Please Read this important post first from one of our members...
http://finance.groups.yahoo.com/group/investmentprograms/message/14310
Thx TaS
I thought the following may be of interest. With so many losing their
gold due to hackers, this clever phishing is a very likely cause. It is
incredible how they can trick you even when you are on a trusted site.
See or read below:
http://www.theregister.co.uk/2004/11/02/phishing_tabbed_browsers/
Phishing for dummies: hook, line and sinker
By Scott Granneman, SecurityFocus
Published Tuesday 2nd November 2004 14:55 GMT
Recent "phishing" episodes, and two new browser vulnerabilities, show
how the bad guys are tricking people into exposing their passwords
and bank accounts. Couldn't happen to tech-savvy users, right? Unless
you consider how entire nations have been fooled.
The art of faking out opponents in a clever, elegant, beautiful way
is one that I find fascinating, and I cherish examples of that art.
When looking through history for stories illustrating the deliberate
use of distractions to obfuscate an intended purpose, I often return
to World War II, which offers many such tales.
The story of the allies' cracking of the German Enigma machine is one
that everyone in security should know about. Used by the Germans, the
Enigma machine was cracked by the allies using a variety of
techniques. Math played its part, but so did subterfuge. Robert
Morris, former chief scientist at the NSA (and father of the Morris
Worm author), explained during a talk at Blackhat Briefings that the
Americans noticed that German weather ships trawling in the North
Atlantic used Enigma machines to send in weather reports every day.
If the Allies could acquire those machines and their keys, it would
be a major help in decrypting Enigma. Consequently, the Allies sank a
couple of the ships in what seemed like a normal wartime action, but
in reality salvage teams immediately went to work and recovered the
Enigma machines and the required keys. The Germans never suspected
what the real target of the attacks was, and the Allies had another
tool to use in their war.
Several incidents, famous only after the war, occurred during the
preparations for the liberation of Europe from the fascists. The
Allies wanted to confuse the Nazis so that the actual locations of
the landings - the beaches of Normandy for D-day in 1944 and Sicily
in the Mediterranean in 1943 - would be secret as long as possible,
so they developed several deceptions that were purposely designed to
be "accidentally" picked up by Nazi operators, including:
Operation Fortitude: A fake First Army Group, supposedly commanded by
General George S. Patton, sent fake radio messages confirming that
the Pas de Calais was going to be the epicenter of D-day. In
addition, airfields were created that contained row upon row of
papier-mache planes, designed to fool air surveillance.
Operation Skye: Radio traffic out of Scotland intentionally deceived
the Germans into believing that the D-day attack was going to come
out of northern Europe, in either Norway or Denmark.
Operation Mincemeat (this one is my favorite): This brilliant plan
involved dropping a dead man, wearing a life jacket and supposedly
named "Major William Martin", into the ocean off the coast of Spain
in April 1943. Chained to his wrist was a briefcase containing forged
war plans about the upcoming invasion of Sardinia. Hitler fell for it
completely, diverting Axis defenses to Sardinia and allowing the
Allies much easier access to the island of Sicily, the real target.
In the cases above, the good guys used subterfuge, trickery, even
treachery to fool their enemies into believing that what they were
seeing and hearing was true, when in fact it was anything but. We're
seeing the same sort of chicanery today on the web, except now it's
ordinary users who are being duped by the bad guys, and the good guys
have a heck of a time making the situation any better. I'm referring
to the epidemic of phishing that is currently one of the biggest
problems on the net.
Reaching the point of epidemic
I don't know about you, but I get at least one email every few days
that is supposedly from CitiBank (currently used in 54 per cent of
phishing messages), or PayPal, or eBay, or Amazon, or SunTrust Bank
(who the heck are they?), or or or or or ... the list goes on and on.
The emails always mention that my account needs to be updated, or my
credit card has been charged for some enormous purchase that I never
made and I need to correct this, or that I need to verify some
information the website has on me. Whatever. The goal is always to
get me to believe that a company I use for financial transactions -
and who therefore is trusted by me - needs information, so that I
submit personal data that can be used by criminals to further their
own ends. These messages can look very, very real, as the image
below, taken by blogging pioneer Dave Winer shows. Yes, he uses
Outlook Express for some reason, and received this in his email
(click for a bigger pic):
Keep in mind that phishing is not confined to email, but is also
web-based as well. In fact, those emails wouldn't work without a
corresponding website, designed also to look as realistic as
possible, containing forms for suckers to fill in. But there are also
various tricks that can be played on unsuspecting web users that can
get them in trouble.
How big is that trouble? Enormous, and growing. According to a
Gartner Group study from May of this year, at least 1.8m consumers
have been tricked by phishing attacks into revealing sensitive
information - and the majority of that 1.8m occurred within the year
prior to that report. In just the last six months, phishing emails
have increased by 4000 per cent. On average, a consumer loses $1200
when his bank account is taken over, and the vast majority of such
takeovers are from phishing. Think about those numbers for a second.
1.8m people affected. 4000 per cent increase. $1200 average loss per
person.
This is escalating into such a problem for banks that many of them
are now refusing to protect their customers and, as The Boston Herald
reports, are now choosing instead to "litigate, fight and force
consumers to settle for lower amounts". If you were fooled through
phishing, your bank very well may refuse to reimburse you. Most
consumers know that if they get screwed using a credit card, they're
only liable for $50. Not so with bank accounts, evidently. Some of
you might think, as I did, that FDIC protections safeguard those of
us who live in the US, at least up to $100,000 (which is far, far
more coverage than this columnist needs!) Nope. Those only apply if
the bank declares bankruptcy, not if an Eastern European cracker
employed by the mob tricks me into revealing my PayPal password and
then cleans out my bank account.
Browser Problems
So phishing is a large, serious, and growing, problem. That's bad.
And then within the last few weeks we received even worse news: many
of our favorite (and some not-so-favorite) web browsers were
vulnerable to phishing using a particularly clever attack vector: the
tabs that many of us have come to know, love, and depend upon.
Secunia issued a security report detailing how most major web
browsers with the tabbed browsing feature were vulnerable to two
different vulnerabilities.
First, the browsers. Recognize any you use?
Mozilla 1.7.3
Mozilla Firefox 0.10.1
Camino 0.8
Opera 7.54
Konqueror 3.2.2-6
Netscape 7.2
Avant Browser 9.02 build 101 and 10.0 build 029
Maxthon (MyIE2) 1.1.039
That list contains several that I use on a daily basis: Firefox,
Opera, Konqueror, even Mozilla. In many cases, these are the very
latest versions of these browsers (not counting nightly builds, of
course). A cross-section of browser rendering engines - Gecko, KHTML,
Trident, Presto, and more - is represented. The major operating
systems, Linux, Mac OS X, and Windows, are represented as well.
Microsoft's Internet Explorer - at least an un-enhanced IE, since
Avant and Maxthon are just feature-laden shells wrapped around IE's
Trident rendering engine - is unaffected, but only because IE by
itself is so lacking in modern features that it doesn't even support
tabs (hey, maybe that's why Microsoft hasn't ever included support
for tabs in IE - 'cause they're concerned about security!).
Now, the vulnerabilities. One of them is pretty clever, and one of
them, I think, is a bit overstated, but I'll explain that in a second.
You have a couple of different websites open in a couple of tabs. You
open another tab and head over to a trusted website, like PayPal's.
You're on the PayPal site, when suddenly a dialog box opens,
apparently from PayPal, and asks you to enter your password and your
credit card info, "for verification purposes". You do so and keep
using the PayPal site, never realizing that it was not the PayPal tab
that spawned that dialog box, but a web site on a different, inactive
tab. To see what I'm talking about, open the demo site at Secunia
with an affected browser and follow the instructions. Very clever.
There are two problems here. First, the browser doesn't easily keep
the user informed as to which tab is responsible for the dialog box.
That's an easy fix. Second, the browser shouldn't allow inactive tabs
to spawn dialog boxes in the first place. Another easy fix. But
still - not good. Clearly, none of the organizations creating these
browsers ever envisioned such an attack. Of course, this attack will
only work if you're already on a shady web site to begin with, and if
that site knows you've gone to a site that it knows you trust, like
PayPal. As Secunia itself points out, for this sneaky stunt to work
it would "normally require that a user is tricked into opening a link
from a malicious web site to a trusted web site in a new tab".
Clearly, the likelihood of that string of events is pretty small. But
it's still clever, and it would undoubtedly get a lot of folks in
trouble if they somehow had both the "bad" and the "good" sites open
at the same time in separate tabs.
The second vulnerability strikes me as even less likely, but perhaps
I'm wrong. Let's say you have a couple of different web sites open in
a couple of tabs. You open another tab and head over to a trusted
website, like PayPal's. You type in your username and password, but
nothing shows up. You type it again. Still nothing. Assuming that
PayPal's site is temporarily borked, you close the tab and continue
on your merry way. Little do you know that everything you typed
actually went into a form on a site found on one of your other tabs.
If you want to see this in action, Secunia has a demo site up for
this one as well.
Now, this one seems quite unlikely to me, even more so than the
first. Secunia justifies the seriousness of the hole by claiming that
it "is escalated a bit by the fact that most people do not look at
the monitor while typing data into a form field", which doesn't jibe
with what I do or what I see. In my experience, most folks - not all,
but most - look at form fields while they're typing, so I think that
they would immediately notice when text isn't appearing. Further, it
doesn't matter if the text you're trying to type is actually entered
into a form field in another tab - you'd have to actually go back to
that tab, not notice that your PayPal password was sitting there in a
field, and then go ahead and press Submit and send that data to the
bad guys. I find this scenario even less likely than the one in the
first vulnerability, but maybe I'm nuts.
So here we have problems in some very popular tabbed browsers.
Secunia's advice is logical: either disable JavaScript (which will
cause problems using a vast number of web sites, so it's not likely),
or avoid opening a trusted web site in a tab when other tabs already
contain untrusted websites. OK. Not bad advice. So if you want to use
PayPal or eBay or your bank, open up a new Firefox window first. No
problem. A fix, of course, would be better.
In the usual open source tradition of fixing flaws quickly, Konqueror
released a version of the browser that was patched against the
vulnerabilities, and Firefox promised that it would be secured by the
time 1.0 is released, sometime in the next few weeks. On the other
hand, Netscape, now owned by AOL, and Avant never bothered to respond
to Secunia when it contacted them. Guess I know which browsers to
avoid.
I'm not trying to discredit Secunia or these vulnerabilities. They
are definitely problems that need to be fixed. It's just that there's
a big difference between the almost torturous series of steps
required to exploit users with these vulnerabilities as compared to
the recent IE exploit that involved simply visiting your bank's
website. However, there are other phishing vulnerabilities out there,
involving Google, for instance, that are far easier to fall for.
Undoubtedly there are many, many others, involving weaknesses in the
web sites and in the web browsers we all use every day, that will be
discovered. We need to be aware of these openings because they remind
us that phishing is not just a matter of receiving an email that's a
doppelganger for a real one from a company we do business with, but
also that phishing is increasingly going to use the vector of the
browser itself as an opening for exploitation. And that, as security
pros undoubtedly know in their bones, is going to be an even bigger
problem than duplicitous emails.
Copyright © 2004,
Scott Granneman is a senior consultant for Bryan Consulting Inc. in
St. Louis. He specializes in Internet Services and developing Web
applications for corporate, educational, and institutional clients.
All the best,
Tony P
http://myhyipworld.com
http://www.myhyipworld.com/AAI.htm
http://finance.groups.yahoo.com/group/investmentprograms
http://www.easyresponders.com/subscribe.aspx?u=1231/1490
http://finance.groups.yahoo.com/group/AAInvestors
http://finance.groups.yahoo.com/group/HYIPGames