Sunday, August 28, 2016

Phishing spam e-mail that harvests Hotmail users' e-mail accounts using a Canada Revenue Agency INTERAC e-mail deposit as a lure ("Canada Revenue Agency sent you $214.17 (CAD)")



CanadaCyber has identified a recent e-mail phishing attack targeting Canadian Hotmail users.
The e-mail arrives with one of these subject lines:

"You received INTERAC e-Transfer" or "You received a tax refund"
The e-mail looks like this on a phone and then on a laptop.





The e-mail is simple: you get a message that looks like a standard INTERAC e-mail money transfer, something many Canadians are accustomed to. The amount, $214.17, is also the kind of figure many Canadian families are used to receiving from the federal government, from GST credits to child benefits.
When you click the "Deposit your money" link, it forwards you to a page that asks for your password. When you enter it, the page collects your password and then moves you to the next stage of the attack.
At this stage you think all is well, because you see what looks like the normal Government of Canada web site. You then go on to enter more information, such as your PII (personally identifiable information) and banking details. After that you are thanked; at this point the attacker has all of your information. You are then redirected to the real Canada Revenue Agency website. So now they have your password and all of your details.

The e-mail itself has an embedded PNG image, ejuiceejuice.com/image/data/etransfer2. Interestingly, the server hosting this image is different from the one hosting the landing page. This could be because the attacker is simply linking to the file directly, or because he is using different servers for different jobs; either way it makes a takedown much harder, as you have to contact three different providers.

The screenshot above shows the landing page for the first stage. It sends you to http://support.cra.interac.taxid-423.redapp244.com/secure/index.php?em=somename@hotmail.com; from the URL we can see this is not hotmail.com or outlook.com. A DNS lookup on the hostname resolves to 217.160.0.192, a 1&1 shared hosting account that hosts almost 1,500 websites. Any of these websites could have been exploited to do this, but it is likely that redapp244.com was compromised and the attacker created a subdomain named support.cra.interac.taxid-. On a mobile device this would fool most users, as it does look like it is the CRA.
 


In the second stage we see the attacker trying to mimic/clone a real CRA page; they even change the page title to match. In both the first and second stages the attacker used the landing-page server for the link redirection and the content.


Now we analyze the e-mail by looking at its source:


We see it came from a shaw.ca cable IP address, 24.70.214.97, in Calgary; this could be the attacker or a compromised workstation working on his behalf. We then see it going to smtp-out-so.shaw.ca at 64.59.136.138, also in Calgary. We suspect this server allows mail relaying from trusted IPs, as the source IP is on the shaw.ca network.



This is the first mistake Shaw.ca made: it trusted its internal users' IP range. Shaw.ca also did not verify the e-mail sender; the X-SID-PRA header was notif482@grs.trustwave.com, which is clearly not a Shaw domain name or a Shaw e-mail sub-domain. This is even more dangerous because an average user who looks up www.trustwave.com sees a legitimate security business, something that later helps convince the victim to click the link that will harvest his password.

Again, this is because Shaw does not verify the sender e-mail address, so the mail servers it uses simply forward the e-mail even when the sender is forged.
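The same checks applied mechanically, as an added example that is not part of the original post: a constructed copy of the message, assembled from the headers and link described above, is parsed and flagged when the asserted sender domain is not one the relaying provider (shaw.ca) sends for, when a link carries brand words such as cra or interac as subdomain labels of an unrelated registered domain, and when the victim's address is pre-filled in the URL. The domain lists and the two-label registered-domain approximation are assumptions of the example.

```python
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, urlparse

# Constructed sample, assembled from the headers and link described in the post (not the real message)
RAW_EMAIL = """\
Received: from [24.70.214.97] by smtp-out-so.shaw.ca (64.59.136.138)
From: Canada Revenue Agency <notif482@grs.trustwave.com>
X-SID-PRA: notif482@grs.trustwave.com
To: somename@hotmail.com
Subject: You received INTERAC e-Transfer
Content-Type: text/plain

Canada Revenue Agency sent you $214.17 (CAD).
Deposit your money: http://support.cra.interac.taxid-423.redapp244.com/secure/index.php?em=somename@hotmail.com
"""

RELAY_DOMAINS = {"shaw.ca"}                           # assumed: domains the relaying MTA should send for
BRAND_DOMAINS = {"canada.ca", "gc.ca", "interac.ca"}  # assumed: where these brand words legitimately live
BRAND_WORDS = ("cra", "interac", "hotmail", "outlook")
URL_RX = re.compile(r'https?://[^\s<>"]+')

def registered_domain(host):
    # Two-label approximation; a production check would consult the Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

def sender_mismatch(msg):
    """True when the asserted sender (X-SID-PRA, else From) is not a relay-provider domain."""
    sender = msg.get("X-SID-PRA") or msg.get("From", "")
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    return not any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)

def suspicious_links(body):
    """Flag brand words used as subdomain labels of a non-brand domain, and e-mail addresses in the query."""
    findings = []
    for url in URL_RX.findall(body):
        parts = urlparse(url)
        host = parts.hostname or ""
        subdomain_labels = host.lower().split(".")[:-2]
        if registered_domain(host) not in BRAND_DOMAINS and any(w in subdomain_labels for w in BRAND_WORDS):
            findings.append(("brand-in-subdomain", host))
        if any("@" in v for values in parse_qs(parts.query).values() for v in values):
            findings.append(("victim-email-in-url", host))
    return findings

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    return {"sender_mismatch": sender_mismatch(msg), "links": suspicious_links(msg.get_content())}

if __name__ == "__main__":
    print(triage(RAW_EMAIL))
```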

The e-mail is crafted to gain your trust first. After it collects the most valuable item, your PASSWORD, it moves on, knowing you might give away even more: your PII, address, name and banking info, anything they need to fully steal your identity.

Canada Cyber also submitted the URL to VirusTotal, and only Google Safe Browsing identified it as malicious: https://www.virustotal.com/en-gb/url/26ae24d8a6e5bdad3cdf9bf8bbf8c78dbe89b4d4df96fb058f526a7bde680be1/analysis/1472437103/


This new attack is similar to this one: http://globalnews.ca/news/1900959/canada-revenue-agency-warns-of-recent-scam-involving-money-transfers/


CanadaCyber 
 





Wednesday, August 17, 2016

Intelligent IDS: A CanadaCyber perspective

What is an Intrusion Detection System (IDS)? We will not cover the very technical definitions of IDS;
however, we will mention the industry-standard definitions.



Institute says: Intrusion detection can be defined as "...the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource; more specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls." Did you get what they are trying to explain, rather than define? Good!
NIST says: "Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices." Did you get what they are trying to explain, rather than define? Hmm, better?

Okay, let us explain what an IDS is: "It's nothing but a mechanism that helps you detect something abnormal, i.e. an intrusion into the defined boundaries that constitute a system." To detect something abnormal, you must first teach your IDS what is abnormal so it can detect any abnormality.

This teaching part is the methodology on which your intrusion detection system works.

Intrusion Detection Methodology

Generally, there are three methodologies that can be used to drive an intrusion detection system. Intrusion detection systems are normally built on one of these methodologies, or sometimes on a combination of them.
The three methodologies are:
  • Stateful protocol analysis
  • Anomaly based detection
  • Signature based detection

Signature Based Detection
This is the simplest and a very effective method of detecting known threats. A signature is a pattern that corresponds to a known threat; signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly Based Detection
Anomaly-based detection is the process of comparing definitions of activity considered normal against observed events in order to identify significant deviations. Anomaly-based intrusion detection systems use profiles that represent the normal behavior of users, hosts, network connections or applications; these profiles are developed by monitoring typical activity over a period of time.

The major benefit of the anomaly-based methodology is that it can be very effective at detecting previously unknown threats; for instance, it can detect a computer infected with a new type of malware.
Signature-based detection, by contrast, cannot detect previously unknown threats, because no signature exists for them yet.

Stateful Protocol Analysis
Unlike anomaly-based intrusion detection systems, which use host- or network-specific profiles, the stateful protocol analysis methodology relies on comprehensive vendor-developed profiles that define how particular protocols should and should not be used.

Therefore, we can define stateful protocol analysis as a process that compares observed protocol activity against predetermined profiles of generally accepted protocol definitions to identify deviations.
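As an added illustration (not code from the original post), here is a small Python comparison of the three methodologies over constructed sample events: a signature rule catches the known SQL-injection pattern, a baseline profile flags the unusual upload volume that has no signature, and a minimal stateful HTTP rule flags a server reply with no preceding request on its session. The events, the signature list, the baseline window and the 3-sigma threshold are all assumptions of the example.

```python
import re
from statistics import mean, pstdev

# Constructed sample events, not real traffic: (session id, payload excerpt, bytes sent by the client)
BASELINE = [("s1", "GET /index.html", 1200), ("s2", "GET /about.html", 1100),
            ("s3", "GET /news.html", 1300), ("s4", "GET /contact.html", 1150)]
OBSERVED = [("s5", "GET /login.php?u=admin' OR 1=1--", 1250),  # known pattern: caught by a signature
            ("s6", "POST /upload.php", 90000),                   # no signature, but far outside the profile
            ("s7", "HTTP/1.1 200 OK", 500)]                      # server reply with no request on this session

# Signature-based: patterns that correspond to known threats (assumed, illustrative rules)
SIGNATURES = {"sqli-or-1=1": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
              "path-traversal": re.compile(r"\.\./")}

def signature_hits(payload):
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# Anomaly-based: a profile of normal client volume learned from a baseline window
def build_profile(events):
    sizes = [size for _, _, size in events]
    return mean(sizes), pstdev(sizes)

def is_anomalous(size, profile, k=3.0):
    mu, sigma = profile
    return size > mu + k * sigma          # flag anything beyond k standard deviations of the profile

# Stateful protocol analysis: a minimal HTTP rule, a reply is only acceptable after a request
def protocol_violation(state, session, payload):
    if payload.startswith(("GET ", "POST ")):
        state[session] = "request_seen"
        return False
    if payload.startswith("HTTP/"):
        return state.get(session) != "request_seen"
    return False

def analyze(baseline, observed):
    profile, state, alerts = build_profile(baseline), {}, []
    for session, payload, size in observed:
        alerts += [(session, "signature", name) for name in signature_hits(payload)]
        if is_anomalous(size, profile):
            alerts.append((session, "anomaly", "bytes-out"))
        if protocol_violation(state, session, payload):
            alerts.append((session, "protocol", "response-before-request"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(BASELINE, OBSERVED):
        print(alert)
```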

The Types of Intrusion Detection & Prevention Systems
So far, we have spoken about the methods on which these systems work. IDS & IPS are also categorized into different types based on the kinds of intrusions they monitor:
  • Network Based
  • Wireless
  • Network Behavior Analysis
  • Host Based
The most common and most widely used are host-based and network-based intrusion detection systems, and in our workshop we will talk about a network-based intrusion detection system, i.e. Snort!

Host Based Intrusion Detection System (HIDS)
Host-based intrusion detection attempts to identify unauthorized, illicit and anomalous behavior on a specific device only, rather than on a network.
HIDS generally involves an agent installed on each system that monitors and alerts on local OS and application activity, using a combination of signatures, rules and heuristics to identify unauthorized activity. The role of a host IDS is passive: it only gathers, identifies, logs and alerts.

Network Based Intrusion Detection System (NIDS)
Network-based intrusion detection identifies unauthorized, illicit and anomalous behavior based solely on network traffic.
A NIDS uses a network tap, SPAN port or hub to collect the packets that traverse a given network, and analyzes the captured data to flag any suspicious traffic. An intrusion detection system does not actively block network traffic.

What is an Intrusion Prevention System?
So far, we have mostly explained intrusion detection systems. If you have a clear concept of how an intrusion detection system works, then it is much easier to understand how an intrusion prevention system works.
An intrusion prevention system is one step ahead of an intrusion detection system: the role of an intrusion prevention system is to stop the intrusion, whereas an intrusion detection system only alerts when there is an intrusion.
"Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with network- and host-based intrusion detection systems." One thing we do not like about IPS systems is their ability to deny legitimate traffic when a false positive happens.

Architecture of Intrusion Detection & Prevention Systems

The main question is how these systems are designed and how they actually work. The architecture of an intrusion detection system comprises several key components.

Architecture components

There are four (4) main components of the architecture:
  • Sensor or Agent
  • Database server
  • Management Server
  • Console
Sensors
Their job is to monitor and analyze activities. The term sensor is typically used for both intrusion detection and prevention systems that monitor networks. There can be multiple sensors configured within one network, depending on the network architecture.

Management Server
A management server is a device that works centrally, receiving the information from the sensors and managing them.

Database Server
Its job is to store the event information recorded by the sensors. This information is later used for reporting and for performing different analyses for security purposes.

Console
The console provides access to the intrusion detection and prevention system; you can think of it as the interface for administration and related tasks.
Most consoles offer many features to assist administrators in their daily tasks. For example, most consoles offer drill-down capabilities, meaning that when a user examines an alert, more details and information are available in layers; consoles also draw graphs that are more presentable to senior management.

At Canada Cyber we usually deploy all of these components on one physical or virtual server. We do this because we are a service you contract, and we manage all of the components within our sensor. We also deal with businesses that usually have fewer than 2,000 employees, meaning the network load is not too heavy for one physical device.

It is important to understand that we offer something no one else does: an intelligent point of view. Our security team understands the global security threat landscape and can identify strange network patterns, something no hardware alone can ever give you. Because we understand your business, we can identify the threats that will affect you.

This is why we ask you about the bandwidth of your network: what is the average throughput, and what is the sustained session count of your network connection. This helps us determine what is best to install at the edge of your network.

What is usually logged or detected by IDS & IPS
This can be customized based on the type and features of your device. Generally, intrusion detection and prevention systems store the following types of information:

  • Timestamp (usually date and time)
  • Connection or session ID (typically a consecutive or unique number assigned to each TCP connection, or to like groups of packets for connectionless protocols)
  • Event or alert type.
  • Rating (e.g., importance, severity, impact, confidence)
  • Network, transport, and application layer protocols
  • Source and destination IP addresses
  • Source and destination TCP or UDP ports, or ICMP types and codes
  • Total bytes transmitted over the connection
  • Interpreted payload data, such as application requests and responses
  • State-related information (e.g., real username)
  • We can also set it to record everything; think of it as a video camera system for your network.

Always keep your sensor up to date
It is important to ensure that your intrusion detection and prevention systems are up to date with the newest feed released by your vendor. This can include software updates and fixes for the IDS or IPS itself, or new signature updates to detect newer threats and attack vectors. An intrusion detection or prevention system without the latest feeds cannot help you secure your network or systems. That is why we offer it as a managed service.

This concludes the introduction to the types, architecture and methodologies of which intrusion detection and prevention systems are generally comprised.

We at Canada Cyber employ a blend of these products, from open source to enterprise-grade systems, giving us an optimal system that benefits from both the open source community and the commercial options.

Wednesday, March 16, 2016

OpenWRT WIFI Detect

If you run OpenWrt on an x86 system, this is the best way to get Wi-Fi working after you install the drivers, and to get it to show up in LuCI.

Just run

rm /etc/config/wireless


This will erase the existing wireless configuration file.

wifi detect > /etc/config/wireless

This will detect the correct Wi-Fi configuration for your hardware and write it to the wireless file.




Sunday, March 13, 2016

Free iPhone 6 SCAM: "Congratulations Bell Canada User! Your Desktop has Won (1) Google Gift!"




Canada Cyber has detected a scam promising you a free iPhone 6, as long as you answer the four questions that follow ("Congratulations Bell Canada User! Your Desktop has Won (1) Google Gift!").

No one is going to give you free things. So never be fooled.



So we decided to play along and follow the questions. After answering the four easy questions about Google correctly, a pop-up form congratulates you again and informs you that you have reserved yourself an iPhone 6. But to get it you must pay $1.0 CDN for DHL shipping of the phone.
When you click OK, you are then redirected to another website that asks for your credit card and address.
This is a typical scam that uses your geolocation and provider only to make it look real. It also uses some clever social engineering, making you think you earned the prize by answering four easy questions.
It then uses the idea of a small amount, only $1.0, to make you think it is so cheap, why not just put in my credit card info.