Recently in Security Category

This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications)". It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.

What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.

Chinese ISP suffers DNS poisoning

Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.

From ZDNet Blogs:

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]

This is especially interesting after attending an IC3 talk on Tuesday morning on the various common types of online fraud. It's true that most of the victims of these scams are complicit in the get-rich-quick schemes, but barring the ones who commit criminal acts such as money laundering or forwarding shipments to Nigeria, it would be difficult to classify them as criminal.

From the Sydney Morning Herald:

The Nigerian high commissioner says people who are ripped off by so-called Nigerian scams are just as guilty as the fraudsters and should be jailed.

*  *  *
"People who send their money are as guilty as those who are asking them to send the money," he said. [From smh.com.au: Jail the 'greedy' scam victims, says Nigerian diplomat]

New type of cryptographic attack announced


This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.

From ComputerWorld:

Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]

The stakes have been raised in the battle against online crime. A Turkish hacker who was working with authorities was captured, tortured, and released in reprisal for his cooperation.

From Wired Blogs:

A Turkish computer hacker who was helping that country's media and national police investigate computer crimes was kidnapped and tortured by a notorious ATM hacker, according to a report from the Turkish press.

The victim, known online as "Kier," had been leaking information to Turkish reporters about an underground figure called Cha0, when he briefly disappeared. He resurfaced in May, and described being abducted and beaten by Cha0 and his henchmen. [From Wired Blogs: Hacker Reportedly Kidnaps and Tortures Informant, Posts Picture as a Warning to Others]

A new Windows remote-code execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

A new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches. [From CyberInsecure: Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

Apple users targeted by phishing scams


It looks like glitches in Apple's MobileMe rollout and the accompanying user frustration have created opportunities for phishing scams. I think Apple has already burned through their security goodwill. It's time for the company to step up and start dealing with the rapidly emerging threat that targets its customers.

From The Register:

Data obtained by CardCops, a credit card protection service owned by the Affinion Group, shows sensitive information belonging to several hundred people with Mac.com email addresses being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers' maiden names, credit card numbers and other sensitive information.

The graphic to the right, which has been edited to remove personally identifying details, shows some of the data that's been available.

The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as "Billing problem." Following the link as recently as Tuesday while using Apple's Safari browser, we were taken to an authentic-looking page purporting to belong to Apple. It asked users to reinstate their accounts by entering a dizzying array of personal details. (Interestingly, while Internet Explorer warned us the page was a scam, neither Safari nor Firefox flagged it.) [From The Register: Apple faithful snared in phishing scam targeting Mac.com users]

The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client-only package is available for Windows.

Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.

From Full Disclosure:

The OpenVAS project is proud to announce the release of the first stable version of the "Open Vulnerability Assessment System". OpenVAS is a fork of the Nessus security scanner; while Nessus switched to a proprietary license, OpenVAS will continue to improve the scanner and will provide all components as Free Software. [From Full Disclosure: OpenVAS Stable Release]

According to Wired, the Air Force has stopped work on "Cyber Command" just prior to its being declared operational. The new command was controversial, since it was a unilateral move by the Air Force to snap cyberspace into its portfolio.

From Wired's defense blog:

The Air Force is about to suspend its controversial effort to reorganize its forces to "dominate" cyberspace. The provisional, 8,000-man Cyber Command has been ordered to stop all activities, just weeks before it was supposed to be declared operational.

"Transfers of manpower and resources, including activation and reassignment of units, shall be halted," according to an internal e-mail obtained by Nextgov's Bob Brewin -- and confirmed by Air Force sources. Instead, the Air Force's new leadership -- including incoming Chief of Staff Norton Schwartz -- will be given time to rethink how big the command will be, and what exactly it will do. [From Wired.com: Airforce Suspends Controversial Cyber Command]

DNS still vulnerable after patch


Despite being delicately handled and patched at an unprecedented rate, Kaminsky's DNS vulnerability research may have opened up a huge can of worms. Russian developer Evgeniy Polyakov has announced that fully patched DNS systems are still vulnerable to poisoning.

From his blog, Zbr's Days:

Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually the attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched, the probability of successful poisoning is more than 60%.
The attack took about half a day, i.e. a bit less than 10 hours. So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night... [From Zbr's days.]

This has also been mentioned in the New York Times and the Inquirer. He has posted his proof of concept code here.
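The quoted figures lend themselves to a quick residual-risk calculation, which is what a resolver operator reading this post would want: the Python below is an added example, not code from Polyakov's post or this blog, and it assumes a 64,512-port randomisation pool and an attacker rate of 1.3 forced lookups per second (chosen so the random-port case lands near the reported ten hours).

```python
# Added example (not code from the original post): a defender's back-of-the-envelope
# model of DNS cache-poisoning odds. The per-attempt figures come from the quoted
# numbers: ~45,000 spoofed replies land before the real answer, so a fixed source
# port leaves only the 16-bit TXID to guess. Port-pool size and attempt rate are
# assumptions, not values from the page.
from dataclasses import dataclass

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID


@dataclass
class PoisonModel:
    fake_replies: int          # spoofed answers delivered before the genuine reply
    port_pool: int             # source ports the resolver randomises over (1 = fixed port)
    ports_guessed: int         # ports the attacker covers in one attempt
    attempts_per_sec: float    # forced lookups the attacker can trigger per second

    def p_txid(self) -> float:
        """Chance one attempt hits the TXID: each fake reply tries a distinct ID."""
        return min(1.0, self.fake_replies / TXID_SPACE)

    def p_port(self) -> float:
        """Chance the guessed port(s) match the resolver's randomly chosen one."""
        return min(1.0, self.ports_guessed / self.port_pool)

    def p_attempt(self) -> float:
        """Both the port and the TXID must match for a spoofed reply to be cached."""
        return self.p_txid() * self.p_port()

    def p_within(self, attempts: int) -> float:
        """Probability of at least one success in a given number of attempts."""
        return 1.0 - (1.0 - self.p_attempt()) ** attempts

    def expected_hours(self) -> float:
        """Mean time to first success: 1/p attempts at the assumed rate."""
        return (1.0 / self.p_attempt()) / self.attempts_per_sec / 3600.0


def fixed_vs_random_port() -> dict:
    """Compare an unpatched (fixed-port) resolver with a port-randomising one."""
    fixed = PoisonModel(fake_replies=45_000, port_pool=1, ports_guessed=1, attempts_per_sec=1.3)
    random_port = PoisonModel(fake_replies=45_000, port_pool=64_512,  # assumed: ports 1024-65535
                              ports_guessed=2, attempts_per_sec=1.3)
    return {
        "fixed_port_p_attempt": fixed.p_attempt(),          # ~0.69, the "more than 60%"
        "fixed_port_hours": fixed.expected_hours(),
        "random_port_p_attempt": random_port.p_attempt(),   # ~2e-5 per attempt
        "random_port_hours": random_port.expected_hours(),  # ~10 h at the assumed rate
    }


if __name__ == "__main__":
    for key, value in fixed_vs_random_port().items():
        print(f"{key:24s} {value:.6g}")
```

The model makes the post's point concrete: port randomisation multiplies the work by the pool size divided by the ports guessed, roughly 32,000 here, but does not make poisoning impossible, which is why operators also look at TXID quality, reply-rate monitoring and eventually DNSSEC.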

Social networks ignore security practices


Is anyone really surprised that social networking sites such as Facebook and MySpace were discussed at this year's Black Hat in Vegas? The entire purpose of the genre is to share data, which can be difficult to do securely. According to one presentation, though, they aren't really even trying.

From Information Security Magazine:

Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.
According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.
* * *

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust. [From MySpace, Facebook ignoring basic principles of security]

It looks like the Chinese government has problems with hackers from behind the Great Firewall. It's actually astounding that this hasn't been a larger and more public issue before now, especially considering the quality and quantity of hackers that keep coming out of China.

From Dark Visitor:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet show that the website has been hacked since at least 31 July 08.
Is it unusual for a Chinese hacker to attack their own government's website? The first generation of Chinese hackers had very strict rules about not hacking inside China, but the current crop doesn't seem to adhere to the same code. Doing a pull on Zone-h.com.cn gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to be carried out by Chinese hackers. [From The Dark Visitor: Chinese hackers eating Chinese hackers... with a side of government]

It looks like the Apple security problems that have been buried in the news this year are adding up. According to IBM's annual security report, they have more disclosed vulnerabilities than any other vendor.

While Microsoft has been making their security practices progressively more transparent, Apple is notoriously close-lipped; one can only speculate about the actual numbers.

From InfoWorld:

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.
The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla.
Final results were close, according to the IBM X-Force 2008 mid-year report, with Apple achieving a vulnerability disclosure score of 3.2 percent, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent. [From Apple gets bruised in vulnerability report | InfoWorld | News | 2008-08-06 | By Darren Pauli, Computerworld Australia]

Vista security is completely hosed


I am reminded of the Active Directory issue several years ago, in which all domains in a forest were only as secure as the most poorly defended domain. In both that and this case, a fundamental architectural choice by Microsoft made patching impossible; only a complete shift in strategy and redesign can fix the problem.

With Microsoft's newfound religion around security, it is going to be very interesting to see how they handle this. It's the first major test of how seriously they take it (and of Ray Ozzie's leadership).

From Information Security Magazine:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc., will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
* * *

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over." [From Windows Vista security 'rendered useless' by researchers]

Consumer Reports has recommended that Mac users avoid using the Safari browser due to a lack of phishing protection. While the report isn't as detailed or useful as some, it does tackle the human element, noting that while Apple touts its inherent security, users fall for online schemes just as often as Microsoft customers.

From CyberInsecure:

According to this year's State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple's Safari, has no phishing protection. Consumer Reports says that until Apple beefs up Safari, users should use a browser with phishing protection, such as the latest version of Firefox or Opera. They also offer free anti-phishing toolbars such as McAfee Site Advisor or FirePhish.
This is not the first time Apple's Safari has been criticized for lacking built-in phishing protection. Earlier this year, PayPal's Chief Information Security Officer Michael Barrett said that Apple, unfortunately, is lagging behind what they need to do to protect their customers. PayPal recommended using Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or Opera. [From Mac users are advised not to use Safari by Consumer Reports | CyberInsecure.com]
