Commentary

General ideas about the world of security

YASCCL (Yet Another Stupid Computer Crime Law)

Over the years I have seen numerous attempts at addressing the serious problems in computer crime with new laws.  Well-intentioned, I know, but all too many of these attempts are flawed.  The latest is from Nova Scotia:

Bill 61
Commentary

“The definition of cyberbullying, in this particular bill, includes “any electronic communication” that ”ought reasonably be expected” to “humiliate” another person, or harm their “emotional well-being, self-esteem or reputation.””

Well, all I can say is that everyone in this forum better be really careful what they say about anybody else.

(Oh, $#!+.  Did I just impugn the reputation of the Nova Scotia legislature?)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Outsourcing, and rebranding, (national) security

I was thinking about the recent trend, in the US, for “outsourcing” and “privatization” of security functions, in order to reduce (government) costs.  For example, we know, from the Snowden debacle, that material he, ummm, “obtained,” was accessed while he was working for a contractor that was working for the NSA.  The debacle also figured in my thinking, particularly the PR fall-out and disaster.

Considering both these trends; outsourcing and PR, I see an opportunity here.  The government needs to reduce costs (or increase revenue).  At the same time, there needs to be a rebranding effort, in order to restore tarnished images.

Sports teams looking for revenue (or cost offsets) have been allowing corporate sponsors to rename, or “rebrand,” arenas.  Why not allow corporations to sponsor national security programs, and rebrand them?

For example: PRISM has become a catch-phrase for all that is wrong with surveillance of the general public.  Why not allow someone like, say, DeBeers to step in.  For a price (which would offset the millions being paid to various tech companies for “compliance”) it could be rebranded as DIAMOND, possibly with a new slogan like “A database is forever!”

(DeBeers is an obvious sponsor, given the activities of NSA personnel in regard to love interests.)

I think the possibilities are endless, and should be explored.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

*Hello,*
*
How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://tinyurl.com/o2vlrxx>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               “Microsoft HelpDesk” <microsoft@helpdesk.com>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://dktxxxkgek.webs.com/

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  if they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than your is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Click on everything?

You clicked on that link, didn’t you?  I’m writing a posting about malicious links in postings and email, and you click on a link in my posting.  How silly is that?

(No, it wouldn’t have been dangerous, in this case.  I disabled the URL by “x”ing out the “tt” in http;” (which is pretty standard practice in malware circles), and further “x”ed out a couple of the letters in the URL.)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

(Photo) Copyist’s error?

Students of the classics and ancient documents are used to checking for copyist errors, but a photocopier?

And, of course, you can’t trust the machine to check the copy against the original, since it will probably make the same mistake every time.

Actually, with absolutely everything in the world going digital, this type of problem is becoming inevitable, and endemic.  Analogue systems have problems, but digital systems are subject to catastrophic collapse.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Thoughts at the library drop slot

A couple of days ago, I happened to walk over to the library in order to return some items.  When I got there, as all too often is the case, a parent was allowing two of his children to put their returns back into the (single) drop slot.  He noticed me, and offered to take my stuff and return it when they were done.  (Parenthetically [as it were], I should note that, in the five years since the new system was put in place, this is only the second time that a parent, in such a situation, has taken any notice of the fact that they were delaying matters.  The previous one, about a year ago, asked her children to stand aside and let me through.  I digress, but not completely.)

I immediately handed over my pile (which included a recent bestseller, and a recent movie).  (We are all creatures of social convention, and social engineering is a powerful force.)  But, being a professional paranoid, as soon as I walked away I started berating myself for being so trusting.

I was also thinking that his actions were pedagogically unsound.  While he was, at least, assisting me in avoiding delay, he was, just as much as the majority of the parents at that slot, teaching his children that they need have no regard for anyone else.

(And, yes, before I left the library, I checked my account, and determined that he had, in fact, returned my items.  Auditing, you know.)

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it’s entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost it’s entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.

 

Lest you think I exaggerate any of this, you can read the actual report.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Fuzzing Samsung Kies

Android fuzzing is always fun – seems that whenever we fuzz an android app it crashes within seconds.

Samsung Kies was no different. With the help of the talented Juan Yacubian (who built the Kies module in no time) we launched beSTORM against Kies… And saw it crash in record 23 seconds (just over 1,100 attack combinations).

Next on the agenda: install gdb for Android and build the proper payload.

Samsung Kies Crash

 

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.