Vietcombank: Spam or Ham

November 17, 2008 by lamer

Here’s the plain message. Of course I masked my email address.

from: Vietcombank <ibanking@vietcombank.com.vn>
to: **************@*****
date: Thu, Nov 13, 2008 at 4:38 PM
subject: Thông báo thay đổi giao diện VCB-iB@nking
mailed-by: vietcombank.com.vn

Vietcombank respectfully greets our valued customers!

With the aim of bringing customers more convenience and a friendlier experience when using
the online banking service – VCB-iB@nking, starting from 15/11/2008 Vietcombank
will put into use a new VCB-iB@nking interface together with a number of additional features.
Please see the service user guide <a href="http://www.vietcombank.com.vn/EBanking/IBanking/">here</a> for further details.

Vietcombank looks forward to receiving our customers' feedback so that the
VCB-iB@nking service can be continually improved.
Thank you for your interest in and use of Vietcombank's services!

And here’s the obligatory raw source. Again, my email address is masked.

Delivered-To: **************@*****
Received: by 10.142.48.6 with SMTP id v6cs81057wfv;
        Thu, 13 Nov 2008 02:25:03 -0800 (PST)
Received: by 10.110.50.19 with SMTP id x19mr12266688tix.53.1226571902167;
        Thu, 13 Nov 2008 02:25:02 -0800 (PST)
Return-Path: <ibanking@vietcombank.com.vn>
Received: from exchange.vietcombank.com.vn (exchange.vietcombank.com.vn [210.245.5.227])
        by mx.google.com with ESMTP id 2si377017tif.0.2008.11.13.02.25.00;
        Thu, 13 Nov 2008 02:25:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of ibanking@vietcombank.com.vn
        designates 210.245.5.227 as permitted sender) client-ip=210.245.5.227;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of
        ibanking@vietcombank.com.vn designates 210.245.5.227 as permitted sender)
        smtp.mail=ibanking@vietcombank.com.vn
Received: from ho.vcb.com ([10.1.2.15]) by exchange.vietcombank.com.vn with Microsoft
SMTPSVC(6.0.3790.1830);
	 Thu, 13 Nov 2008 16:43:32 +0700
Received: from HO-DBWEB01 ([10.1.1.97]) by ho.vcb.com with Microsoft SMTPSVC(6.0.3790.1830);
	 Thu, 13 Nov 2008 16:38:54 +0700
MIME-Version: 1.0
From: Vietcombank <ibanking@vietcombank.com.vn>
To: **************@*****
Date: 13 Nov 2008 16:38:55 +0700
Subject: =?utf-8?B?VGjDtG5nIGLDoW8gdGhheSDEkeG7lWkgZ2lhbyBkaeG7h24gVkNCLWlCQG5raW5n?=
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Return-Path: ibanking@vietcombank.com.vn
Message-ID: <EXFESVR01WP5RvITt7Q000079c2@ho.vcb.com>
X-OriginalArrivalTime: 13 Nov 2008 09:38:54.0970 (UTC) FILETIME=[A5114DA0:01C94573]

PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04IiAvPg0KPC9oZWFkPg0KPGJvZHk+DQo8cD5W
aWV0Y29tYmFuayB0csOibiB0cuG7jW5nIGvDrW5oIGNow6BvIFF1w70ga2jDoWNoIGjDoG5n
ITwvcD4NCjxwPlbhu5tpIG3hu6VjIHRpw6p1IG1hbmcgxJHhur9uIGtow6FjaCBow6BuZyBu
aOG7r25nIHRp4buHbiDDrWNoIHbDoCBz4buxIHRow6JuIHRoaeG7h24gdHJvbmcgc+G7rSBk
4bulbmcgZOG7i2NoIHbhu6UgTmfDom4gaMOgbmcgdHLhu7FjIHR1eeG6v24g4oCTIFZDQi1p
QkBua2luZywgPGk+a+G7gyB04burIG5nw6B5IDE1LzExLzIwMDg8L2k+LCBWaWV0Y29tYmFu
ayBz4bq9IMSRxrBhIHbDoG8gc+G7rSBk4bulbmcgZ2lhbyBkaeG7h24gVkNCLWlCQG5raW5n
IG3hu5tpIGPDuW5nIHbhu5tpIG3hu5l0IHPhu5EgdMOtbmggbsSDbmcgYuG7lSBzdW5nLiBR
dcO9IGtow6FjaCB2dWkgbMOybmcgeGVtIEjGsOG7m25nIGThuqtuIHPhu60gZOG7pW5nIGTh
u4tjaCB24bulIDxhIGhyZWY9Imh0dHA6Ly93d3cudmlldGNvbWJhbmsuY29tLnZuL0VCYW5r
aW5nL0lCYW5raW5nLyI+dOG6oWkgxJHDonk8L2E+IMSR4buDIGJp4bq/dCB0aMOqbSBjaGkg
dGnhur90LjwvcD4NCjxwPlZpZXRjb21iYW5rIHLhuqV0IG1vbmcgbmjhuq1uIMSRxrDhu6Nj
IMO9IGtp4bq/biDEkcOzbmcgZ8OzcCBj4bunYSBRdcO9IGtow6FjaCBow6BuZyDEkeG7gyBk
4buLY2ggduG7pSBWQ0ItaUJAbmtpbmcgbmfDoHkgY8OgbmcgxJHGsOG7o2MgaG/DoG4gdGhp
4buHbi48L3A+DQo8cD5D4bqjbSDGoW4gUXXDvSBraMOhY2ggaMOgbmcgxJHDoyBxdWFuIHTD
om0gdsOgIHPhu60gZOG7pW5nIGThu4tjaCB24bulIGPhu6dhIFZpZXRjb21iYW5rITwvcD4N
CjwvYm9keT4NCjwvaHRtbD4NCg==

Okay, so, is it spam? It pretty much fits the common criteria. First of all, it doesn’t know my name. Why did I give VCB my full name, then? Addressing emails to clients by name is the best way to tell genuine emails from fake ones. Didn’t they know that? Secondly, it links to an iBanking facility whose URL doesn’t even start with “https”!

Well, the fact is, it is not spam. And that saddened me. Come on, you can do better than this, VCB. Please give me some hope. You are better than ACB, aren’t you?
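As an added example (not code from the post), here is a Python script that re-parses the headers and body quoted above and answers the three questions a mail analyst asks about a message like this: which hops it passed through, whether the receiving MX's SPF check passed, and what the decoded body actually links to. The message text is reproduced from the post; the recipient is a constructed placeholder address, and the "generic greeting" phrase check is an assumption of this example, not something the post automates.

```python
"""Added example: triage of the quoted Vietcombank message. Walks the Received
chain, reads Gmail's SPF verdict, decodes the encoded-word subject and the
base64 HTML body, and flags the two red flags the post names."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Headers and body reproduced from the post. The masked recipient is replaced
# with a constructed placeholder, and folded header lines are indented so the
# parser reads each header as one unit.
RAW_MESSAGE = """\
Received: by 10.142.48.6 with SMTP id v6cs81057wfv;
        Thu, 13 Nov 2008 02:25:03 -0800 (PST)
Received: by 10.110.50.19 with SMTP id x19mr12266688tix.53.1226571902167;
        Thu, 13 Nov 2008 02:25:02 -0800 (PST)
Received: from exchange.vietcombank.com.vn (exchange.vietcombank.com.vn [210.245.5.227])
        by mx.google.com with ESMTP id 2si377017tif.0.2008.11.13.02.25.00;
        Thu, 13 Nov 2008 02:25:02 -0800 (PST)
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of
        ibanking@vietcombank.com.vn designates 210.245.5.227 as permitted sender)
        smtp.mail=ibanking@vietcombank.com.vn
Received: from ho.vcb.com ([10.1.2.15]) by exchange.vietcombank.com.vn with Microsoft
        SMTPSVC(6.0.3790.1830); Thu, 13 Nov 2008 16:43:32 +0700
Received: from HO-DBWEB01 ([10.1.1.97]) by ho.vcb.com with Microsoft SMTPSVC(6.0.3790.1830);
        Thu, 13 Nov 2008 16:38:54 +0700
From: Vietcombank <ibanking@vietcombank.com.vn>
To: recipient@example.invalid
Subject: =?utf-8?B?VGjDtG5nIGLDoW8gdGhheSDEkeG7lWkgZ2lhbyBkaeG7h24gVkNCLWlCQG5raW5n?=
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGh0bWw+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04IiAvPg0KPC9oZWFkPg0KPGJvZHk+DQo8cD5W
aWV0Y29tYmFuayB0csOibiB0cuG7jW5nIGvDrW5oIGNow6BvIFF1w70ga2jDoWNoIGjDoG5n
ITwvcD4NCjxwPlbhu5tpIG3hu6VjIHRpw6p1IG1hbmcgxJHhur9uIGtow6FjaCBow6BuZyBu
aOG7r25nIHRp4buHbiDDrWNoIHbDoCBz4buxIHRow6JuIHRoaeG7h24gdHJvbmcgc+G7rSBk
4bulbmcgZOG7i2NoIHbhu6UgTmfDom4gaMOgbmcgdHLhu7FjIHR1eeG6v24g4oCTIFZDQi1p
QkBua2luZywgPGk+a+G7gyB04burIG5nw6B5IDE1LzExLzIwMDg8L2k+LCBWaWV0Y29tYmFu
ayBz4bq9IMSRxrBhIHbDoG8gc+G7rSBk4bulbmcgZ2lhbyBkaeG7h24gVkNCLWlCQG5raW5n
IG3hu5tpIGPDuW5nIHbhu5tpIG3hu5l0IHPhu5EgdMOtbmggbsSDbmcgYuG7lSBzdW5nLiBR
dcO9IGtow6FjaCB2dWkgbMOybmcgeGVtIEjGsOG7m25nIGThuqtuIHPhu60gZOG7pW5nIGTh
u4tjaCB24bulIDxhIGhyZWY9Imh0dHA6Ly93d3cudmlldGNvbWJhbmsuY29tLnZuL0VCYW5r
aW5nL0lCYW5raW5nLyI+dOG6oWkgxJHDonk8L2E+IMSR4buDIGJp4bq/dCB0aMOqbSBjaGkg
dGnhur90LjwvcD4NCjxwPlZpZXRjb21iYW5rIHLhuqV0IG1vbmcgbmjhuq1uIMSRxrDhu6Nj
IMO9IGtp4bq/biDEkcOzbmcgZ8OzcCBj4bunYSBRdcO9IGtow6FjaCBow6BuZyDEkeG7gyBk
4buLY2ggduG7pSBWQ0ItaUJAbmtpbmcgbmfDoHkgY8OgbmcgxJHGsOG7o2MgaG/DoG4gdGhp
4buHbi48L3A+DQo8cD5D4bqjbSDGoW4gUXXDvSBraMOhY2ggaMOgbmcgxJHDoyBxdWFuIHTD
om0gdsOgIHPhu60gZOG7pW5nIGThu4tjaCB24bulIGPhu6dhIFZpZXRjb21iYW5rITwvcD4N
CjwvYm9keT4NCjwvaHRtbD4NCg==
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def received_chain(msg):
    """One (from, by) pair per Received header, newest hop first. Only the hop
    added by the recipient's own MX can be trusted; the lower headers are the
    sender's claims about its internal relays."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())
        sender = re.search(r"\bfrom\s+(\S+)", text)
        relay = re.search(r"\bby\s+(\S+)", text)
        hops.append((sender and sender.group(1), relay and relay.group(1)))
    return hops


def spf_result(msg):
    """SPF verdict the receiving MX recorded in Authentication-Results."""
    match = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    return match.group(1) if match else None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_content()  # base64 undone and utf-8 decoded by the email module
    links = extract_links(html)
    return {
        "subject": str(msg["Subject"]),  # the =?utf-8?B?...?= encoded word, decoded
        "spf": spf_result(msg),
        "hops": received_chain(msg),
        "links": links,
        "insecure_links": [u for u in links if u.lower().startswith("http://")],
        # The bank greets "Quý khách hàng" (valued customer) instead of the
        # account holder by name: the post's first red flag.
        "generic_greeting": "Quý khách hàng" in html,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The SPF pass is the decisive field: Gmail's MX accepted 210.245.5.227 as a permitted sender for vietcombank.com.vn, so the message really left the bank's infrastructure even though its content carries the classic phishing traits (no name, plain http link). The two innermost Received headers name internal hosts that a recipient cannot verify; they are useful for context, not for trust.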


Clickjacking revealed

October 27, 2008 by lamer

I just came back from the first day of OWASP AppSec Asia 2008 in Taipei. Besides two t-shirts, I got to be among the first privileged group to preview Robert Hansen’s presentation on clickjacking. The talk is scheduled for the second day, tomorrow, but I have to fly to Kuala Lumpur. How lucky am I!

Getting back to the issue: clickjacking basically borrows the user’s mouse click and delivers it to another, unintended object, such as a link or a button. For example, the website shows you a link; you click on it thinking that you will be taken to the intended location. But hey, the browser sends a request to another location!

But that’s doable with plain JavaScript too. What’s new here is that the click you made could be placed on a button of an ActiveX control. Scary, no? The demo showed me that, with clickjacking, bad guys could force Flash Player to turn on the microphone. When you visit an HTML page, some JavaScript activates a Flash component. This component asks Flash Player to turn on the microphone and start recording. Normally, Flash Player will pop up a dialog with an OK button to ask for your permission before doing so. Now, the mouse click you made on the HTML page is borrowed and used to click on that OK button. And Flash Player turns on the microphone. Or maybe the webcam. Or, wait, maybe something more than that. Whatever you can do with a mouse click, clickjacking allows the attacker to “help” you do it, silently.
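The mitigation side is not in the post (the response headers browsers now honour for this came later than 2008), but it is the check a defender reading it today wants. The following is an added Python example, not code from the post or from Hansen's talk: given a response's headers, it decides whether the page may be framed by another origin, which is the precondition for the overlay trick described above. The sample responses are constructed for the example.

```python
"""Added example: decide from HTTP response headers whether a page can be
framed by another origin, the precondition for a clickjacking overlay."""


def _frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive found in the given
    Content-Security-Policy header values, or None if no value sets it."""
    for value in csp_values:
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_protection(headers):
    """headers: mapping of header name -> list of values, as received.
    Returns (protected, reason). CSP frame-ancestors is checked first because
    browsers that support it give it precedence over X-Frame-Options."""
    norm = {}
    for name, values in headers.items():
        norm.setdefault(name.lower(), []).extend(values)

    ancestors = _frame_ancestors(norm.get("content-security-policy", []))
    if ancestors is not None:
        tokens = [t.lower() for t in ancestors]
        if not tokens or tokens == ["'none'"]:
            return True, "CSP frame-ancestors allows no ancestor at all"
        if all(t == "'self'" for t in tokens):
            return True, "CSP frame-ancestors 'self': same-origin framing only"
        if "*" in tokens or any(t in ("http:", "https:") for t in tokens):
            return False, "CSP frame-ancestors permits arbitrary origins"
        return True, "CSP frame-ancestors limited to: " + " ".join(ancestors)

    xfo = [v.strip().upper() for v in norm.get("x-frame-options", [])]
    if not xfo:
        return False, "neither X-Frame-Options nor CSP frame-ancestors is set"
    value = xfo[0]
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, ("X-Frame-Options ALLOW-FROM is obsolete and not honoured by "
                       "current browsers; use CSP frame-ancestors instead")
    return False, "unrecognised X-Frame-Options value, ignored by browsers: " + value


# Constructed sample responses: name -> headers as a server might send them.
SAMPLE_RESPONSES = {
    "no headers": {},
    "xfo deny": {"X-Frame-Options": ["DENY"]},
    "xfo sameorigin lowercase": {"x-frame-options": ["sameorigin"]},
    "csp none beats allow-from": {
        "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"],
        "X-Frame-Options": ["ALLOW-FROM https://partner.example"],
    },
    "csp wildcard": {"Content-Security-Policy": ["frame-ancestors *"]},
    "csp partner": {"Content-Security-Policy": ["frame-ancestors 'self' https://partner.example"]},
    "allow-from only": {"X-Frame-Options": ["ALLOW-FROM https://partner.example"]},
}


def audit(responses):
    """name -> True if the response forbids framing by arbitrary origins."""
    return {name: framing_protection(h)[0] for name, h in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:28} {framing_protection(headers)}")
```

A page that passes this check cannot be loaded into the invisible iframe the overlay needs, so the borrowed click has nothing sensitive to land on. The Flash permission dialog in the demo is a plugin UI rather than a page, which is exactly why the plugin vendor had to fix that case separately.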

Thank you Robert for the preview. It was way cool!

For the HITB 2008 KL goers, Jeremiah Grossman will be presenting the keynote “The art of Click Jacking” on the first day. And I will see you there too.


Reminiscence of a half year past

July 2, 2008 by lamer

So, it’s been half a year. It’s been half a year in turbulence.

On Jan 1st, I was so eager, excited, and hopeful on my flight home. I had a plan, a simple plan, and it was rolling well. You see, what could be easier than finding a job, working for a few years, and then taking a higher degree? I thought this’d gotta be it, that I found my future.

Then it all broke apart. It’s funny though, cuz I was afraid of exactly this from the beginning. I could tell it was too good to be true, that everything was like arranged, granted, not earned, and so something got to be missing. I mean, come on, you don’t expect to see a perfect world, do you? The problem was it happened too late! I was so into it. I bet on it with everything I had.

I lost my bet. My plan went to trash. I declined a few job offers to open my own consulting firm. I am still not sure why I did that. I might have thought the market demand was high, or it might be cool to do it, or it was just a rebellious action to satisfy my ego. Regardless, I have a firm now. And it is the reason I write this piece.

The firm is doing well according to plan. Before you ask, no, this is not the plan I talked before. This has its share of late night’s oil burning, sweats and a few grey hairs. It has ups and downs, cheers and cries. And it is not perfect. It is so much different from going to work at 09:00, coming back at 18:00, having dinner till 20:00, spending a few hours doing god-knows-what in front of the monitor, and finally lying on the floor till tomorrow. It is no longer a pleasant life for me at all.

Thinking about the firm reminds me of all the good times in the island country, where I didn’t have to think about anything. I miss the nights we hung out. I miss the trees along the road. I miss the breezy cool wind on the way home. I miss the flat. I miss late night movies/series. I miss the nights I slept on the floor. I miss the morning green bean dessert and bean curd. Life was a pleasure ride in the park. I earned a comfortable salary so I didn’t have to think twice before spending. I lived in a spacious and windy flat. I owned a motorbike. I had everything I needed. I was contented.

Now, my head is full of questions. What is the next step, how to move forward, who is the next customer, how to approach them, who to partner with, where to find money to do those stuffs… Infrastructure, marketing, human resource, finance, law, etc. all come pouring down on me. These questions don’t seem to end at all. Instead, they become more and more challenging, they push me closer and closer to the wall.

Sure I have doubts. Is the market ripe for us? Isn’t it better to do business elsewhere? Was coming back just plain wrong? These questions keep whirling wildly. My thoughts are all intertwined, messed up.

Fortunately, every time I think about them, I always come to the same answer: that I can’t change what happened, I can only fix it. So that’s exactly what I’m doing. I founded a firm, so I’ve gotta take it high. I failed a plan, so I’ve gotta work another one.

Though I’ve lost the eagerness and excitement of the flight that day, I still have hope. When the turbulence is over, we’ll have a safe landing on the long runway.


Using the SysInternals tools “live”

May 30, 2008 by lamer

Administrators are already very familiar with the SysInternals tools such as Process Explorer, TcpView and Rootkit Revealer. These tools were already very easy to download and use, and now it is easier still. For example, you can run the latest Process Explorer right away by typing the command:

\\live.sysinternals.com\procexp.exe

Simple enough, isn’t it? The full list of tools can be seen at http://live.sysinternals.com.


Salami attack at Asia Commercial Bank

May 15, 2008 by lamer

This morning at around 10:00 I went to the ACB bank branch on Xuân Hồng street, right behind the Tân Bình exhibition centre, to exchange 100 US dollars into Vietnamese dong.

At today’s exchange rate I should have received 1,616,300. The payment slip also clearly states this figure.

But the teller only handed me 1,616,000. That is, 300 dong short.

I asked the teller why it was rounded down like this and was told that even if I had 499 dong it would still be rounded down the same way.

First of all, at the other banks I usually go to there is never any rounding like this. 1 cent is 1 cent. 100 dong is 100 dong. They pay it in full. Although I have never seen a case where they paid “extra” :-D, they certainly never pay short.

Secondly, I don’t know whether this round-down policy, which harms the customer, is something the counter staff do on their own for their own purposes, or a policy of the whole bank.

This is clearly a typical, real-world example of a “salami attack” in the field of information security. A salami attack consists of tiny events that occur on a large scale: for example, if hundreds of thousands of bank accounts are each skimmed of 100 dong, the result is a loss on the order of several hundred million dong. For each individual account holder, a 100-dong shortfall is hard to notice, so salami attacks are rarely detected.

In any case, ACB has lost a customer (however small) until I hear otherwise. Because if they don’t round up, they shouldn’t round down either. Where did “the customer is king” go?
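Added example, not from the post: a reconciliation check in Python over constructed payout records, the first of which is the post's own 1,616,300 due versus 1,616,000 paid. It shows why the per-customer loss is invisible while the aggregate is not, and what an auditor looks for: rounding that only ever goes one way. The sample records, the minimum sample size and the customer population used for extrapolation are assumptions of this example.

```python
"""Added example: reconciliation check for one-directional rounding, the
pattern behind the salami attack the post describes."""

# Constructed payout records in VND: (amount printed on the payment slip,
# amount actually handed over). The first row is the post's own transaction.
SKIMMED_PAYOUTS = [
    (1_616_300, 1_616_000),
    (2_450_000, 2_450_000),
    (808_499, 808_000),
    (3_232_100, 3_232_000),
    (1_212_200, 1_212_000),
    (5_000_000, 5_000_000),
    (4_848_350, 4_848_000),
    (1_616_050, 1_616_000),
]

# Constructed control set where rounding goes both ways, as at the other banks
# the post mentions: sometimes the customer gains, sometimes the bank does.
FAIR_PAYOUTS = [
    (1_616_300, 1_616_000),
    (808_499, 808_000),
    (1_212_700, 1_213_000),
    (3_232_600, 3_233_000),
    (4_848_350, 4_848_000),
    (2_450_000, 2_450_000),
]


def shortfalls(payouts):
    """Positive means the customer received less than the slip says."""
    return [due - paid for due, paid in payouts]


def rounding_audit(payouts, min_samples=5):
    """Summarise the rounding behaviour of a set of payouts.

    Honest rounding to the nearest note rounds up about as often as down, so
    over a run of transactions the signs of the differences should mix. A run
    in which the customer only ever loses is the signature the post describes;
    below min_samples the evidence is too thin to call it."""
    diffs = shortfalls(payouts)
    short = sum(1 for d in diffs if d > 0)
    over = sum(1 for d in diffs if d < 0)
    biased = len(diffs) >= min_samples and short > 0 and over == 0
    return {
        "transactions": len(diffs),
        "short": short,
        "over": over,
        "total_shortfall": sum(diffs),
        "largest": max(diffs, default=0),
        "biased": biased,
    }


def projected_loss(audit, population):
    """Scale the mean per-transaction shortfall to a customer population. This
    is the post's arithmetic: a few hundred dong each, hundreds of thousands
    of customers, and the total lands in the hundreds of millions."""
    if audit["transactions"] == 0:
        return 0
    return round(audit["total_shortfall"] / audit["transactions"] * population)


if __name__ == "__main__":
    for label, payouts in (("skimmed", SKIMMED_PAYOUTS), ("fair", FAIR_PAYOUTS)):
        audit = rounding_audit(payouts)
        print(label, audit, "projected over 200,000 customers:",
              projected_loss(audit, 200_000))
```

No single row in the skimmed set is worth disputing at the counter, which is the point of the attack; the sign test across rows is what gives it away, and it works on the payment slips alone, without knowing the exchange rate.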
