Thursday, November 23, 2017


Whois maintainer for Asia Pacific notifies customers of an error where hashed authentication details were inadvertently available for download.
Asia's internet numbers registry let some weakly-hashed passwords into the wild
Asia's internet numbers registry APNIC has apologised to network owners after a slip in its WHOIS database config leaked credentials, including weakly-hashed passwords.…

Two Tickets as Bait

Over the previous weekend, social networks were hit with a wave of posts that falsely claimed that major airlines were giving away tickets for free. Users from all over the world became involved in this: they published posts that mentioned Emirates, Air France, Aeroflot, S7 Airline, Eva Air, Turkish Airlines, Air Asia, Air India, and other companies.
PayPal, CloudFlare, Shaw, and Whois “are involved” in attacks, Twitch claims.
He registered domains years ago, leaving personal data exposed—like lots of people.
This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim's host to the attacker's C2.
Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement, intelligence agencies and others in security-related work since it was released in 2008.

To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer.
I received the following “domain abuse notice” for one of my inactive registered domains last week: Those of us who have dealt with falsely blacklisted domains in the past have seen notices like this before.
It’s usually from an antispam vendor or service letting you know that your domain has been used in a spam attack—and they’re going to put you on one or more mailing blacklists until you resolve the problem. I hate spam blacklists.

Although well intentioned, they tend to be reports on false positives rather than domains used to send spam. Lately, antispam services and products have become quite good, and it’s a rarity for me to get these types of reports, false or not. Plus, I bought this particular name a few months ago, and it has remained completely inactive in that time. Still, I wasn’t sure whether this was a malicious email or an overly aggressive sales tactic.

To add to my confusion, I had received junk mail last week in the name of the same inactive domain.

Although I didn’t expect unsolicited junk mail, my name and personal home address can be found through any domain lookup service. Many companies and services look for newly registered domains and start sending spam or junk mail from there. Most domain registrars allow anyone to register pseudo-anonymously for that reason, though they usually charge an additional fee. I have to say, at least for a few seconds, I mostly believed the claims when I first read the email.

The domain name, domaincop.net, sounds legit enough.

The complaint is familiar.
Initially I wondered how the spammer started using my domain name to send spam—and why this particular service didn’t pick up on the fact that my domain lacked a mail exchange DNS record. I even briefly contemplated letting the domain stay blacklisted—I wasn’t using it, and I could always start unblacklisting it if I changed my mind.

But I decided that taking care of it now would make my life easier than letting whatever damage it caused stay and spread over time.

Blacklisting, if legitimate, can be a real pain to clean up. I needed to find out if the service and email was real or a scam.
I first looked at the country code of the telephone number provided in the email that supposedly led to domaincop.net.

A quick internet search revealed that the country code did not exist.

That’s a big ding against a potentially legitimate service and almost certainly, by itself, disqualifies the email.

But who knows? Perhaps the “139” was a telephone area code instead of a country code.
I kept exploring. Next, I placed my cursor over the two links listed in the email.
I love that most desktop browsers (though not all mobile browsers) will show the real link underlying the reported text before you commit to clicking on it.

As you can see below, the link reported back to www.domaincop.net, but it ended in “kerouac-judgments.” The name of a famous Beat poet and novelist did not bode well. Randomly picking words from an English dictionary is a common tactic used by phishers and spammers to bypass antiphishing and antispamming software and services. More than likely, those two randomly chosen English words were unique for my copy of the spam email and would help identify that my email address was valid if I clicked on it, which would lead to more spam and phishing emails. Next, I typed domaincop.net into a Whois query.
It returned the following information: The Whois return is full of red flags, including the “clientHold” status and the fact that the domain was created on the same day as the email was sent to me.

The clientHold status is not common on legitimate domains and essentially means enough people have complained that this domain was put on ice.

That’s enough evidence to officially call this email bogus. I did more internet searches on the domaincop.net email and came up with plenty of people who got similar messages.

After doing some research, I reached the same conclusion.

The malicious domain was put up and taken down in a few hours—gotta love the internet. Check out these related reports.

The latter link contains dozens of useful links for doing your own investigations. As an additional precaution, I called my domain registrar to inform them of the ongoing spam campaign.

They already knew what I was talking about and were on top of it.
Lessons learned
What did I learn? Maybe the additional privacy services during domain registration are worthwhile. Also, I'm glad my first personal experience with this sort of domain phishing was so easy to detect.
If the phisher had created a more authentic-looking email with fewer red flags, I might have fallen for it—although had I clicked on the link, it would have likely tried to get me to download malicious files, which I never would have done. You should always do a little investigating before blindly clicking on any email that claims to be helping you. I’m glad I did.
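The WHOIS check described above (a clientHold status and a creation date matching the day the email arrived) is easy to automate. The script below is an added example and not code from the original post; it parses a constructed WHOIS response in the key/value style most registrars return and reports those two red flags. The domain, dates and registrar in the sample record are placeholders.

```python
"""Triage a WHOIS record for the red flags the post describes.

Added example (not from the original post). It parses a constructed
WHOIS response, then flags a 'clientHold'/'serverHold' EPP status and a
creation date on or shortly before the day the suspicious email arrived.
"""
from __future__ import annotations

import re
from datetime import date, datetime

# Constructed sample WHOIS response (placeholder values, not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: SUSPICIOUS-EXAMPLE.NET
Registrar: Example Registrar, Inc.
Creation Date: 2016-08-10T14:02:31Z
Updated Date: 2016-08-10T15:40:00Z
Registry Expiry Date: 2017-08-10T14:02:31Z
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

# EPP statuses that mean the registrar or registry has frozen the name.
HOLD_STATUSES = {"clienthold", "serverhold"}


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines; repeated keys (e.g. Domain Status) keep every value."""
    record: dict[str, list[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # only the first colon separates key from value
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def epp_statuses(record: dict[str, list[str]]) -> set[str]:
    """Return the EPP status codes in lower case, dropping the trailing ICANN URL."""
    return {v.split()[0].lower() for v in record.get("domain status", []) if v}


def creation_date(record: dict[str, list[str]]) -> date | None:
    """Parse the date part of the first ISO-8601 creation timestamp, if present."""
    for value in record.get("creation date", []):
        m = re.match(r"(\d{4}-\d{2}-\d{2})", value)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return None


def red_flags(record: dict[str, list[str]], received_on: date, max_age_days: int = 7) -> list[str]:
    """List the red flags from the post: a hold status and a freshly created domain."""
    flags: list[str] = []
    held = epp_statuses(record) & HOLD_STATUSES
    if held:
        flags.append("domain is on hold: " + ", ".join(sorted(held)))
    created = creation_date(record)
    if created is None:
        flags.append("no creation date in WHOIS record")
    else:
        age = (received_on - created).days
        if 0 <= age <= max_age_days:
            flags.append(f"domain created {age} day(s) before the email arrived")
    return flags


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for flag in red_flags(rec, date(2016, 8, 10)):
        print("RED FLAG:", flag)
```

Run against the sample record with the email's receipt date, it reports both flags; a record with an "ok" status created years earlier produces none. Real WHOIS output varies by registrar, so the parser keys only on the common "Key: value" layout.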
95 per cent of the 650,000 messages not relevant
Analysis
Since igniting a political firestorm and triggering major changes in US presidential voting intentions by revealing some emails passing through Hillary Clinton's private email server had been found in an unrelated criminal investigation, the FBI has gone to ground. The US criminal investigation bureau has repeatedly refused to answer basic media questions about simple and long-established computer forensic procedures. But the math, based on detailed information previously released by the FBI, points to the conclusion that the agency will have known by Monday morning exactly how many emails found in a laptop computer seized a month ago from disgraced former New York Congressman Anthony Weiner had come from, gone to, or been copied on from the Clinton server, and how many, if any, could contain possibly classified information not already checked. The agency appears to have pushed a completely misleading number out to US media outlets, suggesting that 650,000 emails had to be checked. Comey told Congress: "The FBI cannot yet assess whether or not this material may be significant. I cannot predict how long it will take to complete this additional work."

But the FBI did not point out that of the 650,000 emails mentioned to the US media, 95 per cent could not possibly be relevant. Comey's letter to Congressional leaders, which started the whole debacle, explained that the agency could not officially look at or report on the emails without obtaining a specific new warrant.

The letter implicitly acknowledged that the agency already had copies of all the mails on its computer systems (which would normally automatically have been indexed by forensic software), bringing the Clinton connection to light. To find out how many emails on the laptop were relevant would have taken "seconds", according to e-discovery software industry experts.

To then find out how many of those – if any – the FBI had not seen in its previous investigation would, at most, have taken "minutes." Standard methods are to take and match cryptographic hashes of email files (which proves the email files identical, if the hashes match), or to match metadata and then textual content. The FBI's previous, year-long investigation into the private Clinton server finished in July, when director James B Comey reported that: "We cannot find a case that would support bringing criminal charges." As only 110 of 30,490 official emails previously examined by the FBI were found to contain classified government information, the number of previously unseen mails that had strayed onto Weiner's laptop is likely to range from zero to a few tens.
How the mess began
The laptop at the heart of the election controversy was seized on October 3 from former Congressman Weiner after a then-15-year-old girl from North Carolina had complained of sexting.

The alleged victim, now 16, has now complained vociferously that Comey had irresponsibly forced her identity into the open, exposed her to continual and continuing media harassment, and caused the abuse to continue. "You have assisted him in further victimizing me on every news outlet.
I can only assume that you saw an opportunity for political propaganda," she said. Standard forensic procedure for e-discovery in civil and criminal investigations is to make a certifiable digital copy of all media immediately after getting access, and immediately to analyse and index the contents, including buried metadata and email attachments. The software utilised in these investigations is used to handling and sifting big data, scaling up to tens of millions of files.

The global e-discovery market in software systems and services is now worth an estimated $1bn, with many companies offering sophisticated email analysis add-on systems to spot, map, network and visualise chaining, duplicates, and to provide searchable indexes. The FBI have long been leaders in this business.

As revealed by Edward Snowden, the FBI has been operating the PRISM and other systems for over ten years from its Digital Intercept Technology Unit (DITU) at its sprawling Quantico, Virginia base.

The unit annually "ingests" and analyses billions of emails intercepted from US optical fibre cables or passed on by telecommunications operators.

The critical part of the system's front end, obviously, is to spot email addresses associated with intelligence targets. But when it came to the debate, the agency's computer teams had apparently regressed to the digital stone age. The New York Times reported: "The FBI needed custom software to allow them to read Mr Weiner's emails without viewing hers.

But building that program took two weeks." Industry experts used to massive email searches in large civil cases have been scathing about the idea that the FBI's job is difficult with modern tools. Linda Sharp of ZL Technologies said: "In the scheme of e-discovery, 60,000 documents is nothing. We're used to seeing documents in the tens of millions of documents, terabytes of data." Even if you read every email, "we're not talking about a lot. 60,000 is nothing." Journalists have also become users of high-end e-discovery software to handle document dumps in recent high profile reports, such as the Panama Papers and Offshoreleaks investigations (Duncan worked as the data manager for the Offshoreleaks project of the International Consortium of Investigative Journalists).
In the Offshoreleaks investigation in 2013, two million emails were analysed and catalogued, and made available to international journalism teams on a secure server.

To find all emails from a domain takes seconds, once the gruntwork of indexing is complete – which had previously been done for Weiner's computer, to look for sexting evidence. Standard WHOIS registry records show that the clintonemail.com domain was registered on 13 January 2009.
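The matching steps the article describes (cryptographic hashes of the email files first, then metadata for copies whose bytes differ, then a filter on the domain of interest) fit in a short script. The code below is an added example, not the FBI's or any e-discovery vendor's tool; the messages, the "already examined" trove and the domain private-server.example are constructed placeholders.

```python
"""Match a newly seized mailbox against an already-examined set.

Added example (not from the article, the FBI or any vendor). Order of
checks follows the article: exact file hash, then Message-ID metadata,
then a domain filter on the addressing headers. All messages and the
domain below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
from email import message_from_string
from email.message import Message

DOMAIN = "private-server.example"  # constructed stand-in for the domain being searched

# Constructed sample .eml contents: the trove examined in the earlier investigation.
EXAMINED = [
    "Message-ID: <a1@private-server.example>\nFrom: boss@private-server.example\n"
    "To: aide@private-server.example\nSubject: Schedule\n\nMeet at 9.\n",
    "Message-ID: <a2@private-server.example>\nFrom: aide@private-server.example\n"
    "To: boss@private-server.example\nSubject: Re: Schedule\n\nOK.\n",
]

# Constructed sample: the newly seized mailbox. It holds an exact copy, a copy that
# picked up a transit header (same Message-ID, different bytes), one genuinely
# unseen message touching the domain, and unrelated mail.
SEIZED = [
    EXAMINED[0],
    "Received: from relay.example by laptop.example\n" + EXAMINED[1],
    "Message-ID: <a3@private-server.example>\nFrom: aide@private-server.example\n"
    "To: spouse@otherisp.example\nSubject: Fwd: Notes\n\nSee below.\n",
    "Message-ID: <z9@otherisp.example>\nFrom: friend@otherisp.example\n"
    "To: spouse@otherisp.example\nSubject: Dinner\n\nFriday?\n",
]


def file_hash(raw: str) -> str:
    """SHA-256 of the raw message bytes: an identical hash proves an identical file."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def message_id(msg: Message) -> str | None:
    """Message-ID survives forwarding and copying, so it catches non-identical copies."""
    mid = msg.get("Message-ID")
    return mid.strip() if mid else None


def mentions_domain(msg: Message, domain: str) -> bool:
    """True if the domain appears in any addressing header or the Message-ID."""
    fields = (msg.get(h, "") for h in ("From", "To", "Cc", "Bcc", "Message-ID"))
    return any(domain.lower() in f.lower() for f in fields)


def triage(seized: list[str], examined: list[str], domain: str) -> dict[str, int]:
    """Bucket each seized message: hash match, metadata match, unseen-in-domain, irrelevant."""
    seen_hashes = {file_hash(r) for r in examined}
    seen_ids = {message_id(message_from_string(r)) for r in examined} - {None}
    counts = {"total": 0, "hash_match": 0, "metadata_match": 0,
              "unseen_in_domain": 0, "irrelevant": 0}
    for raw in seized:
        counts["total"] += 1
        msg = message_from_string(raw)
        if file_hash(raw) in seen_hashes:
            counts["hash_match"] += 1
        elif message_id(msg) in seen_ids:
            counts["metadata_match"] += 1
        elif mentions_domain(msg, domain):
            counts["unseen_in_domain"] += 1  # the only messages that need a human
        else:
            counts["irrelevant"] += 1
    return counts


if __name__ == "__main__":
    print(triage(SEIZED, EXAMINED, DOMAIN))
```

On the constructed mailbox only one of four messages survives all three filters, which is the article's point: the bulk of a seized trove is either already seen or off-topic, and the filtering is linear in the number of files.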
She turned down the opportunity to use a standard state.gov address, and corresponded throughout her term of office as hdr22@clintonemail.com. In 2009, Clinton appointed Huma Abedin as deputy chief of staff at the State Department.
In 2010, Abedin married Weiner.

They separated this past August.

Abedin then became vice chairwoman of Hillary Clinton's 2016 Presidential campaign.

Apart from communicating with Clinton on her email, Abedin and another aide also had personal accounts on the Clinton server. The implication of the FBI's October findings is that Abedin communicated with her husband from the clintonemail domain, or copied him some of her boss's email, or even that he lifted and copied them in a domestic setting. Whichever happened, or all of them, finding those emails on Weiner's laptop will have been forensically trivial, as all will contain the unique string "clintonemail." Google it and you get it, in seconds. Republicans have form for previously making fundamental forensic errors in reporting on email data in the Clinton investigation.
In 2015, it was claimed that she had a second "secret" address on the server.
In fact, it was a new address she used after being Secretary of State.
Phoney numbers
Asked by The Reg whether it agreed that, since its own investigation into Clinton reported 62,320 emails handled on the clintonemail.com domain during her term in office as Secretary of State, and since it had already checked the 30,490 handed over by her lawyers as official, 90 per cent must be irrelevant, an FBI spokesman refused comment. The Reg asked how long it had taken them to filter the emails to select only Clinton mails, and how many had actually been found. "No comment." Do the math.

The FBI have already seen nearly half of the emails handled by the server.

The balance of emails deemed private by Clinton's lawyers is 32,740.

Even if, implausibly, the entire contents of the Clinton server had been copied to Abedin, and then on to Weiner, it is obvious that 95 per cent of the Weiner emails could not be relevant.

Commonly, two such troves contain many sets of multiple copies of the same emails, made automatically by backup and other processes. Oregon Senator Ron Wyden, a longstanding critic of FBI and NSA electronic mass surveillance, told The Reg that the FBI's "continuing leadership failures" underscore the "need for independent oversight" on surveillance, and reflected a "pattern of poor judgment" by the FBI's director. The US media have been full of hyperbole about how no effort has been spared by the FBI in its efforts to break the butterfly on their wheel.

They would "spare no resources," are working "round the clock" on "16-hour shifts," developing "new software" for the taxing task. In an internal FBI message reported by NBC, Comey is said to have told agents that it would "be misleading to the American people were we not to supplement the record.

At the same time, however, given that we don't know the significance of this newly discovered collection of emails, I don't want to create a misleading impression", he added.
Indeed. ®
New Internet Data Sets, Monitoring, and Project Features Yield Greater Context Into Attackers' Infrastructure
SAN FRANCISCO and LONDON, UK – November 1, 2016 – RiskIQ, the leader in external threat management, today announced major enhancements coming to RiskIQ PassiveTotal, its world-class threat investigation platform.

The enhancements will enable security teams to better address the massive increase in web, social, and mobile cyber threats. New features will simplify and accelerate incident investigation processes, provide external context to security alerts, and reveal threat infrastructure so organizations can accurately understand, triage, and mitigate incidents. Using RiskIQ PassiveTotal, security teams have access to the largest number of internet data sets in a single platform, allowing them to work faster and more intelligently.
In a recent survey of over 400 PassiveTotal customers, 100% of respondents said they save at least 1-3 hours a week researching threats. "PassiveTotal gives our security research team access to the most critical data sets necessary to investigate and connect threat infrastructure, all without leaving the platform," said Irena Damsky, senior director of security research at ThreatSTOP. "The intuitive new project capability and real-time alerts on infrastructure and threat elements that we're investigating make it easier for our team to continuously monitor and detect new and advanced threats." RiskIQ is recognized as a leader and received the highest score for the current offering category in The Forrester Wave™: Digital Risk Monitoring, Q3 2016. RiskIQ views threat infrastructure analysis as a core tenet of a complete DRM program.

The report put the C-suite on notice that they must address threats beyond the firewall as part of a complete security program, or “remain susceptible to a wide variety of brand, cyber, and physical risk events.” Organizations must be able to analyze and correlate the most thorough data sets available across web, social, and mobile in order to reduce their digital risk; a task made easy by PassiveTotal. With the latest release, PassiveTotal continues to strengthen RiskIQ’s platform, which uniquely combines publicly available and proprietary data sets with predictive analytics to automate the investigation processes and keep pace with the shifting threat landscape. Rather than attempt to assemble, learn, and use a myriad of tools, PassiveTotal offers an end to end platform.
Security analysts can readily pivot between extensive data sets to intelligently surface seemingly unrelated threat infrastructure to get ahead of attackers and prevent their next moves.

As a result, security staff can reduce the time to understand new threats, speed up investigations, and more effectively remediate incidents. “Organizations are moving business-critical resources from behind the protection of firewalls to the internet to enhance customer engagement and gain operational efficiency.

This exposes the company and its customers to organized threat actors and advanced persistent threats beyond conventional layered defenses," said Arian Evans, VP of product strategy at RiskIQ. "The good news for defenders is that we can show them the muddy footprints in cyberspace to help proactively address new threats and block impending attacks before they happen."
Key enhancements in PassiveTotal allow analysts and security teams to:
Predict threats forming on the internet: New monitoring capability in PassiveTotal provides analysts and threat investigators with proactive notification of changes on infrastructure they're watching or interested in, as well as the ability to set notifications on new data sets such as SSL certificate details, current and historical WHOIS registrant information, and more.
Investigate infrastructure used to launch attacks: Automatically aggregate and correlate data from passive DNS, email, SSL certificates, host pairs, web trackers, WHOIS, and comprehensive web crawling, to provide context about security events that would otherwise take an analyst days or hours of manual analysis. With the newly designed user interface, users can narrow investigations and only highlight infrastructure changes and resolutions to a specific timeframe.
Defend internet-exposed assets from attackers: Enable cyber defense project management by grouping similar infrastructure and investigation elements into sharable projects, making it easier to collaborate with other analysts and researchers. Organize responders to uncover and proactively block hidden facets of attacker infrastructure and set monitors to be made aware of new or changed infrastructure elements that may target a brand for reputation hijacking, phishing, or other malicious activity.
The new release of PassiveTotal is currently in beta and will be generally available in the coming weeks.

For more information about PassiveTotal and to sign up for free, visit www.riskiq.com/whats-new-passivetotal.
About RiskIQ
RiskIQ is a cybersecurity company that helps organizations discover and protect their external-facing known, unknown, and third-party web, mobile, and social assets.

The company’s External Threat Management platform combines a worldwide proxy and sensor network with synthetic clients that emulate users to monitor, detect, and take actions against threats. RiskIQ is used by thousands of companies including many of the Fortune 500 and leading financial institutions to protect their digital assets, users, and customers from external security threats.

The company is headquartered in San Francisco, California, and backed by growth equity firms Summit Partners and Battery Ventures. To learn more about RiskIQ, visit www.riskiq.com.
Pair abused typo blind spot to game certificate authority
Two European security researchers exploited Comodo's crappy backend systems to obtain a HTTPS certificate for a domain they do not own. That cert could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks. The infosec bods, Florian Heinz and Martin Kluge, found that the CA uses optical character recognition (OCR) software to process requests for certificates.

This image-recognition system is designed to ensure server-side certs are only sent to the registered owner of that domain. Comodo uses OCR to parse screen grabs of records from domain-name registries or registrars when verifying the ownership of a website.

Thanks to shortfalls in the OCR system used, Comodo can fail to distinguish an authentic domain name from one with similar characters (such as the number "1" instead of the letter "l") and end up giving valid certificates to owners of the fake domain. Comodo says that upon hearing from the researchers, it suspended the use of the OCR software and will be reviewing certificates it issued using the optical recognition tools between July 27 and September 28 of this year. The issue, it seems, is due to privacy protections in place on the .eu and .be domains.
In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses.
Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by a bot. Comodo, meanwhile, normally relies on the automated WHOIS lookup to verify its applications. When a person requests a certificate via email, the CA gets the contact information from the WHOIS lookup and sends a verification message to that address, at which point the applicant would click a link to verify they own that domain and obtain their certificate. When the owner's address can't be read automatically for .be and .eu domains, Comodo instead uses OCR to match the characters, and here is where the researchers found their weak point. By registering a domain name similar to that of their target (an Austrian service provider), they were able to send Comodo's application system a request for a certificate for the targeted domain.

Failing to spot the one character difference (the letter "l" and number "1"), the system errantly sent a verification email to the researchers' domain believing it to be the one listed in the WHOIS report. According to Comodo's incident report, the researchers contacted it directly on September 23 and upon verifying the issue, the OCR system was disabled.
So far, no other incidents of fake certificate registrations have been found. ®
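The failure above is a one-character confusion ("l" read as "1") between the domain under validation and the domain the OCR'd contact address pointed at. A validation pipeline that has to accept text from OCR, or from any untrusted source, can guard against exactly this by folding look-alike characters into a skeleton and refusing to treat two names as the same when only the skeletons agree. The code below is an added example and is not Comodo's code; the confusable table is a small illustrative subset, the three decision labels are this example's own, and the domains are constructed placeholders.

```python
"""Refuse a domain-validation email whose domain only looks like the requested one.

Added example (not Comodo's code). The confusable table is a deliberately
small, illustrative subset of characters that OCR and people mix up; a
production check would use a full confusables list. Domains are
constructed placeholders.
"""
from __future__ import annotations

# Single characters folded to a canonical form (illustrative subset).
CONFUSABLE_MAP = {
    "1": "l", "i": "l", "|": "l",   # l / 1 / I / | collapse together
    "0": "o",                       # O / 0
    "5": "s",                       # S / 5
    "8": "b",                       # B / 8
}
# Character pairs that read as one glyph (illustrative subset).
MULTI_CHAR = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Fold a domain name so that confusable spellings map to the same string."""
    s = name.lower()
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return "".join(CONFUSABLE_MAP.get(ch, ch) for ch in s)


def looks_alike(a: str, b: str) -> bool:
    """True when two names differ, but only by confusable characters."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a != b and skeleton(a) == skeleton(b)


def email_domain(address: str) -> str:
    """Domain part of an address, normalised for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def validation_decision(requested_domain: str, ocr_contact_email: str) -> str:
    """Decide whether a validation email may go to an OCR-derived contact address.

    Labels are this example's own:
      send-validation        exact domain match, safe to proceed automatically
      hold-confusable        differs only by look-alike characters: likely an OCR
                             misread or a look-alike registration, needs a human
      hold-external-contact  unrelated domain: confirm through a second channel
    """
    req = requested_domain.lower().rstrip(".")
    dom = email_domain(ocr_contact_email)
    if dom == req:
        return "send-validation"
    if looks_alike(dom, req):
        return "hold-confusable"
    return "hold-external-contact"


if __name__ == "__main__":
    for addr in ("admin@example-provider.at", "admin@examp1e-provider.at", "admin@mail.example"):
        print(addr, "->", validation_decision("example-provider.at", addr))
```

The decision the researchers' request would have hit is "hold-confusable": the OCR'd address domain examp1e-provider.at is byte-different from the requested example-provider.at but identical once "1" folds to "l", so the email must not be sent automatically.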