Month: May 2012

In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII.

However it’s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong.

Take American Express for example:

An email from them asking you to send a copy of your passport/driving licence/etc… to confirm your identity suggests that you may reply via email however:

Please note that the internet can be insecure. You must use a secure encryption method when sending personal data and/or documentation to us via email to safeguard your personal data

Great… you encourage your customers to encrypt their personal data.

So I’ll just send over a truecrypt volume encrypted with twofish-aes-serpent shall I?

Or perhaps a PGP encrypted volume, whats your public key?

What about just an AES256 encrypted zip?

Okay so that’s point 1.

• They’ve suggested that it is on the customers own head to protect their data. However they have not listed the accepted formats of encryption that they use.

So we’re assuming because they’ve not provided us with a public key they don’t want pgp or gpg encryption. They want something simple that doesn’t require too much infrastructure in place so we’ll go with the AES256 encrypted zip, which providing they have winzip/7zip/*ziprarace client means they can enter in a password and decrypt the contents.

Great, so how do I get the password to you?

AMEX are right, internet communication via email is all in the clear, so if someone was in the middle of my traffic (i’m on a corporate network, chances are they’re monitoring it at least so files could be logged or archived in an antivirus mail gateway for example) they could intercept the cleartext data and have my passport details.

So I encrypt it and send it via email, attacker or corporate network now only has an encrypted zip file.

How do AMEX suggest I send a password to them? I call their customer service desk, expecting them to give me a number to SMS it to or a voice service that instead reads me a password when I dial the number and enter my reference code?

Oh you just send it via email. I think you’re meant to send it all together

…I explain my concerns..

Erm, I’ve never been asked that before I guess I could give you another email address to send it to

Point 2:

• Sending encrypted data along with the password in the same email is as good as sending cleartext data.
• Sending encrypted data along with the password via the same mechanism is as good as sending cleartext data.

So despite all of AMEX’s good advice above “You must use a secure encryption method…” actually there is no way to use a secure encryption method to keep your data safe when dealing with them.

Extra Note:Along the same lines, as I mention above I regularly get asked to encrypt reports that are deemed commercially sensitive. So I email out the encrypted zip file, and they request that I SMS them the password.

2 minutes later, their blackberry chirps… twice*.

*Did you guess what just happened?

Their blackberry received both the encrypted zip and the plain text password. Loss/Theft of the blackberry once again could result in the loss of commercially sensitive data.

Figured I’d keep a copy of this on here for the next time I need to do malware investigation. 

http://www.urlvoid.com – checks URL’s against lots of blacklists, emergingthreats, malwaredomainlist and zeustracker/etc…

http://www.ipvoid.com – Same as above but for IP addresses

http://support.clean-mx.de – Searches above databases and records logs of abuse claims. Useful as it can sometime give you extra URI’s for a host to comb your logs for. Also usefully gives you the date that its crawler last was able to pull down the malicious binary.

http://hosts-file.net/ – Provides an assessment according to the type of nastiness a domain or IP is associated with.

http://www.malwaredomains.com – Provides a blacklist DNS entry head to the downloads page, open the text file version and CTRL-F to search. Will give reason for blocking (i.e. listed in emergingthreats.net) along with the date.

http://www.malwaredomainlist.com – Provides a listing of hosts and ip’s known to be associated with malware.

http://www.emergingthreats.net – Provides snort rules configured to detect malicious traffic/hosts.

http://www.robtex.com – Advanced DNS lookups, links hosts to nameservers, can give aliases and associated subdomains as well as any shared hosts.

http://www.network-tools.com – Basic network tools, whois, dns, traceroute, etc… useful for performing checks NOT from your own ip 🙂

http://www.zeustracker.com – lists zeus C&C nodes

http://www.spyeyetracker.com – lists spyeye C&C nodes

Be careful if you use any of these tools on the affected network as often it will contain the hostname or IP you’re looking for in the request parameters which means they’ll flag you up as an infected laptop without looking at the actual URL you’re browsing to (happened to me previously).

*10/06/12 – Correction courtesy of Steven B: I originally had “hp-hosts.com” listed instead of hosts-file.net, thanks for the heads up.