When: July 23, 6PM

Where: Credit Suisse, Kameleon building at Szewska st., 1st. floor

See you at the meeting!

To the point: if you're from Wrocław area or if you happen to be around on July 3, be sure to come to the ISSA Polska meeting in Wrocław. We plan the meeting to be real fun this time. We'll be having a guest from Credit Suisse IT Risk dept. giving a talk. We also plan to discuss latest incidents in Poland.

When: July 3, 6PM

Where: Credit Suisse, Kameleon building at Szewska st., 1st. floor

See you there!

When was the last time you got a phishing email? Not that long ago, I bet. Me too. There is nothing unusual in it, nowadays we get so much of it that we simply get used to it and usually just silently delete or ignore it (if spam filters don’t do it for us).

So, why am I talking about this? Well, because of a funny coincidence. Or maybe it wasn’t that much of a coincidence… Here is the story.

And suddenly, within minutes, I got one! Whoohoo! The nice piece of email pictured at the beginning of this post landed in my mailbox. Then it repeated once or twice a day or two later and stopped. My first reaction was that I got myself some malware that got hold of the credit card activation process and triggered the mailing. But it wouldn’t make much sense. If I had something locally (and I hadn’t, as all sorts of scans showed some time later), what would stop it from reading my previous credit card number and all the authentication information when I submit it during an on-line transaction? It wasn’t on the line with the bank either, as the connection was securely SSLed. So, how come? It might have been an accident, of course, but… a funny one…

The whole thing got me thinking. And what if this information leaked from VISA themselves (I’m not even trying to guess how it could happen). Yes, I know it sounds stupidly paranoid, but, well, you know… things happen. So, if you experienced something like this, I would be really happy to hear from you. I’d at least know I’m not delusional (or not that much at least).

We're gonna do it for the fifth time already! Whooohoo! :)

This time the main theme will be Intrusion Detection Systems and Web Application Firewalls. Also a discussion panel is planned so that we all could shout at each other and throw blunt objects in each other’s general directions.
Here is the agenda:

1. A warm welcome (myself)
2. Intrusion Detection Systems (Wojtek Wirkijowski)
3. Web Application Firewalls (Edward Weinert)
4. Discussion Panel (Andrzej Piotr Kleśnicki)

And as always, there is a prize to be won.

See you at the meeting!

As probably most of you guys, I’m not spending my day fuzzing stuff, but, probably as most of you again, I’m bumping over a software glitch from time to time. Sometimes, when I’m in the mood, I’m poking the hole to see what happens.

And I was in the mood that day.

..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp%00.txt

a victim will most likely end up sending a winnt.bmp file from their windows directory instead of what they actually intended to send. The actual content of a file that the victim is trying to attach is of course irrelevant.

I wouldn’t be me if I left it at this. So, as an enhancement to the basic idea, we can add some more jumps to the upper directory to have better chance that we get to the root level of the file system:


..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp

And to add some more fun we can, say, get ourselves someone's SAM file from the windows\repair directory:


..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Frepair%2Fsam%00.bmp

The .bmp extension ensures proper encoding of a binary file (I've been really impressed how perfectly the %00 gets its job done).

Finally we can do some obfuscation:


%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%57%49%4E
%44%4F%57%53%2F%72%65%70%61%69%72%2F%73%61%6D%00%.bmp

As for the severity of this flaw, it certainly couldn’t be called serious as 1) it takes a lot of user interaction (i.e. downloading the funny named file and then sending it as an attachment) and 2) an attacker needs to be able to sniff the sent email off the wire. I can think of some highly directed attacks under which this bug can potentially result in exploitable conditions, but my guess is that one would rather find an easier way to get the job done.

Even though it’s nothing serious this time, it gives us some food for thought. Firstly, there is no such thing as "we know this kind of bugs for ages and they don’t happen anymore". Secondly, a well thought over architecture, a robust coding framework and a proper code quality assurance shouldn’t be optional. And finally, you can never have enough of code quality assurance.

Thank you! Thanks to all of you who made it to the meeting despite the fact that we have changed the location twice. And my apologies to all of you, who didn’t. We will do our best to make sure it doesn’t happen anymore.

Despite all the trouble, the meeting was fun. We totally run out of schedule due to discussions that broke out during the first talk. Oh, and the cookies were awesome! Not to mention the coffee.

We have one piece of slides this time, so, for all of you who would like to go through the presentation again and for others that didn’t make it to the meeting, here it is.

Thanks again and see you next month!

Let me invite you to another ISSA meeting in Wroclaw. It’s the third meeting already and this time we’ll be discussing Computer Forensics and Incident Response. We’ll be having a discussion panel as the last time and we’ll let you guys win some prizes in a competition.

All that and even more on Mar 11, 2008 at 6pm.

Where? At BZ WBK Wroclaw HQ, Rynek 9/11 (second door if you look from the pl. Solny direction). At Politechnika Wroclawska, Janiszewskiego 11/17, building C3, room 118 (enter either through building C-1 or C-5).

An important note: you need to register for the meeting before Feb 4, 2008, 9pm at the latest. In order to register, please use the following link.

UPDATE: This time we meet at Politechnika Wroclawska, Janiszewskiego 11/17, building C3, room 118 (enter either through building C-1 or C-5).

Tons, and I mean TONS, of "undeliverable message" bounces together with quite a lot of my favourites – out of office notes. When you think about it, quite a lot of information is being thrown at you in such messages. Here are some sanitised examples (all in German, as my email address sells on a German market, apparently).

Automatische Antwort - Zur Zeit nicht erreichbar

Vielen Dank für Ihre Anfrage, die uns erreicht hat.

Für eilige Rückfragen können Sie sich auch direkt an mich unter

Tel. +49 (0)4XXX / XX XXX
Mob. +49 (0)17X / XXX XX X5
Fax. +49 (0)4XXX / XX XX0

wenden.

Mit freundlichen Grüßen aus XXXX,

Ihre XXXX

Some names and email addresses (you can’t have too much of it):

Automated reply from XXX@XXX.de

Ich habe Ihre Mail betreffend 'Man Lebt nur einmal - probiers aus !' erhalten.

Von Freitag, dem 8. Februar bis Freitag dem 15. Februar bin ich nicht im Büro zu erreichen. Bitte wenden Sie sich in dieser Zeit an meine Kollegin Susanne XXX (s.XXX@XXX.de). Ihre Mail wurde nicht weitergeleitet.

Mit besten Grüßen,

XXXX
---------------------------------
XXXX GmbH
XXXX 1
XXXX XXXX (Germany)

Fon: ++49(0)XXXX.XXXX5
Fax: ++49(0)XXXX.XXXX6

Mail: XXX@XXX.de
Web: http://XXXX.de
Web: http://XXXX.com

GF: YYYY YYYY, ZZZZ ZZZZ
XXXXXXXXX
---------------------------------

And some more names together with phones and email addresses:

Susanne XXX nicht erreichbar. Ihre E-Mail wird nicht gelesen.

Ich werde ab 29.01.2008 nicht im Büro sein. Ich kehre zurück am
05.05.2008.

Sehr geehrter Damen und Herren

Ich bin in Elternzeit.
Ihre E-Mail wird nicht weitergeleitet.

Bitte wenden Sie sich entweder an
Alexandra XXX, Tel. 089 - XXX XX - XXX
e-mail XXX.a@XXX.de
oder an
Carolin XXX, Tel. 089 - XXX XX - XXX oder e-mail
XXX.c@XXX.de

Vielen Dank und viele Grüße
Susanne XXX

It’s not much, is it? But still some people would argue that together with some background info about what the particular people are responsible for in the organisation it may be enough to snatch some goodies from them.

It’s never wise to underestimate the power of people’s natural friendliness and urge to help others. Maybe sparing a few details wouldn’t defeat the purpose and would make it more difficult to carry out a successful social engineering attack. Specific procedures and awareness trainings also help, obviously.

After an indubitable success of the first ISSA Polska meeting in Wroclaw I’d like to invite you to the secondo one. This time the topic will be Two Factor Authentication. As kind of an innovation, we’ll be having a discussion panel after a series of short talks.

And as another innovation, we’re planning to squeeze the whole meeting into two hours, so that we'll have more time for the after-party.

Hope to see you at the meeting!

When? Feb 12, 2008 at 6pm.

Where? At BZ WBK Wroclaw HQ, Rynek 9/11 (second door if you look from the pl. Solny direction).

An important note: you need to register for the meeting before Feb 4, 2008, 9pm at the latest. In order to register, please use the following link.

A big thanks goes to BZ WBK for hosting our meeting and to all those without whose help the meeting wouldn’t have happened. Also, special thanks to Patryk Gęborys, President of ISSA Polska for coming from far Warsaw just to be at the meeting and, of course, to all of you guys, who were with us.

See you in a month! And in the meantime help yourselves to the slides below.

Cheers!

What do you think about public speaking? Are you, by any chance, one of those people who feel entirely confident when performing on stage? No trembling hands at all? Maybe you feel like you were born to motivate people and encourage them to excel? Do you? Statistics say you most likely don’t. And you know why? Because people aren't usually born ready and prepared to get on stage and give a wonderful emotional performance. And if they think they do, they usually give a pretty crappy one. You are not born a speaker, you become one.

So, to rephrase, have you ever thought of becoming a successful public speaker? Have you ever wanted to overcome your fears? If you did and you haven’t heard about Toastmasters yet, it’s something you should definitely try. Find a club near you and go to the meeting. See how it is and if you like it, join and start amazing even yourself!

If you live in Wroclaw area, Poland, you’re lucky, as there are two clubs currently forming in Wroclaw – an English speaking one and another, Polish speaking. If you’re interested, feel free to subscribe to our mailing list and sign up to our Goldenline group, as these are the places where you can hear the news. You may also like to visit our website. And of course, be sure to visit our demonstration meeting soon!