Monday, December 27, 2021

The Infosec Tower of Babel

If you’re God then confusion makes sense. Making people say the same thing in different languages was effective risk management when it came to shutting down the Tower of Babel APT gang. All of the babbling fools had a problem. What if you saw a loose brick that a co-worker was about to step on, and he would surely fall to his death if he did? You yell out “STOP, the brick is loose,” but in his language you said, “Get me a sandwich.” Well, he tried to. He even landed right in front of the cafeteria, but he never got up again. That’s the problem: if you don’t use the same words to describe the same thing, then you’ll never get your sandwich.

Time and time again in the infosec world I hear people call vulnerabilities exploits, exploits vulnerabilities, and call payloads either exploits or vulnerabilities. And so, as a public service, and to prevent you from incurring the wrath of God, I’m going to explain the differences between vulnerabilities, exploits, and payloads while I tell you all about the Windows vulnerability I found, how I exploited it, and the unexpected payload. Well, it wasn’t unexpected to my wife, but she knows what I’m capable of.
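To pin the three words down before you read the SecureIQLab post, here is a constructed example (mine, not code from the post and not the Windows issue it refers to, which this page does not describe): a deliberately vulnerable Python renderer, the exploit that reaches the flaw, and two interchangeable payloads. The `Config`, `Report` and `render_report` names, and the "secret" value, are all hypothetical.

```python
# Added illustration of vulnerability vs. exploit vs. payload.
# Everything here is constructed; none of it is the post's own finding.

class Config:
    """Hypothetical application config holding a secret users must never see."""
    def __init__(self):
        self.api_key = "sk-example-not-a-real-key"   # constructed value


class Report:
    """Hypothetical object handed to the renderer; cfg is reachable by attribute."""
    def __init__(self, title, cfg):
        self.title = title
        self.cfg = cfg


# --- Vulnerability: the flaw itself ----------------------------------------
# str.format lets a format string walk attributes ("{report.cfg.api_key}"),
# so handing it an attacker-controlled template is the bug.
def render_report(template, report):
    return template.format(report=report)          # VULNERABLE on purpose


# --- Exploit: the technique that reaches the flaw --------------------------
# The exploit is the attribute-traversal format string. It is the same no
# matter what the attacker wants to read; only the payload changes.
def build_exploit(payload_expr):
    return "{report." + payload_expr + "}"


# --- Payloads: what the exploit is made to do once it works ----------------
PAYLOAD_BENIGN = "title"             # reads what the feature was meant to expose
PAYLOAD_LEAK_SECRET = "cfg.api_key"  # walks into the config object


def run_against_vulnerable(payload_expr):
    """Deliver the exploit with the chosen payload to the vulnerable renderer."""
    report = Report("Q4 numbers", Config())
    return render_report(build_exploit(payload_expr), report)


# --- Fix: remove the vulnerability and the exploit has nothing to reach ----
def render_report_hardened(template, report):
    # Only an explicit allow-list of plain fields is exposed; no object traversal.
    fields = {"title": report.title}
    return template.format_map(fields)


def hardened_blocks(payload_expr):
    """True if the hardened renderer refuses the exploit carrying this payload."""
    report = Report("Q4 numbers", Config())
    try:
        render_report_hardened(build_exploit(payload_expr), report)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print(run_against_vulnerable(PAYLOAD_BENIGN))       # Q4 numbers
    print(run_against_vulnerable(PAYLOAD_LEAK_SECRET))  # the secret leaks
    print(hardened_blocks(PAYLOAD_LEAK_SECRET))         # True
```

The point the terminology makes: patching the vulnerability (the unchecked template) kills every exploit that depends on it, whatever payload it carries, whereas blocking one payload string leaves the flaw, and the exploit, intact.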

Check out my latest SecureIQLab blog at https://secureiqlab.com/vulnerabilities-exploits-and-payloads/

Friday, December 24, 2021

Amazon Caught Scamming Consumers - Cyber Criminals Are Good Teachers

As a public service, it would be really cool if you shared this specific blog post. You can copy and paste it; you don't have to send people here. You can put it on your own website if you want. I don't even care if I get attribution. It's not about promoting my blog, it's about holding scAmazon accountable.

Don't worry, no chain will be broken that results in galactic destruction if you don't share it. Just please consider sharing after you read the blog. If you have any questions, I'll be happy to answer them.

Thanks in advance

I’ve seen a lot of phish in my time. Sometimes they appear to come from Amazon, but this time the phishing attack was designed and delivered by Amazon. If after reading this you know of others who have had the same experience, please put them in touch with me. There may be grounds for a class action lawsuit.

Even though I talk about my experience, bear in mind that this Amazon scam was probably sent to thousands, if not tens of thousands of people, and almost certainly virtually everyone who tried to avail themselves of the offer was a victim of Amazon's deliberate false advertising. This isn't just about me.

Moving on,

·       Calling the email I received from Amazon a “social engineering attack” is accurate

·       Calling the email I received from Amazon “deceptive advertising” is accurate

·       Calling the email I received from Amazon “false advertising” is accurate

·       Calling the email I received from Amazon a scam is also accurate

·       Calling the email I received from Amazon phishing is subjective, but conceptually accurate

Calling the email I received from Amazon a phish is somewhat subjective and based upon a definition of phishing that you may or may not agree with. I can accept arguments either way. If you accept a definition that includes an email-based social engineering attack designed to trick a person into doing something they otherwise wouldn’t, for the sole purpose of financial gain, then it is fair to say Amazon engages in phishing. Regardless, as you’ll see, Amazon, AKA Scamazon, used an email-based social engineering attack to engage in false and deceptive advertising.

Make no mistake. I am talking about a genuine Amazon email scam and not a different cyber criminal's scam. Amazon is better at it.

Let’s take a quick look at the incident I refer to. It’s different from other deceptive advertising related to one or more lawsuits that Amazon is facing.

This is the offer I received. Just like any scam email, there’s a glaring disconnect in the information. Still, I signed up for the business account. The following will show it was a social engineering attack and that Amazon never had any intention of honoring the offer.

The offer clearly states: You will be eligible to redeem this offer 48 hours after business verification using promo code HOLIDAYAB40. It also says “Register & redeem today.” Since it does say “see terms for more information,” it’s conceivable that there would be a situation in which you would have expedited promo redemption abilities, but no, it was the old add-urgency-for-immediate-action con.

This is the message included as an inducement to get consumers to open business accounts. Amazon has studied the tactics of illegal scammers, and cherry-picked what they thought would work best for their specific application.

You might be inclined to say the inconsistent language was an error, but Amazon's customer service representatives leave no doubt that it is a scam by design.

I did read the terms and conditions. They also contradict the email. The terms and conditions say that the promo code must be redeemed within 48 hours of verification rather than after 48 hours. I did try to redeem the offer less than 48 hours after verification, and that resulted in a message indicating that the code was not valid. Obviously, the bold print in the email was correct and the code would be valid 48 hours after verification, right? Wrong. Figuring that the email was accurate I waited until after 48 hours passed to try again. Still, I got a message saying that the code was not valid. There was demonstrably never any intention to ever honor the offer. The deception regarding when the promo code could be used would have scammed every single person who tried to use it in accordance with the email offer.

I reached out to “customer service” and was advised that I had waited too long to redeem the offer. At this point an honest company, obviously not Amazon, would have honored the offer when they discovered they were at fault for the confusion. But it wasn’t confusion, it was a craftily planned, and well-executed scam. Amazon customer service even indicated that the information I gave them is accurate. There can be no denying that there was never any intention on Amazon’s part to honor the offer.

Aside from reaching out to Amazon’s CS (criminal service) Department, I have reached out to Amazon’s general counsel (David Zapolsky) to see if he condones this illegal behavior. I have not received a response yet; however, he may be out on vacation. It is that time of year. I have also reached out to Amazon’s Neil Lindsay to see if Amazon wants to provide a statement to include in this blog. Until November 2021, Neil was the SVP of Amazon Prime and Marketing before moving into the role of SVP of Health and Brand. If it’s not his department he’ll know which Amazon department to congratulate for the successful scam. The day that Nathan Strauss in Amazon’s corporate communications department viewed my LinkedIn profile, I reached out to him and offered to let Amazon provide a statement for the blog. We’ll see if they decide to.

Meanwhile, it is clear that Amazon is deliberately scamming consumers. It’s in their DNA.

If you know somebody who has been scammed by Amazon, please have them contact me. It would be good to aggregate data about Amazon’s false advertising and social engineering attacks to pass along to the FTC. You could of course tweet “I was scammed by @amazon too @FTC.” This will ensure the FTC sees at least some of the extent of Amazon’s illegal activities. There is a distinct possibility that Amazon will claim it is an error and send out new promo codes AFTER holiday sales are over. Doing so would be how Amazon tries to convince the FTC that it was an honest error and increase profits based upon the success of the scam. Amazon wanted to get people to sign up for business accounts, but not be able to use the promo code while major sales were happening, if ever. It saves Amazon a lot of money to scam now and say “oops” later. Of course, if I'm wrong, Amazon will replace the promo codes with 50 to 60 percent off in order to compensate their scam victims properly, but don't count on it. Jim Morrison is more likely to host next year's Grammy Awards ceremony than Amazon is to do the right thing.

I can be contacted at @randyab on Twitter, or https://www.linkedin.com/in/randy-abrams-ba24391/. I have a LinkedIn Premium Membership, so you should be able to message me even if we aren’t connected. You can leave a moderated comment for me here, either commenting on the post or for a private conversation, but Google’s notification of comments seems to be hit and miss.

Before wrapping up, let me show you one other example of Amazon’s dirty tricks. Look carefully at the images below.

Did you notice the 512MB (yes megabyte) card in the list? Amazon is counting on the phenomenon of the eyes seeing what is expected. The card is inexpensive enough that many people won’t bother with returning it, and if they didn’t use it right away, they can’t return it. The reason that 20% of the reviews of the card are one star is because people were deceived by Amazon’s dirty tricks.

This lawsuit is closely related to the dirty trick shown above. 

https://www.paloaltoonline.com/news/2021/03/30/amazon-settles-claims-of-false-advertising-unfair-competition-for-2m

So, this holiday season, as you are diligently watching out for phishing attacks and other scams, don't fall for Amazon's promotional offer scam either.

The views and opinions presented are my own, reflect Amazon's practices, and do not reflect the views and opinions of my employer. My views and opinions in this matter are probably the same views and opinions as most, if not all people who received the same Amazon scam email.

Randy Abrams

Amazon’s best buddy

Friday, August 6, 2021

Web Application Firewalls: What Are They and What Do You Test For?

 Hi Folks,

I've been remiss in letting you know about new blogs that are no longer new. So, let's catch up.

Did you know that WAF stands for web application firewall? Acronyms can be confusing, and as you will see, it took me a while to figure out why we at SecureIQLab are testing them. If you check out WAF or Gaffe: Comparing Cloud Web Application Firewalls you'll understand my confusion. That said, they are an important security technology and SecureIQLab is about to release our test results. A quick read of the blog will give you some information about the security threats that WAFs are supposed to protect you from.

Incidentally, in the early days of firewalls, some people tried to explain them using the firewall in a car as an analogy. Nowadays, in the age of "intelligent" vehicles, it might be getting close to time for automotive WAFs, but that isn't part of the blog.



Wednesday, April 21, 2021

If You’re Going to Get SASE Then We Can’t Be Trusted

Don’t take it personal. I trust you with everything but the network, internet, computer, phone, web browser, or anything you can put in a USB jack except epoxy (USB lava lamps excepted), or anything else required to do your job. Those of you in the know are asking why it took 40 words to say zero trust. Simple, it was all a setup for the lava lamps.

SASE wasn’t a typo; I didn’t mean sassy. SASE stands for secure access service edge. SASE is a security model designed to address cloud security. The zero trust model is just one component of SASE. As I explain SASE I will devote a blog to each of the concepts that make up a SASE model. In my most recent blog at SecureIQLab I talk about zero trust. As I point out in the blog, zero trust means “trust but verify.”

Don’t trust that the blog actually exists, verify it for yourself!

Randy Abrams

The SPAMfighter Security Threat

While looking for a company or researcher who might want my spam samples to help train their AI systems, I stumbled across a product called SPAMfighter. I’m going to assume that the people behind SPAMfighter are not evil, just dangerously unqualified to touch anything related to security.

So, what’s wrong with SPAMfighter? SPAMfighter uses crowdsourcing and an untrained AI system to identify spam. Once a user flags an email as spam, all of the customers are protected... or are they? I mean, what could possibly go wrong? Here’s what.

If an email is incorrectly flagged as spam by a customer, there’s no undo. There is no mechanism to report false positives. The email address is forever blocked and the account owner doesn’t know that their email is being flagged as spam. Note: “blocked” is SPAMfighter’s terminology for sending email to the spam folder.

Let me describe a scenario. You and I have a falling out. I have email from you from the good old days when you still bought me beer. I dig up one of your emails, right-click and choose “Block.” Tada! Your email is blocked for all of SPAMfighter’s customers. The odds are that I’m the only person you know who uses SPAMfighter, at least until after this blog is posted, so it’s not a big deal for you. But it can be seriously harmful to SPAMfighter’s user base. And that’s not one of the more interesting scenarios.

Let’s say I’m mad at my bank… yeah, you see where this is going. Don’t worry, evidently somebody else was mad at my bank… SPAMfighter blocked my bank’s email. Here’s just one of the problems that creates. I, and many other people, get an email when there is an online credit card transaction. Obviously, time is of the essence if the charge was fraudulent, but most people are unlikely to check their spam folder promptly unless they are expecting an email that hasn’t shown up.

It does get better. Let’s say I’m mad at a massage spa chain (I won’t say which one). I get an email from them and I select Block to get them classified as spam. Since the spas are franchised, they each have their own unique domain name. Whew, at least the rest of the franchises won’t become acceptable collateral damage. Well, you’d think not, but as it happens the spa chain’s emails don’t come from the franchises or from headquarters. Here’s what would happen if I flagged their email. Like 12,000+ other businesses in over 50 countries, the spa uses an industry-specific service from Zenoti. The promotional emails are sent from a zenoti.com email address. Yep, one or two clicks, and 12,000+ other businesses are negatively impacted or potentially in harm’s way. This is truly as simple as attack tools get.

Shall we talk about the emails from .gov domains? Yep, .gov, bankofamerica.com, aarp.org, xfinity.com, linkedin.com, twitter.com, newyorker.com, nytimes.com, offcedepot.com, costco.com, homedepot.com, wordpress.com, gmail.com, amazon.com, uhc.com(healthcare), trinet.com(healthcare), virusbulletin.com, aavar.org, lastpass.com, eset.com, eccouncil.org, google.com, and some closed security lists that I am not at liberty to divulge. Note that google.com is not the same as gmail.com. Google sends very important security related emails from the google.com domain.

SPAMfighter claims to use AI in addition to their dangerously reckless crowd sourcing model. Some of the domains blocked were definitely from their “AI” implementation. False positives are very common when training AI systems and sometimes whitelisting is in order to compensate for dangerous system deficiencies. Unfortunately, SPAMfighter appears to have no intent to remediate the serious security flaws in their system. I have offered on multiple occasions to create a large whitelist for them. There has never been a reply to my emails.
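To make the design flaw in the two scenarios above concrete, here is an added simulation (my own code, not SPAMfighter’s, whose internals this post does not show) of a crowd-sourced blocklist. `NaiveCrowdFilter` models the behaviour described: one customer’s Block hides a sender domain from every customer, with no appeal. `HardenedCrowdFilter` is one way a vendor could keep the crowd signal without the blast radius: the click always applies to the reporter’s own mailbox, it only goes global after a quorum of distinct reporters, allow-listed domains never go global, and a confirmed false positive clears the entry. The addresses and recipients are constructed sample data; `zenoti.example` stands in for the shared sending platform the post describes.

```python
from collections import defaultdict

# Constructed sample traffic: (sender, recipient). Two unrelated businesses
# send through the same platform address, as the post describes for Zenoti;
# the bank address stands in for time-sensitive transactional mail.
SAMPLE_MAIL = [
    ("promo@zenoti.example", "alice"),   # spa franchise, via shared platform
    ("promo@zenoti.example", "bob"),     # unrelated business, same platform
    ("alerts@bank.example", "alice"),    # card-transaction alert
    ("alerts@bank.example", "carol"),
]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


class NaiveCrowdFilter:
    """Models the behaviour the post describes: one customer's Block marks the
    sender's domain as spam for every customer, forever, with no appeal."""

    def __init__(self):
        self.blocked_domains = set()

    def block(self, reporter, sender):
        self.blocked_domains.add(sender_domain(sender))

    def is_spam(self, recipient, sender):
        return sender_domain(sender) in self.blocked_domains


class HardenedCrowdFilter:
    """Hardened alternative (hypothetical design, not any vendor's)."""

    def __init__(self, quorum=5, allowlist=()):
        self.quorum = quorum
        self.allowlist = {d.lower() for d in allowlist}
        self.personal = defaultdict(set)    # recipient -> senders they blocked
        self.reporters = defaultdict(set)   # sender -> distinct reporters
        self.cleared = set()                # senders cleared as false positives

    def block(self, reporter, sender):
        sender = sender.lower()
        self.personal[reporter].add(sender)     # always honoured for the clicker
        self.reporters[sender].add(reporter)    # counted once per distinct user

    def clear_false_positive(self, sender):
        # The undo the post says is missing: wipe the global signal, but leave
        # each user's own personal block in place.
        sender = sender.lower()
        self.cleared.add(sender)
        self.reporters.pop(sender, None)

    def is_spam(self, recipient, sender):
        sender = sender.lower()
        if sender in self.personal[recipient]:
            return True                     # the reporter's own choice stands
        if sender_domain(sender) in self.allowlist or sender in self.cleared:
            return False                    # never global for critical senders
        return len(self.reporters[sender]) >= self.quorum


def hidden_recipients(filter_obj):
    """Which sample recipients would have mail diverted under this filter."""
    return {rcpt for snd, rcpt in SAMPLE_MAIL if filter_obj.is_spam(rcpt, snd)}


def one_click_collateral(filter_obj, reporter, sender):
    """Recipients affected after a single Block click by one user."""
    filter_obj.block(reporter, sender)
    return hidden_recipients(filter_obj)


if __name__ == "__main__":
    print(one_click_collateral(NaiveCrowdFilter(), "alice", "promo@zenoti.example"))
    hardened = HardenedCrowdFilter(quorum=3, allowlist=["bank.example"])
    print(one_click_collateral(hardened, "alice", "promo@zenoti.example"))
```

Two things worth noticing when you run it. First, even the hardened filter can still be driven to a global block on a shared platform address by a handful of colluding accounts, which is why the allow-list of known transactional and platform senders matters as much as the quorum. Second, the quorum counts distinct reporters, not clicks, so one angry customer mashing Block does not get closer to the threshold.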

Typically, I would not ask security companies to take action against a vendor for designing a product that the Oxford Dictionary could use as the definition of “gross incompetence,” but in this case the product can cause serious financial harm, create a threat to their customers’ health, and block security-related information, and they have no interest in fixing their problems. This includes the inability to have mis-detections remedied and a lack of commitment to remedy their dangerous system.

It should be noted that Twitter has suspended the SPAMfighter account.


It is due to these reasons, and the fact that SPAMfighter, like SubSeven, is a powerful attack tool that is far too easily abused to bring harm to millions of users, that I call upon the antimalware industry to detect SPAMfighter and SPAMfighter Pro as potentially dangerous or potentially unwanted applications.

Incidentally, if any of you, or someone you know wants my growing spam collection to improve anti-spam applications and research, just let me know. I will not publish comments concerning suggested contacts without explicit permission.

Randy Abrams
Opinions are my own, facts are facts.

Thursday, March 18, 2021

If You’re Not Going To Take Privacy Seriously Then Why Should I?

I am reminded of an old joke. I’m old so those are the only jokes I know.

The head brew masters for Coors, Budweiser, and Guinness are at a conference. At the end of the day, they go to the bar. When the bartender asks what they’ll have, the Coors brew master says “I’ll have a Coors, made from Rocky Mountain spring water.” The Budweiser brew master says “I’ll have a Budweiser, the king of beers!” The Guinness brew master orders a Coke. The other two look at the Guinness brew master and ask why he isn’t having beer. He replies “If you’re not having beer then neither will I.” There’s a man who takes his beer more seriously than most people take their privacy.

In my newest blog at SecureIQLab, I discuss the disconnect between many people’s actions and their sometimes irrational privacy concerns, such as fear of Covid tracking apps. Biometric privacy and security risks are real, but do you submit to biometric data capture when you have a choice not to? I end with a little guidance about what should go into a decision when choosing what privacy risk to accept and what to reject.

Essentially it comes down to choosing between cats and privacy. Cats are the only reason the Internet exists, yet once you go online to look at cat videos, especially on YouTube, kiss your privacy goodbye. Choose wisely.

Randy Abrams
Senior Security Analyst (that’s Señor Security Analyst to you)
SecureIQLab

Tuesday, March 9, 2021

Have You Noticed A Pattern To My Blogging?

Some of you may have noticed that I frequently go for long periods of time without blogging. That means I’m employed. When I’m not employed then I have time to blog here.

So now I’m blogging for my employer, SecureIQLab. If you don’t want to wait until I am unemployed again to read my blogs, here are three I’ve written recently.

From Supply Chain to Kill Chain: Biometric Security is a look at some of the ways biometric systems can be attacked. Supply chain attacks are the launchpad for many breaches. For biometric devices this can be problematic. But there’s more…

A couple of years ago I was tasked with writing an article about biometric privacy. 200 hours of research later I had tested every breathalyzer on the market. Well, not really since I just thought of that research. Maybe we can have a beer and breathalyzer club and do Zoom meetings with B&B (Beer and breathalyzers).

Ok, actually the most interesting thing I found was that in Illinois people can sue their own employer into bankruptcy for violations of the Illinois Biometric Information Privacy Act. It’s not just for employers, Facebook settled for $650 million for BIPA violations. Anyway, privacy legislation is getting stricter and the number of states that have such laws or will have them is increasing.

Pretty much anyone considering using biometrics for commercial purposes needs to stay on top of things to avoid costly mistakes. The Illinois BIPA is not at all hard to comply with, and other such laws in other states are easy to comply with, but you have to know what they are and what is required for compliance. It’s good for consumers to know what protections they have as well. Come on over and take a look at some Biometric Legal Implications. This isn’t a law school class and I’m not a lawyer, so there are no parties of any part, no binding arbitration agreements, and it doesn’t cost $500/hour to read it either. 

Next up!

Yes indeed, The Supply Chain Looks Like a Bunny Rabbit With a Drum. Well, what can I say? The Rabbit of Caerbannog has nothing on the Energizer Bunny, Sony, the Russians, or stupid ideas like a Wi-Fi water kettle and networked fish aquarium thermometers in casinos! Seriously, one stupid unsecured refrigerator can spoil your company’s security. Any questions?

Finally

GoDaddy gave a world-class lesson on how to f*ck user security awareness training, encourage insider attacks, and put your customer at increased risk. I explain in Inciting Supply Chain Attacks GoDaddy Style

I hope you’ll pop over and take a look!

Cheers,

Randy Abrams
Senior Security Analyst and Rabbit Whisperer
SecureIQLab

 

Saturday, April 25, 2020

COVID-19 Has Been Confirmed To Cause AUC (Acutely Uninformed Comparisons)


You’ve all heard it: There are more deaths due to car accidents than to COVID-19, but we don’t shut down the economy due to lethal car accidents. Or, we didn’t shut down the economy due to SARS, MERS, or Justin Bieber. And people nod their heads as if these are rational comparisons, all the while oblivious to the concepts of research and analytical thinking.

Let’s start with the SARS comparison. I start with SARS because I once had a moped and the brakes worked just fine. Moped brakes are also far less expensive than the brakes used on 18-wheelers. If moped brakes are good enough for a moped, then no semi should need more than moped brakes to stop it. Now that we have established that the same brakes which are appropriate for mopeds are undeniably suitable for 18-wheelers, we can demonstrate that the response to COVID-19 should be identical to the response to SARS.

In 2003, there were approximately 8,100 confirmed cases of SARS and about 750 deaths—worldwide. We’re talking about a whole year of cases and the entire world. In the first 3 months of 2020, there were more than 55,000 confirmed cases of COVID-19 . . . in New York alone. Not in the world, not in the US, not even in the Northeast. 55,000 cases in New York alone. I know, I know, those numbers are so close; I’m clearly splitting hairs. Obviously, the response to COVID should mirror the response to SARS. (Where are those damned moped brakes when you need them?) But comparing New York to the world is like comparing apples to moped brakes. Let’s go worldwide. In less than four months, we’re talking about 2.8 million confirmed COVID-19 cases worldwide—roughly equivalent to 8,100, right? The 195,000 confirmed COVID-19-related deaths worldwide is essentially equal to 750 deaths, and therefore, the response should be roughly equivalent. Give me a minute, I need to go hoard moped brakes.

I’m back. Where did I leave off? Oh yeah, MERS, which is a disease that is known to have infected 2 people in the United States. Both cases were in 2014. Neither victim spread the disease to their families or to healthcare workers. Since 2012, there have been 2,494 confirmed MERS cases (worldwide), 857 deaths attributed to MERS (worldwide), and 27 countries known to have had MERS cases. So far, over 200 countries have reported cases of COVID-19. Yeah, you guessed it . . . that’s also roughly equivalent to 27.

Let’s pick up the pace a bit. Just like the COVID-19 infection rate, cars go really fast. OK, the Datsun B210 didn’t, but let’s ignore that one.

The response to COVID-19 is aimed at flattening the curve and putting it on a declining trajectory.  How have we been doing when it comes to the car conundrum?


Since about 1973, the number of deaths per year in the US due to traffic accidents has trended downward even as the population and the billions of vehicle miles traveled (VMT) per year have grown rapidly, so the number of deaths per million people and per ten billion VMT has shown an incredible decline. Around 1973, there were approximately 260 traffic fatalities per million people. Since 2005, the number of traffic fatalities per million people has not exceeded 150, and since 2010 it has not exceeded 120 per million people.





Still, the body count is significant and must not be dismissed. Body count is the gross number of deaths, not the net number which would be the number of deaths due to car accidents minus the number of lives saved due to the use of cars to transport people to hospitals, doctor’s offices, drug stores, etc. Now how about the net number of deaths directly attributable to COVID-19 minus the sum of the lives saved by COVID-19? Yeah, the net is essentially equal to the gross. If you are going to gauge the appropriateness of response based upon deaths, then the net is the relevant number as the basis of comparison.

Now let’s look at cars. I don’t have a source for numbers, nor do I know where to find one—but I haven’t searched particularly hard either. We know that cars are used to get people medical care, both proactive and reactive, which saves lives. While I don’t have an official number, it’s inconceivable that it is less than highly significant. I really don’t have time to extrapolate from statistics the number of lives saved by early detection using procedures that are not typically performed at home and that do not typically require an ambulance for transportation. I do not include trips requiring ambulances because they would be considered essential, and therefore allowed.

How about the flu? Of all of the comparisons I have heard, comparing our reaction to COVID-19 to the flu is the closest to rational that I have heard—at least this is comparing fruit to fruit. But it is still deeply flawed to compare the mortality rate of pre-existing seasonal flus to COVID-19. It does not take into account the fact that COVID-19 numbers are significantly reduced because we have taken drastic actions, and even with these actions, we are getting quite close to the number of other flu fatalities per year. It is true that the numbers vary from season to season. Even with extreme measures taken, COVID-19 is proving more lethal in 2020 than influenza has been in many years, and the number is still growing rapidly. There are vaccines for seasonal flus, but not for COVID-19. I haven’t even touched on things like incubation periods, asymptomism (is that a word?), availability of tests, and turnaround time for test results.

Bonus question! Of SARS, MERS, H1N1, and cars, which has caused global shortages of ventilators, N95 respirator masks, and widespread infection of healthcare workers? According to the CDC, 19% of those who are infected by COVID-19 are healthcare professionals.

I need to return to the car-to-COVID-19 response comparison. I’ll throw a bone to those who think it is valid. True story: I have a friend in Belgium, who has a friend, who in turn has a friend, who survived a fatal car accident in Belgium. Precisely one week later, a car ran into mine (in Washington State) because my friend’s friend’s friend was in a collision in Belgium. Really, it happens all of the time. Car accidents in 200+ plus countries can be directly attributed to that one accident, and the body count is climbing.

Shhhhhhh. We don’t want to disillusion the people who believe that the car-to-COVID-19 response comparison is valid.

I am not commenting on when we should or should not lift the quarantine. If you want to discuss that, fine. Just don’t use blatantly stupid and/or disingenuous comparisons to support your arguments. In case it isn’t clear, comparing shutting down the economy until cars are much safer to a temporary quarantine is also disingenuous.

And for the record, I am completely incapable of sarcasm.


I’m Randy Abrams, Independent Security Analyst, and I approve this message.