[AfrICANN-discuss] On phishing, the IPv6 flaw and directory fraud on the ccTLDs

Dr Yassin Mshana ymshana2003 at gmail.com
Sun May 13 15:45:23 SAST 2007


Dear AR et al.,

Thank you for sharing the information regarding security issues that may
put the usage of IPv6 at higher risk. I hope that the community will
provide all that is needed by engineers to solve this impending problem and
also their R&D activities should be given the necessary attention - it is very
important to keep pace with individuals who put us at risk.

Cheers

Yassin Mshana

On 11/05/07, Anne-Rachel Inné <annerachel at gmail.com> wrote:
>
> *by Nicolas SIMONIN*
> nicolas.simonin at indom.com
>
> *.CA denounces a directory fraud.*
>
> *After France, Canada is today the target of Deutscher Adressdienst GmbH, a
> German company offering, at a very high price, your listing in an "official"
> directory.*
>
>     *KEY POINTS*
> • *How many .CA today?*
> There were 833,958 .CA domains registered as of 7 May 2007
>
>
> We had alerted you to the actions of a German company which, in exchange
> for €960 <http://www.domainesinfo.fr/actualite/1180/un-annuaire-a-prix-d-or.php>,
> offered French Internet users a listing in a "so-called" professional
> directory of the French registry.
>
> This same company has recently been targeting Canadian territory by postal
> mail. The .CA registry has taken the initiative of issuing an alert message
> to inform its Internet users of the dubious nature of these letters.
>
> The Canadian Internet Registration Authority (ACEI) is asking .CA
> registrants not to respond to letters, faxes or other communications from
> the firm DAD Deutscher Adressdienst GmbH, a German company operating under
> the misleading banner of "Registre Internet du Canada" (Canadian Internet
> Registry). This name is of course reminiscent of the "Registre Internet
> français" <http://www.domainesinfo.fr/actualite/1180/un-annuaire-a-prix-d-or.php>
> used to deceive the French public.
>
> *$1,457 in fees for a directory listing!*
>
> Letters or faxes in French are sent to .CA registrants under the pretext of
> updating their domain name registrations. It is a scheme designed to induce
> registrants to buy a set of marketing services at a cost of $1,457.
>
> *A story to follow...*
>
> ACEI is therefore warning its registrants and strongly advises them against
> providing any information or making any payment to this company. It has
> brought this matter to the attention of the police authorities and will
> continue to keep .CA domain name holders informed of developments in this
> case.
>
> Published Monday 7 May 2007
> *Article links* - Check the availability of a .CA?
> http://www.indom.com
> Copyright (c) *DomainesInfo*. All rights reserved. Printed 11/05/2007
>
>
> The Phisher King - http://www.darkreading.com/document.asp?doc_id=123671
>
> MAY 9, 2007 | You see phishing attack attempts nearly every day, but what
> you don't see is the face behind the attack. In a rare glimpse into the mind
> of a phisher, hacker and security expert RSnake recently engaged an attacker
> who says he makes $3,000 to $4,000 a day and was willing to share
> <http://ha.ckers.org/blog/20070508/phishing-social-networking-sites> a bit
> about himself and how he operates.
>
> RSnake, a.k.a. Robert Hansen, CEO of SecTheory and *Dark Reading*
> <http://www.darkreading.com/blog.asp?blog_sectionid=403> blogger, asked the
> phisher, called "lithium," how he operates, what technology he uses, and
> just how much money he makes off these scams.
> Lithium, who says he's 18 and has been phishing since he was 14, said he has
> stolen over 20 million identities, mostly via social networking worms. "I
> have so many hundreds of thousands of accounts to many websites I haven't
> even got a chance to look through," he wrote to RSnake, who today published
> the responses on the ha.ckers.org blog.
>
> While RSnake admitted he can't verify all of lithium's actual numbers, he
> said in response to comments on his ha.ckers blog that the phisher's story
> "jives" with that of traditional phishers.
>
> RSnake also confirms that lithium is an actual phisher: "I found one of
> his old phishing sites," RSnake says. "I can't comment on the numbers, but
> yes, he was definitely really a social networking phisher."
>
> Lithium says he got interested in phishing after realizing the scam emails
> his parents were getting were weak, but still basically worked. "So, I knew
> automatically I could come up with more efficient methods and have a far
> greater outcome."
>
> Lithium only phishes about three or four times a week, and he targets
> social networking sites, mostly those frequented by the teen crowd. "5 times
> out of 10 the person uses the same password for their email account," he
> wrote. "Now depending what is inside their email inbox determines how much
> more profit I make. If an email account has one of the following
> paypal/egold/rapidshare/ebay accounts even the email account itself, I sell
> those to scammers."
>
> The phisher said he typically tries to locate a domain name that looks
> "realistic" to the target, and then finds an anonymous host, typically
> offshore. "Although, I do tend to use compromised hosting accounts," he
> wrote. "Secondly, I view the page source. Then I alter the source code to
> post the forms information to my pishing [*sic*] site. Thirdly, I create a
> php file which will POST the current forms information to a text file on my
> server. I use the same php file with every site...Just minor alterations are
> needed since it's mearly [*sic*] a few lines of php code."
>
> RSnake asked him how many people he typically phishes per day. Depending
> on the size of the Website, lithium said, it's usually about 30,000.
>
> HD Moore, director of security research for BreakingPoint Systems, says
> while lithium does match the typical profile of phishers, his "numbers seem
> a little on the high side."
>
> Plus, lithium's days as a phisher could be numbered if he isn't careful.
> "Running a phishing site attracts attention -- it has to, or it won't work.
> Bragging about how much money you make is a sure sign you are going to get
> busted in the near future," Moore says.
>
> Using freelance programmers is also a liability, Moore notes. "If any of
> them get audited on where their money comes from, you can bet they would
> turn over this guy in a heartbeat."
>
> Lithium, meanwhile, told RSnake he uses a dedicated server, VPN, network
> encryption software, and a 1-Mbit/s ADSL line. Tool-wise, the phisher said
> he uses MyChanger for most social networking sites: "This makes pishing [*
> sic*] so much faster on social networking sites. Everything is automated!
> messaging/bulletins/comments/profile modifications it's great. Other than
> that, I get ALOT [*sic*] of custom programs built to suite [*sic*] my
> needs from freelance developers," he wrote.
>
> How does he remain in the shadows? "I use VPN's, Dedicated servers,
> Proxies and my network traffic is encrypted. All payments are made through
> egold."
>
> Interestingly, he admitted Internet Explorer 7 and Firefox 2.0's
> anti-phishing filters "cause the most irritation" of phishing deterrents
> available today.
>
> But security experts say not much seems to hurt lithium and other phishers
> in the end. It's still always a game of catch-up for the good guys, says
> Jeremiah Grossman, founder and CTO of WhiteHat Security. "Microsoft and
> Mozilla spend years figuring out a workable solution, then a short time
> later, it's all for naught. Bad guys can adapt a lot faster than the good guys,
> which is why our job is so much harder."
>
> And the wealth of Web application bugs is keeping lithium in business --
> for now, anyway: "Lazy web developers are the reason I'm still around
> pishing," lithium wrote.
>
> - Kelly Jackson Higgins, Senior Editor, *Dark Reading* <http://www.darkreading.com/>
>
>
> Experts scramble to quash IPv6 flaw
> Robert Lemos, SecurityFocus 2007-05-09
>
> A flawed feature that could amplify denial-of-service attacks on
> next-generation networks has vendors and engineers rushing to eliminate the
> potential security issue.
>
> This week, experts sent two drafts to the Internet Engineering Task Force
> (IETF) -- the technical standards-setting body for the Internet -- proposing
> different ways of fixing a problem <http://www.securityfocus.com/bid/23615>
> in the way that Internet Protocol version 6 (IPv6) allows the source of
> network data to determine its path through the network. The drafts recommend
> that the IPv6 feature should either be eliminated or, at the very least,
> disabled by default.
>
> The specification, known as the Type 0 Routing Header (RH0), allows
> computers to tell IPv6 routers to send data by a specific route. Originally
> envisioned as a way to let mobile users retain a single IP for their
> devices, the feature has significant security implications. During a
> presentation at the CanSecWest conference on April 18, researchers Philippe
> Biondi and Arnaud Ebalard pointed out that RH0 support allows attackers to
> amplify denial-of-service attacks on IPv6 infrastructure by a factor of at
> least 80.
>
> "In rough terms, it makes everything we thought was bad, a thousand times
> worse," Paul Vixie, president of the Internet Systems Consortium
> <http://www.isc.org/index.pl>, said in an e-mail interview with
> SecurityFocus. "It can be exploited by any greedy Estonian teenager with a
> $300 Linux machine."
>
> The security issue comes as more organizations are making the switch to
> IPv6 from the current Internet routing standard (IPv4). The U.S. federal
> government and many major corporations are transitioning to the standard by
> the end of the decade. The U.S. Department of Defense and the White
> House's Office of Management and Budget have mandated that the military
> services and federal agencies move their backbone systems
> <http://www.whitehouse.gov/OMB/egov/b-1-information.html#IPV6> to IPv6 by
> June 30, 2008.
>
> However, the standard is already widely supported by routers and operating
> systems. Apple's Mac OS X, the Linux operating systems, and Microsoft's
> next-generation operating system, Vista, use the standard as the default
> networking protocol. Microsoft supports wrapping IPv6 packets inside of IPv4
> data, known as 6to4 tunneling, so that networks sending data using IPv6 can
> communicate across the Internet, but attackers could use the technique to send
> covert data <http://www.securityfocus.com/brief/427>.
>
> The RH0 security issue has its roots in the current Internet protocol
> implementation. The specification for IPv4 allows the sender of data to
> specify one or more routers through which the data must travel. Known as
> source routing, the technique allows up to 9 other addresses to be included
> in an IPv4 extended header, requesting that the packet be routed through
> those specific addresses. While source routing can be beneficial for
> diagnostics, it can also be used to amplify a denial-of-service attack by a
> factor of 10 by alternating two target Internet addresses in the header,
> ping-ponging the data between two machines.
>
> While source routing has been accepted as a bad security risk by most
> companies and most routers disable the feature by default, the IETF has not
> eliminated the option from the specification and extended it to IPv6.
>
> "IPv6 is really neat, but I think we are going to see a number of these
> gotchas because it is still so new," said Jose Nazario, senior security
> researcher with Arbor Networks. "It will likely shake out over the next
> couple of years."
>
> Under IPv6, the impact of allowing users to specify some of the addresses
> to which data must be sent, known as loose source routing, is more dire.
> Because more addresses can be included in the header, rather than magnifying
> an attack by 10, Biondi and Ebalard calculated that it could amplify attacks
> by a factor of 88. In addition, RH0 also could allow an attacker to dodge a
> distributed technology, known as AnyCast, for protecting the 13 DNS root
> servers from attack and could be used to create a backlog of packets that
> could spike traffic to a server at a specific time.
>
> "It is exactly that: The reintroduction of the IPv4 loose source routing
> mechanism in the IPv6 world and on steroids," said a network engineer that
> asked not to be identified.
>
> The IETF reaction may have set a new speed record for the
> standards-setting body. With engineers arguing technical merits and
> peer-reviewing others' work while vendors push their specific requirements,
> the IETF is not known for making quick decisions.
>
> Yet, after debating the issue since the CanSecWest presentation, engineers
> have published two proposals: get rid
> <http://www.ietf.org/internet-drafts/draft-jabley-ipv6-rh0-is-evil-00.txt>
> of the feature or make everyone turn it off
> <http://www.netcore.fi/pekkas/ietf/draft-savola-ipv6-rtheader-00.txt>
> unless it's really needed.
>
> "In practice, it will be disabled; whether it gets left around for
> future usage, that's up in the air," said Robert Hinden, co-chair of the
> IPv6 Working Group for the IETF and a Nokia Fellow at the networking and
> phone giant.
>
> Yet, companies and the engineering group responsible for a large portion
> of the IPv6 routing code have moved quickly to disable the feature. By late
> April, the Kame Project, which has created the code used in many flavors of
> the BSD operating system as well as routers, had disabled the Type 0 Routing
> Header in its own code.
>
> "They don't just avoid walking the RH0 header, but they also now drop
> packets that contain it," said Theo de Raadt, project leader for OpenBSD.
>
> Cisco has issued a security advisory
> <http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml>
> on the issue. Both Cisco and Juniper declined to provide a representative to
> discuss the issue.
>
> Because IPv6 has not been fully deployed in most networks, it will likely
> only take two or three years for almost all Internet service providers to
> fix the issues, de Raadt said.
>
> ISC's Vixie agreed that the problem should be almost completely eliminated
> in three years.
>
> "I'd say in three years this will be a footnote," Vixie said.
>
>
> _______________________________________________
> AfrICANN mailing list
> AfrICANN at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/africann
>
>


-- 
c/o DFID-Nigeria
No. 10 Bobo Street
Maitama
Abuja
Nigeria

Skype: yassin mshana
Mobile: +234-803 970 5117
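As an added illustration of the RH0 handling the SecurityFocus article describes (the Kame Project dropping any packet that carries a Type 0 Routing Header rather than walking its address list), here is example code written for this post; it is not taken from Kame, the IETF drafts or any vendor. The addresses 2001:db8::a and 2001:db8::b and all helper names are constructed for the test.

```python
import struct
from ipaddress import IPv6Address

IPV6_NH_ROUTING = 43   # Routing extension header
IPV6_NH_NONE = 59      # No Next Header
RH0 = 0                # Type 0 Routing Header
TARGET_A = IPv6Address("2001:db8::a")   # constructed sample addresses
TARGET_B = IPv6Address("2001:db8::b")

def build_plain_ipv6(src, dst):
    """Constructed test input: a bare IPv6 header with no extension headers."""
    return struct.pack("!IHBB", 0x60000000, 0, IPV6_NH_NONE, 64) + src.packed + dst.packed

def build_ipv6_with_rh0(src, dst, hops):
    """Constructed test input: IPv6 header followed by an RH0 listing `hops`.
    Hdr Ext Len counts 8-octet units after the first 8 bytes, so 2 per address."""
    rh = struct.pack("!BBBB", IPV6_NH_NONE, 2 * len(hops), RH0, len(hops)) + b"\x00" * 4
    rh += b"".join(h.packed for h in hops)
    hdr = struct.pack("!IHBB", 0x60000000, len(rh), IPV6_NH_ROUTING, 64)
    return hdr + src.packed + dst.packed + rh

def find_rh0(packet):
    """Walk the extension-header chain; return (segments_left, [addresses])
    for a Type 0 Routing Header, or None if the packet carries none."""
    next_hdr, off = packet[6], 40
    while off + 8 <= len(packet) and next_hdr in (0, 43, 44, 60):
        if next_hdr == IPV6_NH_ROUTING and packet[off + 2] == RH0:
            n, seg_left = packet[off + 1] // 2, packet[off + 3]
            base = off + 8
            addrs = [IPv6Address(packet[base + 16 * i: base + 16 * i + 16]) for i in range(n)]
            return seg_left, addrs
        # Hop-by-hop, other routing types and destination options carry a
        # length field in 8-octet units; the fragment header is a fixed 8 bytes.
        size = 8 if next_hdr == 44 else 8 * (packet[off + 1] + 1)
        next_hdr, off = packet[off], off + size
    return None

def should_drop(packet):
    """Filter policy the article attributes to the Kame Project: drop any packet
    carrying RH0 outright, instead of walking its address list."""
    return find_rh0(packet) is not None

def requested_traversals(packet):
    """Rough amplification estimate: every segment still left in the RH0 is one
    more time the network must carry this packet (1 for a normal packet)."""
    found = find_rh0(packet)
    return 1 + found[0] if found else 1
```

The traversal count is what the article's "factor of 88" refers to: the filter above refuses the packet before any of those hops is taken.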