Some news, views and musing about things going on in the Information Security World.
Showing posts with label social engineering.
Tuesday, March 20, 2012
The Pwn Plug is a little white box that can hack your network
Built by a startup company called Pwnie Express, the Pwn Plug is pretty much the last thing you ever want to find on your network—unless you've hired somebody to put it there. It's a tiny computer that comes preloaded with an arsenal of hacking tools. It can be quickly plugged into any computer network and then used to access it remotely from afar. And it comes with "stealthy decal stickers"—including a little green flowerbud with the word "fresh" underneath it, that makes the device look like an air freshener—so that people won't get suspicious.
Key Words:
0-day,
hacking,
physical security,
policy,
security controls,
social engineering,
spying
Friday, March 16, 2012
Anyone can say they are part of Anonymous... unless it makes them look bad
Anonymous likes to say that anyone can be a member just by saying they are. But apparently anyone creating malware while claiming to be part of Anonymous is officially *not* part of Anonymous. Unless of course it is malware written by other members of Anonymous. This is bizarre circular thinking for folks who have been known to be far more clever in the past. What gives?
Key Words:
0-day,
Anonymous,
computer viruses,
hacking,
security controls,
social engineering,
trojan
Wednesday, November 16, 2011
Police trick 19 criminals into coming forward with free beer
Undercover officers at Derbyshire police sent letters to dozens of people who had evaded arrest asking them to ring a marketing company to collect a free crate of beer.
A total of 19 suspects fell for the hoax and called the number on the letter, which put them through to police officers based at Chesterfield Police Station.
They were told that they needed to arrange a date and time for the free alcohol to be dropped off at an agreed address.
But instead of being handed free ale the wanted men found themselves confronted by police, handcuffed and under arrest.
Tuesday, August 9, 2011
"Spam King" Surrenders.
Sanford Wallace, a.k.a. "the Spam King," has surrendered to federal law enforcement agents in California. Wallace has been charged with sending millions of spam messages to Facebook users. He allegedly tricked users into submitting their account login details. An estimated 500,000 Facebook accounts were compromised. Once he had access to compromised accounts, he accessed their friends lists and posted junk messages on their walls. Facebook won a US $711 million judgment against Wallace in 2009. Wallace faces charges of electronic mail fraud, intentional damage to a protected computer and criminal contempt. He has been released after posting US $100,000 bail.
I doubt many people are feeling sorry for him.
Sunday, August 7, 2011
Check out The INTRUDER Daily
The INTRUDER Daily is a newspaper style aggregation of information security news. Check it out!
Key Words:
0-day,
hacking,
law,
physical security,
privacy,
security controls,
social engineering,
terrorism
Tuesday, June 28, 2011
DMCA Takedown
Today we had to send out a DMCA Takedown Notice to a site that has stolen from me and my consulting firm twice in the past. Now we're in for round 3. We aren't sure what kind of nonsense game these charlatans are playing, but this time we decided an immediate takedown at the ISP level was required.
It is impossible to tell how much damage The Management Group have caused their unwitting customers. Even more pathetically, they appear to sell their lies to the US Government. I wonder if there are laws against that.
By openly stealing my content and making false claims about the origin of my published work, these guys do a disservice to all in the Information Security industry, and especially to their customers and partner organizations.
---- letter body follows ----
I am the sole copyright owner of the text content and IP rights being infringed at:
http://www.mgt-gp.com/articles/view/information-security-servicecapabilities
https://www.gsaadvantage.gov/ref_text/GS35F0658N/GS35F0658N_online.htm
The owner of these sites has been asked to remove this content twice in the past. After first claiming that he indeed is the writer of the Offensive Operations Model (a claim falsely repeated throughout the above named websites), the owner said he would remove the content and the fraudulent claims that he is the developer of the model. The Offensive Operations Model is a model I wrote in 1998 and was published by the IEEE in 2004, and is available online from many sites that do properly credit me as the author and developer. The owner of these above referenced sites has no right to abuse my copyrights in this manner. The entirety of text content on these pages was written by myself years before they appeared on these websites. After several phone calls from myself to the owner of these pages, the text disappeared only for a short time, and has at some point resurfaced with nothing more than a cosmetic makeover. This is now my THIRD time approaching these people about the offending content. I am willing to provide absolute proof via the WAYBACK MACHINE on archive.org which demonstrates clearly that the entirety of the text content of these pages was written by myself years before they began appearing on these 2 sites in question. Comparing this way shows the exact month and year that this person began stealing my work. The Offensive Operations Model that this person claims he wrote is available from the IEEE website, and of course is listed with my name as the author.
Here is a link to an article I wrote about this thievery back in 2006. You will notice the mgt-gp site is specifically referenced. The link I provided no longer works since the owner did change the URLs after I phoned him repeatedly.
http://penetrationtestdotcom.blogspot.com/2006_10_01_archive.html
Please note: At the time I initially caught this person stealing my content, there were 7 other sites infringing my content in the same manner. All sites removed the content without question, save for the owner of these two sites listed above. He is not only cheating me by claiming copyright to the Offensive Operations Model. He also cheats his customers since in our phone conversation in 2006 it was clear he didn't even know really what the Offensive Operations Model was.
This letter is official notification under the provisions of Section 512(c) of the Digital Millennium Copyright Act (“DMCA”) to effect removal of the above-reported infringements. I request that you immediately issue a cancellation message as specified in RFC 1036 for the specified postings and prevent the infringer, who is identified by its Web address, from posting the infringing text and references to the Offensive Operations Model to your servers in the future. Please be advised that law requires you, as a service provider, to “expeditiously remove or disable access to” the infringing content upon receiving this notice. Noncompliance may result in a loss of immunity for liability under the DMCA.
I have a good faith belief that use of the material in the manner complained of here is not authorized by me, the copyright holder, or the law. The information provided here is accurate to the best of my knowledge. I swear under penalty of perjury that I am the copyright holder.
Please send me at the address noted below a prompt response indicating the actions you have taken to resolve this matter. If this DMCA Takedown Notice needs to be sent to any other parties, please let me know who they are.
-----
DMCA takedown template written by attorney Carolyn E. Wright.
Key Words:
charlatans,
dmca,
law,
policy,
scam,
social engineering,
takedown
Saturday, June 18, 2011
The Amazing Orgasm Facebook scam
Sophos details the latest Facebook social engineering attack. A link purporting to be a woman having an exceptionally enthusiastic orgasm turns out to be a series of survey questions that once completed, makes money someone apparently in Finland. You'll never get to see the video. The survey questions are of the same ilk you find in connection with fake torrents.
Cleverly, the Age Verification prompt asks if you are above the age of 18 with the word "Jaa" written on the button. While Jaa appears to mean "Yes", it is actually Finnish for "Share". The trouble begins right about there.
Con artists pose as security companies in growing scam
Criminals posing as computer security engineers are having success in calling victims at home and stealing their money, according to a survey issued Thursday by Microsoft. Fifteen percent of 7,000 computer users polled in the United States, Canada, U.K. and Ireland said they have been contacted by a phone scammer, and 22 percent of those were tricked into following the fraudsters' directions, which included giving them remote access to a computer or providing credit card information. Seventy-nine percent of those suffered a financial loss as a result. Victims were out an average $875 in the United States, the survey found.
Key Words:
credit card fraud,
passwords,
scam,
security controls,
social engineering
Saturday, April 9, 2011
Condé Nast scammed out of $8 million with single spear phishing email
Condé Nast - the company that publishes popular magazines such as Vogue, GQ, Architectural Digest, Wired, Vanity Fair, and many others - has been nearly defrauded of almost $8 million with a single, well-crafted spear phishing email.
The perp was caught, but this case demonstrates how the proper use of reconnaissance can lead to an efficient, yet devastating attack.
Key Words:
hacking,
law,
scam,
security controls,
social engineering
Friday, March 4, 2011
The HBGary story keeps getting more and more interesting
Another PDF file today - But well worth the read. The more we witness the fallout from Anonymous' exploits, the more interesting it gets.
According to a letter signed by 20 members of congress, HBGary and a law firm conspired to sabotage critics of the US Chamber of Commerce - namely U.S. Chamber Watch, Change to Win, the Center for American Progress, the Service Employees International Union, and others. In their attempt to halt free speech, it seems HBGary and their crew of goons may have carried out, or at least conspired to carry out actions that violate Federal law: Forgery, Mail and Wire Fraud, and Fraud and Related Activity in Connection With Computers.
Key Words:
Anonymous,
hacking,
law,
social engineering,
spying
Saturday, February 26, 2011
Creator of the fake water-witching bomb buster has finally been arrested
Get this. Some guy converts a Star Trek water gun with a wobbly antenna into a water dowsing rod meant to sniff out bombs and anything else you want it to. And the forces in Iraq spend $120M to purchase these useless toys, jeopardizing the lives of all who were forced to put their belief in woo ahead of their will to live.
Well that guy has finally been arrested. That this device was known to be useless pretty much from the moment it was first publicized says a lot about military spending.
Key Words:
physical security,
scam,
security controls,
social engineering,
terrorism
Tuesday, February 22, 2011
Why Penetration Testers Need To Remember The Good Old Days
As a penetration test trainer to Fortune 500 companies, I often see a few students in the class zone out and stare off with glassy-eyed disinterest when I cover legacy systems and protocols. Examples of these "boring" topics include Windows NT, WEP, and ancient attacks like the 'Ping of Death'. They ask me, "Why do we need to learn this stuff when it was fixed years ago?"
The answer is simple: History repeats itself. Just like these students aren't interested in learning from the past, there is a world of developers out there that exhibit the same disinterest. They're churning out vulnerable code with all kinds of old-school vulnerabilities, and the testers, having also slept through that part of the class, barely know how to detect them.
A subject I almost never see covered in Penetration Test / Hacking type courses is the lowly modem. The rationale seems to be that modems are rarely used within the corporate environment, and when they are, a VPN is deployed. VPN security is well understood, and most (definitely not all) companies that use a VPN do utilize it reasonably well. But the VPN does not cover all the layers. The modem is still just as vulnerable to attack as always.
To demonstrate why ignoring technical pieces of our computing legacy is tragic, one just has to look at a recent case in New Hampshire. Asu Pala resurrected an ancient idea: use malware to reconfigure modems to dial through a premium rate service.
The damage? In the nearly 5 years his attack ran, Pala made himself a neat $8 million.
The fact is, old equipment and operating systems abound on the Internet, and they nearly always can be found even within organizations who push policies on eradicating them. On top of that, younger developers who do not know their security history tend to repeat the mistakes that were made before their time.
0-day attacks nearly always have some relationship to the old attacks that we like to think don't occur anymore. Penetration testers who are not acquainted with the legacy security issues are likely to be blind to them when they occur.
Key Words:
0-day,
computer viruses,
hacking,
physical security,
policy,
security controls,
social engineering,
trojan
Tuesday, September 14, 2010
Burglars Said to Have Picked Houses Based on Facebook Updates
According to New Hampshire’s WMUR Channel 9 News, three local men, Mario Rojas, Leonardo Barroso and Victor Rodriguez, have burglarized more than 18 homes in the Nashua area of New Hampshire simply by checking status updates on Facebook and then pillaging the houses of victims who announced on the social network that they were not home.
Key Words:
physical security,
social engineering,
spying,
theft
Thursday, August 19, 2010
Are You Working With a REAL Security Expert?
The attrition.org website has been posting exposés of security "veterans" who sound like they've been around the block, and seemingly single-handedly invented the information security industry. However, even some of the so-called famous experts are charlatans at best, ripping off their customers and potentially causing them more harm than good.
One example provided is Dr. Ali Jahangiri, whose entire career is so dubious that not only is his resumé in question, entire books that he has "authored" appear to have been entirely plagiarized. Much of the information is so out-of-date that it would only be of interest in a historical sense if this information wasn't already widely available on the Internet for free. Worse, they demonstrate that his Information Policy Templates, which sell for $150 / CD, are all ripped from various places freely available on the Internet, save for 2.
I don't fully agree that everyone on the list is a charlatan, though. For example, professional social engineer Ira Winkler is on the list merely for having a larger-than-life ego. It fails to recognize that extreme self-confidence is a requirement for any social engineer, which makes this hardly a surprise.
What differentiates consultants like Ali from the bad guys? If their credentials don't add up, and their work seems to be ripped off from someone else and repackaged as something new, you may have hired a thief into a position of trust. They haven't only ripped off their sources, they're also stealing your money.
Key Words:
physical security,
policy,
security controls,
social engineering,
spying,
theft
Monday, July 26, 2010
Phishers are getting smarter, and their social engineering has gotten more subtle and harder to detect
A World of Warcraft account could be a gold pot for phishers, depending on the player's achievement. In-game items are in demand and could be sold for real cash value, making WoW accounts a favorite phishing target.
An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source.
This article analyzes some of the newer techniques being employed.
Thursday, June 17, 2010
An Interesting Lie Detection Method
Forget expensive fMRI-based lie detection or iffy polygraph tests, give your suspect a pencil and paper and get them to draw what happened - a new study suggests their artistic efforts will betray whether they are telling the truth or not.
Saturday, June 5, 2010
Will your company win the competition? I hope not!
Social engineering has evidently earned a new level of respect from the hacker community: For the first time, this year's Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies -- over the telephone instead of the Internet.
Saturday, May 15, 2010
Bears In A Honey Trap
In the Bible, Delilah seduced Samson in order to discover the source of his super-human strength. When she got what she was after, she sold the information and services to the enemy. The use of sex as a spy technique of compromise is exactly what makes James Bond style movies so fun to watch.
Using sex to dig up secret information is not always the stuff of fiction and mythology. A sexy girl named Katja Gerasimova, who seems to have a sexual affinity for pro-democracy activists, just happens to also be a spy for the Russian government. Once the deed has been done, she posts her raunchy sex and drug exploits on the web in order to expose the activists publicly, making them look like petty criminals and subsequently discrediting their political affiliations.
It isn't only Russia that uses sex to dig up and exploit secret information, but also India, China, Saudi Arabia, Poland, United States, and so on.
Sunday, April 25, 2010
Using Embedded Commands in Social Engineering
Using a technique known as preloading, you can convince someone to think of something, even believing that they came up with the thought independently. The reality is that you purposely implanted the very idea in their memory. I can't get into extreme examples here in a blog format, but you already know that when I tell you do not think of a black cat, you will automatically think of a black cat. The phrase "think of a black cat" is there in the sentence you heard well before you received the reasons you should ignore it.
And statistically, you follow the embedded command without question. You ignore all the negative components and consequences, and only listen to the more simple command: think of a black cat. You then think of said lap pet animal, and think the person telling you all this is some kind of psychic freak.
This is a very simple example of a type of preloading used by social engineers to get the information or access they are seeking - subtle suggestions crafted to make a person feel they have independently come up with an answer that you planned on them providing.
Earlier tonight I was with friends at a bar, and I got an opportunity to test out a few techniques. We bought raffle tickets. However, we didn't plan on staying long enough for the draw, and I decided to give the tickets to someone else. We had 3 sequentially numbered raffle tickets, with numbers ending with 2, 3 and 4. For a little fun and social engineering practice, I played a quick game with the neighbouring table, where the winners win the tickets they correctly choose, and the losers do not. Clever.
I chose to give the valid draw tickets to a group of people if they could guess the last number of the ticket I chose for them. I expected them to get each number in order. That's a 3/4 chance to win once. However I wanted all of them to win.
Here's what transpired. I will refer to F1 and M1, a male and female pair where the female is the mother of the male, and F2 and M2, where the female and male were a couple. I'll be Me. The lady I asked first (F1) said I should ask her son (M1) first.
I held out a ticket toward M1, and I said, "okay, I have 3 tickets, and there are 4 of you. So 3 of you will properly guess the last digit of each ticket, and one will not. Tell me a number from 1 to 4. The last digit of this ticket."
He said 3, and the ticket in my hand, indeed was the one with 3 as the last digit. He accepted said ticket and I then questioned his mother, F1. "You too," I said. "Choose a number".
She said "3". Well, that threw me off a bit, but it's obviously already taken. So, I continue: "Ah, you messed it up, that number's already been chosen. M2, what is the first number you thought of?" and he said "2".
I gave him the ticket in my hand, which of course ended in 2, and said to F2, "You have a 50/50 chance. There's only 4 choices, some that have already been chosen."
She chose 4. Of course, and I handed her the final ticket, which indeed ended in a 4. They were all delighted, and were now in possession of three draw tickets they didn't have to pay for.
How did I do this so smoothly? Pay attention to the words I used to make sure I got the numbers I was expecting. Tell me a number from one, two... four. You two. There's only four...
The takeaway here? If you tell your users "Don't give your password to strangers", what is the embedded command they are more likely to have humming around in their subconscious minds? Please don't post your passwords in the comment section.