<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today &#187; password</title>
	<atom:link href="http://www.securetoday.net/tag/password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Thu, 25 Feb 2010 16:25:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Understanding PHARMING</title>
		<link>http://www.securetoday.net/2009/03/understanding-pharming/</link>
		<comments>http://www.securetoday.net/2009/03/understanding-pharming/#comments</comments>
		<pubDate>Wed, 18 Mar 2009 00:18:47 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[cache poisoning]]></category>
		<category><![CDATA[DNS spoofing]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[pharming]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Wall of Sheep]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=66</guid>
		<description><![CDATA[As a follow-up to my previous entry about Phishing, here is another threat on the Net &#8211; pharming. As discussed earlier, phishers bait users with genuine-looking email that persuades the victim to take an action that exposes critical or personal information. A typical example is an email asking you to update your password or provide [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-79" title="pharming" src="http://www.securetoday.net/wp-content/uploads/2009/07/pharming-300x200.jpg" alt="pharming" width="300" height="200" />As a follow-up to my previous entry about <a title="Protection Against Phishing" href="http://www.securetoday.net/2008/12/protection-against-phishing/">Phishing</a>, here is another threat on the Net &#8211; pharming. As discussed earlier, phishers bait users with genuine-looking email that persuades the victim to take an action that exposes critical or personal information. A typical example is an email asking you to update your password, to provide your bank account details, or to click a link to &#8220;update your data&#8221;. Be aware that banks do not email their customers asking them to change their password or to provide their PIN or other confidential data; they have better and more secure channels for that.</p>
<p>But here comes the joy, or in this case the trouble. Pharming does not need a convincing email at all, and it reaches more victims at once than phishing does. Where phishing tricks one recipient at a time with a genuine-looking email or link, pharming goes deeper underground: it corrupts the name lookup that every user relies on, so even a correctly typed address lands on the attacker's site. It plants a seed for its farm, err, pharm?</p>
<h2>Pharming cultivation</h2>
<p>The technique used in pharming is not new; attacks on DNS have been around for a long time. What differs is the intention: pharmers want your identity and your data. Pharming takes advantage of attacks on DNS (the Domain Name System) such as cache poisoning, response spoofing, and hijacking of the resolver or of the hosts file on a machine. Let&#8217;s see how this works.</p>
<div id="attachment_80" class="wp-caption aligncenter" style="width: 630px"><img class="size-full wp-image-80" title="pharming-works" src="http://www.securetoday.net/wp-content/uploads/2009/07/pharming-works.jpg" alt="How Pharming Works" width="620" height="410" /><p class="wp-caption-text">How Pharming Works</p></div>
<ol>
<li>The attacker compromises name resolution. Using crafted responses, or a vulnerability in the DNS software, the attacker poisons the resolver&#8217;s cache and replaces valid entries with the address of a server he controls. Internally, a disgruntled engineer with access to the servers can manipulate the lookup data directly; externally, attackers exploit vulnerabilities in the server&#8217;s operating system or race the genuine server with forged replies.</li>
<li>A user wants to visit securetoday.net and types the address into the browser.</li>
<li>The user&#8217;s computer queries the DNS to resolve the name. The poisoned DNS answers with the address of the attacker&#8217;s look-alike site (securetodat.net in this example) instead of the genuine one. The browser connects there, and because the name the user typed was securetoday.net, that is what the address bar still shows.</li>
<li>The user, unaware of what happened, believes he is on the correct website.</li>
</ol>
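<p>The sequence above, as an added example that is not code from the original article: a toy stub resolver in Python, built with the standard library only, that accepts a reply into its cache only when the transaction ID, the destination port and the question name all match an outstanding query. The host name, the 192.0.2.x and 203.0.113.x addresses (documentation ranges) and the race in <code>demo()</code> are a constructed scenario, and name compression, bailiwick and source-address checks are left out. It shows why a forged reply with a guessed transaction ID is enough when the resolver uses a fixed source port, and how much harder the guess becomes when the port is randomized.</p>

```python
"""Toy stub resolver showing how a forged DNS reply poisons a cache.

Added example, not code from the original article. Packets are built with
the standard library only; the host name and the 192.0.2.x / 203.0.113.x
addresses (documentation ranges) are a constructed scenario.
"""
import secrets
import struct


def encode_name(name):
    """Dotted host name -> DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Inverse of encode_name; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """Standard recursive query for an A record (12-byte header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(txid, name, ipv4, ttl=300):
    """Response with one A record; an attacker forges exactly this packet."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + rr


def parse_answer(pkt):
    """Parse the single-answer replies produced by build_answer (no name compression)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, off = decode_name(pkt, 12)
    off += 4                                   # skip qtype / qclass
    rname, off = decode_name(pkt, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    ip = ".".join(str(b) for b in pkt[off:off + rdlen])
    return {"txid": txid, "qname": qname, "rname": rname, "ip": ip, "ttl": ttl}


class StubResolver:
    """Caches a reply only if it matches an outstanding query's txid, port and name."""

    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}      # (txid, source_port) -> queried name
        self.cache = {}        # name -> ip

    def send_query(self, name):
        txid = secrets.randbelow(65536)
        port = secrets.randbelow(64512) + 1024 if self.randomize_ports else 53
        self.pending[(txid, port)] = name
        return build_query(txid, name), port

    def receive(self, pkt, dst_port):
        """Return True if the reply was accepted into the cache."""
        ans = parse_answer(pkt)
        key = (ans["txid"], dst_port)
        if self.pending.get(key) != ans["qname"] or ans["rname"] != ans["qname"]:
            return False       # nothing outstanding matches: drop it (the source IP is trivially forged over UDP)
        del self.pending[key]
        self.cache[ans["qname"]] = ans["ip"]
        return True


def forged_accept_probability(randomize_ports):
    """Chance one blind forgery matches: 16-bit txid, times ~16 bits of port if randomized."""
    return 1.0 / (65536 * (64512 if randomize_ports else 1))


def demo():
    """Constructed race: the attacker floods forged replies before the real server answers."""
    r = StubResolver(randomize_ports=False)    # weak configuration: fixed source port 53
    query, port = r.send_query("securetoday.net")
    txid = struct.unpack("!H", query[:2])[0]
    evil, genuine = "203.0.113.66", "192.0.2.10"
    results = {}
    results["wrong_txid"] = r.receive(build_answer((txid + 1) & 0xFFFF, "securetoday.net", evil), port)
    results["wrong_name"] = r.receive(build_answer(txid, "example.com", evil), port)
    results["hit"] = r.receive(build_answer(txid, "securetoday.net", evil), port)
    results["cached_ip"] = r.cache.get("securetoday.net")
    results["late_genuine"] = r.receive(build_answer(txid, "securetoday.net", genuine), port)
    return results


if __name__ == "__main__":
    print(demo())
    print(forged_accept_probability(False), forged_accept_probability(True))
```

<p>Run as a script, <code>demo()</code> shows the two bad forgeries dropped, the lucky one cached, and the genuine answer arriving too late to matter: once the wrong address is in the cache, every user of that resolver is sent to the attacker until the TTL expires. <code>forged_accept_probability()</code> gives the per-packet odds: with a fixed source port it is 1 in 65,536, which a flood of forged replies reaches quickly, and that is why real resolvers randomize the source port as well as the transaction ID.</p>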
<p>Of course, the fake website has to be designed to look as close as possible to the real one to convince victims that they are in the right place. On that site the attacker can ask the user to log in, to provide confidential information, and more.</p>
<span id="more-66"></span>
<h2>Wall of Sheep</h2>
<p>I will discuss the actual and real meaning of Wall of Sheep in a separate article. For now, let me relive one of the cool projects we did back in our college days. The Wall of Sheep was our final project in our &#8220;Hacker Tools and Techniques&#8221; class. My buddy <a title="Will Caput" href="http://www.facebook.com/william.caput" target="_blank">Will Caput</a> and I took advantage of iWhack, an (old and already decommissioned) Knoppix-based distro. I think it has been integrated into <a title="BackTrack" href="http://www.remote-exploit.org/backtrack.html" target="_blank">BackTrack</a> now.</p>
<p>Using the DNS redirect/spoofing program built into the Knoppix distro, we were able to take advantage of our existing DNS server at school and redirect traffic. We configured it to redirect traffic for the email functions of Yahoo, Hotmail and AOL. I developed three local virtual sites on my laptop running Apache that were identical in look and feel to Yahoo Mail, Hotmail and AOL Mail. Behind the login page is the code where I stripped off the email address and password, saved them in a database, and exported them to the Wall of Sheep.</p>
<p>Users who logged in to these fake pages would get an invalid-login error message on the first try. Behind the scenes, my code was actually stealing their information. They were then redirected to another local page on my Apache server. The DNS-redirect program knew this page and ignored it, and then redirected them to the actual Yahoo or Hotmail login page. Cool?</p>
<p>The Wall of Sheep was viewed by everyone in our class during the project presentation, but it had been running for a few days. It listed actual compromised emails. We did not display their passwords, for their protection, but we kept them to exchange for something. Like their watch or backpack. Just kidding.</p>
<p>The example above is a type of pharming. We took advantage of the DNS traffic by intercepting it from the wire (a non-switched environment) and redirecting all queries to our rogue DNS, where we explicitly defined which addresses to redirect and where to.</p>
<p>The virtual sites I created are the fake websites that fool victims into thinking they are on the correct website, only to find out that they weren&#8217;t, and instead are now being viewed on the Wall of Sheep in class. I think we got an A in that class?</p>
<h2>Any advice for users?</h2>
<ul>
<li>As I mentioned in my phishing article, one of the best countermeasures is awareness. By understanding how these attacks work, you can add extra caution to your day-to-day work, starting with sorting your email into what you trust and what you don&#8217;t. If it sounds too good to be true, watch out: there is a catch, and that catch is the big fish the phishers have been waiting for.</li>
<li>Installing anti-virus software is a must. You should not be reading this article, or rather surfing the Internet at all, without up-to-date anti-virus software. It is not expensive compared with the loss you face if you are compromised.</li>
<li>Installing anti-spyware programs also helps: they check for unwanted programs running on your computer, and some can even monitor for phishing attacks in real time. I&#8217;ve tried <a title="AdAware" href="http://www.lavasoft.com/?domain=adaware.us" target="_blank">AdAware</a> and <a title="Spybot S&amp;D" href="http://www.safer-networking.org/" target="_blank">Spybot S&amp;D</a>; the new Windows Defender is good too. As with anti-virus, anti-spyware needs the latest definitions; out of date, it is as good as not having one.</li>
<li>Most, if not all, browsers today support, or come with, a site checker. The new Internet Explorer has a feature that checks whether the site you are accessing is known to be unsafe. McAfee&#8217;s Site Advisor is another good program you can install into your browser. It costs a little performance, but it helps detect in real time whether the site you are about to access is bad.</li>
<li>Also, most users ignore them, but pay attention to the security alerts that pop up when you access an SSL-enabled site (https://). The certificate is what proves the site is who it says it is, and a warning means the name on it doesn&#8217;t match the site you asked for, it has expired, or it was issued by an authority your browser doesn&#8217;t trust. In a pharming attack the attacker&#8217;s server is answering for a name it doesn&#8217;t own, so it normally cannot present a valid certificate for that name, and the warning may be the only visible sign that something is wrong. Don&#8217;t just click through it; if the certificate is invalid, the site is not to be trusted and I don&#8217;t encourage you to proceed.</li>
</ul>
<p>So in our world, we thank our farmers for doing their best to put food on our tables. But in the IT security world, watch out for the &#8216;pharmers&#8217;: they want to scrape the food off your table.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/03/understanding-pharming/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Secure your PASSWORD</title>
		<link>http://www.securetoday.net/2009/02/secure-your-password/</link>
		<comments>http://www.securetoday.net/2009/02/secure-your-password/#comments</comments>
		<pubDate>Sat, 14 Feb 2009 20:19:57 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[AIC Triad]]></category>
		<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[crack]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password management]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=57</guid>
		<description><![CDATA[PASSWORD MANAGEMENT
One of the areas many of us overlook, and struggle with, is password management. In our day-to-day computing, many of us simply protect our assets with a simple password. Those assets can be critical: bank accounts, confidential data, even health information. We are [...]]]></description>
			<content:encoded><![CDATA[<h2><strong>PASSWORD MANAGEMENT</strong></h2>
<p>One of the areas many of us overlook, and struggle with, is password management. In our day-to-day computing, many of us simply protect our assets with a simple password. Those assets can be critical: bank accounts, confidential data, even health information. We are not doing the real work of password management.</p>
<p><img class="alignleft size-full wp-image-58" title="password" src="http://www.securetoday.net/wp-content/uploads/2009/07/password.jpg" alt="password" width="400" height="300" />Now, just what is password management, really? Well, in its simplest form: managing passwords!</p>
<p>In the corporate world there are various technologies that do password management; in fact, the topic gets good coverage in many of the books for the CISSP exam.</p>
<p>Before going deeper, let&#8217;s put the magnifying glass on the word password itself. Many, if not all, of us know what a password is. It&#8217;s the word you write on a sticky note and hide underneath your keyboard. Kidding aside.</p>
<p>Passwords are the most widely and commonly used authentication mechanism. They are also considered the weakest. Users choose easy passwords such as their date of birth, favorite color or nickname, which are easy to guess, and sometimes they give them away to their buddies or best friends.</p>
<p>It is funny, yet interesting, how users typically think security is not an important part of their computer; not until someone hacks into their computer or account, and then security is all the frustration.</p>
<p>So here comes password management to the rescue. Although this article mostly addresses day-to-day users of computers, email and online services, it also touches on the corporate world, where I cover some of the best ways to manage passwords. Bear in mind that it does not go into how to implement SSO technologies, token devices and the like.</p>
<p><span id="more-57"></span>Simply put, protect your treasured belongings with your best security. You wouldn&#8217;t put your jewelry, money and other valuables into a cardboard box lying on your doorstep. In the same way, protect your email, your computers and your accounts with a good password.</p>
<p>A good password is at least eight characters long and mixes upper- and lower-case letters with digits or special characters. Choose something not closely related to you, such as your favorite color, a pet&#8217;s name or a possession. For example, &#8220;1Fo126iveYoU&#8221; is a strong password. &#8220;blue123&#8221;, although it contains letters and numbers, is still vulnerable to dictionary and brute-force attacks: a dictionary attack tries words from a list, plus common decorations such as trailing digits, and a brute-force attack tries every combination. There are many free, easy-to-use programs that do the guessing, and the longer the password and the more character classes it uses, the larger the space they have to search.</p>
<p>Also, remember not to write your password anywhere someone can read or see it. We often change a password to something similar to the previous one, only incrementing or decrementing a few characters: &#8220;PassWord1&#8221; was the old one and &#8220;PassWord2&#8221; is the new. If you wrote the old one on a piece of paper and threw it away, an attacker can go through the trash and find it. This technique is called dumpster diving. So be aware: the fact that you are done with a password doesn&#8217;t mean it can&#8217;t be used to guess your other passwords.</p>
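<p>The two paragraphs above turned into a check, as an added example that is not code from the original article: a small Python password checker that applies the length and character-class rules, flags a dictionary word dressed up with digits or symbols (&#8220;blue123&#8221;, &#8220;P@ssw0rd!&#8221;), catches a new password that is just the old one with the number bumped (&#8220;PassWord1&#8221; to &#8220;PassWord2&#8221;), and estimates the search space a brute-forcer faces. <code>COMMON_WORDS</code> is a tiny constructed stand-in for a real cracking dictionary; the sample passwords are the article&#8217;s own plus a few constructed ones.</p>

```python
"""Check a candidate password against the rules above and a few attacker habits.

Added example, not code from the original article. COMMON_WORDS is a tiny
constructed stand-in for a cracking dictionary; the sample passwords are the
article's own plus a few constructed ones.
"""
import math
import re
import string

COMMON_WORDS = {"password", "blue", "letmein", "welcome", "admin", "qwerty"}
LEET = str.maketrans("0134@$", "oleaas")     # undo common substitutions: p@ssw0rd -> password


def char_classes(pw):
    """How many of lower, upper, digit, punctuation the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])


def keyspace_bits(pw):
    """Bits of search space a brute-forcer faces, given the classes actually used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_root(pw):
    """Strip leading/trailing digits and symbols, undo leet-speak; return the word if common."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw).lower().translate(LEET)
    return core if core in COMMON_WORDS else None


def is_increment_of(old, new):
    """True when new is old with only the trailing digits changed (PassWord1 -> PassWord2)."""
    stem_old, num_old = re.match(r"(.*?)(\d*)$", old).groups()
    stem_new, num_new = re.match(r"(.*?)(\d*)$", new).groups()
    return stem_old.lower() == stem_new.lower() and num_old != num_new and num_new != ""


def check_password(new, previous=()):
    """Return the list of problems found; an empty list means the password passes."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(new) < 3:
        problems.append("uses fewer than 3 character classes")
    root = dictionary_root(new)
    if root:
        problems.append(f"dictionary word '{root}' with decoration")
    for old in previous:
        if new.lower() == old.lower():
            problems.append("reuses a previous password")
        elif is_increment_of(old, new):
            problems.append(f"only the number changed from '{old}'")
    return problems


if __name__ == "__main__":
    for pw in ("blue123", "1Fo126iveYoU", "P@ssw0rd!", "PassWord2"):
        print(f"{pw:14} {keyspace_bits(pw):5.1f} bits  {check_password(pw, ['PassWord1']) or 'ok'}")
```

<p>&#8220;blue123&#8221; fails on length, on character classes and as a dictionary word with a number glued on; &#8220;1Fo126iveYoU&#8221; passes and sits at roughly 71 bits of brute-force search space against about 36 for &#8220;blue123&#8221;. The increment check is the reason password-history rules exist: an attacker who recovers &#8220;PassWord1&#8221; from the trash will try &#8220;PassWord2&#8221; before anything else.</p>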
<p>Some systems nowadays ask you for a phrase instead of a password: a passphrase. Instead of entering &#8220;password 123&#8221;, you might key in &#8220;let me in this is me&#8221;. Other systems take a different approach and allow a cognitive password. Cognitive passwords are opinion- or fact-based: they are derived from answers to questions about your life, and the answers are then transposed into a virtual password.</p>
<p>In systems where all that is required is a password, it is your duty to secure it. I&#8217;ve covered a few ways to do so here, but there are many others you can apply on your own. Something I did not cover, because it is beyond the scope of this article, is the use of encryption or token devices to ensure that a user&#8217;s password is not sniffed, eavesdropped on, or captured by an attacker for a replay attack. Those countermeasures are for security professionals to implement as technical or logical controls in their enterprise.</p>
<p>Password synchronization, assisted password reset and self-service password reset are a few approaches you can implement in your enterprise to help users reset their passwords without being compromised during the reset. Those are the real &#8220;password management&#8221; discussion.</p>
<p>As an end user, protect your password as if it were the key to all your belongings. Remember, attackers can sniff it (so corporations should implement encryption), brute-force guess it (so apply a hard-to-guess, strong password), or steal it (using techniques such as dumpster diving, shoulder surfing and keyboard monitoring). Shoulder surfing is when someone looks over your shoulder as you type in your password.</p>
<p>Next time, I will try to cover in detail some of these attacks that you really need to be aware of.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/02/secure-your-password/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Protection against Phishing</title>
		<link>http://www.securetoday.net/2008/12/protection-against-phishing/</link>
		<comments>http://www.securetoday.net/2008/12/protection-against-phishing/#comments</comments>
		<pubDate>Fri, 05 Dec 2008 20:46:29 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[access control]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[phising]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=25</guid>
		<description><![CDATA[
PHISHING is a social engineering technique: it tricks someone into believing something that differs from what is really going on, with the sole purpose of obtaining personal information, credit card details and credentials.
The word phishing has been around since 1996. It was coined by hackers who started stealing AOL passwords by posing as [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-medium wp-image-49 alignright" title="phishing2" src="http://www.securetoday.net/wp-content/uploads/2008/12/phishing2-300x217.jpg" alt="phishing2" width="300" height="217" /></p>
<p><strong>PHISHING</strong> is a social engineering technique: it tricks someone into believing something that differs from what is really going on, with the sole purpose of obtaining personal information, credit card details and credentials.</p>
<p>The word phishing has been around since 1996. It was coined by hackers who started stealing AOL passwords by posing as staff members and sending email messages asking victims for their account information, supposedly to verify billing details and other data about their AOL accounts. The attackers lure, or fish for, the victims; that is where the word came from.</p>
<p>Although the technique has been around since the &#8217;90s, it did not reach its peak until mid-2003. Phishing attackers, also called <em>phishers</em>, create very convincing emails asking victims to click on links to update their account information. The emails and the site they redirect to look so close to the real ones that a typical user would not spot the difference.</p>
<p>One of the tricks phishers use is a link inside the email whose address is almost the same as the real site&#8217;s. For example, if you have an account with Bank of Alaska and their website is bankofalaska.com, they would register something like backofalaska.com. Or they place an @ symbol in the address, as in bankofalaska.com@oursite.com: in a URL, whatever comes between http:// and the @ sign is a username, and the actual website is <em>oursite.com</em>, the bad one. If the site doesn&#8217;t require a username, that part is simply ignored, so the page loads as if nothing were wrong. Modern browsers strip or warn about such addresses, but the trick still fools a quick glance.</p>
<p><span id="more-25"></span>Nowadays phishers have developed many newer techniques to lead potential victims into the trap. Some have found ways to use JavaScript to hide the actual URL and show something else: if you check the address and it reads bankofalaska.com, that is what you see, while the script hides the real phishing site. Newer browsers should detect this and warn you.</p>
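<p>The two address tricks above, checked in code, as an added example that is not from the original article: a Python link inspector that parses the URL the way a browser does, reports the userinfo trick (bankofalaska.com@oursite.com), flags a domain within a couple of edits of one you trust (backofalaska.com), notes a raw IP address, and compares the host shown in the link text against the host the link really points to. <code>TRUSTED_HOSTS</code> and the sample links are constructed for the demonstration, and the last-two-labels shortcut for the registrable domain is an assumption; real code would use the public suffix list.</p>

```python
"""Inspect a link the way a cautious reader should before clicking it.

Added example, not code from the original article. TRUSTED_HOSTS and the
sample links are constructed for the demonstration; a real deployment would
use the public suffix list rather than the last-two-labels shortcut below.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"bankofalaska.com"}     # assumed: the sites the reader has accounts with


def registered_domain(host):
    """Crude registrable domain: the last two labels (wrong for co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats like backofalaska.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host_of(text):
    """Host part of a URL or bare host name; '' if the text is not URL-like."""
    text = text.strip()
    if "." not in text or " " in text:
        return ""
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()


def inspect_link(href, link_text=None):
    """Return a list of warnings for a link; an empty list means nothing suspicious was found."""
    warnings = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    # The @ trick: the browser connects to the host after @, not the name before it.
    if parts.username is not None:
        warnings.append(f"userinfo trick: '{parts.username}' before @, real host is {host}")
    if host and all(ch.isdigit() or ch == "." for ch in host):
        warnings.append("raw IP address instead of a host name")
    dom = registered_domain(host)
    if dom not in TRUSTED_HOSTS:
        for trusted in TRUSTED_HOSTS:
            d = edit_distance(dom, trusted)
            if 0 < d <= 2:
                warnings.append(f"look-alike domain: {dom} is {d} edit(s) from {trusted}")
    # Link text that shows one site while the href goes to another.
    shown = _host_of(link_text) if link_text else ""
    if shown and registered_domain(shown) != dom:
        warnings.append(f"link text shows {shown} but the link points at {host}")
    return warnings


if __name__ == "__main__":
    samples = [("http://bankofalaska.com@oursite.com/login", None),
               ("http://backofalaska.com/update", "https://www.bankofalaska.com/update"),
               ("https://www.bankofalaska.com/login", "Click here")]
    for url, text in samples:
        print(url, "->", inspect_link(url, text) or "ok")
```

<p>The first sample is reported for the userinfo trick, the second both as a look-alike domain and as link text that disagrees with its target, and the third is clean. Typing the address yourself, as the advice below says, defeats all three.</p>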
<p>Other attacks come in the form of pop-ups and abuse of cookies. A phisher who has written code to detect that you are browsing, say, your bank&#8217;s site will trigger a pop-up window that appears to come from the real bank, when in fact it was generated by the phisher&#8217;s script. That pop-up then asks for your account information and other sensitive details.</p>
<p>Phishing is still rising and staying on top. The <a title="APWG Q1 2008 Phishing Report" href="http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf" target="_blank">Q1 2008 report from APWG</a> (www.anti-phishing.org) shows an average of about 30,000 unique phishing URLs in that quarter.</p>
<p>One of the countermeasures we really need to start applying, from within ourselves, is &#8220;self-awareness&#8221;. There are small things we can do to protect ourselves from phishing: not clicking on, or even opening, email from an unknown sender; and when someone does email you a link, typing the address into the browser yourself rather than clicking it, since the link in the email may take you somewhere else. And as always, <strong>DO NOT</strong> believe emails asking you to update your account information or asking for a password, or telling you that money will be transferred to you from an African bank. These are all scams. As a rule of thumb, never give out your password or critical account information via email or to anyone who asks for it.</p>
<p>Next time, I will extend the discussion of phishing to a wider scope: attackers redirecting you to what appears to be legitimate traffic, yet is fake, using techniques such as DNS poisoning. This is called <strong>PHARMING</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2008/12/protection-against-phishing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
