September 2005

eBay solved Phishing! (joke, which is reality)

> your registered name is included to show this message originated from ebay. learn more.

we are saved, ebay solved phishing.

i suppose that is why i got this spam email message in my inbox the other day:

> *ebay sent this message from kathy halmoes. (samsungltd).*
> sender registered name is included to show this message originated from ebay.
> learn more.

ahh, so much for that assurance that it came from ebay. the ideas some people come up with…

gadi evron,
ge@beyondsecurity.com.

Online extortion (bahh) and a new buzzword – “Ransomware”

i really like it when people invent new terms.

it can be spit and spim for spam coming from sources other than email. it can be pharming for phishing that is done by “misusing” dns. it’s always “new” and always invented by a commercial company.

annoying, but it’s how things are. one has to find ways to get media attention.

the latest invented term is “ransomware”:

http://www.networkworld.com/buzz/2005/092605-ransom.html

basically, a trojan horse will get on your machine and without warning will at some point encrypt your files. then the attacking party will demand some cash for the files to be restored/opened.

it’s a pretty cute idea, but it is nothing new. the whole idea behind trojan horses is to be able to do stuff such as this, covertly, whether for quiet spying or for overt annoying and destroying.

true, this way of employing the said trojan horse is fascinating, but no more than that.

leaving the trojan horse itself behind, let us discuss the concept of online extortion for a bit.

online extortion is one of the silliest ideas i ever heard. not because it doesn’t work out for the bad guys, but because it simply makes no sense to the good guys.

say you are in meat-space and you run a convenience store in downtown [bad city here]. a gang comes by and threatens that if you don’t pay them protection money they will burn down your store.
it is pretty clear that in fact:
1. they will burn down your store if you don’t pay up.
2. it is likely that they will not burn down your store if you do.
3. they will come back for more if you pay them.
4. it is also likely that if another gang comes by and demands some money, the original gang will protect you from the new one.

online, you have no face. you never really know who you are talking to. you have no guarantee that they are real, what they mean toward you and if they are trustworthy.

say somebody emails your ceo and says: “pay up 10k bucks or we will ddos you out of business”.
that can be rough on any company and especially on companies whose business models are based on being online, still –
say you pay up:
1. what prevents the bad guys from attacking you anyway?
2. what prevents the bad guys from not attacking you regardless, rather than wasting their resources on someone who won’t pay?
3. the bad guys cannot protect you from other bad guys.
4. there are so many bad guys out there, who is to say others won’t attack you?

and besides, meat-space basics apply here – if you give them money, they will come back and they will also bring friends. unlike real life they cannot burn down your store. whatever they do you can most likely come back from it and you can most likely also prepare for it.

the solution is simple. if your business model demands internet access and you make money off the internet, you should invest in protecting yourself accordingly.

ddos is a problem, but one that you can cope with, especially if you plan ahead and consult with the right people, beginning with your uplink isp and ending up with people who actually understand ddos and security.

trojan horses? “ransomware”? it all comes down to planning security for your organization – in-depth.

besides, as part of your business continuity plan (plan security, it’s not a bad idea) you could... *shock* back up your files regularly?

i can’t teach anyone how to do security in one blog entry, but the points i am trying to make are:
1. security is something you need to invest in, over time and as part of a thorough plan.
2. online extortion is a scam,

any of these threats can hurt you, but you can either respond to them as a micro-issue and make sure that because somebody smuggled something on an airplane using their shoes no one will ever again smuggle anything on an airplane using their shoes, or you can make sure airline security is better altogether. there is always a new threat out there; dealing with each on-the-spot doesn’t really work and will end up draining more funds.

as to online extortion, i do not belittle the issue in any way. i do believe though that most who are forced to deal with it do not really understand the problem.

the times are coming where meat-space organized crime is getting involved with a lot of what’s going on online, and if we don’t get ready now, we will simply fall behind.

i’d like to thank paul schmehl for a conversation we had on the subject a couple of years back; he gave me some very good ideas to consider.

also, i am waiting to hear from dan hubbard from websense to find out what really happened in the story discussed (see url to article above).
[ having just heard from dan: this issue dates back to may 2005:
http://www.websensesecuritylabs.com/alerts/alert.php?alertid=194 ]

gadi evron,
ge@beyondsecurity.com.

Analysis of the Texas Instruments DST RFID

Although the article isn’t new, it is still good reading material for those who are looking into implementing some sort of RFID for security or identification.

> The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below.

To summarize the article, you can do almost anything with their DST simulator and reader:

  • Sniff a DST tag in a victim’s pocket
  • Crack the key in a DST tag
  • Start a car
  • Buy gas

Side-channel attacks and listening to keyboards

this item recently hit the news:
http://blogs.securiteam.com/index.php/archives/65

about how by listening to keyboard key strokes, one can re-build the original message typed.

i recently posted about this somewhere else.

side channel attacks are not new. you can listen to the keyboard, cpu, hdd, etc. you can go with em radiation. you can use a telescope to view through a window a reflection off a wall. all you have to do is google. :)

but yes, side channel attacks are cool. thing is, there are usually *much* easier ways of doing things.

a trojan horse can also be considered a side-channel attack if we are talking encryption, which is exactly the difference between how crypto guys and security guys think.

if you ask a crypto guy what the best way of breaking rsa is, you’d get a complicated answer with if’s, maybe’s and math. if you ask a security guy (or in this case, me), i’d just say use a trojan horse.

for crypto guys, once an algorithm is found weak it is no longer trusted and they try and develop new ones, which is good for their science. as security people the more vulnerabilities are found and fixed the more secure we feel (except for worrying that the coders suck and the holes will keep showing).

back to side-channel attacks, try googling for what adi shamir has to say on them. i love this subject. it’s way cool.

jeremy richards from ncircle recently posted the following links to a mailing list i am on, detailing just a few of the possible side-channel attacks out there:
1) acoustic cryptanalysis.

“adi shamir, eran tromer have done some remarkable research into a side channel attack that is able to extract private rsa keys just by monitoring the sound output of your computer!”

2) power analysis.

“dpa is a powerful tool that allows cryptanalysts to extract secret keys and compromise the security of smart cards and other cryptographic devices by analyzing their power consumption.”

3) led leakage.

“a previously unknown form of compromising emanations has been discovered. led status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device… experiments show that it is possible to intercept data under realistic conditions at a considerable distance. many different sorts of devices, including modems and internet protocol routers, were found to be vulnerable.”

try also googling for tempest for the classics.
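to make the led leakage item above concrete, here is a toy simulation (added illustration, not code from this post or from the led research it quotes) of the difference between a status led wired straight to a serial data line and one driven through a pulse stretcher. the 8n1 framing, the `hold` length and the sample bytes are assumptions; the point is that the stretched led still shows "activity" but an observer sampling it at the bit rate can no longer frame the bits.

```python
"""Toy model of LED data leakage on a serial link: direct-driven LED vs. pulse-stretched LED."""
from typing import List, Optional


def frame_bytes(data: bytes) -> List[int]:
    """8N1 framing (assumed): idle line is 1; each byte is a 0 start bit, 8 data bits LSB-first, 1 stop bit."""
    bits = [1, 1]  # a little idle time before the first frame
    for b in data:
        bits.append(0)
        bits.extend((b >> i) & 1 for i in range(8))
        bits.append(1)
    return bits + [1, 1]


def led_direct(line: List[int]) -> List[int]:
    """Leaky wiring: the LED lights whenever the line is in the 0 (space) state, so the
    optical signal is an inverted copy of the data, one sample per bit period."""
    return [1 - bit for bit in line]


def led_stretched(line: List[int], hold: int = 12) -> List[int]:
    """Mitigated wiring: a monostable keeps the LED on for `hold` bit periods after the last 0.
    With hold >= one frame (10 bits) the LED stays lit for the whole transmission, so it
    conveys only 'something is being sent', not which bits."""
    out, remaining = [], 0
    for bit in line:
        if bit == 0:
            remaining = hold
        out.append(1 if remaining > 0 else 0)
        remaining = max(0, remaining - 1)
    return out


def decode_optical(samples: List[int]) -> Optional[bytes]:
    """What an observer sampling the LED at the bit rate can reconstruct.
    Returns None on a framing error (a frame whose stop bit is not 1)."""
    line = [1 - s for s in samples]  # undo the LED's inversion
    data, i = bytearray(), 0
    while i < len(line):
        if line[i] == 1:  # idle line, keep scanning for a start bit
            i += 1
            continue
        frame = line[i + 1:i + 10]
        if len(frame) < 9 or frame[8] != 1:
            return None  # no stop bit where one is expected: cannot recover bytes
        data.append(sum(bit << k for k, bit in enumerate(frame[:8])))
        i += 10
    return bytes(data)


if __name__ == "__main__":
    secret = b"pa55word"  # constructed sample data
    print("direct LED   :", decode_optical(led_direct(frame_bytes(secret))))
    print("stretched LED:", decode_optical(led_stretched(frame_bytes(secret))))
```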

gadi evron,
ge@beyondsecurity.com.

Practical Exploitation of MD5 Collisions

A post at Code Project brings to light the first case I have seen of making two binary versions of two different pieces of software that both have the same MD5, where one is dubbed evil while the other is dubbed good.

The evil piece of software can do anything good or evil that the good piece of software doesn’t, while still having the same MD5 signature.

For the time being the resulting binary files require an extractor to “release” the piece of software embedded within it, but this is no big deal as most software you download from the Internet comes packed and requires some sort of extractor or running an installation program.

Orbital Electronic Warfare

http://www.washtimes.com/national/20050921-102706-1524r.htm

the us put a satellite in space to help jam other satellites.

naturally, technology such as this has existed for many years now and predates information warfare by a few years.

however, by putting active targeted weaponry in space, what’s next? just because it is em radiation does not mean it is not a weapon.

i believe that weapon development to counter satellites is going to be more and more in the spotlight in the next few years.

from blinding spy satellites through disturbing ground communication all the way to (maybe) herf and emp.

it’s not all about missiles, however much americans like them. one thing i do know is – if the americans have them, soon china and the eu will as well if they don’t already.

gadi evron,
ge@beyondsecurity.com.