Blackmoor Vituperative

I own an IT consulting company in Richmond, VA. This morning I received the following email from someone who claimed to want us to service several laptops:

Hello ,

How you doing,I read your description and i am highly impressed in your services,I have some Hp PCs(Intel Pentium IV) since we currently have a major breakdown on most of our systems and I thought it was best to have a general upgrade and maintenance.(I will be providing the software needed).Below are the things needed to be done one on each laptops:

1 Format Hard Drive
2 Install Win Xp with Service Pack 2
3 Microsoft Office Package
4 AVG Virus Software (Free Lifetime Updates)
5 Adobe Acrobat
6 Laptop Cleaning of the keyboard, screen and other case.
7 Diagnostics of the entire system after to check hard, CD Rom, floppy, etc.

I will like you to know that my mode of payment is by US certified check mailed and address to you from my employer company since I am presently on a business workshop in Panama city,South American and i want you to know that i will handle the shipment myself since i have a shipper from the state here that will bring the laptops to your place,and will come pick them up as soon as you are done with them.

I should have make this a phone order but i have a network problem of where i am and my shipper will be coming with the necessary Software for the installations of the Computers with both the Operating System,Microsoft Office and the Anti-virus for each computers .

However,get back to me with your last asking price for the 8 laptops. I await your urgent response so that i can put the arrangement in order.

Thanks and hope to read from you soon.

The warning flag here is the “US certified check”. I did a quick search, and discovered that this is a typical “Western Union scam” (not that Western Union is in any way at fault: they are simply being used by the scammers). Here is what the scam looks like in operation:

1. First email

2. ---

3. from    Nicole Bagwell <karenww1@live.com>
4. reply-to        nicoleww1@hotmail.com
5. to      nicoleww1@hotmail.com
6. date    Sat, Mar 28, 2009 at 5:00 PM
7. subject PC needs repair and installations !
8. mailed-by       craigslist.org
9.        
10. hide details Mar 28 (10 days ago)
11.        
12.        
13. Reply
14.        
15.        
16. ** CRAIGSLIST ADVISORY — AVOID SCAMS BY DEALING LOCALLY
17. ** Avoid: wiring money, cross-border deals, work-at-home
18. ** Beware: cashier checks, money orders, escrow, shipping
19. ** More Info: http://www.craigslist.org/about/scams.html
20.  
21.  
22. Hello,
23.  
24. I got your resume on  www.craigslist.org and i was just checking if you will be available to repair and install some applications on 12(Twelve) PC .
25.  
26. Get back to me for details if you’ll be available.
27.  
28. Nicole.
29. Hotmail® is up to 70% faster. Now good news travels really fast. Find out more.
30.  
31. this message was remailed to you via: serv-xtstn-1063755610@craigslist.org

32. ---

33.  
34. Second email
35.  

36. ---

37.  
38. Hello ,
39.  
40. How you doing? and thanks for getting back to me.
41.  
42. I read your description and i am highly impressed in your services,I have some Hp PCs(Intel Pentium IV) since we currently have a major breakdown on most of our systems and I thought it was best to have a general upgrade and maintenance.(I will be providing the software needed).Below are the things needed to be done one on each laptops:
43.  
44. 1 Format Hard Drive
45. 2 Install Win Xp with Service Pack 2
46. 3 Microsoft Office Package
47. 4 AVG Virus Software (Free Lifetime Updates)
48. 5 Adobe Acrobat
49. 6 Laptop Cleaning of the keyboard, screen and other case.
50. 7 Diagnostics of the entire system after to check hard, CD Rom, floppy, etc.
51.  
52. I will like You to know that my mode of payment is by US certified check mailed and address to you from my employer company since I am presently on a business workshop in Panama city,South American and i want you to know that i will handle the shipment myself since i have a shipper from the state here that will bring the laptops to your place,and will come pick them up as soon as you are done with them.
53.  
54. My shipper will be coming with the necessary Software for the installations of the Computers with both the Operating System,Microsoft Office and the Anti-virus for each computers and i should have make this a phone order but i have a network problem of where i am.
55.  
56. However,get back to me with your last asking price for the 12 laptops. I await your urgent response so that i can put the arrangement in order.
57.  
58. Thanks and hope to read from you soon.
59.  
60. Nicole.
61.  

62. ---

63.  
64. Third Email
65.  

66. ---

67. Thanks for the mail .
68.  
69. I must confess I’m comfortable with the cost and its quite reasonable and affordable and also,i hope i can trust you that to do a good job.
70.  
71. I will be sending you the payment inform of US certified cashier check mailed and addressed to you and regards to this kindly get back to me with your full information (in the format below)to receive the payment so it can be made out on-time.
72.  
73. NAME:
74. ADDRESS(NOT P O BOX):
75. CONTACT PHONE NUMBER:
76. DIRECT PHONE NUMBER.
77.  
78. For clarity,all the softwares will be coming with the various license and key.
79.  
80. Will be waiting to read your mail soon.
81.  
82. Best Regards!
83.  
84. Nicole.

85. ---

86.  
87. Fourth email

88. ---

89.  
90. Hello Jonathan,
91.  
92. Sorry for my slow response to your mail,I was busy making a call to my employer company in the state as regards your payment.My Employer company just called from the state few hours ago informing me that there is no exact check for your payment.
93.  
94. Mind you, a payment of $2850.00 [which happen to be my salary and  travel allowance  for this month of March] has been issue out in your name from my company and  mail to your contact address in which upon receipt ,you just need deduct your own payment  out of the money and help us to send the remaining amount to my shipper who will be bringing the PCs to you for the installations and repairs.
95.  
96. Sorry for not informing you about this before,I guess things will workout as  well.
97.  
98. Hope we can count on you about the payment and your service.
99.  
100. Hope  to read  from you soon .
101.  
102. Nicole.

103. ---

104.  
105. Fifth Email

106. ---

107.  
108. Hello Jonathan,
109.  
110. Sorry for not getting back to you since.It’s just that am However,the payment has been delivered to you few minutes ago via United State Postal Service( u.p.s) and here is the Ups  tracking# of the payment….1Z95V97V2210004613,you can go to  www.ups.com/us to track the package movement.
111.  
112. I want you to proceed to your bank immediately you get the payment to get the payment deposited and withdrawn immediately you get it deposited.
113.  
114. As soon as you get the payment withdrawn ,i will want you to proceed to the nearest western union outlet and get the Balance sent when you deduct your own payment from the total payment sent to you by my employer company and get the rest money sent to my shipper that will be bringing the PCs over to you.
115.  
116. Below is my shipper information that you are to get the balance sent to.
117.  
118. Name  :  Christina  Lynch
119. Address: 4207 Park Avenue
120. City  : Hot Springs
121. State : Arkansas
122. Zip code :71901
123.  
124.  
125. Please do that immediately so that my shipper can come over to you with the PCs and also to sign/receive the necessary document .
126.  
127. As soon as you get the money sent i will want you to get back to me with the Western Union control Number( MTCN),full sender’s name and the actual amount in USD when you deduct the western union charges.
128.  
129.  
130. Moreover,you can go to any of the below  western union outlet in your area today to get the payment sent and for easy transaction :
131.  
132. VALLEY DRUG
133. 208 EAST MAIN STREET
134. Everson, WA 98247
135.  
136.  
137. LYNDEN FOOD PAVILLION #441
138. 8130 GUIDE MERIDIAN
139. Lynden, WA 98264
140.  
141.  
142. Hope to read from you Soon.
143.  
144. Cheers !
145.  
146. Nicole.
147.  
148. PS…Do get the money sent today because my shipper call me to inform me that she will not be bringing the laptops over if she did not received the money today since she will be needing the money today to settle some bills,for documentation and booking the  hotel room she will be staying prior to the completion of the repair and installations.

149. ---

I hope this information saves someone from an expensive mistake.

Many cryptographers and other security experts are familiar with what has come to be known as Kerckhoffs’ Principle. Many, however, do not know that there are actually six such principles. The core ideas of these principles are still relevant today, more than 125 years after he first articulated them.

1. The system should be, if not theoretically unbreakable, unbreakable in practice.
2. The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents (Kerckhoffs’ principle).
3. The key should be memorable without notes and should be easily changeable.
4. The cryptograms should be transmittable by telegraph.
5. The apparatus or documents should be portable and operable by a single person.
6. The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain.

(from Six principles of practical ciphers, TechRepublic)

Forrester Research has come out with a report stating, among other things, that half to two-thirds of businesses have “concerns” about open source security.

The problem with empty headlines like “Companies still concerned about open source security” is that they tell you nothing and yet imply everything. You may as well say, “Study Reveals Pittsburgh Unprepared For Full-Scale Zombie Attack“. What does this headline tell you? Is any city prepared for a full scale zombie attack? Is a full-scale zombie attack even remotely likely?

The answer to both is “no”. Yet the headline implies that the answer to both questions is “yes”.

Should companies be concerned about the security of open source software? Of course they should — and they should also be concerned about closed source software, as well as the firmware in their hardware, their physical security, and the safety of their employees in the parking lot.

Should companies avoid open source software for “security” reasons? Of course not. Open source software is, in general, more secure than closed source software, and security flaws in open source software are more quickly corrected when they are found.

The problem with polls like Forrester’s (and those who conduct them) is not that the results are inaccurate (although they may be). The problem is that you won’t get the correct answer if you do not ask the correct question — and you have to understand the topic in order to ask the right questions. Forrester Research clearly doesn’t.

It is not possible to prevent every possible security breach. However, some common sense measures will make such a breach significantly less likely to occur.

In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. […]

Microsoft pushed out its .NET Framework 3.5 Service Pack 1 update this February […] it installs the Microsoft .NET Framework Assistant extension for Firefox, silently, without informing the user. If you had Firefox on your computer when this update was installed, you may be subject to some dire consequences. […]

Yes, that’s right — the long-time, well known security hole present in Internet Explorer that consists of essentially letting Websites install dangerous, untrusted code on your computer willy-nilly has now been shoehorned into your MS Windows install of Firefox without your knowledge or permission.

Worse yet, Microsoft isn’t satisfied with just giving you vulnerabilities without your permission or even your knowledge. It has also gone out of its way to ensure that you’ll have a difficult time removing the vulnerability from your system if you should happen to become aware of it. The Uninstall button for this extension in Firefox has been deactivated.

(from Microsoft may be Firefox’s worst vulnerability, TechRepublic)

To find out how to remove this security vulnerability, see Uninstalling the Clickonce Support for Firefox.

Just thought I’d pass along a few security-related links which I thought were interesting…

• Advice for reading about security
• Code for ultimate rootkit to be released on 2009-03-19
• Recession: a chance to deploy open source security solutions

In particular, I think this comment strikes at the heart of what’s wrong with IT in many companies:

Open source software in general, and Linux in particular, also has an undeserved reputation for poor security in some circles. Part of the reason for this is the fact that many people simply don’t understand how software security, and open source development, works. They hear “open source”, and think “Hell, if anyone can get the source, then anyone can modify it. How do we know we aren’t getting software modified by some malicious ‘hacker’ who wants to steal our sensitive data?” Another part of the reason is that many people with limited technical skills — and a dismaying number of supposed technology “experts” — simply don’t understand that there’s more to security than counting vulnerabilities.

(from Recession: a chance to deploy open source security solutions, TechRepublic)

I got a fun email today from Comcast (my ISP), saying they are blocking port 25, the port on which SMTP sends email, as a measure to fight spam. Isn’t that a kick in the pants? Of course, the only time I send email from home is when mortshire.org sends me reports. However, that is important, so I needed to find a way for mortshire to send me email with Comcast’s blessing. Thanks to Patrick Ben Koetter and Chris Fay, I have done just that.

1. In /etc/postfix/main.cf I added or changed these lines:

myhostname = annwn.mortshire.org
mydomain = mortshire.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain


relayhost = [smtp.comcast.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options=


2. I create a file /etc/postfix/sasl_passwd with the contents:

[smtp.comcast.net]:587 userid:password


where userid and password are my comcast.net username and password.

3. Next, I changed the ownership and permissions on the sasl_passwd file to protect it from unauthorized access.

sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd


4. Finally, I created a database file from the contents of the sasl_passwd file:

sudo postmap hash:/etc/postfix/sasl_passwd


There we go: postfix now uses the Comcast mail gateway, and operates on port 587 rather than 25 (because spammers would never be able to do that, right? Yeeeeaaaahhhhhh…).

(Note: this is Postfix 2.5.5 under Fedora 10.)

TechRepublic has an interesting article that gives a brief explanation of the MD5/SSL exploit that was the cause of such panic last month.

On the surface, this “event” proves that it’s possible for an attacker to insert himself into the certificate acquisition process, resulting in wrongful authentication of visited sites. However, SSL might not be in as much danger as originally reported.

Yes, there are many CAs still using MD5 for at least some certificate signing. In fact, the rogue certificate used in this exploit emulated a VeriSign RapidSSL cert. TC TrustCenter AG, RSA, and Thawte Inc. also still use the vulnerable hash function. But there are four significant mitigating factors.

1. Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates use the still secure SHA-1 hash function.
2. Certificates already issued with MD5 signatures are not at risk. The exploit only affects new certificate acquisitions.
3. CAs are quickly moving to replace MD5 with SHA-1. For example, VeriSign was planning to phase out MD5 by the end of January 2009. The date was pushed up due to the December proof of concept. On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures.
4. The researchers did not release the under-the-hood specifics of how the exploit was executed.

Again, these are mitigating factors. It isn’t impossible for cybercriminals to come up with an attack on their own now that conceptual understanding of approach is public knowledge. But SSL is not broken. The only thing broken is a portion of the public key infrastructure (PKI) which underlies it, and the risk is manageable.

(from The new MD5/SSL exploit is NOT the end of civilization as we know it, TechRepublic)

I do not pretend to understand the mathematics behind much of this, but I find it all very interesting, nonetheless.

It looks like the NSA is actually doing something useful for a change, rather than just spying on American citizens.

Warning: shareaza.com has been suborned by scammers. For Shareaza updates, always go to http://shareaza.sourceforge.net.