Logo Background
  • Phishing attacks on the rise in the United Arab Emirates (UAE)
    By on December 30, 2010 | Comments Off  Comments
    Phishing attacks are on the rise in the UAE; Mashreq (bank) appears to be the prime target. Take a look at the below screenshots for some of the more recent samples.

    Figure 1 – Mashreq bank phishing email
    Figure 2 – HSBC phishing email
    Figure 3 – Llyods TSB phishing email
    Figure 4 – Abu Dhabi Commercial Bank – ADCB phishing email
    The attack targeting Mashreq customers is out of the ordinary. It does not link back to any external phishing page but instead provides an html page as an attachment and looks quite convincing. The attachment is done nicely that fetches images and other html elements directly from the official website – mashreqbank.com. Once the victim fills in the login information, it is emailed to the attacker using the free formbuddy.com web to mail gateway – a simple yet effective trick that even demonstrates how virtual screen keyboard security control deployed by Mashreq can be bypassed.
    Figure 5 – Fake Mashreq bank login page attached with the phishing email

    Figure 6 - Source of the fake Mashreq login page reveals username and password is emailed to attacker using formbuddy.com

    The cyber criminals behind Mashreq bank phishing attacks were likely responsible for the incident reported today in the local daily, Gulf News. It is a shame that the bank did not pickup on the series of transactions which were likely scheduled beforehand; even worse is the fact that it denied all liability. Certainly there are several technical controls that could have been placed by the bank in this case to avoid such an incident in the first place.
    Bottom line: how does an average person protect against  such threats ? Nothing beats simply staying alert and not responding to a seemingly legitimate email request that calls for any action resulting in having to send login credentials over the Internet. Combine this with use of a computer system that can be deemed trustworthy and you have reasonable assurance that you are protected.
  • Status update.
    By on November 10, 2010 | Comments Off  Comments

    Whoa, I didn’t realize that it’s has been over an year since my last post! Sorry folks, I have been extremely busy at work.

    There’s a lot of work to be done in the region for cyber security of critical infrastructure. Thankfully, I am fortunate enough to get all the support I need here in Qatar.  The Government here already laid out great foundations with formation of Q-CERT, and is actively involved in ensuring all the necessary resources are available to critical infrastructure operators to secure their environments. It is no wonder that Qatar was least affected by the much discussed and controversial Stuxnet threat.

    That’s all for now. Looking forward to bringing you fresh content from here on out.

  • The Daily Telegraph website hacked
    By on March 7, 2009 | Comments Off  Comments

    The Romanian group, HackersBlog, has struck again and this time it is not an infosec firm. It is the website of the highest selling national daily newspaper of the United Kingdom, The Daily Telegraph.

    The Property section of the website suffered a serious SQL injection vulnerability which was disclosed by the group. The affected section of the website is currently offline:


    Figure 1: Telegraph.co.uk's Properties section was taken offline after the compromise


  • Oracle to issue patch for 41 security issues
    By on January 12, 2009 | Comments Off  Comments

    Oracle is to release a patch tomorrow that fixes 41 security vulnerabilities across hundreds of its products. According to the announcement, the affected supported products are:

    • Oracle Database 11g, version
    • Oracle Database 10g Release 2, versions,,
    • Oracle Database 10g, version
    • Oracle Database 9i Release 2, versions,
    • Oracle Secure Backup version,
    • Oracle Secure Backup version,,
    • Oracle TimesTen In-Memory Database version,,,
    • Oracle Application Server 10g Release 3 (10.1.3), version
    • Oracle Application Server 10g Release 2 (10.1.2), versions,
    • Oracle Collaboration Suite 10g, version 10.1.2
    • Oracle E-Business Suite Release 12, version 12.0.6
    • Oracle E-Business Suite Release 11i, version
    • Oracle Enterprise Manager Grid Control 10g Release 4, version
    • PeopleSoft Enterprise HRMS versions 8.9, 9.0 and 9.1
    • JD Edwards Tools version 8.97
    • Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
    • Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
    • Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
    • Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
    • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA
    • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3
    • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6

    This release dwarfs Microsoft’s one-patch fix that affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

  • Rogue Certification Authority certificates a reality
    By on December 31, 2008 | Comments Off  Comments

    A team of researchers presenting yesterday at the 25th Annual Chaos Communication Congress held in Berlin,  have successfully demonstrated an attack against X.509 digital certificates signed by a trusted Certification Authority (CA) using the MD5 hashing algorithm. The attack method makes use of MD5 collision techniques which were known to exist since 2004 but demonstrated in practice for the first time.

    Read more about the details here.

    The discovery, however, does not post a serious security risk as the technique has not been disclosed. Furthermore, most CAs are already using at least SHA-1 for the hashing function instead of MD5. The slow mover, VeriSign, acknowledged the attack today and confirms that all certificates issued are not vulnerable to the new attack.

    If you are still paranoid, get hold of an Extended Validation Certificate.

    Happy New Year 2009! :-)


  • Microsoft to dump OneCare subscription model
    By on November 19, 2008 | Comments Off  Comments

    Microsoft’s Windows Live OneCare service never really received good reviews despite being one of the first entrants in to the retail Windows PC security marketplace with a all-in-one solution. Why not? Many reasons but primarily because it relies on products that are already available for free and does not work well with third-party programs.

    Things could change for Microsoft with the introduction of “Morro” – a free solution that Microsoft describes as “comprehensive protection from malware including viruses, spyware, rootkits and trojans…will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs”. “Morro” would be available in the second half of 2009; Windows Live OneCare subscription service will be discontinued effective June 30, 2009.

    According to Microsoft’s official press release:

    “Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously,” said Amy Barzdukas, senior director of product management for the Online Services and Windows Division at Microsoft. “This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware.”

    It would be interesting to see how Symantec and McAfee respond to this move by Microsoft.

  • Dodgy domain registrar de-accredited by ICANN
    By on October 30, 2008 | Comments Off  Comments

    The Internet Corporation for Assigned Names and Numbers (ICANN) has terminated its Registrar Accreditation Agreement (RAA) with EstDomains.com after the President of the company was convicted for credit card fraud, money laundering and document forgery.

    This comes as welcome news by the cyber security community as EstDomains.com has been used by cyber criminals for years to hide their identities and conduct various malicious activities such as using domains for bot command & control servers, drive-by downloads as well as spamming.

    Here are some links of interest that provide more information on this story:

    1. F-Secure Weblog - “Case EstDomains” 
    2. The Washington Post Company – “ICANN De-Accredits EstDomains for CEO’s Fraud Convictions”
    3. Notice sent to EstDomains.com by ICANN (pdf)

  • Yahoo! fixes cross-site scripting vulnerability
    By on October 28, 2008 | Comments Off  Comments

    Yahoo! has fixed a cross-site scripting vulnerability affecting the HotJobs website. The vulnerability, first reported by Netcraft allowed injection of malicious code that stole session authentication cookie of Yahoo! users and submitting them to a US-based webserver. Yahoo!’s statement found on Netcraft states:

    The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

    As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

    The session authentication cookies could have been used for accessing Yahoo! services such as Yahoo! Mail and Yahoo! HotJobs amongst others.

  • US forms task force to combat defense data leaks
    By on October 28, 2008 | Comments Off  Comments

    A special task force has been setup by the US Army to combat theft of sensitive military information stored on computer systems of private-sector contractors. The task force, Defense Industrial Base Cyber-Security Task Force, came in to being earlier this year without much noise.

    According to an army document produced in August this year for the Pentagon’s Department for Acquisition, Technology and Logistics and first reported last week by Inside Defense:

    “Exfiltrations of unclassified data from [military contractor computer] systems have occurred and continue to occur, potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force,”

    “Current … efforts largely focus on mitigating risks of compromise to war-fighting technologies as a result of traditional espionage or industrial theft,”

    “hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap.”

    Sure this initiative will bear fruit but I think more needs to be done within the Government security departments to combat potential cyber security threats. Only this week I saw Airport Security personnel hooked up on MSN.com at the Chicago O’Hare International Airport on a light day. Open Internet is a risky area for airport security personnel don’t you think?

    More on the story here

  • UK defense ministry in possible identify theft scare
    By on October 10, 2008 | Comments Off  Comments

    CNN is reporting that the Ministry of Defense of the UK has lost track of a portable hard drive which according to a tabloid carries information on some 100,000 British military personnel and 600,000 potential recruits.

    One can only wonder whether the information on the hard drive was encrypted or not…