Fake Dropbox password reset

Wednesday, October 23rd, 2013 | Mark Bedford | Comments Off on Fake Dropbox password reset

There are reports of a recent spam campaign that tries to deceive Dropbox users into resetting their passwords but instead leads them to malware. Dropbox, a popular cloud storage service, does sometimes reset users’ passwords when they haven’t been changed for a while. It DOESN’T send an advisory email, though; instead, it requires a password reset at its website before a new computer, phone, tablet, or API app can be linked.

The spam has quite a convincing message along the lines of

Hello <user>
We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven;t changed long time already. Your old password has expired and you’ll need to create a new one to log in.

Please visit the page to update your password

Clicking on the link takes the user to a suspicious-looking page hosted on a .ru (Russian) domain that tries to pass itself off as a Microsoft site, offering several downloads for non-Microsoft browsers. All very suspicious.

So if you have followed our tips on how to detect phishing emails, you will have caught on to their ruse and saved yourself some grief.

Patching Java

Monday, October 21st, 2013 | Mark Bedford | Comments Off on Patching Java

Oracle has settled on a quarterly patch cycle for not only its database products but also Java. I have yet to decide if this is good or bad, as I really would like to see a shorter update period to reduce the time that an unpatched vulnerability exists in the wild. The release notes for 7u45 are here.

The schedule is:
14 January 2014
15 April 2014
15 July 2014
14 October 2014

Cyber Attackers Access 72,000 Confidential Employee Details

Thursday, August 1st, 2013 | Mark Bedford | Comments Off on Cyber Attackers Access 72,000 Confidential Employee Details

On 22nd July the University of Delaware was the target of a criminal attack on one of its systems. The criminals were able to steal files containing 72,000 names, addresses and other personally identifiable information for past, present and student employees. After taking immediate corrective action, the University is working with the Federal Bureau of Investigation and Mandiant to determine the scope of the attack. The University has indicated that the attackers used a vulnerability in software acquired from an unnamed vendor.

Oracle releases Java updates

Wednesday, June 26th, 2013 | Mark Bedford | Comments Off on Oracle releases Java updates

Oracle Fixes 40 Vulnerabilities in Java.
On Tuesday, June 18, Oracle issued a Critical Patch Update for Java 7 for Mac and for Windows. It fixes 40 security issues and also enables online certificate revocation checking by default. On the same day, Apple issued an updated version of Java 6 for OS X Snow Leopard, Lion, and Mountain Lion. Snow Leopard users cannot upgrade to Java 7.

Content Management System Plugin Patching

Tuesday, April 30th, 2013 | Mark Bedford | Comments Off on Content Management System Plugin Patching

Over the past several months there has been an uptick in the number of web sites running Content Management Systems that have been compromised. Systems like WordPress, Joomla and Drupal have all been targeted. Site administrators struggle to keep their CMSs patched and almost never remember to include all the plugins that are in use. In many cases a plugin vulnerability can do just as much evil as a vulnerability in the core CMS. Because the maintenance and support of plugins vary so widely, plugin vulnerabilities and updates are often not monitored or reported.

A couple of very popular plugins, WP Super Cache and W3 Total Cache, recently announced serious vulnerabilities that allow an attacker to execute arbitrary PHP on the server. So take care of the plugins that you deploy, and if you no longer need them, uninstall them.

A primer on phishing emails

Thursday, January 31st, 2013 | Gene Teo | Comments Off on A primer on phishing emails

I’ve put up some basic information about detecting phishing emails. The outlook is not bleak, as some would expect. Based on internal data, over 98% of recipients do not respond to phishing emails.

In a few days I’ll put up some examples of actual phishing emails, and point out the features that betray their malicious intent. There will also be an article on more technical methods of analysing suspicious emails.

Vacation phishing tips

Wednesday, November 28th, 2012 | Mark Bedford | Comments Off on Vacation phishing tips

With Christmas just around the corner many people will be ordering from overseas. As part of the online ordering process many companies use email to confirm orders and provide updates. The spammers know this and take advantage of the increase in this type of email by sending out their “wares” hoping to catch people. Most anti-spam systems do a very good job of blocking these, but some still get through.

Common threads among phishing emails to watch out for include:

    unfamiliar transaction report from a familiar business
    an attachment with no explanation in the message body
    “phishing” or asking for your email password
    asking you to “log in” to obtain something

Looking into the messages’ headers can prove helpful, but this is a little more technical and is best covered elsewhere. So enjoy the festive season and remember not to respond to emails from companies that you didn’t order from.

Down or Not?

Wednesday, October 10th, 2012 | Jim Cheetham | Comments Off on Down or Not?

Here, this looks like a good joke … downornot.com is down!

Except of course, it isn’t down …

Or perhaps it is …

So, is DownorNot.com down, or not?

The problem here is that the meaning of “it” in the phrase “is it up or down?” is different each time. For the human, “it” is the service provided by the website, and that service is certainly non-functional (it looks like the website’s usage of the Google AppEngine service has gone over quota; and the developer who wrote their website didn’t anticipate this error. In this case, we would also anticipate that the service behind the website is also broken at the moment, whereas often a service and a website are separate). For isitup.org, “it” seems to be the initial contact with the site’s webserver, which is responsible for handling the HTTP conversation. For downforeveryoneorjustforme.com, “it” is the same thing, the webserver and not the application, but they are going a couple of steps further, following the redirections and noticing that the final page is delivered with an error status … and in this case, the failure of the application is reflected in the webserver status code. It doesn’t have to be.

Let’s ask isitup.org again, but this time go straight to www.downornot.com instead of just downornot.com …

So, if you are monitoring or testing a service, make very very sure that you understand what the question “Is it up?” is supposed to mean — and this depends on who is asking. Then, make very sure that you understand how your monitoring tools work, what you are asking them to do, and how to interpret them. Obviously, this isn’t as easy as it sounds …
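The three meanings of “it” described above can be made explicit in a single check. This is an added example, not code from the original post or from any of the sites mentioned: it reports (1) whether the webserver accepts a TCP connection, (2) the status of the first HTTP response, and (3) the status of the final page after following redirects, so that the disagreement between the tools becomes visible. The hostnames and status codes used in the `__main__` default are placeholders, not a record of what those sites actually returned.

```python
import socket
import http.client
from urllib.parse import urlparse, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def tcp_reachable(host, port=80, timeout=3.0):
    """Meaning 1 of "up": the webserver completes a TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_head(url, timeout=3.0):
    """One HTTP HEAD request, no redirect following.
    Returns (status, Location header or None)."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def follow(url, fetch=fetch_head, max_hops=5):
    """Meaning 2 of "up": follow redirects, return (final_status, chain).
    final_status is None when the chain does not terminate within max_hops."""
    chain = []
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((url, status))
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # relative Locations are resolved too
            continue
        return status, chain
    return None, chain

def assess(url, fetch=fetch_head, connect=tcp_reachable):
    """Answer "is it up?" three ways; fetch/connect are injectable for testing."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    first_status, _ = fetch(url)
    final_status, chain = follow(url, fetch)
    return {
        "tcp_up": connect(u.hostname, port),                          # isitup.org-style view
        "first_hop_ok": first_status is not None and first_status < 400,
        "final_ok": final_status is not None and final_status < 400,  # follows redirects to the end
        "chain": chain,
    }

if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"))
```

Even `final_ok` only reflects what the webserver chose to put in the status code; an application that returns 200 with an error page in the body still needs a content check.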

If you are not careful, this is what you end up with :-

The future of computer threat response

Thursday, August 23rd, 2012 | Jim Cheetham | Comments Off on The future of computer threat response

Dan Geer is a voice in the IT Security world that should be listened to, and he has co-authored a short but intense article in the IEEE S&P Cleartext column that addresses the reality of the rapidly-changing threats that we all face.

“Stand Your Ground” has a few key messages, which I’ll try to summarise :-

  • Minimise the number of targets; stop adding new services without effective defences, remove old services. Use the savings to fund better security for what remains.
  • Distrust the internal network; distrust any service that is not continually verified. Defend against outbound traffic as well as inbound traffic.
  • Do not assume perfection is possible; plan for failure modes that reduce services sensibly. Reduce the time-to-repair with automation instead of extending the mean-time-between-failure.

For more reading and a less technical take on these ideas, here’s another article about Dan’s thoughts from Ben Tomhave, a GRC (Governance, Risk & Compliance) consultant.


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.