Sunday, October 28, 2012

Monitoring GSM Networks with SNORT

Last December, during the annual Computer Chaos Congress, I was testing out OsmocomBB and monitoring the CCC test GSM base stations. It gave me a chance to monitor a GSM network being used in a test environment. Since the network was run by OpenBTS and OpenBSC I expected the network to exhibit some differences to more traditional equipment from Ericsson, Siemens, etc. I wanted to try to fingerprint the differences in GSM equipment in order to detect anomalies to assist in identifying rogue GSM towers and/or  what are often referred to as "IMSI-catchers". Within a few minutes of monitoring I realized I wouldn't be disappointed. The very first thing that caught my eye was this very interesting frame...

Wednesday, October 3, 2012

Learning from Spam

Occasionally I like to look at the dark side of the internet. And spam does a great job of bringing plenty of malware-laden websites to my spam folder for me to stroll through. Today I stumbled upon a very nicely crafted email from "YouTube":

What caught my attention was that the sender took the time to craft this naughty email with care. If you look closely, when hovering over the links that I expected to take me to, my email client didn't show a link to something naughty, but rather a hover text showing a legitimate link to YouTube:

It looks strangely legitimate...

Upon closer inspection it seems that the sender hid the links in a nifty way - by assigning a "title" attribute to the style property within the <a> tag that linked to the sender's website:

<a href=""style="text-decoration:none; color:#1C62B9;"title="">inbox</a>.

This is the kind of subtle change that can make it difficult for a common user to detect anomalies in their email. When confronted with suspicious emails I often hover over links to see where they really go and I was surprised to see what looked like a legitimate link show up in the hover text. Very nice job, Mr. Attacker. I learned something new from you today.