Uncomplicating the complicated stuff, from a guy who can be really technical, with lots of ideas on hand but no time to blog.
Showing posts with label Information Security.
Sunday, September 30, 2012
List of Websites Hacked by Anonymous Philippines
I belong to the information security space, and I'm one with Anonymous Philippines in their fight against online libel. I can also do what they can do (hack other websites), but I'm not one of them, nor do I know any of their members.
List of government websites hacked by the Anonymous Philippines hacking group in protest of the Cybercrime Prevention Act of 2012 (Republic Act No. 10175):
1. Bangko Sentral ng Pilipinas (BSP)
2. MWSS
3. National Telecommunications Commission (NTC)
4. Philippine Information Agency (PIA) and the
5. Food Development Center
6. Agusan del Sur
And I thought the Bangko Sentral ng Pilipinas guys were good at it... I was wrong :(
Monday, September 20, 2010
And Now Wordpres.Me Spam/Virus Emails
After a deluge of spam mails from Wordpres.Us, now come many virus emails that trick users into visiting a blog post on the domain wordpres.me.
This spam variation sends to three random addresses plus BCCs. I noticed I couldn't filter out wordpres.me and wordpres.us separately, so I just used a filter for wordpres.* to cover them both.
There's not much you can really do to fight those miscreants, for they always keep thinking of new ways to advertise their fraudulent products.
Tuesday, September 07, 2010
Virus Spam Emails from Wordpres.Us Domain
I've been receiving lately many spam emails with blank subjects and just a link to a website using the domain Wordpres.Us.
Apparently it uses the username part of the sender's email address to create a subdomain and a blog post for the spammed product, e.g. for username the URL would be like:
http://username.wordpres.us/07/10/the-effect-this-menopause-medication-produce-on-my-health.html
Solutions and Countermeasures:
I sent an email advisory on the spam email, instructed our email administrator to block the keyword wordpres.us, and blocked wordpres.us in our company proxy server. No idea yet on what virus is causing the sending of the spoofed email messages, as I'm feeling lazy.
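The two wordpres.* posts above describe a filter on the domain and the trick of building a subdomain from the victim's own username. Here is an added example (my code, not from the original posts) that does both checks on a raw message: it matches any link host against the wordpres.* wildcard, including subdomains, and flags when the first label of the link host equals the sender's local part. The two sample messages, their addresses and the ham URL are constructed for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample messages modelled on the spam described in the post.
# Sender, recipients and the ham URL are made up.
SAMPLE_SPAM = b"""\
From: jdoe@example.com
To: a@example.org, b@example.org, c@example.org
Subject:
Content-Type: text/plain; charset=us-ascii

http://jdoe.wordpres.us/07/10/the-effect-this-menopause-medication-produce-on-my-health.html
"""

SAMPLE_HAM = b"""\
From: alice@example.com
To: bob@example.org
Subject: weekly report
Content-Type: text/plain; charset=us-ascii

Draft is at https://wordpress.org/news/ and on the intranet.
"""

# wordpres.* covers wordpres.us, wordpres.me and whatever TLD comes next.
# Note it does NOT match the legitimate wordpress.* domains (extra "s").
BLOCKED_PATTERNS = ("wordpres.*",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(host, patterns=BLOCKED_PATTERNS):
    """True if host, or any parent domain of it, matches a blocked wildcard.

    Walking up the labels is what makes username.wordpres.us match a
    pattern written for the bare domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):            # a.b.c -> "a.b.c", then "b.c"
        candidate = ".".join(labels[i:])
        if any(fnmatchcase(candidate, p) for p in patterns):
            return True
    return False


def classify(raw_bytes):
    """Return a verdict dict for one raw RFC 5322 message.

    blocked            - any link host matched BLOCKED_PATTERNS
    urls               - the matching links
    username_subdomain - the spam's trick: link host starts with the
                         sender's own local part (jdoe@... -> jdoe.wordpres.us)
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    localpart = addr.split("@")[0].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    hits, username_trick = [], False
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append(url)
            if localpart and host.split(".")[0] == localpart:
                username_trick = True
    return {"blocked": bool(hits), "urls": hits, "username_subdomain": username_trick}


if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, classify(raw))
```

The same `host_matches` rule is what you would feed a proxy or mail-gateway block list: block on the registrable domain and let the subdomain walk handle per-victim hostnames, rather than adding each new subdomain by hand.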
Tuesday, July 21, 2009
Comelec Source Code Review of Election Software?
A step in the right direction, that's what I call the recent news about the Comelec asking for advice from IT and information security experts in the Philippines on how to conduct a code review of the automated election software it will be using for the 2010 elections.
Manual code review, something quite unheard of in the Philippines, is offered as a service by a lone company (as far as I know), and they're really having a hard time marketing such source code review services next to their relatively easy-to-market vulnerability assessment and penetration testing services.
Source code reviews are necessary in information security to eliminate, or at least minimize, the risks of security flaws, bugs and even backdoors installed in programs by developers and programmers, particularly the common programmer unaware of secure programming practices.
After code review and intense scrutiny, the code should at least be signed so it can be verified as untampered; or else we'll have another case of "dagdag-bawas" in the midst of the May 2010 Philippine national elections: election cheating taken to the next level!
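"Sign the reviewed code so it can be verified as untampered" is the point that deserves a concrete shape. Here is an added example (mine, not part of the original post and not anything Comelec or its supplier did): it builds a manifest of SHA-256 hashes over a source tree at the moment review finishes, signs the manifest, and later re-hashes the tree to report modified, missing and unexpected files. For a self-contained demo the signature is an HMAC with a reviewer-held key; in a real election deployment you would replace `sign_manifest`/the HMAC check with a detached asymmetric signature (GPG, ed25519) so verifiers never hold the signing key. The temporary source tree and its file contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.

    Stand-in for an asymmetric detached signature: the canonical encoding
    (sorted keys, no whitespace) is what matters so both sides hash the
    same bytes."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_tree(root, manifest, signature, key):
    """Return (ok, problems).

    The signature is checked first: a manifest that doesn't verify tells us
    nothing, so we don't even look at the tree. Then every file is re-hashed
    and compared, catching edits, deletions and files slipped in after review."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature mismatch"]
    current = build_manifest(root)
    problems = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            problems.append(f"missing: {name}")
        elif name not in manifest:
            problems.append(f"unexpected: {name}")
        elif manifest[name] != current[name]:
            problems.append(f"modified: {name}")
    return not problems, problems


def demo():
    """Constructed scenario: sign a reviewed tree, then tamper with it.

    Returns the three verification results (clean, tampered, wrong key)."""
    key = secrets.token_bytes(32)                 # reviewer's signing key (demo only)
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "src"
        src.mkdir()
        (src / "tally.c").write_text("int tally(int a, int b) { return a + b; }\n")
        (src / "config.ini").write_text("precincts=100\n")

        manifest = build_manifest(src)
        sig = sign_manifest(manifest, key)
        clean = verify_tree(src, manifest, sig, key)

        # "dagdag-bawas" in code form: one line changed, one file added after review.
        (src / "tally.c").write_text("int tally(int a, int b) { return a + b + 1; }\n")
        (src / "extra.c").write_text("/* never reviewed */\n")
        tampered = verify_tree(src, manifest, sig, key)

        wrong_key = verify_tree(src, manifest, sig, secrets.token_bytes(32))
    return clean, tampered, wrong_key


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "wrong key"), demo()):
        print(label, result)
```

The manifest and signature are the artifacts to publish alongside the reviewed source; anyone with the verification key (the public key, in the asymmetric version) can then check the deployed build tree without trusting whoever handed it over.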
Wednesday, June 10, 2009
Tenable Nessus Error on Windows Vista: Invalid Challenge Response
I'm trying to install Nessus Vulnerability Scanner (version 4.0.1) at home on Windows Vista Basic. The installation went fine, but registering the product stalled my effort for quite some time with the error message below:
The error message comes after I enter the activation key and click Register. I can't start the Nessus server and therefore also can't configure the daemon. If I try to re-register the same registration code, I get a message that the code has already been used, so I need to get another code from the Tenable website.
Frustrated, I also tried Nessus offline registration (without an internet connection), got nessus-fetch.rc installed and was able to start the Nessus daemon in Services, but still can't get past the initial screen of Nessus Server Manager.
Is this another one of Windows Vista's problems or just Nessus? I will try to post this on the Nessus discussion forum for answers, solutions or workarounds.
Monday, June 08, 2009
Information Security and Conflicts of Interest
I used to handle both Information Security and Internal Audit. I know, but it happened because our Internal Auditor left.
I know I can perform both, but the situation is really a conflict of interest. Now that we have an Internal Auditor, other conflicting roles came to the surface.
The conflicts of interest mostly uncovered were roles that don't adhere to segregation of duties. I know many banks that have a listed Information Security Officer just to comply with the BSP mandate, but the person is actually doing another function.
Information Security needs to be independent from IT or Operations and needs to report to management directly. An InfoSec officer or IT security officer is not a good one if he's reporting to the IT head.
Independence is the key!
Monday, May 25, 2009
The Best IDP/IDS/IPS Intrusion Prevention System: Do you Really Need One?
In my normal line of work, I always get questions regarding certain technologies I use to secure my network beyond the usual firewalls.
One of them is the IDS (Intrusion Detection System), IDP (Intrusion Detection and Prevention) and IPS (Intrusion Prevention System)...
It's just a play on words, though IDS is merely detection, which is inutile since the damage may have been done already.
As for me, I prefer the IDP/IPS, particularly the inline type, i.e. placed in front of the server/network to be protected rather than one that's just passively listening on a mirrored port.
But I was asked why it took me so long to ever think of buying and justifying one. It's just that it's hard to justify expensive security systems if you're going to face traditionally-minded superiors looking for security ROI.
I'm more into securing the hosts: the OS and application, more than expensive security equipment...
Adding an IPS is just another layer of security for me.
If you're looking for the best there is, I can't make recommendations, but it's always TippingPoint, ForeScout, IBM's ISS et al., or probably the free Snort :P
Saturday, April 04, 2009
Tamper-proof Birth, Marriage Death Certificates on Security Paper
Tampering with birth certificates by many people to cheat on their real age or name in applications is rampant. Forging marriage certificates also happens to many people marrying again, as does faking a death certificate for pension and other fraudulent claims. All this is fast becoming hard to do.
Local civil registrars will now start issuing the certificates using tamper-proof security paper made by the Bangko Sentral ng Pilipinas (BSP). This means copies of civil registry documents will be assured of being clear and secure.
The certificates are required for the issuance of passports and visas, and for government examinations.
Note that using security paper can make the "Recto University" people who make a living by making fake certificates lose business. But many people are so easy to fool that I think it ain't so.
The government should also control the scum inside local civil registries and the NSO who can alter data in the registries for a fee... I have a friend who knew someone inside the NSO who does that: change name, age, birthday, without a court order... for a fee, of course :(
Saturday, December 20, 2008
Microsoft Internet Explorer Flaw: Patch Tuesday and Exploit Wednesday (MS08-078)
The just-released patch for a critical IE flaw, released out-of-band and not along with the regular batch of Patch Tuesday fixes, just makes you realize that the vulnerability being corrected is really critical.
Normally, MS releases patches on the second Tuesday of the month, which is why it's called Patch Tuesday.
When I got wind of the vulnerability release, I immediately had the patch tested for bugs and rolled out to PCs and laptops with Internet access. It's a good thing that most users in the office don't have Internet access (it was cut off on September 21, an ominous date indeed) and also that most of those who have it use Firefox.
After a vulnerability is made public (though this exploit has been making the rounds of the underground hacker community for a while now), crackers and miscreants race to develop proof-of-concept code and exploit the vulnerability, zero day or the next day, aptly called Exploit Wednesday.
For those looking to download the latest patch, its filename is IE7-WindowsXP-KB960714-x86-ENU.exe, available at the Microsoft Update website (direct link here).
As for me, I don't use Internet Explorer except for testing and accessing stupid IE-only online banks and websites.
Clickjacking: Attack, Defense and Proof of Concept
Clickjacking, the latest of the seemingly endless attacks concocted by security researchers and crackers, is where unsuspecting visitors of a website are tricked into clicking on invisible buttons and executing scripts, programs or malware to steal passwords or cookies, listen to you, or even activate your webcam to see what you're doing.
It was almost presented by researchers at OWASP (Open Web Application Security Project) and was also presented at the Hack in the Box security conference in KL.
For users, it's so dangerous that you'll never know what hit you just by clicking your mouse on a clickjacker's website.
Browsers vulnerable to clickjacking: ALL (Internet Explorer, Opera, Google Chrome, Firefox, Safari)
Clickjacking Countermeasure: Firefox with NoScript add-on.
The only thing that will protect you from a clickjacking website is Firefox with the NoScript add-on, something I've been using by default when browsing the Internet. Just don't set NoScript to "Allow Scripts Globally", for then it's a useless defense.
In security awareness seminars, I always remind people to refrain from visiting untrusted websites, but it's hard for them to actually determine which sites are fine to access.
Later, I will test various clickjacking proof-of-concept codes/scripts to analyze them, but not to be one of the miscreants.
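The post lists the attack, a client-side countermeasure and a promised proof of concept. Here is an added example (my code, not the author's tests and not from any conference talk) covering the two halves a practitioner wants in hand: the textbook PoC page, a transparent iframe of the target laid over a decoy button, and a server-side check that classifies a site's response headers by whether a browser would let a third party frame it. The server-side headers (`X-Frame-Options`, and CSP `frame-ancestors`, which takes precedence when both are present) post-date this 2008 post; the origins and header sets below are constructed. Origin comparison is on the full scheme://host string, a simplification of the CSP source-matching rules.

```python
def clickjack_poc_html(target_url, decoy_text="Click to claim your prize"):
    """Classic clickjacking page.

    The decoy button sits underneath; the target is framed on top with
    opacity 0 and a higher z-index, so the victim's click lands on
    whatever button the framed page has at that spot."""
    return f"""<!doctype html>
<html><body>
<button style="position:absolute;top:120px;left:80px;z-index:1">{decoy_text}</button>
<iframe src="{target_url}"
        style="position:absolute;top:0;left:0;width:800px;height:600px;opacity:0;z-index:2">
</iframe>
</body></html>"""


def framing_policy(headers, page_origin, framer_origin):
    """Decide whether framer_origin may embed a page served with these headers.

    Returns (allowed, reason). CSP frame-ancestors wins over X-Frame-Options
    when both are present; with neither header the page is frameable and
    therefore clickjackable by any site."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if "none" in sources:
            return False, "CSP frame-ancestors 'none'"
        if "self" in sources and framer_origin == page_origin:
            return True, "CSP frame-ancestors 'self'"
        if "*" in sources or framer_origin.lower() in sources:
            return True, "CSP frame-ancestors allow-list includes framer"
        return False, "CSP frame-ancestors allow-list excludes framer"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = framer_origin == page_origin
        return same, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing protection header: clickjackable"


if __name__ == "__main__":
    # Constructed header sets for a hypothetical bank site and an attacker site.
    bank, evil = "https://bank.example", "https://evil.example"
    cases = {
        "unprotected": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    for name, hdrs in cases.items():
        print(name, framing_policy(hdrs, bank, evil))
    print(clickjack_poc_html(bank + "/transfer")[:60], "...")
```

To use the checker against a live site, fetch the page's response headers with whatever HTTP client you have and pass the header dict in; "clickjackable" for a page with state-changing buttons is the finding to report. NoScript's ClearClick, which the post recommends, is the client-side counterpart and still useful when the site owner has set neither header.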
Tuesday, November 25, 2008
GoDaddy Domain Hijacking Using Gmail Security Flaw
An exploit was recently posted where miscreants can hijack domains hosted by GoDaddy using a flaw in Google's Gmail filters.
For the exploit to work, the miscreant must know the email address of the domain owner registered with GoDaddy to receive support emails, plus a bit of social engineering to trick the target into visiting a website with malicious code to get the session authorization key.
Difficulty of Exploiting:
Medium to Hard, too complex for script kiddies.
Defenses:
1. Force Gmail to use SSL (https) to avoid snooping on your emails. Google's default setting is https for authentication and unencrypted email after.
2. Avoid visiting untrusted websites.
3. Use the Firefox add-on called NoScript (like I do) so as not to allow scripts executing XSS code that lets hackers steal your Google account ID and session ID.
2010 Automated Elections Security: DRE or OMR
We've all been awed anew by the speed of counting votes during the last US presidential elections, where my candidate won. One and a half years from now, the Philippines will again hold national elections, in May 2010, to elect a new president (that is, if assholes in Congress don't take it away from us through charter change to serve their own interests).
During the ARMM elections last August, two technologies were pilot tested: optical mark recognition (OMR) and direct-recording electronic (DRE) machines. DRE is more expensive, for it uses touch-screen machines that allow voters to key in their votes directly, while OMR uses scanners that read ballots filled out by voters and transfer the data over a network.
How to choose among the technologies? It should not be on cost and logistics alone but should focus also on security. How secure is the system? Is it "immune" from hacking and cheating? Due diligence on the people behind the company/suppliers, source code audits, proper procedures, and so many other things.
The hardest part here is: do you trust the COMELEC? But at least traditional politicians with PhDs in electoral fraud will be relegated to newbies once this system is in place. But be on guard always, as some can be so smart they'll get a master's degree in no time :(
Thursday, October 09, 2008
Starbucks: Coffee Shop Risks and Information Security
Do you have an idea where potential information disclosure is possible? It's not hacking through servers or installing bugging devices in offices or meeting places. It's actually a place popping up on almost every street and building in Makati, Ortigas, Fort Bonifacio Global City and other places where yuppies and oldies are present: Starbucks!
Ever notice people dressed in office attire, with laptops and other mobile devices, conducting meetings in Starbucks? They meet up with officemates and clients for presentations and product pitches. Some of them even discuss confidential items in a public place, endangering trade secrets, marketing plans and other information that should only be divulged in the hallowed and secure halls of meeting rooms in their own offices.
Some establishments offering free WiFi Internet are also inviting for hackers and eavesdroppers looking for vulnerable and unsuspecting coffee drinkers with laptops, unaware of the danger lurking. Bluetooth devices left open are another. There are also risks of connecting to rogue WiFi hotspots set up by miscreants to lure people into connecting to them and eavesdrop on the connection. Dangerous indeed!
There is also the risk at some outlets of robbery/holdups, where robbers target moneyed patrons with laptops and cellphones. This is particularly risky for those on street frontage, where the robbers can come and get away on motorcycles for an easy escape.
This is not limited to Starbucks, btw; there's also UCC, Coffee Bean and Tea Leaf, Mocha Blends, Figaro and other coffee shops.
I only see coffee in those places as overhyped and overpriced coffee that became some sort of status symbol for some pretentious souls out there :(
Saturday, October 04, 2008
BAIPhil Seminar: Information Security Beyond the Basics
For those interested in the latest updates in information security, particularly those in the banking industry, do check this upcoming seminar by the Bankers Institute of the Philippines (BAIPhil) on October 24, 2008 at Best Western Astor on Makati Avenue, Makati City, Philippines.
Seminar programme includes talks about Mobile Banking by Roger Delgado of D3 Systems, Jr., Application Security by Philip Casanova of Chinabank and Computer Forensics by Drexx Laggui of Laggui and Associates.
The seminar fee of P900 for BAIPhil members and P1100 for non-members includes buffet lunch, snacks, seminar materials and a certificate.
Note: I co-organized this seminar and principally prepared the program as well as solicited speakers and sponsors. Expect me to be there.
Tuesday, September 16, 2008
CEH Certified Ethical Hacker: Training Without Ethics?
I just received "great news" from an attendee of a local CEH (Certified Ethical Hacker) training held somewhere in Metro Manila. The attendee came from a local bank and came right to us to say that he had tried to crack our website's security.
It came as a surprise to me that their instructor in the "certification" training made them nominate a website to hack to test their newly-acquired skills. The attendee gladly told us he wasn't able to penetrate our website and so congratulated us, including me as the information security officer, for a job well done.
I'm not going to discuss it fully and didn't rebut the attendee, but there really is something wrong here.
What the Certified Ethical Hacker instructor did was actually unethical. He ordered his students to attempt to hack websites without the website owners' written approval, something penetration testing professionals and vulnerability assessment consultants obtain prior to an engagement.
EC-Council (the body behind CEH) should check him out. Gaining the basic skills to conduct security assessments is very easy, even by just browsing the Internet, but who will certify hackers as ethical when the instructor himself is urging his students to let loose their new-found skills?
There is only one thing that separates white hat hackers from black hats despite their having the same set of skills: Permission!
Poking around systems without permission is unethical and downright illegal!
Thursday, September 11, 2008
GMA Codename Asero and Information Security
I happen to always catch the showing of GMA Kapuso's Codename Asero by the time I get home, around dinner time. Not that I follow the show, but the people at home are Kapuso fanatics.
I was able to catch the initial showing of the science fiction series on TV, some sort of Alias meets Universal Soldier, but noticed too many glaring shortcomings, typical of Filipino writers just trying to get a storyline going.
There is a scene there where the two protagonist agencies, Advocate and Empire, don't practice the age-old principle of "know thy enemy and know thyself" by not actually having a dossier on their employees. The stupid leaders of the agencies don't know the parents of Asero, while the Empire guys have a stupid policy of not knowing anything about their employees' families.
Spare me the crap. No top-secret company can operate under wraps for so long without the principle of "know thy employees."
All over the place, you get things and bags and stuff marked with Empire and Advocate, a practice not done by real top-secret companies, not even the agencies of the hit TV series Alias.
There's also a stupid way to check if Agent Asero is really a cyborg, when they let him get near an octopus-like gizmo to detect if he's really a cyborg. Good thing the Empire guys encrypted the signal.
C'mon, a simple metal detector or x-ray machine can do the trick.
One more thing: the Empire knows where the Advocate holds office and yet they don't know the employees and stuff.
Stop pulling my leg with such glaring boob-tube boo-boos.
Filipino writers and directors should break away from stupid plots in order to be really world-class: less of the melodrama, and more attuned to reality, something like the producers of sci-fi series and films like Alias, who seem to be in touch with the real world. Foreign sci-fi series don't resort to cheap gimmicks and perhaps employ consultants on technical stuff to be at least acceptable.
Or does it really mean that Filipino audiences are too... never mind the word!
Tuesday, September 02, 2008
Poisoned DNS Servers Redirecting My Website to AsianMultiAdvertising.Com
For the last two days I experienced about a 30% drop in traffic to my main blog, Backpacking Philippines. I thought it was normal until I received an email from the PBS yahoogroup (one of whose members seems to be working at Dell Computers, judging from the IP address) asking me to check my blog since it's redirecting somewhere else.
I checked my own blog first and concluded there's nothing wrong with it; the problem is probably that the DNS servers used by the people complaining have been poisoned, with the recently made public critical DNS flaw still unpatched by lazy and/or clueless systems administrators.
I suspect this is also the cause of the recent SmartBro problem.
To check if your DNS is the culprit, change your DNS settings to point to OpenDNS, then revisit my blog. If that corrects the problem, contact your ISP or network administrator to immediately update the DNS software they're using.
Friday, August 22, 2008
How to Scan for Yahoo Messenger
Part of my regular job is to scan the internal network for rogue software installations and unauthorized software. I fiddled again with Nmap to scan for Yahoo Messenger on my home network and this is a snapshot of my findings:
Snapshot of an nmap scan for TCP 5101:
Interesting ports on 10.252.236.117:
PORT STATE SERVICE
5101/tcp filtered admdog
MAC Address: 00:0B:CD:A2:10:24 (Compaq (HP))
Interesting ports on 10.252.236.122:
PORT STATE SERVICE
5101/tcp open admdog
MAC Address: 00:1B:38:9E:D9:3E (Compal Information (kunshan) CO.)
Interesting ports on 10.252.236.126:
PORT STATE SERVICE
5101/tcp filtered admdog
MAC Address: 00:0F:20:24:28:30 (Hewlett Packard)
Note that I found one YM install: the host with admdog open on TCP 5101.
Yahoo Messenger is unwelcome in a corporate environment. It's a big security hole, I tell you. Ban it if you will. Installing anything on office PCs needs official approval from Information Security, and the installation has to be performed by IT staff.
Time to draft a letter reprimand to the concerned staff!
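Reading three hosts by eye is fine, but a sweep of a whole subnet needs the nmap output turned into a list of offenders. The script below is an added example (not code from the post): it parses nmap's normal output format, using the three hosts from the snapshot above as its embedded input, and returns the addresses where the scanned port is actually open. A scan such as `nmap -p 5101 <address range>` produces this output format; the address range and the assumption that the output is in this "normal" (not XML or grepable) format are the only things assumed.

```python
"""Parse nmap "normal" output for a single-port scan and list the hosts on
which that port is open.  Added example; not part of the original post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three hosts from the scan snapshot in the post, pasted verbatim.
# A scan such as `nmap -p 5101 <address range>` prints this format.
NMAP_OUTPUT = """\
Interesting ports on 10.252.236.117:
PORT STATE SERVICE
5101/tcp filtered admdog
MAC Address: 00:0B:CD:A2:10:24 (Compaq (HP))
Interesting ports on 10.252.236.122:
PORT STATE SERVICE
5101/tcp open admdog
MAC Address: 00:1B:38:9E:D9:3E (Compal Information (kunshan) CO.)
Interesting ports on 10.252.236.126:
PORT STATE SERVICE
5101/tcp filtered admdog
MAC Address: 00:0F:20:24:28:30 (Hewlett Packard)
"""


@dataclass
class HostResult:
    ip: str
    mac: Optional[str] = None
    # "5101/tcp" -> "open" / "filtered" / "closed" ...
    ports: Dict[str, str] = field(default_factory=dict)


HOST_RE = re.compile(r"^Interesting ports on (.+):$")
PORT_RE = re.compile(
    r"^(\d+/(?:tcp|udp))\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_nmap(text: str) -> List[HostResult]:
    """Walk the output line by line; each 'Interesting ports on' line starts
    a new host, and port/MAC lines are attached to the current host."""
    hosts: List[HostResult] = []
    current: Optional[HostResult] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostResult(ip=m.group(1).strip())
            hosts.append(current)
            continue
        if current is None:          # preamble before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports[m.group(1)] = m.group(2)
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac = m.group(1).upper()
    return hosts


def hosts_with_open_port(hosts: List[HostResult], port: str = "5101/tcp") -> List[str]:
    """Only 'open' means something is listening; 'filtered' means a firewall
    dropped the probe and says nothing about whether YM is installed."""
    return [h.ip for h in hosts if h.ports.get(port) == "open"]


if __name__ == "__main__":
    for ip in hosts_with_open_port(parse_nmap(NMAP_OUTPUT)):
        print("TCP 5101 open on", ip)
```

Two caveats a practitioner would add to the post's conclusion: "admdog" is just the name nmap's services table assigns to port 5101, not proof that Yahoo Messenger is what is listening, so confirm with version detection (`nmap -sV -p 5101`) or by checking the host itself before writing any reprimand; and a "filtered" result means the probe was dropped (host firewall, for instance), not that the software is absent.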
Friday, January 04, 2008
DNS Poisoning/Redirection of ITECC, DOJ and CIDG Websites to Enchanted Kingdom
The Inquirer ran a news report that the websites of the Department of Justice (DOJ), ITECC and PNP-CIDG were redirected to the website of Enchanted Kingdom, a theme park in Sta. Rosa, Laguna.
The report showed how people in law enforcement and the government administering (in)justice can be so clueless about what hit them. EK, as Enchanted Kingdom is popularly known, is going to its site host with questions and suspects malice behind the site redirection. No hint of the actual method was presented, so the people investigating the matter still don't know what to do.
I can offer an explanation though, and it involves a technique known as DNS poisoning or DNS cache poisoning, used in pharming, where legitimate requests to victim websites are redirected to bogus/spoofed ones in order to trick visitors into divulging personal information such as usernames/passwords, PINs, etc. This attack, however, merely redirected government sites to EK, possibly by hackers making fun of a government that still has to learn information security (there are only a few of us information security practitioners here in the Philippines and most are in the private sector). The government and the military can't even keep their secrets to themselves, so what do you expect?
I recommend checking your DNS servers for signs of cache poisoning and checking for and patching all vulnerabilities so this doesn't happen again. Other causes of this problem may have been a misconfiguration of the web server, a network problem, the load balancer (if there's one) or a compromised/misconfigured DNS (domain name server). The report claims the sites are hosted by PLDT, so PLDT can give out explanations for these incidents (though I doubt they'll release the true story if they're the ones to blame).
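Both this post and the earlier one about my own blog being redirected come down to the same question: how does a caching resolver decide whether a reply it receives is the genuine one, and what does a poisoned cache get wrong? The script below is an added example, not code from either post or from any DNS software: it builds a query and two replies in DNS wire format, then applies the acceptance checks a resolver is supposed to make before caching anything, namely that the transaction ID and the question section match the outstanding query and that no record in the reply claims authority for a name outside the zone being asked about (the "bailiwick" rule, which is what stops a reply from planting a bogus address for an unrelated site). The zone `example.gov.ph`, the name `www.other.gov.ph` and the addresses are constructed; the forged reply is constructed to show what the checks reject. Randomising the transaction ID and source port, the other half of the defence against the flaw discussed here, is a transport-level matter and is not shown.

```python
"""Acceptance checks a caching resolver applies to a DNS reply before
trusting it.  Added example; not code from the original posts."""
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Return (name, offset after the name); follows compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if jumped else off)


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, sections) -> bytes:
    """sections = (answer, authority, additional); each a list of
    (owner_name, rtype, rdata).  Names are written uncompressed."""
    an, ns, ar = sections
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(an), len(ns), len(ar))
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in an + ns + ar:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return txid, qname, qtype, records


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def validate_reply(query: bytes, reply: bytes, zone: str) -> List[str]:
    """Return the reasons to discard the reply (empty list = accept it)."""
    problems = []
    qtxid = struct.unpack("!H", query[:2])[0]
    qname, qoff = decode_name(query, 12)
    qtype = struct.unpack("!H", query[qoff:qoff + 2])[0]
    rtxid, rname, rtype, records = parse_response(reply)
    if rtxid != qtxid:
        problems.append("transaction id mismatch")
    if (rname, rtype) != (qname, qtype):
        problems.append("question section does not match the query")
    for section, owner, _rtype, _rdata in records:
        if not in_bailiwick(owner, zone):
            problems.append(f"out-of-bailiwick {section} record for {owner}")
    return problems


# Constructed sample: a query for www.example.gov.ph sent to the servers
# responsible for the zone example.gov.ph (names and addresses are made up).
ZONE = "example.gov.ph"
QUERY = build_query(0x1234, "www.example.gov.ph")
GOOD = build_response(0x1234, "www.example.gov.ph",
                      ([("www.example.gov.ph", 1, bytes([203, 0, 113, 10]))], [], []))
# Constructed forged reply: wrong transaction id, plus an additional record
# that tries to plant an address for a name outside the zone asked about.
BAD = build_response(0x1235, "www.example.gov.ph",
                     ([("www.example.gov.ph", 1, bytes([198, 51, 100, 7]))], [],
                      [("www.other.gov.ph", 1, bytes([198, 51, 100, 7]))]))

if __name__ == "__main__":
    print("good reply:", validate_reply(QUERY, GOOD, ZONE) or "accepted")
    print("bad reply: ", validate_reply(QUERY, BAD, ZONE))
```

For the practical check both posts suggest, the same idea applies at a higher level: resolve the affected name through the resolver you suspect and through a reference resolver (OpenDNS, as the earlier post says), and treat a disagreement in the answer section as the signal that the cache, not the website, is what needs fixing.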
Sunday, October 21, 2007
Recover Data from Hard Disk Crash or Corrupted Partitions
Crashed hard drives? Corrupted HDD and other media not detected by your operating system?
In case you're led to this page through search engines, I know I don't have to remind you to create backups of all your precious data on your hard drives, compact flash (CF), memory stick (MS), Secure Digital (SD), MMX, USB flash disks (thumb drives), and other media. Losing precious files, sometimes precious memories and not just pictures, is really such a pain in the *** but there are services and solutions out there to recover your data, even partially, if you have the money for it.
There are many free data recovery software/utilities available on the Internet that you can use to successfully recover files from a corrupted USB thumbdrive. The free tools can also be used to undelete files.
Recovering data from physically damaged hard drives involves qualified engineers and technicians, often a clean room and spare similar hard drives to replace damaged parts of the disk, including the electronics, heads and motor.
There are also claims that freezing your defective hard drive will correct the clacking sound and make it work again, but most of these are accidental "magic" recoveries that last only a limited time after the drive is taken out of the freezer, so the data must be copied immediately. (Try booting Knoppix or another bootable CD, mount the hard disk, then copy the files you need.)
Data recovery services in the Philippines are still scant and expensive; you can have your data/pictures recovered by professionals but for a stiff price.
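The Knoppix tip above works, but copying files off a drive that is already clacking means every directory walk re-reads the same failing sectors, and one unreadable sector aborts a file copy. The safer first step is a read-only, block-level image of the whole drive onto a healthy disk, skipping unreadable blocks instead of stopping (the behaviour of `dd conv=noerror,sync`), and then mounting that image read-only to pick out files. The script below is an added example, not from the post or from any recovery tool: it implements that sector copier in Python with a constructed stand-in for a failing drive so it runs without any hardware. The sector size, the fake drive and its bad sector are all constructed; on a real rescue boot `src` would be the block device opened read-only and `dst` a file on a different disk.

```python
"""Read-only, block-level imaging of a failing disk, skipping unreadable
sectors.  Added example; not code from the original post."""
import io
from typing import BinaryIO, List, Tuple

SECTOR = 512  # assumed sector size for the constructed "disk"


def image_device(src: BinaryIO, dst: BinaryIO, size: int, block: int = SECTOR) -> List[int]:
    """Copy `size` bytes from src to dst in `block`-sized reads.

    A read that raises OSError (what an unreadable sector produces) is written
    as zeros and its offset is recorded, so one bad sector does not stop the
    whole copy.  The returned offsets are the blocks worth retrying later."""
    bad: List[int] = []
    off = 0
    while off < size:
        n = min(block, size - off)
        try:
            src.seek(off)
            data = src.read(n)
        except OSError:
            data = b""
            bad.append(off)
        data = data.ljust(n, b"\x00")  # pad short or failed reads (conv=sync)
        dst.seek(off)
        dst.write(data)
        off += n
    return bad


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: any read that touches one of
    `bad_offsets` raises OSError, like an unreadable sector would."""

    def __init__(self, data: bytes, bad_offsets):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n: int = -1) -> bytes:
        start = self.tell()
        if n >= 0 and any(start <= b < start + n for b in self.bad_offsets):
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo() -> Tuple[List[int], bytes, bytes]:
    """Image a constructed 8-sector disk whose 4th sector is unreadable."""
    original = b"".join(bytes([i]) * SECTOR for i in range(8))
    src = FlakyDisk(original, bad_offsets=[3 * SECTOR + 100])
    dst = io.BytesIO()
    bad = image_device(src, dst, len(original))
    return bad, original, dst.getvalue()


if __name__ == "__main__":
    bad, _original, image = demo()
    print(f"imaged {len(image)} bytes, unreadable blocks at offsets {bad}")
```

Two points about the design: the image is written at the same offsets as the source, so the filesystem inside it can be mounted read-only (for example with `mount -o ro,loop`) and files copied without touching the failing drive again; and the returned bad-block list is what makes a second, slower pass over only the failed sectors possible, which is the approach dedicated tools such as GNU ddrescue take.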