S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large Shinhan Bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now to everyone’s advantage to blame the cyber attack for anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage is substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS units crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation), but this is making the rounds in security forums, and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, which send TPEG data to the GPS devices (almost every car in Korea has a GPS device, and almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a disruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.
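As an added example (not code from this post, and not beSTORM’s TPEG module or any real TPEG implementation), here is what fuzzing a receiver’s parser looks like in practice. The frame layout is a constructed stand-in for a broadcast data frame, not the real TPEG format, and both parsers are hypothetical: one trusts the length field the way a crashing navigation device presumably did, the other validates every field before touching the payload. The mutation loop treats any unhandled exception as the equivalent of a device crash, which is the property a vendor would want to test for before a broadcaster ever sends bad data.

```python
"""Mutation fuzzing of a toy broadcast-data frame parser (added example).

Constructed frame layout (NOT real TPEG): sync byte 0xAA, 1-byte message type,
2-byte big-endian payload length, payload, 1-byte additive checksum.
"""
import random
import struct

SYNC = 0xAA


def checksum(data: bytes) -> int:
    return sum(data) & 0xFF


def build_frame(msg_type: int, payload: bytes) -> bytes:
    header = struct.pack(">BBH", SYNC, msg_type, len(payload))
    return header + payload + bytes([checksum(header + payload)])


def parse_naive(frame: bytes):
    """Hypothetical receiver that trusts the length field.

    A short frame makes struct.unpack raise; a length field larger than the
    frame makes the checksum index run past the end and raise IndexError.
    Either one is the "device crash" the fuzzer is looking for.
    """
    _sync, msg_type, length = struct.unpack(">BBH", frame[:4])
    payload = frame[4:4 + length]
    _chk = frame[4 + length]          # crashes when the length field lies
    return msg_type, bytes(payload)


def parse_hardened(frame: bytes):
    """Same format, but every field is checked before it is used.

    Malformed input is rejected by returning None; it never raises.
    """
    if len(frame) < 5 or frame[0] != SYNC:
        return None
    msg_type = frame[1]
    length = struct.unpack(">H", frame[2:4])[0]
    if len(frame) != 4 + length + 1:  # length must match what we received
        return None
    if checksum(frame[:-1]) != frame[-1]:
        return None
    return msg_type, bytes(frame[4:-1])


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, interesting byte, truncation or insertion."""
    data = bytearray(frame)
    choice = rng.randrange(4)
    if choice == 0:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        i = rng.randrange(len(data) + 1)
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        data[i:i] = junk
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Run mutated frames through `parser`; collect (exception name, input) pairs."""
    rng = random.Random(rng_seed)  # fixed seed so crashes are reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except Exception as exc:      # any unhandled exception == receiver crash
            crashes.append((type(exc).__name__, case))
    return crashes


def crash_types(crashes: list) -> set:
    return {name for name, _ in crashes}


# Constructed seed frame; the payload text is made up for the example.
SEED = build_frame(0x01, b"traffic-event:A1;delay=12m")

if __name__ == "__main__":
    naive = fuzz(parse_naive, SEED)
    print("naive parser crashes:", len(naive), crash_types(naive))
    print("hardened parser crashes:", len(fuzz(parse_hardened, SEED)))
```

The interesting part is not the fuzzer, which is a few lines, but the harness boundary: `parser(case)` is where a real setup would hand the bytes to the actual device or its firmware, which is exactly the plumbing the post says is hard to get from a vendor.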

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike), the broadcasting networks control many devices that rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I were a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kinds of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oxymoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

A detailed analysis of the attack is here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf


Why can’t my laptop figure out what time zone I’m in, like my cell phone does?

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:

http://stackoverflow.com/questions/8049912/how-can-i-get-the-network-time-from-the-automatic-setting-called-use-netw

and there seems to be an app for an Android phone:

https://play.google.com/store/apps/details?id=ru.org.amip.ClockSync&hl=en

(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?


Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …


What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now let’s see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to log in he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lockouts not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.


SMS Apple (malware) spam on Bell Mobility (Canada)

SMS spam on Bell seems to have suddenly jumped.  On Tuesday, both Gloria and I got spam saying we had won something from Apple.  Today, we both got similar spam.

Today’s message came “from” 240-393-8527.  It asked us to visit hxxp://www.apple.com.ca.llhf.net [1]

Neither F-Secure nor VirusTotal had anything to say about it, but it is safe to assume that the site is dangerous.  Avast now blocks it.

In trying to contact Bell about this, I noted that Bell’s Website “contact” page lists a “Chat with us” function that simply does nothing if agents are busy, and no means of contacting Bell via email.  “How to escalate a complaint” returns the same page, with the same lack of response from the agent button.  When I finally did reach an agent, “he” was pretty clueless about the whole situation.  I strongly suspected “he” was a rather simplistic program.

Having given the agent the information above, his response was to ask “Samuel: I understand. Have you registered under apple newsletter list?”  He then asked for my name and phone number (which I had previously given him at the beginning of the session), and then told me “Samuel: I unfortunately cannot unsubscribe that spam for you from here as I see in your account.”  He offered to cut the SMS/texting function on my account.

That’s it.  That’s the only solution.  Bell doesn’t have any spam filtering on SMS, even when the spam is as obvious, egregious, and malicious as this one.  (Yes, they do have a spam filtering option, if you want to pay them an extra $5 per month.  Given the quality of support, I think I’ll give that a miss.)

[1] Note that this isn’t apple.com: in a hostname the rightmost labels are the real domain, so this is a host under llhf.net, and the “apple.com.ca” part is just a lookalike prefix.  That domain is listed to:

Domain Name: llhf.net
Name Servers: ns5.myhostadmin.net, ns6.myhostadmin.net
Registrant Name: jun wang
Registrant Organization: wang jun
Registrant Address: shang hai shi xu hui qu
Registrant City: shang hai
Registrant Province/State: SH
Registrant Postal Code: 200087
Registrant Country Code: cn
Registrant Phone Number: 02178861511
Registrant Fax: 02178861511
Registrant Email: yaobing349@hotmail.com
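As an added example that is not part of the post, here is the right-to-left reading of that hostname in code: the registrable domain of www.apple.com.ca.llhf.net is llhf.net, and a brand name showing up as an inner label rather than as the registered domain is a cheap, reliable phishing indicator for an SMS or mail filter. The suffix list is a constructed subset for the example; a real check would load the Public Suffix List (publicsuffix.org), and the defanged “hxxp” scheme handling follows the convention used in the post.

```python
"""Registrable-domain extraction and brand-lookalike check (added example).

PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the real
Public Suffix List; a production filter should load the full list.
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "cn", "co.uk", "com.cn"}


def hostname_from_url(url: str) -> str:
    """Accepts normal or defanged (hxxp://, hxxps://) URLs and returns the host."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Walk the labels from the right: the registrable domain is the label just
    left of the longest matching public suffix (two-label suffixes first)."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def brand_impersonation(hostname: str, brands) -> list:
    """Brands that appear as a label but do not own the registrable domain.

    www.apple.com.ca.llhf.net -> ['apple']   (apple is not the registered name)
    www.apple.com             -> []          (apple.com is the registered name)
    """
    reg = registrable_domain(hostname)
    labels = hostname.lower().split(".")
    return [b for b in brands if b in labels and not reg.startswith(b + ".")]


def classify_url(url: str, brands=("apple",)) -> dict:
    host = hostname_from_url(url)
    hits = brand_impersonation(host, brands)
    return {"host": host, "registrable": registrable_domain(host),
            "impersonates": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    # The sample URL is the defanged one quoted in the post.
    for u in ("hxxp://www.apple.com.ca.llhf.net", "https://www.apple.com/ca/"):
        print(classify_url(u))
```

The check is deliberately conservative: it only fires when a watched brand is present as a label and does not own the registered name, so legitimate regional hosts such as a brand’s own co.uk or com.cn domain pass.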


Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.


About the reported beSTORM “Vulnerability”

A few people asked me about the advisory posted on exploit db (Now also on SecurityFocus) that talks about a security vulnerability in beSTORM, which would be ironic since it’s a fairly simple vulnerability to find by fuzzing, and beSTORM is, after all, a fuzzer.

I always thought security holes in security products were especially funny. You expect security companies to know better, right? Well, as usual, it’s much less funny when it happens to you. Seeing reports about a vulnerability in beSTORM wasn’t amusing.

The thing is, the vulnerability is not in beSTORM, it is not remote, and on top of all – the exploit PoC does not work as advertised. Now comes the second irony: I’ve been on the management team of a security database for the past 14 years, and I’m sure more than one vendor cursed me to walk a mile in their shoes. Well, vendors: I am! Trying to explain to vulnerability databases that just because someone posted something doesn’t mean it’s true, is not easy. But you knew that already.

Now for the details:

The vulnerability described is a problem in WizGraphviz.dll, a graphic library that has been abandoned by its developer. It is not a part of beSTORM, and never was. You could, in early versions of beSTORM, install that DLL in order to view SVG files; beSTORM would have downloaded it on request. But that hasn’t been the case for a while now.

The vulnerability is also not remote. This ActiveX is marked not safe for scripting, which means you have to manually enable it to get the exploit code to run.

In other words, you need to download an ActiveX from the Internet, go into the settings to mark it safe for scripting (and ignore the huge warnings) and then you will be vulnerable to an ActiveX attack when visiting a rogue site. And all this is only true for an old version of beSTORM which is no longer available for download.

Life is full of ironies: This attack is simple enough that we could (should?) have found it by fuzzing this DLL ourselves. Hell, there’s a good chance the good guys that published this advisory did exactly that. For being lazy, we deserve the public flogging. But just to set the record straight, a security vulnerability it ain’t.


Quick way to find out if your account has been hacked?

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, an outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will tell you. Just enter your email—they won’t store your address unless you ask them to—and click the button that says, “Check it.” If your email has been associated with any of a large and ever-growing list of known password breaches, including the latest Yahoo hack, the site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Strategic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.


Ad-Aware

I’ve used Ad-Aware in the past, and had it installed on my machine.  Today it popped up and told me it was out of date.  So, at their suggestion, I updated to the free version, which is now, apparently, called Ad-Aware Free Antivirus+.  It provides for real-time scanning, Web browsing protection, download protection, email protection, and other functions.  Including “superfast” antivirus scanning.  I installed it.

And almost immediately removed it from the machine.

First off, my machine bogged down to an unusable state.  The keyboard and mouse froze frequently, and many programs (including Ad-Aware) were unresponsive for much of the time.  Web browsing became ludicrous.

There are some settings in the application.  For my purposes (as a malware researcher) they were inadequate.  There is an “ignore” list, but I was completely unable to get the program to “ignore” my malware zoo, even after repeated efforts.  (The interface for that function is also bizarrely complex.)  Granted, I’m kind of a non-typical user.  However, the other options would be of little use to anyone.  For the most part they were of the “on or off” level, and provide almost no granularity.  That makes them simple to use, but useless.

I’ve never used Ad-Aware much, but it’s disappointing to see yet another relatively decent tool “improved” into non-utility.


The speed of “social” …

I made a posting on the blog.

Then I moved on to checking news, which I do via Twitter.  And, suddenly, there in my stream was a “tweet” that, fairly obviously, referred to my posting.  By someone I didn’t know, and had never heard of.  From Indonesia.

This blog now has an RSS feed.  Apparently a few people are following that feed.  And, seemingly, every time something gets posted here, it gets copied onto their blogs.

And, in at least one case, that post gets automatically (and programmatically) posted on Twitter.

I would never have known any of this, except that the posting I had made was in reference to something I had found via those stalwarts at the Annals of Improbable Research.  I had made reference to that fact in the first line.  The application used to generate the Twitter posting copies roughly the first hundred characters of the blog post, so the Improbable Research account (pretty much automatically) retweeted the programmed tweet of the blog posting that copied my original blog posting.  I follow Improbable Research on Twitter, so I got the retweet.

This set me to a little exploration.  I found, checking trackbacks, that every one of my postings was being copied to seven different blogs.  Blogs run by people of whom I’d never heard.  (Most of whom don’t seem to have any particular interest in infosec, which is rather odd.)

Well, this blog is public, and my postings are public, so I really can’t complain when the material goes public, even if in a rather larger way than I originally thought.  But it does underline the fact that, once posted on the Internet, it is very unsafe to assume that any information is confidential.  You can’t delete data once it has passed to machines beyond your control.

And it passes very, very fast.


The “Man in the Browser” attack

Gizmodo reports:

New “Man in the Browser” Attack Bypasses Banks’ Two-Factor Authentication Systems

Except there is nothing new about this attack. OWASP documented it in 2007 and it was widely known that malware writers used it to bypass 2-factor authentication.

More from Gizmodo:

Since this attack has shown that the two-factor system is no longer a viable defense, the banking industry may have to adopt more advanced fraud-detection methods.

Given that this has been going on for more than 5 years, it’s obvious that banks already have adopted more advanced fraud detection methods.

So why are they forcing you to carry around tokens and one-time passwords that make it awkward and uncomfortable to use your own money as you wish?

Because, with only a few exceptions, banks’ security guys are not interested in making your life comfortable. The more you suffer, the more you think they are secure.

Maybe it’s time to ask for accountability? Which of their so-called security features is really for security, and which is for CYA or ‘make-the-regulator-happy’?


Forcing your users to write down their passwords

This sums up everything that is wrong with the “password policy” theme. From the t-mobile web site:

T-Mobile Password Policy

There is no way any reasonable person can choose a password that fits this policy AND can be remembered (note how they are telling you that you CANNOT use special characters; so users now have to bend to the lowest common denominator of their bad back-end database routine and their bad password policy).

I’m sure some high-paid consultant convinced the T-MO CSO that stricter password policy is the answer to all their security problems. Reminds me of a story about an air-force security chief that claimed 25% increase in security by making mandatory password length 10 characters instead of 8, but I digress.

Yes, I know my habitat. No security executive ever got fired for making the user’s experience more difficult. All in the name of security. Except it’s both bad security and bad usability (which, incidentally, correlate more often than not, despite what lazy security ‘experts’ might let you believe).

I’ve ranted about this before.


“The next big cyber attack will be worse than 9/11”

Except it won’t be.

I’m assuming the reporter who quoted the statement in the title as coming from the Davos “Global Shapers” group was trying to make his own headline. Hey, that works (I even used it myself). But this is not the first time we’ve been warned about the Armageddon that is cyber terror, and it’s time somebody called bullshit on it.

Now don’t get me wrong, I’m not Mother Teresa. I work in IT security, and have been known to scare people now and then with the “this is what might happen to you if you don’t fix your security”. Most times I’d like to think I was calling it the way I saw it, but I’m sure more than once people that were listening to me thought I was exaggerating. And probably much more than once, I was. But this is not an “exaggeration”. It’s something totally different.

Have you been terrorized? I bet you have. You don’t have to know someone who was killed by a suicide bomber; it’s enough if you think back to when the school bully tried to take your lunch. That was terrifying. And terrorizing. You thought bodily harm would come to you, and this is why “terror” works so well: it’s scary.

Is ‘cyber terror’ really that scary? Well, let’s compare. Many of us have been “victims” of cyber terror. You probably visited a web site that was defaced by political hacker wannabes. Were you terrorized?

We’ve all heard about the attacks in Estonia. That was the most effective cyberwar to date. But did anyone die? Let’s compare it to the war (actual war) in Georgia. Again Russia clashing with a neighbor, but this time people died, lost their homes, and were forced to move their lives elsewhere. I’m sorry, but that’s not the equivalent of having to reformat your computer or losing Facebook connectivity for 24 hours.

War is war: people die, suffer bodily harm, have their lives changed. I’m not against the term “cyber-war” or “cyber-terror”, but can we put it in proportion please?

So no, the next ‘cyber war’ or ‘cyber terror’ attack won’t be worse than 9/11. It won’t be even mildly comparable to 9/11. Unless it kills thousands of people, in which case there will be nothing “cyber” about it.


2nd Annual Cyber Security China 2012

It seems like nowadays China is the immediate suspect when it comes to hacking attempts or cyber espionage. It’s therefore interesting to know that they are suffering from as many internal attacks as anyone else.

‘Cyber Security China 2012’ is organized with ISC2, which is typically a good indicator of interesting speakers and content (at least, that’s been my past experience in other countries). The description shows that the Chinese are worried about the same things we all are:

With support from Ministry of Public Security of China, and working with ISC2, ITU-IMPACT and ISFS Hong Kong, Cyber Security China 2011 is successfully organized in March 24-25 in Shanghai, China. The 2011 event convened 130+ delegates from global and local cyber security authorities, government, law enforcement agencies, users and security vendors, and mainly explored the solutions against evolving cyber threats and attacks, and how to fight the cyber crimes through public-private-partnership.

More information here.


First big break-in of the year

Richard Stiennon writes:

I have only one security related prediction for 2012 and that is that we are in for a year that will make 2011 look tame in terms of major targeted attacks.

He gives the 2011 examples of the break-in to the Sony PlayStation Network and an attack on Stratfor (a defense intelligence organization). Here’s one from yesterday: a Saudi attacker published the details of credit cards (and other personal information such as ID numbers and addresses) for hundreds of thousands of Israelis.

Going to be a fun year!


The truth behind the Opera unpatched vulnerability

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera [...] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public”.
But I’m puzzled as to why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the million-dollar question: we were asked if it worked on the latest version of Opera, and we said we don’t know. Since, last time I checked, no one here worked for the Opera QA team, we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common: “the items provided only cause crashes; they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”. The vendors-against-full-disclosure saga will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.
