August 2008 Archives

This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications)". It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.

What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.

 

 

Chinese ISP suffers DNS poisoning

Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.

From ZDNet Blogs:

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]

This is especially interesting after attending an IC3 talk on Tuesday morning on the various common types of online fraud. It's true that most of the victims of these scams are complicit in the get-rich-quick schemes, but barring the ones who commit criminal acts such as money laundering or forwarding shipments to Nigeria, it would be difficult to classify them as criminal.

From the Sydney Morning Herald:

THE Nigerian high commissioner says people who are ripped off by so-called Nigerian scams are just as guilty as the fraudsters and should be jailed.

*  *  *
"People who send their money are as guilty as those who are asking them to send the money," he said. [From smh.com.au: Jail the 'greedy' scam victims, says Nigerian diplomat]

New type of cryptographic attack announced

This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.

From ComputerWorld:

Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]

The stakes have been raised in the battle against online crime. A Turkish hacker who was working with authorities was captured, tortured, and released in reprisal for his cooperation.

From Wired Blogs:

A Turkish computer hacker who was helping that country's media and national police investigate computer crimes was kidnapped and tortured by a notorious ATM hacker, according to a report from the Turkish press.

The victim, known online as "Kier," had been leaking information to Turkish reporters about an underground figure called Cha0, when he briefly disappeared. He resurfaced in May, and described being abducted and beaten by Cha0 and his henchmen. [From Wired Blogs: Hacker Reportedly Kidnaps and Tortures Informant, Posts Picture as a Warning to Others]

 

A new Windows remote-code execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

a new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches. [From CyberInsecure: Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

Apple users targeted by phishing scams

It looks like glitches in Apple's MobileMe rollout and the accompanying user frustration have created opportunities for phishing scams. I think Apple has already burned through their security goodwill. It's time for the company to step up and start dealing with the rapidly emerging threat that targets its customers.

From The Register:

Data obtained by CardCops, a credit card protection service owned by the Affinion Group, shows sensitive information belonging to several hundred people with Mac.com email addresses being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers' maiden names, credit card numbers and other sensitive information.

The graphic to the right, which has been edited to remove personally identifying details, shows some of the data that's been available.

The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as "Billing problem." Following the link as recently as Tuesday while using Apple's Safari browser, we were taken to an authentic-looking page purporting to belong to Apple. It asked users to reinstate their accounts by entering a dizzying array of personal details. (Interestingly, while Internet Explorer warned us the page was a scam, neither Safari nor Firefox flagged it.) [From The Register: Apple faithful snared in phishing scam targeting Mac.com users]

NSA Singalong

This is a couple of years old, but I just saw it for the first time and got a good laugh about it.




The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client only package is available for Windows.

Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.

From Full Disclosure:

The OpenVAS project is proud to announce the release of the first stable
version of the "Open Vulnerability Assessment System". OpenVAS is a fork of
the Nessus security scanner; while Nessus switched to a proprietary license,
OpenVAS will continue to improve the scanner and will provide all components
as Free Software. [From FullDisclosure: OpenVAS Stable Release]

According to Wired, the Air Force has stopped work on "Cyber Command" just prior to being declared operational. The new command was controversial, since it was a unilateral move by the Air Force to snap cyberspace into their portfolio.

From Wired's defense blog:

The Air Force is about to suspend its controversial effort to reorganize its forces to "dominate" cyberspace. The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.

"Transfers of manpower and resources, including activation and reassignment of units, shall be halted," according to an internal e-mail obtained by Nextgov's Bob Brewin -- and confirmed by Air Force sources. Instead, the Air Force's new leadership -- including incoming Chief of Staff Norton Schwartz -- will be given time to rethink how big the command will be, and what exactly it will do. [From Wired.com: Airforce Suspends Controversial Cyber Command]

Georgian President Mikheil Saakashvili will be giving an open press conference via telephone this afternoon. As far as I know, this event is unprecedented in providing access to online and community; sponsorship by a major news organization is not required to directly interact with a head of state.

From RBN:

Tbilisi, Georgia - Mikheil Saakashvili, President of Georgia, will be giving a briefing for international media via teleconference on Monday, August 11, at 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET).
WHEN: The call will take place on Monday, August 11, at 13:00 Tbilisi Time (11:00 Central European Time, 10:00 UK Time, 05:00 Eastern Standard Time); the call will run for approximately 30 minutes.
HOW TO JOIN THE CALL: To join the call, dial +1.706.679.3044 (internationally) or 877.810.6130 (in the USA) Provide the operator with this conference ID: 59983245 [From Russian Business Network (RBN): RBN - Georgia CyberWarfare - Conference Call]

DNS still vulnerable after patch

Despite being delicately handled and patched at an unprecedented rate, Kaminsky's DNS vulnerability research may have opened up a huge can of worms. Russian developer Evgeniy Polyakov has announced that fully patched DNS systems are still vulnerable to poisoning.

From his blog, Zbr's Days:

Two attacking servers, connected to the attacked one via GigE link, were used, each one attacked 1-2 ports with full ID range. Usually attacking server is able to send about 40-50 thousands fake replies before remote server returns the correct one, so if port was matched probability of the successful poisoning is more than 60%.
Attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE lan, any trojaned machine can poison your DNS during one night... [From Zbr's days.]

This has also been mentioned in the New York Times and the Inquirer. He has posted his proof of concept code here.

Social networks ignore security practices

Is anyone really surprised that social networking sites such as Facebook and MySpace were discussed at this year's Black Hat in Vegas? The entire purpose of the genre is to share data, which can be difficult to do securely. According to one presentation, though, they aren't really even trying.

From Information Security Magazine:

Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.
According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.
* * *

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust. [From MySpace, Facebook ignoring basic principles of security]

Last HOPE audio is available

Audio recordings from the Last HOPE conference are available online here. It's a long and diverse list of topics that really reflects the history of both the conference and 2600 magazine. I'm sure you can find something that matches your interests and skill level.

I've tossed some onto an iPod for listening this week.

It looks like the Chinese government has problems with hackers from behind the Great Firewall. It's actually astounding that this hasn't been larger and more public before now, especially considering the quality and quantity of hackers that keep coming out of China.

From Dark Visitor:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet, show that the website has been hacked since at least 31 July 08.
Is it unusual for a Chinese hacker to attack their own government’s website? The first-generation of Chinese hackers had very strict rules about not hacking inside China but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn, gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to be carried out by Chinese hackers. [From The Dark Visitor » Chinese hackers eating Chinese hackers…with a side of government]

It looks like some cyberwar is accompanying boots on the ground as Russian troops and tanks invade. The Georgian Ministry of Foreign Affairs website has been defaced, containing photos of President Mikheil Saakashvili alternating with images of Hitler. Here is a screen capture:

[Image: screen capture of the defaced Georgian Ministry of Foreign Affairs website]

It looks like nation-state-scale cyberwar may have become standard operating procedure in Central Asia. This lacks the scale and impact of the DDoS attacks against Estonian targets that effectively shut down the national economy until the connections with the rest of the world were temporarily severed.

It looks like the Apple security problems that have been buried in the news this year are adding up. According to IBM's annual security report, they have more disclosed vulnerabilities than any other vendor.

While Microsoft has been making their security practices progressively more transparent, Apple is notoriously close-lipped; one can only speculate about the actual numbers.

From InfoWorld:

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.
The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla.
Final results were close, according to the IBM X-Force 2008 mid-year report, with Apple achieving vulnerability disclosure score of 3.2 percent, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent. [From Apple gets bruised in vulnerability report | InfoWorld | News | 2008-08-06 | By Darren Pauli, Computerworld Australia]

Vista security is completely hosed

I am reminded of the Active Directory issue several years ago, in which all domains in a forest were only as secure as the most poorly defended domain. In both that and this case, a fundamental architectural choice by Microsoft made patching impossible; only a complete shift in strategy and redesign can fix the problem.

With Microsoft's newfound religion around security, it is going to be very interesting to see how they handle this. It's the first major test of how seriously they take it (and of Ray Ozzie's leadership).

From Information Security Magazine:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
* * *

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over." [From Windows Vista security 'rendered useless' by researchers]

Consumer Reports has recommended that Mac users avoid using the Safari Browser due to a lack of phishing protection. While the report isn't as detailed or useful as some, it does tackle the human element, noting that while Apple touts its inherent security, users fall for online schemes just as often as Microsoft customers.

From CyberInsecure:

According to this year's State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple's Safari, has no phishing protection. Consumer Reports says that until Apple beefs up Safari, users should use a browser with phishing protection, such as the latest version of Firefox or Opera. They also offer free anti-phishing toolbar such as McAfee Site Advisor or FirePhish.
This is not the first time Apple's Safari has been criticized for lacking built-in phishing protection. Earlier this year, PayPal's Chief Information Security Officer Michael Barrett, said that Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Paypal recommended to use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or Opera. [From Mac users are advised not to use Safari by Consumer Reports | CyberInsecure.com]

Animated map of DNS patches being applied

Dan Kaminsky has posted his Black Hat slides on the bailiwacked DNS vulnerability along with a fabulous animation of DNS servers being patched across the globe. His blog entry is here.



UPDATE: I should have noted that red means unpatched, yellow means patched but NAT is interfering, and green means good

EFF announces project to protect coders

The EFF announced today a new project to shelter developers from legal threats while working on new and emerging technologies.

From LWN:

The Electronic Frontier Foundation (EFF) today launches its Coders' Rights Project -- a new initiative to protect programmers and developers from legal threats hampering their cutting-edge research.

* * *

"Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use everyday. Yet this important work can be stymied by bogus legal threats," said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. "EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities." [From EFF's Coders' Rights Project [LWN.net]]

Warning issued about Linux rootkits

Germany's CERT has issued a warning about Linux rootkits.

From Robert Penz:

The CERT of the Germany's National Research and Education Network (DFN – Deutsches Forschungsnetz) warns about attacks on Linux servers, which hide with a root kit. This root kit hides directories and processes from the administrator. The attack is most likely carried out by stolen SSH keys.
Their experts found the directory /etc/khubd.p2/ on the compromised systems but this directory did not show up with ls -l /etc/. But it was possible to change into that directory. [From DFN CERT warns about Linux root kits | Robert Penz Blog]
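
The symptom in the advisory (a directory that is absent from `ls -l /etc/` yet can still be entered) can be checked for by comparing a directory listing against direct path lookups. The following is an added example, not code from DFN-CERT or the quoted post; the function names and the demo tree are assumptions made for illustration, and the only indicator used is the directory name given in the quote.

```python
"""Cross-check a directory listing against direct path lookups (added example)."""
import os
import stat
import tempfile


def hidden_entries(parent, names, listdir=os.listdir):
    """Return names that resolve by direct lookup but are absent from the listing.

    `names` are candidate entries to probe (for instance published indicators).
    `listdir` is injectable so that a filtered listing can be simulated.
    """
    listed = set(listdir(parent))
    hidden = []
    for name in names:
        try:
            os.lstat(os.path.join(parent, name))  # direct lookup, like `cd`
        except OSError:
            continue  # the entry genuinely does not exist
        if name not in listed:
            hidden.append(name)
    return hidden


def subdir_count_gap(parent, listdir=os.listdir, nlink=None):
    """Compare the parent's hard-link count with the subdirectories it lists.

    On traditional Unix filesystems a directory's link count is
    2 + number of subdirectories. Returns (expected - listed), or None when
    the filesystem does not maintain that count (nlink < 2, e.g. btrfs).
    A positive gap means some subdirectory is not being listed.
    """
    if nlink is None:
        nlink = os.lstat(parent).st_nlink
    if nlink < 2:
        return None
    listed_dirs = 0
    for name in listdir(parent):
        try:
            mode = os.lstat(os.path.join(parent, name)).st_mode
        except OSError:
            continue
        if stat.S_ISDIR(mode):
            listed_dirs += 1
    return (nlink - 2) - listed_dirs


def demo():
    """Constructed demo: a temp tree plus a lister that drops one name,
    standing in for a listing filtered by a rootkit."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("ssh", "khubd.p2"):
            os.mkdir(os.path.join(root, d))

        def filtered(path):
            return [n for n in os.listdir(path) if n != "khubd.p2"]

        # nlink=4 is what a traditional filesystem reports for two subdirs
        return (hidden_entries(root, ["khubd.p2", "absent"], listdir=filtered),
                subdir_count_gap(root, listdir=filtered, nlink=4))


if __name__ == "__main__":
    print("simulated:", demo())
    # Live check using the directory name from the advisory quoted above
    print("/etc hidden entries:", hidden_entries("/etc", ["khubd.p2"]))
    print("/etc subdir gap:", subdir_count_gap("/etc"))
```

A clean result from a running system is weak evidence, since a rootkit that also filters path lookups or adjusts link counts will pass both checks; repeating the comparison from trusted boot media against the mounted disk is more reliable.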

The Department of Justice has announced charges in the largest identity theft case ever. Interestingly, the defendants are both domestic and foreign. It's going to be interesting to see how the case is prosecuted between jurisdictions, especially China.

The U.S. Department of Justice announced Tuesday that 11 people have been charged in connection with the theft and sale of more than 40 million credit and debit cards from major retailers, including TJX Companies Inc.
"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," Attorney General Michael B. Mukasey said in a prepared statement. Three of the defendants are from the U.S., one is from Estonia, three are from Ukraine, two are from China, and one is from Belarus. [From TJX hacking ring charged in federal indictment]

It looks like Ray Ozzie has been making even more changes at Microsoft. First, he embraced the PHP community, joined the Apache Foundation, and released code under a GNU license. Now he is opening up the security patching process to give security vendors a head start on developing signatures.

For those without the budget or influence to be on the vendor list, he's also rating patches with an "exploitability index."

From Information Security Magazine:

The idea behind the early-access program is to give security vendors a head start on developing signatures and filters for attacks that follow the release of a new set of Microsoft patches on the second Tuesday of the month. Microsoft will announce its new plans at the Black Hat conference in Las Vegas this week.
Known as the Microsoft Active Protection Program (MAPP), the new plan will be open to security companies that provide defensive technology to large customer bases, meaning antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) vendors. This kind of early notification is something that other companies have been calling for, and Microsoft officials said they've gotten to the point where they could use some help from the rest of the security community.
* * *
In addition to the MAPP announcement, Microsoft also plans to add a new component to its monthly security advisories: an exploitability index. The index will rank vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. [From Microsoft to revamp patching, add exploitability index]

Clearly, the mortgage industry had its hands full before Friday's arrest of a Citywide Financial Corp. employee for allegedly stealing sensitive personal information for up to two million mortgage applicants.

From CyberInsecure:

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The breach in security, which occurred over a two-year period through July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company. [From Countrywide Financial Insider Steals And Sells Thousands Of Private Customer Records | CyberInsecure.com]

Congress targets behavioral advertising

Congress has decided to look into behavioral advertising. It will be interesting to see how the committee proceeds -- Congress doesn't have a sterling record in dealing with complex issues. On one hand, I hope they decide to forbid ISPs from the practice as the neutral carriers of traffic that they should be, but I'm not sure that intrusion would be warranted if the behavior tracking is internal to a site's operation (such as Amazon, Google, or Microsoft).

From arstechnica:

"Committee on Energy and Commerce" and "rampage" don't often appear in the same sentence, but the House committee is certainly on a tear when it comes to behavioral advertising. Not content with firing off a bipartisan list of sharp questions to ISPs who installed NebuAd traffic analysis hardware, the Committee on Friday expanded its nastygram list to include "33 leading Internet and broadband companies" including Google, Microsoft, Time Warner, AT&T, Verizon, and Comcast. Legislation on the issue could be coming. [From Congress wants privacy answers from Google, MS, AOL]

Apple DNS patch doesn't fix DNS

If Apple keeps touting their (self-proclaimed) nigh-invulnerability as a sales feature, they really need to pay more attention to security than this.

Apple on Thursday released Security Update 2008-005, a collection of 17 fixes for security vulnerabilities in its Mac OS X operating system. Among the fixes is what looks to be a patch for the DNS cache poisoning vulnerability that security experts spent most of July warning about.
But according to security researcher Swa Frantzen from the SANS Internet Storm Center, Apple's fix hasn't quite done the trick. [From Apple Security Patch Flubs DNS Fix -- Mac OS X -- InformationWeek]

Another set of bot-herder arrests have been made. What's interesting here is that if the story is accurate, the Dutch pair are being held under European authority, while the Brazilian is being extradited to face US charges.

From The Register:

Dutch police have arrested two Dutch brothers suspected of running a botnet controlling 40,000 to 100,000 computers, with only a small portion (1,100 computers) based in the Netherlands.
The FBI has been investigating this case for a while before contacting the Dutch authorities. The arrests were made shortly after the two young bot-herders from the Frisian town of Sneek sold their network of compromised machines to a person in Brazil for €25,000 on Tuesday. The 35-year-old Brazilian man from Taubate (near Rio de Janeiro) has also been arrested and is awaiting extradition to the US. [From Dutch botnet herders arrested | The Register]

Almost seven years after 911 and six years after Congress mandated it, the Department of Homeland Security released an 83-page plan yesterday to unify emergency response communications in most jurisdictions.

From Federal Computer Week:

The department's 83-page plan released July 31 outlined these goals:

  • By 2010, 90 percent of all 60 high-risk urban areas designated under the Urban Area Security Initiative must show the ability to communicate across multiple jurisdictions and agencies within an hour of a multi-jurisdictional event.
  • By 2011, 75 percent of all urban areas must be able to demonstrate emergency communications within one hour for routine events involving multiple jurisdictions and agencies.
  • By 2013, 75 percent of all jurisdictions must be able to demonstrate response-level emergency communications within three hours of a significant event.


"This is a comprehensive plan designed to drive measurable and sustainable improvements to operable and interoperable emergency communications nationwide over the next three years. It emphasizes the human element and cross-jurisdictional cooperation, going beyond simply buying new equipment," Homeland Security Undersecretary Robert Jamison said in a statement. [From "DHS plans to unify emergency communications" -- fcw.com]

It took seven years to write a plan to do something most bloggers and travelers do already -- communicate seamlessly across multiple municipalities. This is possibly the least difficult lesson from 911 to fix, yet it has taken this long. I don't even want to think about how long the difficult challenges such as airport security are going to take to get right.

Timed to coincide with the FCC's decision against Comcast over network neutrality, the Free Software Foundation has released a tool that can test your ISP for violations.

From fsf.org:

"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."

"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier." [From EFF Releases "Switzerland" ISP Testing Tool - eff.org]

It looks like deniability may become a thing of the past, in which case the FCC might have its hands full in the foreseeable future. Perhaps some stiff fines would serve as a better deterrent than a slap on the wrist ...

The FCC has stopped short of fining Comcast over the p2p network throttling I mentioned several weeks ago.

From ZDNET:

The Federal Communications Commission on Friday ruled 3-2 that Comcast overstepped its network management authority by blocking BitTorrent peer to peer traffic, but stopped short of fining the cable company. The move clarifies the boundaries a bit for other carriers and sends the message that the FCC enforces network neutrality principles. [From FCC slaps Comcast's wrist over network neutrality; sets precedence -- zdnet.com]

A demonstration of teeth behind the net neutrality principles would have sent a clearer message to ISPs. Hopefully, the FCC will also start looking at mobile providers as well as home ISPs.