CUISPA Podcast #25 - We're back!
Panelists: John Brozycki, Alex Rams, Larry Porres
Recorded: 7/27/2009

Questions, comments, or something you'd like us to cover? Contact us at: podcast@cuispa.org

I. News stories

1) SSNs are NOT randomly assigned and can be fairly accurately predicted. For anyone still considering SSNs a valid and secure form of ID, this is Fonzie jumping the shark on his water skis. The researchers also expect this attack to become more and more refined.
http://www.wired.com/wiredscience/2009/07/predictingssn/

2) Network Solutions breach exposes 500,000 cards. Remember when a breach of half a million cards sounded like a lot?
http://www.theregister.co.uk/2009/07/25/network_solutions_ecommerce_breach/

3) More Adobe flaws. Adobe's PDF, Flash, and Shockwave clients have become a real security issue, with serious vulnerabilities seeming to pop up every couple of weeks.
http://arstechnica.com/security/news/2009/07/flash-security-vulnerability-exploited-in-pdfs.ars

4) 12% of email users have tried to buy stuff from spam. No wonder it keeps on coming.
http://arstechnica.com/web/news/2009/07/12-of-e-mail-users-try-to-buy-stuff-from-spam-e-mail.ars

5) Return of the L0pht. The infamous group is again working on some projects, including an update to the popular password auditing tool L0phtcrack. Another project is HackerNews Network, a video stream of security news. What other projects might they be working on? It's probably worth following their website over the upcoming months. (http://www.l0pht.com/ www.hackernews.com)
http://www.csoonline.com/article/498016/L_pht_Makes_Comeback_Sorta_With_Hacker_News_Network

6) Pepper Spray Shooting ATMs in South Africa. If that's not surprising enough, consider that last year there were nearly 500 ATMs blown up with explosives in that nation!
http://www.guardian.co.uk/world/2009/jul/12/south-africa-cash-machine-pepper-spray

7) Windows 7 Released to Manufacturing (RTM). IT professionals and developers with MSDN or TechNet subscriptions can get the RTM version on August 6th. Microsoft Action Pack subscribers can download the OS on August 23rd. Windows 7 will be available to consumers on October 22nd.
http://www.microsoft.com/Presspass/press/2009/jul09/07-22Windows7RTMPR.mspx
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=218600379

8) Low-Tech Attacks. Forget technically sophisticated attacks like man-in-the-middle: criminals are 'resurrecting low-tech attacks ... according to financial fraud experts are using little more than a telephone and old-fashioned con artistry,' in a scheme dubbed 'man-in-the-phone.' 'The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute.' The bank's fraud department asks various questions in a bid to authenticate the victim, and the criminal records the customer's answers, which may include the victim's SS#, National ID#, PIN or password, and/or the amount of the last deposit or the location of the last transaction.
http://voices.washingtonpost.com/securityfix/2009/07/high_crimes_using_low-tech_att.html

9) Pay or it'll display. Russian cybercrooks have come up with a variant of ransomware scams, which works by displaying an invasive advert for online smut in users' browsers that victims are extorted to pay to remove...
http://www.theregister.co.uk/2009/07/27/ransompage_trojan/

II. Tech Segment

Credit card number generator in Perl.

Sometimes it is handy to have one or more card numbers for testing purposes. These numbers are valid in the sense that they pass the checksum algorithm (the Luhn mod-10 check used by all the major card brands); the BIN (Bank Identification Number, the first six digits) can be whatever you want, and the card number itself need not exist. I've used this to 'test' phishing sites as well as to test applications to see how they reacted to different values and whether they recognized proper BINs. This Perl script will generate any desired number of card values for any desired BIN. The algorithm is widely known, and there are a number of criminal tools that do this sort of thing for malicious purposes. Keep in mind what a Luhn pass proves: only that the number is well-formed. It says nothing about whether the card was ever issued, is active, or has funds, which is exactly why a form that stops at the checksum is no barrier to generated numbers.
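The check behind the script, as an added example for these show notes (it is not the podcast's ccgen.pl, and it is in Python rather than Perl): a Luhn validator, a check-digit calculator, and a generator that goes beyond the script by accepting any digit prefix and any total length (15 for the Amex format, for instance) instead of a fixed 6-digit BIN and 16 digits. The prefixes it uses are constructed for illustration, not real issuer BINs.

```python
"""Luhn (mod-10) check digit: compute it, validate it, and generate test
numbers for any prefix and length.

Added example for these show notes; it is not the podcast's ccgen.pl. The
prefixes used below are constructed for illustration, not real issuer BINs.
"""
import random


def luhn_sum(digits):
    """Luhn sum of a complete number, check digit included.

    Starting from the rightmost digit, every second digit is doubled and
    9 is subtracted from any product above 9. The number is valid when
    the sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True if `number` is all digits and passes the mod-10 check."""
    return number.isdigit() and len(number) >= 2 and luhn_sum(number) % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn test.

    A placeholder 0 is appended first so the payload digits sit in the
    positions they will occupy in the finished number; otherwise the
    doubling pattern would be off by one.
    """
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def generate(prefix, length=16, count=1, seed=None):
    """Return `count` Luhn-valid numbers of `length` digits starting with `prefix`.

    Generalises the fixed 6-digit BIN / 16-digit layout of the Perl script:
    any digit prefix and any length work (15 for the Amex format). Each
    number's check digit is computed from its own digits, so nothing carries
    over from one number to the next. `seed` makes the output reproducible.
    """
    if not prefix.isdigit() or length <= len(prefix):
        raise ValueError("prefix must be digits and shorter than length")
    rng = random.Random(seed)
    fill = length - len(prefix) - 1
    numbers = []
    for _ in range(count):
        payload = prefix + "".join(str(rng.randrange(10)) for _ in range(fill))
        numbers.append(payload + luhn_check_digit(payload))
    return numbers


def single_digit_errors_detected(number):
    """True if changing any one digit of a valid number breaks the check.

    This is the guarantee Luhn actually gives: it catches typos, not fraud.
    A number that passes is merely well-formed, not issued, active or funded,
    which is why a generated number gets past a page that only runs this check.
    """
    if not luhn_valid(number):
        return False
    for pos, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                mutated = number[:pos] + d + number[pos + 1:]
                if luhn_valid(mutated):
                    return False
    return True


if __name__ == "__main__":
    # Constructed prefixes; "340000" only mimics the 15-digit Amex layout.
    for n in generate("123456", 16, 5, seed=1):
        print(n, luhn_valid(n))
    for n in generate("340000", 15, 2, seed=1):
        print(n, luhn_valid(n))
```

When testing one of your own applications with these, the useful observation is not whether it accepts the number (it should, on Luhn alone) but what it does next: whether it looks the BIN up against the ranges it expects and whether it treats a checksum pass as anything more than input validation.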

How to use:

- Install Perl if you don't have it on your system. You can get it at:
http://www.activestate.com/activeperl/

- Copy the Perl script at the end of this document and paste it into a separate file. Name it ccgen.pl when you save it.

- Run it with perl ccgen.pl (perl.exe ccgen.pl on Windows).

- Follow the prompts to set the BIN and how many card numbers to produce. The numbers are written to a file called ccnumbers.txt as well as printed to the screen.

- Use the program *legally* to test your own applications. It can also let you get farther into a phish site that is targeting your CU without having to use a real card number.

Note: If you have problems copying and pasting the program, send us an email.

 

III. Cooltility (Cool + Utility = Cooltility)

A1. DimDim. This is an online meeting service offering free accounts that can host meetings of up to 20 participants. No special client is needed if you have a supported browser and Flash installed.

http://www.dimdim.com/

 

IV. Smarter U.

One investment you can never lose on is the investment in yourself.

1. Reminder: Find a plethora of papers on a ton of topics at SANS Reading Room. Lots of timely papers to learn from, perhaps even one (or two) from one of your podcast hosts (wink wink, nudge nudge): http://www.sans.org/reading_room/

2. Online training. (Monthly or annual subscriptions. Alex is using this.) www.lynda.com

Got a suggestion for this space? Please send it to podcast@cuispa.org.

 

Appendix: Perl listing

# ======================================================================
# NAME: ccgen.pl
#
# AUTHOR: John Brozycki
# DATE : 5/11/2006
#
# PURPOSE: Generate a user selected number of credit card numbers, based
#          off a user selected or default BIN, for use in "cramming"
#          phishing sites with invalid card numbers.
# ======================================================================
#
use strict;
use warnings;

my $bin           = 0;
my $count         = 0;
my $BinChecksum   = 0;
my $DefaultBIN    = "123456";        # Change this to change default BIN
my $DefaultCount  = 10;              # Change this to change default quantity of CC#s
my $ccfile        = "ccnumbers.txt"; # Change this to change default outfile name
my $BadBINEntered = "Y";
my $InvalidCount  = "Y";

open (my $outfile, ">", $ccfile) or die "Cannot open output file: $!";

# =========================================================================
# Print instructions
# =========================================================================
print ("---------------------------------------------------------------------\n");
print (" This utility will generate however many 16-digit credit card numbers\n");
print ("you want starting with a default BIN or user supplied 6-digit BIN. After\n");
print ("prompting you for the BIN, you are asked how many numbers to generate.\n");
print ("The numbers generated will pass credit card checksum tests, but will not\n");
print ("work if an inquiry is run against the card number.\n\n");
print ("Output is to the screen and also to a local file named: ".$ccfile."\n");
print ("---------------------------------------------------------------------\n\n");
#
# =========================================================================
# Get the User's input for the BIN or use the default if nothing is entered
# =========================================================================
while ($BadBINEntered eq "Y")
{
    print ("\nPlease enter a BIN code [".$DefaultBIN."=default]: ");
    $bin = <STDIN>;
    $bin = "" unless defined $bin;   # treat end-of-input like an empty line
    chomp($bin);
    # Anchored so that exactly six digits are accepted; an unanchored match
    # would let any string that merely contains six digits through.
    if ($bin =~ /^[0-9]{6}$/)
    {
        $BadBINEntered = "N";
    }
    if ($bin eq "" and $BadBINEntered eq "Y")
    {
        print ("\nUsing the default BIN of ".$DefaultBIN."\n");
        $bin = $DefaultBIN;
        $BadBINEntered = "N";
    }
    if ($BadBINEntered eq "Y")
    {
        print ("\nERROR: BIN needs to be a 6 digit numeric value.\n");
        print ("You entered: ".$bin." Please try again.\n\n");
    }
}
#
# =========================================================================
# Get the User's input for the number of CC numbers to generate
# =========================================================================
while ($InvalidCount eq "Y")
{
    print ("\nPlease enter how many CC#s to generate, 1-1000 [".$DefaultCount."=default]: ");
    $count = <STDIN>;
    $count = "" unless defined $count;
    chomp($count);
    if ($count =~ /^[0-9]+$/ and $count > 0 and $count < 1001)
    {
        $InvalidCount = "N";
    }
    if ($count eq "" and $InvalidCount eq "Y")
    {
        print ("\nUsing the default count of ".$DefaultCount."\n");
        $count = $DefaultCount;
        $InvalidCount = "N";
    }
    if ($InvalidCount eq "Y")
    {
        print ("\nERROR: Count needs to be a numeric value between 1 and 1000.\n");
        print ("You entered: ".$count." Please try again.\n\n");
    }
}
#
# =========================================================================
# Calculate the checksum contribution of the BIN once, then reuse it for
# each card number. Luhn (mod-10): counting positions from the left in a
# 16-digit number, the digits in odd positions (1st, 3rd, ... 15th) are
# doubled and 9 is subtracted from any product above 9; the 16th digit is
# chosen so that the total is a multiple of 10.
# =========================================================================
print ("Using BIN#:".$bin." and making ".$count." card numbers.\n");
for (my $increment = 0; $increment <= 5; $increment++)
{
    my $digit = substr($bin, $increment, 1);
    $digit = $digit * (1+(($increment+1) % 2));   # double digits 1, 3 and 5
    if ($digit > 9)
    {
        $digit = $digit - 9;
    }
    $BinChecksum = $BinChecksum + $digit;
}
#
# =========================================================================
# Loop through the CC# creation process until the desired number of CC#s
# has been generated.
# =========================================================================
while ($count > 0)
{
    my $ccnum = "";
    # Each card starts from the BIN's contribution only. The random digits'
    # contributions must not carry over from one card to the next, or every
    # card after the first would get the wrong check digit.
    my $checksum = $BinChecksum;
    # ====================================================================
    # For CC digits 7 to 15, generate a random number and update running
    # checksum
    # ====================================================================
    for (my $increment = 7; $increment <= 15; $increment++)
    {
        my $digit = int(rand(10));
        $ccnum = $ccnum.$digit;
        $digit = $digit * (1+($increment % 2));   # double digits 7, 9, ... 15
        if ($digit > 9)
        {
            $digit = $digit - 9;
        }
        $checksum = $checksum + $digit;
    }
    # =====================================================================
    # Create the last digit: whatever is needed to bring the checksum up to
    # the next multiple of 10 (0 if it already is one).
    # =====================================================================
    my $digit = (10-($checksum % 10));
    if ($digit == 10)
    {
        $digit = 0;
    }
    $ccnum = $bin.$ccnum.$digit;
    print ($ccnum."\n");
    print {$outfile} $ccnum, "\n";
    $count = $count - 1;
}
close $outfile;