DNS Poisoning

DNS poisoning is an attack that’s becoming more widespread and it can affect most people using broadband.

Here’s a summary on what it is, how it can affect you, and what you can do about it.

Every time you use anything on the internet, including reading web pages, reading or sending emails, online chatting, etc, you use domain names (even if you don’t realise you’re using them). Domain names could be www.google.com, or www.fraudo.com, etc. They’re just addresses on the internet.

Your internet service provider (ISP) would have a machine in their network that your computer uses to look up these addresses. You won’t realise you’re using it but your computer definitely needs it (and it’s called a DNS server).

A DNS server is a phone book of web addresses.

Here’s how things work on a healthy environment (click to enlarge):

click to enlarge

You try to load up www.fraudo.com

  1. Your computer finds the DNS Server and asks it "where’s www.fraudo.com?"
  2. The DNS Server responds ("there it is –>")
  3. Your computer finds FraudO on the internet

All’s good and everyone’s happy browsing the internet. Along comes someone trying to hack your system. They make a change to your modem/router, telling it to use someone else’s DNS server.

How do they do this? The most common method today are viruses that break into routers and change settings. We’ll cover these another time.

Here’s how an environment looks when it’s been DNS poisoned (click to enlarge):

click to enlarge

Instead of using your ISP’s DNS server, it’s using a bad DNS server. The bad DNS server tells your computer how to find the evil websites instead of the real ones.

If this happens chances are you wouldn’t know how or why, it can be difficult to see what’s happening.

To prevent things like this happening here are some tips:

  • Change the password on your router. Everyone knows the default password (here’s a list of all the default passwords, find yours in the list)
  • Use a good virus scanner that scans all web pages, emails, and files
  • Keep your virus scanner up to date

How To Recognise URLs

Understanding URLs is extremely important in avoiding online scams. If there’s only one technical skill you need to know about the internet it’s this, and it will save you being caught out one day.

I’ve limited acronyms to just one (URL) to make it easier to understand.

URL. It doesn’t matter what the letters stand for, it means the address of the web page you go to. You get to see URLs in the top of your web browser. An example of a URL is:

www.fraudo.com

You probably see these every day, every page on the internet has one, and you see links for them every day. This is basically how the internet works.

The only other thing you’ll need to keep in mind for this article is that there are good web pages and bad ones – legitimate sites and scam sites created for various evil purposes.

Now we’ll explain how to recognise a good URL from a bad URL.

I’ve made up two names to demonstrate, and apologies in advance to anyone who’s real business name is similar to these (I googled the names and they came up blank so I’m fairly certain they aren’t real business names at the time of writing).

Let’s say a legitimate company is called SomeFancyBank, and that their legitimate website is www.somefancybank.com. It’s the good site. And imagine you have an account with them and a fair bit of money in there.

And let’s say there’s a fraudulent website registered as confusinglookingname.com. So this one is controlled by someone intent on stealing your money, it’s the bad site.

So if you get an email asking you to click on www.somefancybank.com/login.asp you’ll probably feel safe to do so.

If you see a link that looks a little like www.confusinglookingname.com/login.asp you’ll be surprised and you won’t click, it’s a fake website designed to look like the real bank’s site, only they capture your details.

What if the link is www.somefancybank.confusinglookingname.com ? You can see your favourite bank’s name in there so maybe it’s real… Read on, you’ll see why this is definitely illegitimate.

A URL can be broken down into three parts:

1. There’s the stuff at the beginning (often it’s www but doesn’t have to be). And it could be long and could include many dots.

2. Then there’s the domain name (e.g. somefancybank). It’s usually a company name or some other trademark, followed by a .com. There can only be one dot in this part.

3. Then there’s a / followed by a bunch of technical bits. We’re not covering this part in this article. It’s what comes before the / that’s important.

So there are three parts to a URL and we’re only concerned with the first two.

Let’s go straight to some examples (the important bits have been highlighted in bold):

  • somefancybank.com/login.php – good
  • abcde.somefancybank.com – good
  • 123.somfancybank.com/123/456/789 – good
  • abc.somefancybank.com/scaryletters/ – good
  • confusinglookingname.com/login.php – bad
  • 123.abc.zz45xy.confusinglookingname.com/some/fancy/bank – bad
  • www.somefancybank.confusinglookingname.com – bad
  • www.some.fancy.bank.confusinglookingname.com/somefancybank – bad
  • important.clicknow.confusinglookingname.com/some/fancy.bank/login.asp – bad

I’m sure you’re starting to get the idea by now. Now for some trickier examples:

  • www.somefancybank.com.au/login.php – bad
  • www.somefancybank.com.login.confusinglookingname.com – bad

Let’s leave things simple and end it there.

Humans are good at recognising patterns, so when you see your favourite company name in the URL you might immediately think it’s legitimate. Scammers take advantage of this and deliberately make these links to trick people.

You’ll find these fake links in emails, other web pages, chat programs, etc. They’re everywhere so get used to recognising how they work and you’ll be a lot better off.

Using Unsecured Wireless Networks

Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?

If you have a wireless network that isn’t well secured then:

  • Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
  • Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
  • Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
  • It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
  • It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous

aerials The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.

I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.

If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:

  • It’s illegal in a lot of countries (people get arrested for this quite often)
  • It’s effectively stealing. It isn’t a victimless crime
  • You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords

So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.

Wireless Network Used in Extortion

An Australian man in Rockhampton has been arrested for trying to extort money from people. Here’s how he did it.

  • He gained access to other people’s wireless networks. This is fairly easy to do, even if you turn on WEP encryption (read about securing a wireless network here). By using other people’s networks he was harder to locate
  • He sent users threatening messages, made to look like they came from elsewhere
  • He then demanded money to be dropped off at a specific location
  • And he repeated this a total of 12 times

Suitcase full of moneyThe police were able to find him and arrest him. It’s important to secure your wireless networks so that other people don’t use it to commit crimes.

Full article here.

MDB Files are vulnerable

At the moment there’s a vulnerability in Microsoft’s Access program. This means it’s possible to create an Access file that contains malicious code (e.g. a virus, trojan, spyware, etc). More details here.

In plain English it means if you receive a file who’s name ends with .MDB treat it as highly suspicious.

Statistics Update

Secured CDA quick update about online crime.

In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.

And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.

Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.

Some lessons to be learnt are:

  • There are a very large number of online criminals doing everything they can to try and steal your money
  • Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
  • Keep in mind that your personal details are not all that private anymore

Russian Chat Bot

Female robotIt’s amazing how many new tactics these people come up with in order to steal your personal information. There’s a new “bot” that chats with users on Russian online chat rooms (a bot is a program that mimics a real person online). It’s called CyberLover and apparently it’s quite clever in impersonating a human and gets people talking to it.

During a test it was found that the CyberLover chat bot got 10 real people to have conversations with it, in only 30 minutes. During this conversation it tricked people into providing their real names, contact information and photos. This is all private data, provided to the chatbot.

The darker side of this clever piece of software is that the bot is run by hackers intent on committing identity theft. Personal information like this is regularly sold on an online black market, and then used to commit fraud, such as opening credit card accounts in your name. Serious crimes indeed.

CyberLover is an interesting piece because it has different levels of its personality, and they’re mostly of a sexual nature. This type of conversation seems to get people’s attention more easily making it easier to manipulate them into providing personal information (called Social Engineering).

At the moment this is all in Russian however it won’t be long until it appears in other languages including English.

Skype Encryption

Skype is a popular communication tool allowing people to have voice and video conversations over the internet. And one of its features is how it transports that communications data. Skype first encrypts your data then distributes it using a network of other skype users (using what’s called a peer to peer model).

The encryption is intended to stop random strangers eavesdropping on your conversations. And it seems to be fairly effective from what this article says – the German Federal Police Office have a problem wiretapping Skype calls.

Is this a good thing or a bad thing? Well, it’s a little of both. It gives Skype users a level of security that makes the general public comfortable enough to use it, and stops casual eavesdropping. That’s the good news.

The bad news is that VoIP traffic (phone calls over internet) can be intercepted in other ways. When it becomes too hard to break the encryption, as the German police found, an easier path is to install a trojan on the PC and intercept the voice data before it becomes encrypted. This stuff really happens.

The German federal police office is looking into developing trojans so they can install one on people’s computers they need to listen in on (article here). This is a legal form of spyware (at least in the country it’s used in). Other governments have been using this technique for years and legally it’s not much different to wiretapping a phone. What makes it scary is that antivirus companies have an understanding with law enforcement agencies and some government spyware may go undetected.

This isn’t a problem to most people. And at the end of the day it’s no different to using a house or mobile (cellular) phone.

The message in this article is that you should place the same level of trust in any VoIP phone (such as Skype) as you would with any other phone. It doesn’t offer any additional level of privacy. Law enforcement agencies have been finding ways to listen in, and fairly soon we’ll have spyware that can do the same thing only with less legal intentions.

Gameige.com has been compromised

GnomeSome pages on the website gameige.com have been compromised, using iframes to cause people’s browsers to download malware and steal information from the computer. This is a risk if your web browser loads ActiveX controls (such as Internet Explorer). Gameige.com is used by players of online games such as World of Warcraft.

The use of a good antivirus program that filters websites would help here. And hopefully by the time you read this the people supporting the site would have fixed it.