Understanding PHARMING

by: Zarex dela Cruz, CISSP on Tuesday, March 17, 2009 4:18 PM

A follow-up on my previous entry about phishing: here comes another threat on the Net, pharming. As discussed earlier, phishers bait users with genuine-looking email to convince victims to take an action that exposes critical or personal information. A typical example is an email asking you to update your password or provide your bank account information, or asking you to click a link to update your data. Be aware that banks do not email their customers asking them to change their password or provide their PIN or other confidential data. They have better and more secure communication channels for that.

But here comes the joy, or rather the trouble. Pharming attacks usually do not require convincing emails, and they have wider coverage than phishing. While phishing tricks victims with genuine-looking emails or links, pharming goes deeper underground, planting a seed for its farm, err, pharm?

Pharming cultivation

The technique used in pharming is not new; it has been around for a long time. The difference, however, is the intention: they want your identity or your data. Pharming takes advantage of attacks on DNS (the Domain Name System) such as cache poisoning, spoofing, and hijacking. Let's see how this works.

How Pharming Works

  1. An attacker exploits vulnerabilities in a DNS server. Using crafted responses or an existing vulnerability, the attacker poisons the DNS cache and changes valid entries. Internally, a disgruntled engineer can even manipulate the host lookup on these servers; externally, attackers can take advantage of operating system vulnerabilities.
  2. A user wants to go to the website securetoday.net and enters it in the browser.
  3. The user's computer queries the DNS server to resolve the name. The poisoned DNS resolves the name to the nefarious fake website, and the user is redirected to securetodat.net.
  4. The user, unaware of what happened, thinks he is on the correct website.

Of course, the fake website has to be designed to look as close as possible to the real one, to convince victims that they are on the correct website. Once there, it can ask the user to log in, provide confidential information, and more.
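Two cheap checks a defender can run against the scenario above, as an added example that is not part of the original post: compare what several independent resolvers return for one name (a poisoned cache usually shows up as a lone divergent answer), and look for a hosts-file line that pins the name to an address, which bypasses DNS altogether. The resolver answers and hosts file below are constructed sample data using documentation address ranges.

```python
from collections import Counter

# Constructed sample data (not from the article): answers that several independent
# resolvers returned for securetoday.net, and a workstation hosts file. Addresses
# come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
RESOLVER_ANSWERS = {
    "corporate-resolver": {"203.0.113.10"},
    "public-resolver-a": {"203.0.113.10"},
    "public-resolver-b": {"198.51.100.77"},  # the odd one out
}

HOSTS_FILE = """\
127.0.0.1   localhost
# entry added without change control
198.51.100.77   securetoday.net www.securetoday.net
"""


def hosts_file_overrides(hosts_text, name):
    """Return the addresses a hosts file pins `name` to.

    A hosts entry is consulted before DNS, so a tampered line redirects the
    browser without any DNS cache being poisoned at all.
    """
    pinned = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            pinned.add(addr)
    return pinned


def resolver_disagreements(answers):
    """Return the resolvers whose answer set differs from the majority answer.

    Cache poisoning normally hits one resolver, so asking several independent
    resolvers and comparing makes the divergent one stand out.
    """
    majority, _ = Counter(frozenset(a) for a in answers.values()).most_common(1)[0]
    return {name for name, a in answers.items() if frozenset(a) != majority}


if __name__ == "__main__":
    print("hosts override:", hosts_file_overrides(HOSTS_FILE, "securetoday.net"))
    print("divergent resolvers:", resolver_disagreements(RESOLVER_ANSWERS))
```

A divergent resolver or an unexpected hosts entry is a signal to investigate, not proof of pharming; confirm against the site's TLS certificate before acting.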

Secure your PASSWORD

by: Zarex dela Cruz, CISSP on Saturday, February 14, 2009 12:19 PM

PASSWORD MANAGEMENT

One of the overlooked areas many of us struggle with is password management. In our day-to-day computing, many of us simply choose to protect our assets with a simple password. These assets could be critical: bank accounts, confidential data, or even health information. We are not doing the real work of password management.

Now, just what is password management, really? Well, in its very simplest form, managing passwords!

In the corporate world, there are various technologies that do password management. In fact, password management is covered in good depth in many of the books for the CISSP exam.

Now, before going deeper, let's put the magnifying glass on the word password itself. Many, if not all, of us know what a password is. That's the word you write on a sticky note and hide underneath your keyboard. Kidding aside.

Passwords are the most widely and commonly used authentication mechanism. They are also considered the weakest. Users simply choose very easy passwords, such as their date of birth, favorite color, or nickname, that are easy to guess. Sometimes, too, they give them away to their buddies or best friends.

It is funny yet interesting to see how users typically think security is not an important part of their computer, until someone hacks into their computer or account; then security is the source of all the frustration.

So here comes password management to the rescue. Although the scope of this article will dive deeper only into day-to-day use of computers, email, and services, it will touch a bit on the corporate world, where I will cover some of the best ways of managing passwords. Bear in mind that this article does not go into how to implement SSO technologies, token devices, and the like.


Phishing extended

by: Anand Harikrishnan, CEH on Sunday, January 11, 2009 10:17 PM

Phishing comes from the analogy that Internet scammers use e-mail lures to "fish" for passwords and financial data from the sea of Internet users. The spelling was derived from hackers' tendency to replace "f" with "ph".

In the Internet world, a phishing attempt originates when a malicious user forges a website pretending to be a site you trust, in order to steal personal information (user name, password, or other sensitive information). Those of us who blindly trust emails from unknown sources, or unknown links received in IMs, become easy prey to such fraudulent attempts at identity theft. The motives behind such attempts are mainly financial benefit: making easy money, accessing sensitive information, wide-spread marketing, causing damage, etc. Any Internet user with an instant-messaging ID or email address is at risk of being phished. Yes, this is one of the fastest-growing problems on the Internet, and it causes billions of dollars of damage every year.

ISPs play an important role in protecting their users from phishing attempts. Also available on the market are anti-phishing tools, browser add-ons that protect against phishing, etc. But the main responsibility lies with user education in "safe clicking" practice.

Protection against Phishing

by: Zarex dela Cruz, CISSP on Friday, December 5, 2008 12:46 PM

PHISHING is a social engineering technique, which means tricking someone into believing something different from what it really is, with the full purpose of obtaining personal information, credit card information, and credentials.

The word phishing has been around since 1996. It was originally coined by hackers who started stealing AOL passwords by posing as staff members and sending email messages asking victims for their account information, supposedly to verify their billing and other details about their AOL accounts. The attackers lure, or fish for, the victims. This is when the word phishing began.

Although this social engineering technique has been around since the '90s, it did not hit its peak popularity until mid-2003. Phishing attackers, also called phishers, create very convincing emails requesting that victims click on links to update their account information. These emails and the website they redirect to look very similar to the real ones; they are convincing enough that a typical user would not spot the differences.

One of the tricks these phishers use is to ask you to click on a link inside the email that looks almost the same as the actual website. For example, if you have an account with Bank of Alaska and their website is bankofalaska.com, they would create a site with a name like backofalaska.com. Or they would place an @ symbol in the link, like bankofalaska.com@oursite.com. In a URL, whatever precedes the @ sign is the username following the http protocol. The actual website is oursite.com, which is a bad site. Depending on how the site is written, the username is simply ignored if it is not required.
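A small link analyzer, as an added example that is not part of the original post, showing both tricks from this paragraph: it uses Python's standard URL parser to pull out the host a browser would really connect to (everything before the @ is only a username), and it flags hosts that are one or two character edits away from a trusted domain. The same check catches the securetodat.net lookalike from the pharming post above. The trusted-domain list is an assumption for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example: domains the user actually uses
# (bankofalaska.com and securetoday.net are the names used in the articles).
TRUSTED_DOMAINS = {"bankofalaska.com", "securetoday.net"}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_link(url, trusted=TRUSTED_DOMAINS):
    """Return (real_host, findings) for a link found in an email.

    The browser connects to the host after any '@'; the text before it is
    only userinfo, no matter how much it looks like a bank's domain.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes the real host '{host}'")
    if host in trusted:
        return host, findings
    for good in sorted(trusted):
        d = edit_distance(host, good)
        if 0 < d <= 2:  # one or two typos away from a trusted name
            findings.append(f"'{host}' is a lookalike of '{good}' (edit distance {d})")
    return host, findings


if __name__ == "__main__":
    for link in ("http://bankofalaska.com@oursite.com/login",
                 "http://backofalaska.com/login",
                 "securetodat.net",
                 "https://bankofalaska.com/"):
        print(link, "->", analyze_link(link))
```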


Welcome to SecureToday.net

by: SecureToday.net Admin on Thursday, October 2, 2008 11:59 AM

Thank you for visiting our site, our blog. Over the years, there have been several sites and blogs that I have started, supported, and maintained. A few of them had areas where I could share my ideas and knowledge about what I enjoy doing: security. Two years ago, I wanted to start a blog about the same passion. Instead, I set up my own personal site, which also includes a blog, but I seldom had the opportunity to write articles that could be beneficial to others, or just my own babbling that most people don't even care about.

Less than a year ago, in the comfort of my apartment in Austin, Texas, I began developing on my staging server. I wrote many small posts and less interesting articles. However, they did not make it to production. Since then, I moved to California, and my server got lost in transit with the careless Vans line company that was supposed to take care of my belongings.

A few months ago, earlier this year, I restarted building the same idea and wanted to put it into production. By the way, the domain name had been purchased years ago. A few of my colleagues showed interest and would also like to start sharing their ideas, opinions, and experiences through blogging. So here is our site, and we hope it will, in some way or another, help you secure your assets today, to prepare for tomorrow.

Welcome once again and enjoy!