Showing posts with label fraud. Show all posts

HP Racist Webcam - Facial Recognition Far From Perfect

On the 10th of December a tongue-in-cheek demo of a failure of an HP webcam was published on YouTube. The video shows the failure of software designed to recognize the speaker's face and move the camera view so that the face is always centered.

The failure is that the software does not recognize a black person's face, while it clearly identifies the white person's face.

In the meantime several other videos have appeared that further analyze this situation. It appears that a person with very dark skin is not recognized unless the lighting conditions are perfect, since the camera cannot distinguish the facial features.

This only adds fuel to the fire in the debate over facial recognition in biometric IDs. It is now proven that facial recognition can fail miserably on a sizeable chunk of the world population.

Does this mean that black people should not use biometric IDs? What do you think?

Related posts
A Simplified Analysis - Can you Forge a Biometric ID?

Hacking Rapidshare Premium Access at Your Own Risk

A lot of people on the internet have become frustrated by Rapidshare's free-account limitations and wished that they had a premium account. Well, you actually can have such an account, but it may come at an unexpected cost: just use a Rapidshare premium link generator service.

One of those 'services' is Rapid Premium. To log in just use the public/public credential and go to the download section. In the text box paste the URL of the public-access Rapidshare link to the file you wish to download. Rapid Premium will use the stolen credentials and create a URL for you that will use a 'borrowed' Rapidshare Premium account.



As a simple test, I logged on to the service from an isolated virtual machine and downloaded a small text file. The test was performed with our own file to limit possible malicious code from Rapidshare. The file got downloaded faster, and the MD5 hash wasn't changed - so no intrusion from Rapid Premium on this one.

  • Is it useful? Probably yes. There are a lot of situations when you need a fast download, or the free download slots on Rapidshare are full just when you need something.
  • Is it legal? Most probably not. Just as a lot of these services do, this one relies on stolen Rapidshare credentials. But it's a bit safer than just obtaining such a credential from black hat forums or IRC channels, since you can always claim plausible deniability.
  • Is it safe? Most probably not. Always remember that there is no such thing as a free lunch. Services like Rapid Premium are excellent locations for all kinds of hacking attempts at the visitors - browser vulnerabilities, XSS, CSRF or anything else. So before thinking about 'hacking' Rapidshare, consider whether it really is that important to get the data a bit earlier.

Talkback and comments are most welcome

Related Posts
Ratproxy - Google Web Security Assessment Tool
How To - Malicious Web SIte Analysis Environment

Dissecting Social Engineering - Free Product Scam

Free stuff is used as a marketing or brand awareness tool, but it can also serve a much more sinister goal: it can be the tool to collect a significant amount of money via simple social engineering.

The scenario
I get offers for many products by e-mail which I mostly delete or let the spam filter take care of. But in the past week I got bombarded from several different sources regarding one apparently free product. The sheer amount of e-mails made me read through one of them. It was an announcement for a free distribution of some SEO program.

Just for fun, I clicked on the included link, and got to a page in the style of a typical social engineering 'easy money' page. Here is the analysis of such pages.
At the end of the (very long) page I got to the real deal. They need my credit card in order to send me the free program on a DVD:

  • I will be charged just shipping and handling costs for the program, which are $7 for the US and $10 internationally, and I get free access to the service for a month.
  • I will be billed $100 per month for the SERVICE after the first month. I understand that I can cancel at any time right from within the site or by just logging a ticket at www.SOMEADDRESS.TLD
Wait, if it is a FREE PROGRAM delivered on a DVD with no strings attached, they can just dump it on rapidshare and let the visitors rip.

Why would they bother with all this shipping? Here is why:

The cost of one DVD, with replication, e-mail advertising (spamming), web site setup and credit card processor charges, comes to
  • $2.76 per DVD for delivery in the US
  • $4.54 per DVD for delivery outside the US

So, based on the 'shipping and handling' charges, there is a profit margin on each DVD of
  • $4.24 per DVD for delivery in the US
  • $5.46 per DVD for delivery outside US

The DVD needs to have something useful - an advertised PROGRAM. It is some program that should improve your Search Engine Optimization and can be whipped up by a programmer within 2 weeks, following the logic rules presented in SEO books all over the Internet.
  • Cost for the software - a maximum of $1000 - on rentacoder you get that done for even less.

If 1000 people out of 50,000 e-mails bite the bait, and 1000 DVD's are distributed in US (low margin scenario), there is a profit of $3240 before taxes.

But wait, there is more!
All those 1000 people left their credit card info online in order to be charged the 'shipping and handling'. However, the agreement is that by taking this free item, these 1000 people have opted in to a monthly fee of $100 for some online service which is never really explained and can be as simple as a mailing list for 'Valuable SEO Info'. Of course, the user can opt out at any time, but for the moment he is opted in!
So, just as there are people who forget to send in their rebate vouchers, there will be people who forget to opt-out of the online service, thus getting billed the $100. I would set the percentage of forgetful people at 20%, with 25% of them having a debit card with no funds to be taken. So, out of the original 1000 people who got their wonderful DVD, we arrive at 150 credit cards that will be billed after one month.
So, apart from the initial $3240 before taxes, we get an additional $14925 before taxes.

Conclusion
The analyzed model is not a direct scam for legal purposes, since it delivers a product which is free, and you have been informed of the additional charges that will be incurred after 1 month of usage of the 'service'.
On the other hand, the product is promising a MONSTROUS income from Internet sites, which in 99.999% of cases WILL NEVER HAPPEN.
At any rate, be very careful. THERE IS NO SUCH THING AS FREE LUNCH

Talkback and comments are most welcome

Related posts
Internet Social Engineering - Avoid Con Tricks

Internet Social Engineering - Avoid Con Tricks

Most Internet marketing and sales content is a very dubious selling scheme. While not directly a security issue, all these sites have the characteristics of confidence tricks - a subset of social engineering - and merit analysis so they can be identified and avoided.
Let's use the same sequence of steps to help the visitor protect himself and differentiate real deals from scams:

  1. Analyze the content.
  2. Identify their goals.
  3. Question their promises.
1. Analyze the content:
The common characteristics of immediately visible dubious sites are:
  • No site structure or organization - everything is blasted on the title page. These sites don't have a meaningful structure, menus, links or sub-levels, nor any real readable content. They are instantly reminiscent of a commercial, where everything needs to be communicated within a time frame of 10 seconds.
  • Large and contrasting font, delivering a message sounding like "You can do this too" - The actual message varies, but always boils down to "I have done it, you can do it too".
  • Messages appealing to laziness and the promise of easy money - These sites always stress that all achievements will be made from the comfort of your home, or in your free time, or while you sleep.
  • Frequent use of key words that make the reader imagine a better future - money, saving, earning, improve, change...
  • Success or character references from unknown sources - John Doe from Down Under, SomeCounty, OtherState is thanking the author for the great success he achieved using this miraculous system. This statement is usually accompanied by an obvious clipping from a family or wedding photo of some unknown person.
  • References to "actual" weekly or daily income that should look like a real sum - The sites drop numbers which are not rounded, since rounded numbers sound too fake. Instead, you'll see a lot of $7,431.51 a week or something similar.
  • Actual images of success - Images of the site author leaning on a brand new BMW or Mercedes parked on a street or driveway in front of a mansion. Similarly, images of a large office with the author sitting at a huge desk, or an image of a beach with the author suntanning while supposedly money is pouring in.
  • Invitation to action in every second paragraph so you can start your success - Frequent occurrence of a statement like: "Just buy this for the small price of $79.99 and you'll earn within a week".

2. Identify the goal of the site:

There are 2 major goals that the authors of such sites are attempting to achieve:

  1. Sell some unknown product or service (CD/DVD/Book/Pamphlet/Training)
  2. Collect valid email data for spamming purposes or sale of targeted leads (mostly used for offers of credit by loan sharks or for real estate scams)

3. Question the promises in the offers:

As in all education about social engineering, the solution to avoid these "attacks" is to avoid implicit trust and question everything:

  • If you see an image presenting a pyramid structure of people or objects, RUN LIKE HELL - pyramid schemes don't work for you. Don't even hope they will work for you! You have much better odds at blackjack than in a pyramid scheme!
  • Are these references actually real? - Who are these people, and did they actually write the reference? Simply disregard such claims; it takes too much time to verify them and they are too easy to fake (Photoshop).
  • Do these pictures have any merit? - Last time you checked, once you lean on a parked car and take a photo of yourself, the car instantly becomes yours. Using this method, I became a proud owner of a Bentley Continental, 2 Carreras, a Lamborghini Diablo and several BMWs. Yeah, right!
  • Who actually makes $7,431.51 a week? - Very, very, very few people in the world. A person earning $19,000 per year is in the top 11% of the world population. So, yes, it is NOT possible to sit on your ass and earn that amount per week, no matter what they tell you.
  • If this product can make my car achieve 100 mpg, why isn't it on the cover of TIME magazine? - There is a process by which a real idea gets used - first you patent it, then you offer it to the big manufacturers and present it at innovation conferences. Pretty soon, SCIENCE, NATIONAL GEOGRAPHIC and a lot of others write articles about it, and the big manufacturers negotiate the purchase of the patent. If instead you find the product just on the Internet, the author is either unbelievably stupid, or he just hopes you are unbelievably stupid.
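The checklist above can be turned into a rough scoring heuristic. The following is an added example, not code from the original post: it scans plain page text for the markers listed in steps 1 and 3 (easy-money phrases, non-rounded income figures, vague testimonials, pyramid vocabulary, and a call to action in at least every second paragraph). The regexes, weights and thresholds are my own assumptions, and the two sample pages are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Weighted indicators derived from the checklist above. Patterns, weights and
# thresholds are assumptions for illustration; tune them against real pages.
INDICATORS = {
    "easy_money": (re.compile(
        r"from the comfort of your (?:own )?home|while you sleep|in your (?:free|spare) time", re.I), 2),
    "you_can_too": (re.compile(r"i (?:have )?done it|you can do (?:it|this) too", re.I), 1),
    "aspirational_words": (re.compile(
        r"\b(?:money|savings?|earn(?:ed|ing|s)?|improv(?:e|ed)|change)\b", re.I), 1),
    # Non-rounded figures per day/week/month, e.g. "$7,431.51 a week"
    "precise_income": (re.compile(
        r"\$\d{1,3}(?:,\d{3})*\.\d{2}\s+(?:a|per|every)\s+(?:day|week|month)", re.I), 3),
    "call_to_action": (re.compile(r"\b(?:just buy|buy now|order now|act now|sign up now)\b", re.I), 1),
    "pyramid": (re.compile(r"\b(?:pyramid|downline|recruit(?:ing|s|ed)?)\b", re.I), 3),
    # "John Doe from Down Under" style testimonials; case-sensitive on purpose
    "vague_testimonial": (re.compile(r"\b[A-Z][a-z]+ [A-Z](?:[a-z]+|\.) from [A-Z][a-z]+"), 1),
}
MAX_HITS_PER_INDICATOR = 3  # cap so one repeated phrase cannot dominate the score


@dataclass
class ConTrickReport:
    score: int
    hits: dict
    verdict: str


def score_page(text: str) -> ConTrickReport:
    """Score plain page text against the con-trick checklist and return a verdict."""
    hits = {}
    score = 0
    for name, (pattern, weight) in INDICATORS.items():
        n = len(pattern.findall(text))
        hits[name] = n
        score += weight * min(n, MAX_HITS_PER_INDICATOR)
    # "Invitation to action in every second paragraph": flag when at least half
    # of the paragraphs contain a call to action.
    paragraphs = [p for p in re.split(r"\n\s*\n", text) if p.strip()]
    cta = INDICATORS["call_to_action"][0]
    cta_paragraphs = sum(1 for p in paragraphs if cta.search(p))
    hits["cta_paragraph_ratio"] = round(cta_paragraphs / len(paragraphs), 2) if paragraphs else 0.0
    if len(paragraphs) >= 2 and cta_paragraphs * 2 >= len(paragraphs):
        score += 2
    if score >= 8:
        verdict = "likely con trick"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "low"
    return ConTrickReport(score, hits, verdict)


# Constructed sample pages (not real sites) used to exercise the heuristic.
SCAM_PAGE = """I have done it and YOU CAN DO IT TOO! Work from the comfort of your home, in your spare time, even while you sleep.

Last week I earned $7,431.51 a week using this system. Just buy now for only $79.99 and start earning today!

John Doe from Down Under writes: "This changed my life. I recruit new members every day." Order now!

Act now - this offer is for serious people who want money, real money."""

LEGIT_PAGE = """Product documentation

Acme Backup Agent 2.4 is a command line tool for scheduled, encrypted backups.

Installation
Download the package for your platform and verify the signature before installing.

Pricing
A single workstation licence costs $49.00 per year. Volume discounts are available; contact sales for a quote."""

if __name__ == "__main__":
    for label, page in (("scam", SCAM_PAGE), ("legit", LEGIT_PAGE)):
        report = score_page(page)
        print(f"{label}: score={report.score} verdict={report.verdict} hits={report.hits}")
```

A keyword heuristic like this only catches the crude pages the post describes; it is a triage aid for a mail or proxy filter, not a verdict. The cap on hits per indicator keeps a single repeated phrase from inflating the score, and the paragraph-ratio feature captures the "call to action every second paragraph" pattern that raw keyword counts miss.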
Related posts
Preventing Online Credit Card Theft - Revisited
Control Delegated Responsibility


Talkback and comments are most welcome

Nobody's safe - Google's personal data stolen

Here is another example that even the largest companies are not safe from information security breaches, especially when using partner companies with weaker security:

According to a report by ZDNet Australia, an undisclosed number of personal data records were stolen from Colt Express Outsourcing Services.

The company provided HR services for Google, CNET and other large companies - the stolen records are of employees of these companies. The breach was actually a physical burglary, but obviously targeting data instead of funds.

Actually, according to a statement made by the CEO of Colt Express Outsourcing Services, they are in financial difficulty, so the MOST VALUABLE ASSET they had was the personal records of employees of large companies.

While measures are being taken to protect the employees from identity theft and fraud, it becomes apparent that companies need to strongly address not only their security, but the security of their partners.
The Citibank incident, where the PINs were most probably stolen from a partner company, also underlines the same requirement.

To reiterate the protective measures which, although not foolproof, do minimize the risk to your business and personnel:

  • Always agree on security levels for infrastructures and processes of your business partners.
  • Make periodic audits that the agreed levels are respected and enforced.
  • Maintain vigilance on your information in the wild - the faster you identify that some information is in the wild, the less impact it will have on your business.

Related posts
Risk of losing backup media - real example

Citibank PIN Heist - Sources of Security Breach

8 Tips for Securing from the Security expert

Talkback and comments are most welcome

Control Delegated Responsibility

It is a common practice in corporations to delegate certain responsibilities down the chain of command. However, when such delegation is left unchecked by any formal or technical mechanism, it can be abused.


Here is an example scenario:

I was looking into a DNS configuration for a company DemoCorp, to assist in proper set-up. DemoCorp is outsourcing the DNS service to their ISP, and I was tasked to verify that all is OK.

As part of the process, I did a reverse lookup of all IP addresses published in the company's domain to check whether reverse lookup is correctly set up. DemoCorp is publishing the following hosts:

  • smtp - for SMTP delivery, as an SMTP relay and antivirus host, pointing to 10.10.5.1
  • mail - for e-mail , and is pointing to 10.10.8.1
  • pop3 - for pop3 access, if someone forgets the generic mail host, and is pointing to 10.10.8.1
  • www - for the web site, and is pointing to 10.10.12.10
  • www1 - which they use for testing purposes and is pointing to 192.168.10.15

When I did a reverse lookup of 192.168.10.15 I got a very peculiar response:

  • On the first query, the IP address 192.168.10.15 resolved to www1.democorp1.com, as expected. But from then on, things went downhill:
  • On the second query, the IP address 192.168.10.15 resolved to http://www.other_domain.com/
  • On the third, it resolved to http://www.some_other_domain.net/...
  • and this went on for another 5 domains.
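The check described above (repeat the PTR query for every published address and compare each answer with the names you actually publish) is easy to automate. The following is an added example, not the author's tooling: `audit_reverse_dns` takes a forward table and a PTR lookup function, queries each address several times, and flags addresses whose reverse answers rotate through names outside the published set or are missing altogether. To keep it runnable offline, `RotatingPtrResolver` is a constructed stand-in that reproduces the round-robin behaviour the post describes; the `.example` domain names and the `system_ptr` wrapper around `socket.gethostbyaddr` are assumptions, and the latter is what you would pass in for a real audit.

```python
import socket
from collections import Counter

# Constructed forward records mirroring the DemoCorp host list in the post.
FORWARD = {
    "smtp.democorp.com": "10.10.5.1",
    "mail.democorp.com": "10.10.8.1",
    "pop3.democorp.com": "10.10.8.1",
    "www.democorp.com": "10.10.12.10",
    "www1.democorp.com": "192.168.10.15",
}

# Constructed PTR data: 192.168.10.15 rotates through unrelated names on
# successive queries, as in the post. The foreign names are placeholders.
PTR_SAMPLE = {
    "10.10.5.1": ["smtp.democorp.com."],
    "10.10.8.1": ["mail.democorp.com."],
    "10.10.12.10": ["www.democorp.com."],
    "192.168.10.15": ["www1.democorp.com.",
                      "www.other-domain.example.",
                      "www.some-other-domain.example."],
}


class RotatingPtrResolver:
    """Stand-in resolver whose PTR answer rotates on each query (constructed)."""

    def __init__(self, ptr_table):
        self._ptr = {ip: list(names) for ip, names in ptr_table.items()}
        self._pos = Counter()

    def ptr(self, ip):
        names = self._ptr.get(ip)
        if not names:
            raise LookupError(f"no PTR for {ip}")
        name = names[self._pos[ip] % len(names)]
        self._pos[ip] += 1
        return name


def system_ptr(ip):
    """Real PTR lookup through the OS resolver (assumed; not used offline)."""
    return socket.gethostbyaddr(ip)[0]


def audit_reverse_dns(forward, ptr_lookup, queries=8):
    """Query the PTR record of every published address `queries` times and report
    addresses whose reverse answers are missing or name hosts we do not publish."""
    published = {}
    for host, ip in forward.items():
        published.setdefault(ip, set()).add(host.lower())
    findings = {}
    for ip, expected in published.items():
        seen = []
        for _ in range(queries):
            try:
                seen.append(ptr_lookup(ip).rstrip(".").lower())
            except (LookupError, OSError):
                seen.append(None)
        distinct = {name for name in seen if name}
        foreign = distinct - expected
        if None in seen:
            status = "no-ptr"
        elif foreign:
            status = "foreign-names"
        else:
            status = "ok"
        findings[ip] = {
            "expected": sorted(expected),
            "answers": sorted(distinct),
            "foreign": sorted(foreign),
            "status": status,
        }
    return findings


if __name__ == "__main__":
    # Swap RotatingPtrResolver(PTR_SAMPLE).ptr for system_ptr to audit real records.
    for ip, finding in audit_reverse_dns(FORWARD, RotatingPtrResolver(PTR_SAMPLE).ptr).items():
        print(ip, finding["status"], finding["foreign"])
```

Querying each address more than once is the point: a single lookup of 192.168.10.15 returns the expected name and would have hidden the problem. In practice, run this against the ISP's authoritative servers rather than a caching resolver, and treat every "foreign-names" result as something to reconcile with whoever holds the registration contract.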

All the other domains had nothing to do with DemoCorp; some even resembled companies from other industries with no affiliation to DemoCorp. Suspecting an error at the provider, I did a WHOIS check of all peculiar domains in the query to identify their owner. The registrant was DemoCorp's ISP, but the Administrative Contact was indeed DemoCorp.

It is not unusual for a company to reserve domains for future use, so I consulted the CTO of DemoCorp.

Indeed, DemoCorp had the strategy to reserve domains, and for that reason they had an open contract with the ISP to register domains and provide hosting in the name of Democorp.

But with further verification with the Chief Marketing Officer, it was concluded that the domains under scrutiny were not planned for products, nor were requested by the business.

The responsibility to communicate with the ISP was delegated to a senior systems administrator in IT, but he was on vacation and couldn't be consulted.

I explained that this may be an error at the ISP, so the CTO called up the ISP and asked for an explanation. The response was received within 15 minutes, so I was still present to witness it. The response shocked everyone present in the CTO's office:

  • The ISP produced requests for registration of all domain names, received as scanned documents via e-mail from DemoCorp's mail server.
  • All scans were signed by the delegated senior systems administrator.
  • All registrations were invoiced on the open contract for domain registration.
  • The ISP also produced the headers of all e-mails through which the requests were sent. A simple check confirmed that they were indeed sent from the IP address and hostname of the delegated system admin.
  • An informal call followed from the account manager of the ISP. She explained that they had also received other registration requests, matched with de-registration requests in which the domains were made available to other companies. She was preparing the full documentation for delivery.

At this point, I excused myself, since what was going to happen next was an entirely internal matter.

Analysis:

Obviously, the job of administrative and technical contact was given to the System Admin because higher management trusted him.

  • The problem was that there was no control or second authority to monitor or verify his activities, probably because it was deemed a safe and cheap service. This gave the System Admin the freedom to capture and sell domains. Since he did this at the expense and in the name of DemoCorp, he tarnished the reputation of the company, and probably earned them legal actions for brand theft.
  • Furthermore, this escalated another issue: the incident was caused by a Systems Admin - a person who can access any amount of confidential business data without much control. So unless the audit system of DemoCorp is very good, what other illegal activities were carried out by the system admin will probably remain an unanswered question.

Conclusion:

Delegation of authority is a good corporate practice. But full and utter trust is bad corporate practice. So, delegation of authority should always be paired with audit, verification and/or oversight controls.


Talkback and comments are most welcome

Preventing Online Credit Card Theft - Revisited

Online Credit Card Theft is a very old and frequently discussed topic. And yet, a lot of people in the world are still victims to credit card theft. So, in a brief morning post, here are several simple pointers to minimize the risk of online theft.

  1. NEVER respond to e-mails claiming to be from your bank and requesting ANY account or personal information. Also, NEVER click on links contained in such mails.
  2. NEVER give out information when receiving a telephone call from someone claiming to be from your bank and asking for account or personal information.
  3. Alert your bank of all attempts described above - When reporting, don't press reply on a received e-mail. Call the bank's official phone number - printed on your credit card.
  4. Buy from reputable sources - although there may be better deals at a smaller store's site, when exposing your credit card information online, use a trusted online store.
  5. Use a dedicated debit card for online purchases - Leave a minimal amount of funds on it, and don't use it for everyday purchases. When purchasing online, plan a day ahead and put some money on the debit card. Put just a little more than the amount of money needed for the purchase. This way, you'll spend it immediately, and if the card data is stolen, the hackers can't use it - it has virtually no balance.
  6. In case of actual theft, treat it as any other crime - Immediately inform the authorities and the store where you suspect your credit card info was stolen. The authorities will send an expert forensic team to analyze your equipment, as well as follow the money trail.
  7. Ask your bank to assist you in tracing the funds - This may have to be done by the authorities, but the bank will always comply. An extremely common error that hackers make is to transfer the money to their own accounts, or to purchase something very traceable (passing through customs, or having DHL tracking).
Related posts
Personal Data Protection - Anonymizing John Doe

Talkback and comments are most welcome
