extortion request and hope the target organization pays it.

Statistics like DDoS volumes and motivations are difficult to accurately obtain, but this makes intuitive sense really.  There are other, stealthier ways of making money out there.  DDoS extortion involves an investment of time to negotiate with the victim and carefully monitor the attack, and leaves the attacker more vulnerable to profiling and tracing.  As the Symantec post also points out, political and retribution attacks won’t be going anywhere, which also lines up with recent experience.





Slick social engineering: fake Windows re-activation

5 05 2007

via Symantec Security Response Weblog: MS Needs Your Credit Card Details?

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical – it’s really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate. When you restart your PC after the Trojan is installed, this window appears:





UK ID cards – the smoking gun

10 04 2007

Oopsie!  Via the Daily Mail (UK):

Secret paper reveals Labour’s lies over ID cards

They appear to contradict commitments given by Labour in its 2005 Election manifesto, which pledged that the cards, and the national identity register containing people’s names, addresses, fingerprints and other information, would be ‘on a voluntary basis’.

The briefing notes, released under the Freedom Of Information Act, show that civil servants had already been told ID cards would be compulsory for everyone by 2014.

In a table illustrating the predicted yearly savings expected by the department it states that from 2014 – Year 7 of the project – ‘The identity card scheme is now compulsory’.

With Australia’s proposed and hastily-legislated ID cards using a similar ‘voluntary’ opt-in – being those who want the luxury of health care – I wonder if a similar smoking gun exists?





Mule scams via BPay now? How convenient!

7 04 2007

Via iDeceive, it looks like mule scammers are now advertising that you can process your mule scam transactions via BPay. Mule scammers have had very slick web sites for a while which are almost indistinguishable from real businesses (or lifted from real businesses), but this blurs the line further still.

As the iDeceive site notes, who knows if they are actually using BPay or not, but it adds a good bit of credibility to the hook since BPay is very popular in Australia and it’s generally perceived that only ‘real’ businesses use it.





Phone scam targets Brisbane homes – but maybe not a very good one

31 03 2007

From the Brisbane Times:

Phone calls to Queenslanders where an employee of a law firm asks for the resident’s personal details could be a well organised scam or identity theft racket.

And divulging those details to a stranger who phones at home could be potentially dangerous, the Queensland Office of Fair Trading warned.

and:

The caller had her full name, and the call sounded official, but when the man asked to confirm her address, he had the wrong information.

“He gave an address that sounded totally fictional, something like ‘Mahogany Grove, Sweet Waters’,” she said.

She told the man he had the wrong number, but he continued to probe her for details, and asked if she lived close to Brisbane.

“He sounded quite nice, not aggressive at all; the type that puts you at ease.

It’s always good to publicise ID theft scam techniques that operate over mediums other than email – which have been around for much longer anyway, of course. A good rule for salespeople or for anyone conducting a survey is to start with small talk, ask innocent questions, gain trust, then gradually ask more probing questions. The same rule applies to scammers of course, so if this is a scam, it’s not a very good one.

It’s always very hard to be paranoid about people’s intentions if you don’t want to appear rude. My favourite example of this is swipe card access into buildings. In a big company, it’s likely that an employee won’t know all the other employees; yet if someone is behind you, is wearing a suit and looks friendly, would you hold the door for them or slam it in their face? You should do the latter, but most do the former.





3 men indicted in stock hacking scheme

14 03 2007

Excellent news at a time when many cases of electronic fraud go unpunished (and undetected). Their scam sounds quite efficient, too – may as well cut out the middleman chumps of pump-and-dump scams and pump those stocks yourself.





Reports of planned physical attacks on UK datacentre

12 03 2007

The Times Online reports on an Al-Qaeda plot to bring down the UK internet. There’s often precious little solid information to properly judge the true threat and the maturity of any plot through the hype (à la the liquid bomb plot), but there certainly must be a good few UK sysadmins who will be able to name their next security budget. Regardless of the feasibility and potential impact of this particular reported plot, of course, any data centre as large as the one reported here should have a well-established disaster recovery plan for a situation like this anyway.