BadBIOS

In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.

 

Share

Smartphone vulnerabilities

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether you do that or not, it does mean that your device is hackable.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to avoid doing that, sometimes looking at a secure boot system.  This is usually the same as the “trusted computing” (digital signatures that verify back to a key that is embedded in the hardware) or “trusted execution” (operation restriction) systems.  (Both types were used way back in AV days of old.)  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes letting a check succeed and then doing a swap, or attacking write protection, or messing with the verification process as it is occurring.  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric enryption: once a key is known, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.

Vendors and providers are working towards trusted modules and trustzones in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.

Share

“Zero Day”, Mark Russinovich

BKZERDAY.RVW   20111109

“Zero Day”, Mark Russinovich, 2011, 978-0-312-61246-7, U$24.99/C$28.99
%A Mark Russinovich www.zerodaythebook.com markrussinovich@hotmail.com
%C   175 Fifth Ave., New York, NY   10010
%D   2011
%G   978-0-312-61246-7 0-312-61246-X
%I   St. Martin’s Press/Thomas Dunne Books
%O   U$24.99/C$28.99 212-674-5151 fax 800-288-2131
%O   josephrinaldi@stmartins.com christopherahearn@stmartins.com
%O  http://www.amazon.com/exec/obidos/ASIN/031261246X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/031261246X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/031261246X/robsladesin03-20
http://www.amazon.com/gp/mpd/permalink/m3CQBX46DOK0AK/ref=ent_fb_link
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   328 p.
%T   “Zero Day”

Mark Russinovich has definitely made his name, in technical terms, with Winternals and Sysinternals.  There is no question that he knows the insides of computers.

What is less certain is whether he knows how to write about it within the strictures of a work of fiction.  The descriptions of digital forensics and computer operation in this work are just as confusing, to the technically knowledgeable, as those we regularly deride from technopeasant authors.  “[T]he first thing Jeff noted was that he couldn’t detect any data on the hard disk.”  (Emphasis in the book.)  Jeff then goes on to find some, and notes that there are “bits and pieces of the original operating system.”  Now there is a considerable difference between not finding any data, and having a damaged filesystem, and Russinovich knows this perfectly well.  Our man Jeff is a digital forensics hacker of the first water, and wouldn’t give a fig if he couldn’t see “the standard C: drive icon.”

Generally, you would think that the reason a technically competent person would write a novel about cyberwar would be in order to inject a little reality into things.  Well, reality seems to be in short supply in this book.

First of all, this is the classic geek daydream of being the ultimate ‘leet hacker in the world.  The Lone Hacker.  Hiyo SysInfo, away!  He has all the tools, and all that smarts, about all aspects of technology.  Sorry, just not possible any more.  This lone hacker image is unrealistic, and the more so because it is not necessary.  There are established groups in the malware community (among others), and these would be working together on a problem of this magnitude.  (Interestingly, these are generally informal groups, not the government/industry structures which the book both derides and relies upon.)

Next, all the female geeks (and there are a lot) are “hot.”  ‘Nuff said.

The “big, bad, new” virus is another staple of the fictional realms which does not exist in reality.  Viruses can be built to reproduce rapidly.  In that case, they get noticed quickly.  Or, they may be created to spread slowly and carefully, in which case they can take a while to be detected, but they also take a long time to get into place.

Anti-malware companies don’t necessarily rely on honeypots (which are usually there to collect information on actual intruders), but they do have bait machines that sit and wait to be infected (by worms) or emulate the activity of users who are willing to click on any link or open any file (for viruses).  Malware can be designed to fail to operate (or even delete itself) under certain conditions, and those conditions could include certain indications of a test environment.  However, the ability to actively avoid machines that might be collecting malware samples would be akin to a form of digital mental telepathy.

Rootkits, as described in the novel, are no different than the stealth technology that viruses have been using for decades.  There are always ways of detecting stealth, and rootkits, and, generally speaking, as soon as you suspect that one might be in operation you start to have ideas about how to find it.

A backup is a copy of data.  When it is restored, it is copied back onto the computer, but there is no need for the backup copy to be destroyed by that process.  Therefore, if a system-restored-from-backup crashes, nothing is lost but time.  You still have the backup, and can try again (this time with more care).  In fact, the first time you have any indication that the system might be corrupted enough to crash, you would probably try to recover the files with an alternate operating system.  (But, yes, I can see how that might not occur to someone who works for Microsoft.)  After all, the most important thing you’ve got on your system is the data, and the data can usually be read on any system, and with a wide variety of programs.  (Data files from a SQL Server database could be retrieved not only with other SQL programs, but with pretty much any relational database.)

Some aspects are realistic.  The precautions taken in communications, with throwaway email addresses and out-of-band messaging, are the type that would be used in those situations.  There is a lot of real technology described in the book.  (Although I was slightly bemused by the preference for CDs for data and file storage: that seems a bit quaint now that everyone is using USB drives.)  The need, in this type of work, for a level of focus that precludes all other distractions, and the boredom of trying step after step and possibility after possibility are real.  The neglect of security and the attendant false confidence that one is immune to attack are all too real.  But in a number of the technical areas the descriptions are careless enough to be completely misleading to those not intimately familiar with the technology and the information security field.  Which is just as bad as not knowing what you are talking about in the first place.

Other forms of technology should have had a little research.  Yes, flying an airliner across an ocean is boring.  That’s why the software designers behind the interface on said airliners have the computer keep asking the pilots to check things: keeps the pilots from zoning out.  I don’t know how quickly you can “reboot” the full control system in an airplane, but the last one I was on that did it took about fifteen minutes to even get the lights back on.  I doubt that would be fast enough to do (twice) in order to pull a plane out of a dive.  And if you are in a high-G curve to try and keep the plane out of the water, a sudden cessation of G-forces would mean that a) the plane had stalled (again) (very unlikely), or b) the wings had come off.  Neither of which would be a good thing.  (And, yes, the Spanair computer that was tracking technical problems at the time was infected with a virus, but, no, that had nothing to do with the crash.)

Russinovich’s writing is much the same as that of many mid-level thriller writers.  His plotting is OK, although the attempt to heighten tension, towards the end, by having “one darn thing after another” happen is a style that is overused, and isn’t very compelling in this instance.  On the down side, his characters are all pretty much the same, and through much of the book the narrative flow is extremely disjointed.

Overall, this is a reasonable, though unexceptional, thriller.  He was fortunate in being able to get Bill Gates and Howard Schmidt to write blurbs for it, but that still doesn’t make it any more realistic than the mass of cyberthrillers now coming on the market.

copyright, Robert M. Slade   2011     BKZERDAY.RVW   20111109

Share

Shaw and Spamhaus

I seem to be back on the air.

A few observations over this whole affair:

(Sorry, I’ve not had time to put these in particular order, and some of the point may duplicate or relate …)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no “bad reputation” in the specific IP address that I am currently using, only a policy listing showing one of Shaw’s address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw’s spam filtering is for the birds.  Today I got two messages flagged as spam, for no clear reason I could see.  They were from a publisher, asking how to send me a book for review.  The only possible reason I could see was that the publisher copied three of my email addresses on the same message.  A lot of people do that, but it usually doesn’t trip the spam filter.  Today it did.  (Someone else with Shaw “service” tried to send out an announcement to a group.  Since he didn’t have a mailing list server, he just sent out a bunch of messages.  Apparently that got *his* account flagged as spamming.)  I also got the usually round of messages from security mailing lists tagged as spam: Shaw sure has something against security.  And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world.  (Oddly, during this period I’ve noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, “live chat,” and Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn’t accept direct messages by default.  (Since I pointed that out to them, they now, apparently accept them from me.)  They sent me public messages on Twitter, and I replied in kind.  Through the Twitter account they also informed me that error 554 is “poor reputation” and is caused by sending too many emails.  They didn’t say how many is too many.  (Testing by someone else indicated something on the order of 50-100 per hour, and I’ve never done anything near that scale.)

5) The “live chat” function installs some software on your (the client) machine.  At least two of the pieces of software failed the digital signature verification …

6) The “information” I got from Shaw was limited.  The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169  If you read the page, the information is almost entirely about the “network” with only a few (and not informative) pieces about the IP address itself.  (I did, separately, confirm that this was my IP address.)  The bulk of the page is a report on addresses that aren’t even in the same range as I am.  About halfway down the right hand side of the page is “DNS-based blocklists.”  If you click the “[Show/Hide all]” link you’ll notice that four out of five think I’m OK.  If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169  At the moment, it shows that I’m completely OK.  At the time I was dealing with Shaw, it showed that it’s not in the SpamHaus Block List (SBL) or the XBL.  It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending.  In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+  Again, this page showed a single negative entry, and a whole page of positive reports.  The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that “This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated ‘direct-to-mx’ email to PBL users.”  Again, Shaw’s problem, not mine.  However, that page has a link to allow you to try and have an address removed.  However, it says that the “Removal Procedure” is only to be used “If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database.”  Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/  Again, there you are told “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a ‘direct-to-MX’ email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL.”  This did not refer to my situation.  Unfortunately, THESE TWO PAGES ARE INCORRECT.  If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form  This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form.  It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had “found.”)  Of course, I’ve been in the field for over two decades.  How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners?  (Let alone the non-signature based tools.)

Share

Shaw Cable security (lack-of) support (2)

Well, multiple scanners say I have no malware, no spyware, and no rootkits.

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+ says I’m clean except for Spamhaus.

Spamhaus shows that http://www.spamhaus.org/query/bl?ip=70.79.166.169 I’m clean and it’s Shaw that’s dirty.

Shaw’s support is as inane as ever:

GoToAssist (11:43:33):
Your representative has arrived.

Stephen – 6685 (11:43:37):
Thank you for choosing Shaw Internet Chat Support, my name is Steve.  I will be happy to help you today.Before continuing, would you please confirm your home telephone number and address so that I can bring up your account information?

[If you don't mind, I've elided this, but it's the only change I've made - rms]

Stephen – 6685 (11:44:57):
Thank you, one moment please
Stephen – 6685 (11:48:07):
from what we see on the notes, it looks like your email is being blocked to due a poor reputation which means its being blocked by spam protection companies,  im just looking into this a little further for you.

Rob Slade (11:49:16):
Do you have any idea of what that means?  When I talked to “Rowell” yesteerday, he did not know anything about anti-spam technology, and just kept handing me bafflegab.  If you do not have any knowledge in thsi area, please hand me to someone who does.
Rob Slade (11:49:46):
I should let you know that I *do* know what I’m talking about: look up “Robert Slade” on Wikipedia.

Stephen – 6685 (11:49:48):
your being blocked by spamhaus
Stephen – 6685 (11:50:02):

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+

Rob Slade (11:50:18):
I’ve written two books on viruses and malware, the first book on software forensics, and a dictionary of information security.
Rob Slade (11:50:38):
I do know what spam is, and I am well aware of antipsam technology.
Rob Slade (11:51:08):
Per looking at senderbase yesterday, my specific IP address has nothing on it.  Just Shaw’s domain range.

Stephen – 6685 (11:52:03):
you would need to go here   http://www.spamhaus.org/lookup.lasso   type in your ip address to lookup, then  click the document it shows under the listed in red, and follow the steps to get it removed from spamhaus

Rob Slade (11:52:29):

http://www.spamhaus.org/query/bl?ip=70.79.166.169

Rob Slade (11:53:04):
See that it is only listed in the PBL, and if you look up the detail on that you will see that it is only the Shaw /22 range, and not my address.
Rob Slade (11:53:49):
Going back to your original list, you will see that it is *only* listed on Spamhaus (and therefore only on the PBL), and that *all* the other sites give me a clean bill of health.
Rob Slade (11:54:19):
In addition, why did I get absolutely no warning or notice from Shaw, just had my ability to send cut off without warning?

Stephen – 6685 (11:54:27):
its not blocked by us
Stephen – 6685 (11:54:31):
thats why we couldnt give warning
Stephen – 6685 (11:54:37):
its blocked by spamhaus

Rob Slade (11:54:49):
It is your SMTP server that refuses the connectionh.
Rob Slade (11:55:00):
You can’t blame Spamhaus.

Stephen – 6685 (11:55:14):
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+   please review this,  it will show you based on a search of your ip address, its listed by spamhaus-zen….

Rob Slade (11:55:52):
That is the same list as before.

Stephen – 6685 (11:56:19):
yes it is

Rob Slade (11:56:36):
As I told you, it gives me a clean bill of health, except for Spamhaus, and Spamhaus only lists the Shaw /22 range in the PBL, not my IP address specifically.

Stephen – 6685 (11:56:37):
if you look at the top.. spamhaus-zen  to the right of that it shows as listed  which means its blocked by them
Stephen – 6685 (11:57:00):
its still being listed by them, otherwise it would come up saying OK  next to spamhaus
Stephen – 6685 (11:57:16):
if you login to webmail  and try sending an email out from there, it will work because its not associated with your computer
Stephen – 6685 (11:57:30):
its not working on your computer because your ip  address is blocked by spamhaus

Rob Slade (11:57:44):
Yes, and if you look at the detail, you will see that I am *not* lsited in the SBL, *not* listed in the CBL, and *only* listed in the PBL, and if you look at the detail for *that* you will see that it is *Shaw* that violates, not me.
Rob Slade (11:58:37):
Here. chew on these: http://is.gd/VbjOIh http://is.gd/ogefIX

Stephen – 6685 (11:59:31):
im not sure what i am suppose to be seeing in those links..   Error establishing a database connection
Stephen – 6685 (12:00:07):
http://www.spamhaus.org/pbl/query/PBL164253  from there, you will need to follow the steps from clicking on remove an ip from pbl

Rob Slade (12:01:20):
In the meantime, I will be writing up more blog posts on how Shaw has inconsitent spam filtering, does not say what kind of spam filtering it does do, has a weird relationship with the blacklisting outfits.
Rob Slade (12:02:09):
Obviously you have not read the page you sent me.  This is the procedure only if you are running an email server (MTA) yourself.  I don’t.  You guys do.

Stephen – 6685 (12:05:15):
yes, from the report, its showing that its being blocked due to not using smpt authentication, that gets addressed from our side, where we communicate with spamhaus to get that resolved, however also by having you follow the link from the remove my ip address can usaully help get it resolved quicker.
Stephen – 6685 (12:06:12):
it is blocked by spamhaus, not us, which is something that will get looked into, if it was just being blocked by us, we could easily resolve it for you, however because its being blocked by a 3rd party, it will take some time, in the meantime you can use webmail to send and receive emails

Rob Slade (12:06:19):
How so?  I don’t run an SMTP server, so I can’t give them full info in filling out that form.
Rob Slade (12:07:06):
Besides, it’s not a static address.
Rob Slade (12:07:45):
Obviously you do not know what you are talkign about.  Are you going to put me through to someone who does?

Stephen – 6685 (12:08:08):
yes i do know what i am talking about Rob

Rob Slade (12:08:45):
Then how come you are asking em to fill out a form when the instructions specifically state not to do it unless this is a static IP address and I am running my own mail server?
Rob Slade (12:09:36):
http://www.spamhaus.org/pbl/removal/ “You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server”

Stephen – 6685 (12:09:37):
i am just looking to see what more we can do on this right now, i will be a couple minutes.

Share

Who’s behind Stuxnet?

Stuxnet is a worm that focuses on attacking SCADA devices. This is interesting on several levels.

First, we get to see all of those so-called isolated networks get infected, and wonder how that happened (here’s a clue: in 2010, isolated means in a concrete box buried underground with no person having access to it).

Then, we get to see how weak SCADA devices really are. No surprise to anyone who has ever fuzzed one.

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

Share

Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that is is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.

Share

KHOBE: Say hello to my little friend(*)

Guess what? You personal firewall/IDS/Anti Virus/(insert next month’s buzzword here) isn’t going to save you from an attacker successfully executing code remotely on your machine:
http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268

So no, it’s not the doomsday weapon, but definitely worthy of the Scarface quote in the title.
This isn’t surprising, researchers find ways to bypass security defenses almost as soon as those defenses are implemented (remember non-executable stack?). Eliminating vulnerabilities in the first place is the way to go, guys, not trying to block attacks hoping your ‘shields’ hold up.

(*) If you’re reading this out loud you need to do so in a thick cuban accent

Share

Finally, a workable approach to web Single Sign On


In the last 20 years, practically all the large software vendors came out with Single-Sign-On (previously “PKI”) products that were supposed to give a single login that would give you access to all the resources on the network. As good as this idea sounds, in practice that almost never works. Why Single Sign On constantly fails in corporate environments is a mystery wrapped in an Enigma. But it just doesn’t.

On the web, it seems even more logical that a single login will give you access to all the resources, and yet the situation is even worse. Microsoft, google, yahoo, AOL, and now facebook have all tried their Single Sign On initiatives that ended up having users signing up to 4-5 different ‘single sign on’ services and typically just opting for the only single sign on method that works: Using the same username and password everywhere.

Before you ask, OpenID is not a single sign on solution – it’s an identification service. So with that out of the way, are we doomed to never have a workable option to web single sign on?

Well, it seems the solution was always there: in fact, most of us have been using it for a while. Your browser.

Done well, the browser can keep the username/password combination in a secure place, protected by a single password and encrypted on your hard drive. The only risk is a Trojan using your browser to log into web sites without your knowledge – but that’s a risk you have today with keylogger rootkits, so you are not worse off letting your browser save the password for you.

The only two challenges facing the browsers to truly provide an SSO experience were web sites like paypal that refused to let the browser save username/password information (though you could bypass that restriction with bookmarklets such as “Password Saver” on firefox) and the second challenge was just the convenience of needing to login instead of having the browser login for you, as you’d expect in a “real” SSO.

It seems that firefox has picked up the glove. In a recent blog post (http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/) firefox announced an add on that will handle account management; likely not much different than what is done today, perhaps a bit more extended and automated. Facebook, google and some others won’t be happy about this move, but who cares. The best thing about this method of SSO is that you don’t need the site’s cooperation for it to work. In fact, as long as they don’t actively resist (e.g. by adding CAPTCHA’s) firefox can be the de-facto standard for account management in the not-too-far future.

Share

Police hacking

Recent news that UK government approving Police hacking into suspected home computers has caused a bubble in the info-sec world. They can hack into private computers either by sending an e-mail containing a virus to the suspect’s computer or breaking into a residence to install a keystroke logger onto a machine or simply place a surveillance van in the vicinity of a wireless network to intercept the traffic. Computers of users who are suspected of terrorism, pedophilia or identity or credit card theft will be targeted.

They have even asked the security product/services providers to stop detecting/blocking their keyloggers and other spyware tools. However few security vendors have raised an issue and expressed their inability to cooperate with the federals. As per Znet, security vendors Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for the police hack. Symantec has not commented on this. However in the past they have Symantec has said that its antivirus software will not scan for the FBI’s Magic Lantern keylogging software. This is a spyware program that the Feds can hack into your machine to log and report all keystrokes back to them.

I personally find this very scary and “privacy intruded” and since conceptually there’s no difference between a malicious code and the one used for the Government, there are BIG chances that an AV can miss it!!!

This means punching a BIG hole in the security device which in turn is surely a big Boom for malware authors. If Cops drop a trojan on suspect’s system installed with antivirus software white-listing Police hacking tools and if this suspect turns out to a prestigious member of underground malware writers, then he can reverse engineer the cop-hack-tool to write his own code and compromise more such systems.

I personally feel Kaspersky Labs and Sophos are really doing a good job by taking their stand on not creating a backdoor for malware writers.

Share

Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.

Share

Sinowal Trojan – difficult to catch since Feb 2006

RSA Security’s Blog has information about the seriousness of the Sinowal banking Trojan.

Like many of us know this Trojan aka Trojan-PSW:W32/Sinowal.CP and Trojan.Mebroo uses so-called MBR rootkit technique.

Link here.

Share

Cisco: We know IOS rootkits can be made – harden your system

cisco has released an updated version of its cisco security response: rootkits on cisco ios devices document after the eusecwest presentation of mr. sebastian muniz (core security).

hardening, best practices etc, it appears.

thanks Sunshine. for pointing this on mailing lists.

Share

MBR rootkit – here’s some references

Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story – link here.

From the post based to Verisign iDefense data:

….

  • Oct. 30, 2007 – Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 – First known attacks installing MBR code
    about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses name Troj/Mbroot-A, in turn. There are names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA assigned too.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.

Share

Sony about rootkits: Not many USM-F sticks were sold

New information is available related to the rootkit issue of Sony MicroVault USB sticks including fingerprint reader.

One of the stories is this Computer Weekly article which states:

A Sony spokesperson said: “While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date.”

And earlier, F-Secure’s Mikko Hyppönen has reported that this issue has a lot of reasons which make it less serious than Sony BMG’s XCP issue was.

Share

Now fingerprint reader and rootkits – Sony did it again

This report of F-Secure’s Mika Ståhlberg states that MicroVault USM-F fingerprint reader software shipped with that Sony USB stick installs a driver that is hiding a directory under C:\Windows.

And – reportedly the guys of FS research laboratory

also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality. [added a hyperlink]

Hmmm – time to wear my white T-shirt with text familiar to many readers – “Most people don’t even know what a rootkit is, so why should they care about it?”

Share