Archive for the ‘Security’ Category

Entac-Direct, a Persistent Scammer

March 16th, 2009 Willem 7 comments

It has been a couple of weeks since the scammers’ website Entac Direct [2] popped up on my radar. They seem confident that they’re not going away either: their SSL certificate is only 10 days old.

Entac Direct SSL certificate

On the positive side: it seems that they have been ‘banned’ from Google Ads. I haven’t seen them on the well-known photography websites/forums in the last couple of days.

UPDATE: They are gone as well.

GoDaddy Secured…

February 6th, 2009 Willem No comments
GoDaddy Secured Seal

But not as you might think.

Many websites carry this nice badge stating the website is secure. Well, it’s not the website that’s secure (or even trusted). It’s the connection from your browser to the server serving the website which is secure.

With the cheap GoDaddy SSL certificates, GoDaddy verifies only domain name ownership, not whether the domain name owner is legitimate.

So yes, your personal information (if you enter any) is transmitted in a secure way, but in some cases straight to a bunch of scammers.

The criminals use these cheap SSL certificates to give you a false sense of security. Therefore, ALWAYS check, and double-check, websites selling cheap electronics etc. And when you’re in doubt:

If it seems too good to be true, it usually is...

Scammers SSL Certificate Gone

January 27th, 2009 Willem No comments

It seems that the SSL certificate of www.e-holater.com has been removed from the website. If you try an SSL connection, you get a warning that the certificate isn’t correct. Further investigation reveals that a wildcard certificate of the hosting company is presented (Yahoo! in this case).

Initial Warning

SSL Certificate Details

Either they moved their scammers’ website, or someone removed the SSL certificate. Either way, one relatively large part of their credibility is gone (at least for the average click-happy Joe).

I wonder how many people actually fall for these scams… Not too many, I hope (as in ZERO).

Categories: Internet, Personal, Scam, Security

SSL Certificate Verification

January 21st, 2009 Willem No comments

It seems that scammers are also using valid and trusted SSL certificates nowadays. Apparently it’s quite simple to get a certificate, since the only thing verified is domain name ownership.

Domains can be bought in many ways through lots of registrars. The people doing the verification can screw up, and domains can be paid for with stolen credit cards. This means that getting an SSL connection without any warnings doesn’t mean that the site you’re connecting to is actually legitimate.

Is WebTrust crumbling? It’s almost as if a student can run an SSL affiliate/reseller business from his or her dorm room. Who is checking the procedures? What is done when things go wrong?

It wouldn’t surprise me if this is some sort of conspiracy by the large SSL brokers: allow cheap, uncontrollable SSL certificates, cause ‘fear and distress’ among Internet users by issuing certificates when you’re not supposed to, and sell lots of those overpriced Extended Validation (EV) certificates to make people feel good.

Sure, encryption (using SSL) of user IDs and passwords while they travel the net is a good thing. The same goes for knowing that you’re on the right website. But when they’re issuing a certificate for less than $30 US (which is almost 5 euro nowadays :-) ), you can’t expect them to do a lot of work verifying the certificate buyer.

I think there are going to be some security issues with el-cheapo SSL certificates in the near future (the Mozilla issue, or the PlayStation 3 versus MD5 case), just to ‘guide’ the sys-ops and security people to the overpriced EV certificates, because more expensive is probably much better.

/me is getting my aluminium hat

Scammers Going ‘Pro’

January 21st, 2009 Willem 134 comments

A couple of months ago I found several websites selling electronics and photo gear for ridiculously low prices (which also ended my Google AdSense account). Prices were less than half the lowest legal price. Those websites were all scams, advertising through Google Ads and trying to pry you from your hard-earned money.

The last couple of days, new scam websites have been showing up on the Internet. This time they are more advanced: they even have had VALID SSL certificates (issued by a GoDaddy CA), and still use Google Ads to target their victims.

e-holater SSL Certificate

Why are they scam websites? Well, if it’s too good to be true, it probably is. And somehow you can’t pay by credit card from abroad (so no insurance).

Holater currently ONLY accepts international payment via Bank Wire Transfer. International credit cards and checks are not accepted.

So you’re left with money transfers, and we all know what the insurance is on that. None, nada, zip.

Note that the following websites are considered fraudulent by ME (and by some of the victims of these websites). They will be portrayed like this unless several others prove me otherwise.

The following section gets updated when necessary. Websites found so far:

WARNING: When these websites are taken offline, a domain forwarder might be used to redirect you to other non-relevant websites. These sites may include offensive material. Please follow these links at your own risk. If you find such a link, report them in the comments, and I’ll remove the link.

Active Scammer Websites

PE Export / Export Panama / Hexport

URL: http://www.pe-export.com [mirror] (http://www.hexport.com [mirror])
Nick is back. ‘Nick Naylor’ was also the guy behind Panama Export (which seems offline). According to the whois, this domain is his new playground. Prices are low (as usual), and the layout etc. are exactly the same as his former website panama-export (contact page). When I write this (May 27, 2009), the website seems to be closed (or they’re filtering on my IP range again). They use a script to transfer me to Panama-Export.com (which forwards to an ads page or something). My guess is that the website will be operational soon (and offline soon afterward).

UPDATE: Finally found the hexport.com screenshots I needed (ain’t the Internet a wonderful thing). Anyway, what I already suspected: hexport.com and pe-export.com are identical. Only the name is different.

The hexport.com screenshots: index (with video playing), products, Contact Us, FAQ, Guarantee, Testimonials. The pe-export.com movie (it seems that ‘Nick’ is really going pro with the ads), As seen in…

Wootech Worldwide

URL: http://www.wootechworld.com / http://www.wootech-world.com [mirror]
A duplicate of the ‘older’ scam websites like e-holater etc. Prices are still too good to be true. Even the Nikon 14-24 lens is back with a new default product id (1090485). Just compare the Anepax and Wootech screenshots for the Nikon 14-24 lens.

According to the whois database they have ‘existed’ since May 5th, 2009. I have found the cheap GoDaddy SSL certificate (details). It seems that the website (hosted @ 194.165.4.81) won’t resolve @ my local ISP’s DNS server. I can access the website using TOR. I guess they’re blocking IP ranges now :). They’re gonna miss out on lots of XS4ALL customers this way :).

I ‘purchased’ a Nikon D300 at the website for a lousy €790, just to get my hands on some additional screenshots and the banking information of these scammers.

Note that even though they have an SSL certificate, they don’t use it (yet). The entire account registration process and ordering is done without the use of SSL.

Good Electronics Shop

URL: http://www.goodelectronicsshop.com (mirror)
Chinese, and prices too good to be true. Also, no credit card payments possible, only Western Union and bank transfers (contradicting payment info 1, 2). And we all know what happens with those… Besides, what’s the difference between these [1, 2] items? No https connections during the (spam-enabling, bogus) registration and ordering process, and the domain name was registered on April 6, 2009.

digsaleltd@yahoo.com, digsaleltd@gmail.com, digsaleltd@hotmail.com

Any sales offerings with these e-mail addresses can be considered fraudulent.

Camera Giants Inc.

URL: http://www.cameragiantsinc.com (mirror)
Prices are too good to be true. The domain was registered 18-jan-2009, and the SSL certificate is one of the cheapest available from Comodo. No address available, only a PO Box in Emeryville.

Sonic Cameras

URL: http://soniccameras.com (mirror)
Shady

My Affordable Camera

URL: http://myaffordablecamera.com (mirror)
Resides in Russia, ultra low prices, and accepts Western Union only -> Scammer (in my opinion).

If you find other websites with the same characteristics, please report them in the comments, and I’ll add them to the list.

PGP Desktop Updates

January 7th, 2009 Willem No comments

I’ve been a PGP user for quite a while now. A couple of years ago I bought the software (before that I used the free PGP versions). My original license was for version 8.x. Every once in a while there would be a message indicating that a new version was available.

The last couple of months there were no new messages, and when I checked for updates from the application the default message was “you’re running the latest version”. But according to the PGP website there were newer versions (9.8, 9.9). So I ‘registered’ for an evaluation version and installed it over my existing 9.7 version.

After the reboot everything worked. My (old, existing) license is still valid. So why is PGP not telling me that there’s an upgrade available?

PGP Desktop v9.9

PGP License Overview

I guess the fun will end with the release of version 10.
By the way, I still find it frustrating that they removed the SIGN and ENCRYPT buttons/functionality from within Apple Mail.app. I don’t want to sign all my outgoing mail (which happens when you configure the mail proxy settings). I want to be in total control :)

Categories: Security, Software

Broken SSL Trust

December 29th, 2008 Willem No comments
WebTrust broken?

When a CA issues an SSL certificate, they (the registration authority) should verify certain information provided by the requester. This includes at least domain name ownership and preferably the person or company tied to that domain name. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically the complete trust framework collapses (for that CA), especially when combined with hosts file and/or DNS hijacking. What if this incident isn’t the first? What if some cybercrook got SSL certs for your favorite bank’s domain due to similar mistakes? You’re no longer sure that the https connection to your bank really terminates on your bank’s servers. It could just as easily terminate on a server in Russia or Albania, which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo root CA (as it was in this case), your browser accepts it as valid/trusted and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time it’s a Comodo affiliate that screwed up (there’s no other way of describing this), but what are the chances that some of those 100+ trusted CAs make a mistake? The bigger the list, the bigger the chance of wrongfully issued (SSL) certificates.

By the way, if you’re using an older browser (pre-IE6, for example), chances are that SSL certificate revocation checking is disabled by default. So even when they revoke the certificate, you still wouldn’t know… You can verify this by opening the Internet Explorer options and checking the Advanced tab.
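The gap described above, as an added Go example that is not part of the original post: chain validation (x509.Certificate.Verify, which, like a browser with revocation checking switched off, never consults a CRL) is run first, and the issuer's CRL is checked separately. The names Assess and BuildScenario, the in-memory CA and CRL, and the leaf for shop.example are all constructed here; the leaf also has no organisation name, which is what the cheap domain-validated certificates in the posts above look like.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Assess runs the chain check (chainValid: all the padlock reflects), looks for a subject organisation
// (hasOrg: domain-validated certs have none) and consults the CRL (revoked), which Verify never does.
func Assess(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) (chainValid, hasOrg, revoked bool, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	chainValid, hasOrg = verr == nil, len(leaf.Subject.Organization) > 0
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return
	}
	if err = crl.CheckSignatureFrom(ca); err != nil { // only honour a CRL the issuer actually signed
		return
	}
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return
}

// BuildScenario makes, in memory, a root CA, a leaf for shop.example issued ten days ago with no
// organisation name, and a CRL on which that leaf is revoked. Errors are ignored: test data only.
func BuildScenario(now time.Time) (leaf, ca *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(5, 0, 0)}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames: []string{"shop.example"}, NotBefore: now.AddDate(0, 0, -10), NotAfter: now.AddDate(1, 0, 0)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crl, ca, caKey)
	return
}
```

Running Assess on the scenario gives chainValid true and revoked true at the same time: exactly the state an old browser with revocation checking off would show as a clean padlock.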

Categories: Annoying, Browsers, Internet, Security

SSH Connection to Juniper Devices

December 18th, 2008 Willem No comments

While in the midst of my Juniper exam preparation I ran into a problem with my Apple equipment. Managing the Juniper firewall (an SSG5 in this case) over SSH was not possible from OSX. The connection itself would work, but after entering the password the connection was closed by the remote host (the firewall).
Trying this from a Windows laptop (with SecureCRT), everything worked as expected.

Some searching revealed that this is an OpenSSH bug. To manage your Juniper with SSH from OSX you need to add a parameter to the ssh command (or edit the SSH config file).

Parameter to add:

-o ControlMaster=auto
e.g. ssh willem@127.0.0.1 -o ControlMaster=auto

Or add the following line to the global SSH config (/etc/ssh_config) or the user config (~/.ssh/config).

ControlMaster auto

Juniper has a knowledgebase article (KB12409) on the issue.

Uninstall SafeSign on OSX

December 11th, 2008 Willem 4 comments

While the installation of the SafeSign software is relatively easy, the removal of the software is a bit harder. The installation package lacks an automated removal feature. So removing the driver/application must be done by hand.

The removal of the software (both the SafeSign as well as the TokenLounge software) can be reconstructed by analyzing the original packages/installation scripts.

SafeSign and OSX

December 10th, 2008 Willem 2 comments

After my blog post on OSX and Aladdin eToken I received a phone call from Haaino @ AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. Through my line of work there’s no lack of smartcards and/or readers; only the software was missing (up till now).

The package I received contained the TokenLounge software and the SafeSign v3.0 drivers for OSX. After installation of the software, you’re left with Token Administration and TokenLounge software. The software installation took place on an iMac running OSX 10.5.5.