Linux Kernel Bashing

This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X

Share

Vanishingly small utility …

This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype - rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

Share

Severe T-Mobile Data Breach

From the looks of it, T-Mobile has been hacked and the goods stolen.

They also seem to love running HP-UX.

Share

C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.

Share

Madoff, insiders, internal controls, and fraud

The Madoff story is extremely interesting, for a number of reasons.  However, primarily, the tales now coming to light of ongoing suspicions and investigations (such as this Wall Street Journal piece) point out the weaknesses and limitations of audit and internal controls in controlling insider attacks and fraud.

Share

AVG’s NOPslide

AVG's NOPslide

AVG Technologies (formerly Grisoft) has been through a lot the last 17 years. Its almost considered an adult! From specializing in security software to… well actually they still do the same thing, they just focus greatly on antivirus and antimalware technology today.

In April 2006, AVG acquired Ewido Networks and bumped up their own antivirus’s version from version 7.1 to 7.5. Soon thereafter, Microsoft (!@#$) stated that AVG’s products would even be DIRECTLY available from the Windows Security Center in Vista.

Not cutting many corners, lets shift our focus now on AVG’s acquisition of Exploit Prevention Labs in late in 2007. AVG liked their ‘LinkScanner’ code and later released it in the next huge ‘revision’ of the AVG antivius suite, AVG 8. Now before I bash AVG 8, I will tell you that I used to be a big AVG fan. I always recommended it to everyone, whenever I had the chance. It WAS great — AVG offered advanced protection and ran so smooth and so clean. But at the moment, its bloated, clunky, very slow, a huge resource hog, and I am glad that I don’t have to use it. LinkScanner seems to have great intentions but has, so far, gotten off to a rocky start (or finish). A friend of mine warned me about it when it first was released, and I tried to give it the benefit of the doubt, keeping it on the ‘good’ list. I just simply don’t like the fact that it has been near ruined recently, thanks to AVG’s poor decisions.

Just like in poker, “Its about making the best decisions”, and how true that is when you think about it for the software industry too. Everyone makes mistakes, but AVG: PLEASE BE GOOD AGAIN!

Share

Kaspersky’s SAFE Internet

Kaspersky

Recently Kaspersky, the company who makes your favorite, or not-so-favorite anti-malicious software, called upon government and banking institutions to be more secure. But is it really up to these agencies to make draw the perfect picture of security, or should the end users stop making such bad decisions, both on and offline?

If these ‘safety nets’ are deployed, it won’t going to make the best out of security situation, but it will help. On the other side of the packet, using outdated software or insecure browsers (cough!*IE*cough!) that do little or nothing to protect the web surfers, directly and indirectly, should also be of major concern. Wouldn’t it be something if, when accessing one of these websites running INSECUREBROWSER, it suggested you use MORESECUREBROWSER, FOR SECURITY REASONS IF NOTHING ELSE? Woah, wouldn’t that be a different color light bulb. Especially if it was something like, say, Internet Explorer VS Firefox (Yes, I am saying that Firefox’s security is better than Internet Explorer. I believe both core and rendering engines are better, too).

Now, if they try to regulate the internet with security laws and cyber architecture boundaries, its just going to be one big mess. If you’d like one reason it wouldn’t work, just think about how outlawish the internet already is, and has been, since its inception. Then take a break and elaborate on it. I’m sure you’ll find more than one reason we can’t import some crazy set of regulations and actually believe they are going to work and/or solve our problems.

Here is some more fuel for thought: How about separating the internet for low and high bandwidth data flow. Interconnected, but bridged. Not a good idea? Well why not? As long as we are on the same network, there will be fighting over who owns what (more than just headers and footers). But as long as we put the big with the small, there is going to be controversy. There are going to be debates. This last part may have been a little off topic, but I feel like it needed to be said. Security isn’t made, its planned and implemented before regulation begins.

Share

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Share

SCADA Security

SCADA Operator

I’ve been registered with the SCADA Security Mailing List for a while now, and I must say it is very informative and has some solid discussion about SCADA systems and security. If you are not familiar with what SCADA is, it stands for Supervisory Control And Data Acquisition. SCADA systems are generally used for controlling and maintaining public services and private sector systems such as but not limited to nuclear plants, environmental systems, industrial stations, etc. You can google for more information or check our SCADA’s Wikipedia Page.

Security has and also been a big issue with running SCADA systems, especially those connected and maintained over the internet, or really any kind of network. Firewalls and IDS’s can only do so much; the integrity of the applications must be a part of the solution, AND NOT COLLAPSE! There are also many books at amazon that deal with SCADA systems. Could the internal workings of outdated coding practices and weak security in the systems, that control our precious resources and way of life, prove to be insecure? You better believe it.

Share

Purolator knoweth not privacy

My wife happened to go and pick up the book parcel today.  My wife knows about security and privacy.  (Not only does she have to listen to me at the dinner table, but she does her own research.)  One of the things I found out from her, was that it’s legal, in Canada, to ask for and look at a driver’s licence as ID, but it’s illegal, in Canada, for retailers to write down and keep that information.

So when the Purolator staff asked for her driver’s licence, she gave it to them, but made a point to ask them not to write it down.  The Purolator staff member then took the licence and input the details into their computer system.  When my wife complained, the Purolator staff member’s response was insulting and sarcastic.

So, Purolator, is that corporate policy?

Or maybe your need a little more staff training?
(Oh, and Purolator also uses those boxes to collect a digitized sample of your signature.)

Share

Wired network compromised during the Google developer conference in Israel

Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.

According to the article, google sent a follow up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while in the google conference.

The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.

Share

That device on my work computer – was it there yesterday?

Bank robbers using remote control device to control the mouse cursor of bank employee have been jailed now, report the headlines.

We can’t expect that an ordinary worker will know if USB sticks, peripherals with Bluetooth enabled, innocent looking hardware keyloggers etc. connected to their desktop computers and even to laptops are malicious – and not installed by a local IT support.

This Swedish worker recognized an odd device connected to his workstation, but a target organization is not so lucky every time. ”Employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable which ended up under his desk.

It’s worth of mentioning that this remote control device had been installed to bank workstation during a previous break-in, during which nothing had been stolen from the building.

Therefore, the ways how we can protect against these threats are not so typical:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors have a possibility to connect these devices often

Share

Plan B

The Daily WTF has a good story that may sound a little too familiar to some:

How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker’s fix:
#!usr/bin/python
# Paying someone $10 to pull a power cord for $3500
print “(C) [Name Removed] 2008.”

The moral of the story: when all else fails, use social engineering.

Share

Remote-control device – the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how they managed to install this remote-control device? According to the news sources during a break-in before the incident – no money had been stolen from the bank during a break-in.

A comment posted to Technocrat.net is pointing to another interesting case (from CIO Update article) confirmed as keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.

Share

Statistics vs. Probability – Did POTRIPPER Cheat?

This is a bit pointless, as I’m blogging about a “controversy” that has already been settled. I do think there are useful tools to take from this incident, though.

For those out of the loop, a few days ago players of online poker site “Absolute Poker” (no link, deal with it) accused a player called “POTRIPPER” of playing while being able to see the hole cards. I’ll save the poker laymen’s task of trying to figure out what that means (as I had to) – in that variant of poker some of the cards are shown, while others are hidden. People were accusing POTRIPPER that (s)he was playing while being able to see everyone’s hidden cards.

I should point out that this is a settled controversy. Absolute Poker admitted that this is the work of an internal security breach. I am less interested in the specific case, however, than I am in looking at tools designed to answer the “how can we know” question. (more…)

Share

ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3′s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.: http://www.afilias.info/
icann: http://www.icann.org/
the internet society: http://www.isoc.org/
shinkuro, inc.: http://www.shinkuro.com/

it’s going to be an interesting next week here at the swamp. atendees better show up with their two forms of id. :)

gadi evron,
ge@beyondsecurity.com.

Share