Monday, 31 October 2011

Cash machine (ATM) cracking

A weakness in the way ATMs verify customers' personal ID numbers means that a corrupt bank worker could steal over £2m in one lunch hour.

In a paper entitled Decimalisation table attacks for PIN cracking, Mike Bond and Piotr Zielinski note that there is a vulnerability in the way offline ATMs verify PINs. This vulnerability allows an attacker to successfully guess a PIN in 24 or even 15 attempts.

The paper, which was published in 2003, suggests that the long term solution is to protect or remove decimalisation tables. A much more recent paper demonstrates the attack, while also including nice examples using the classic 70s game Mastermind.

Friday, 28 October 2011

Online banking security: Good for you or your bank?

When banks implement new online banking security measures they have a problem.

They have to persuade customers that the often inconvenient new ways of accessing their accounts are actually for their own benefit. They do that by claiming that the new ways of doing things make your money safer, which is surely for your own good.

First let's look at chip authentication programmes, one of which is Barclays Bank's PINsentry (from 2007). Another is Nationwide's Card Reader (from 2008).

If you have an account with either of these banks you'll receive a device that looks a little bit like the reader you see in high street retail outlets. You put your card into the slot, type your PIN and the transaction is authenticated.

This makes complete sense when paying for goods in a supermarket because, with the best will in the world, the average till operator is not really qualified to compare your signature on a receipt with the one on the card, as used to happen in the 'old days'.

However, when banking customers have to use these devices to access their online bank account from home, it becomes an inconvenience. Instead of just booting up the laptop, you need to find your card and your reader. If you are travelling then you're probably going to be unable to access your account at all. 

But surely, if these readers make your money safer, they are a good thing? Firstly, your money is safe, in that the bank has to refund you any losses made (as long as you've not been really careless with your banking details).

Secondly, throwing extra levels of technology at the problem does not necessarily make it safer. Let's take the example of a regular traveller. They will have to take their card reader with them if they want to access their accounts online. So what's to stop a mugger grabbing this device, along with the wallet and laptop?

Card readers can even be used by muggers to prove if a victim is lying about their PIN, which is convenient for the bad guy but not so great for the bank's unfortunate customer.

Things get even darker, though, when we look deeper into the security provided by these card readers. There are weaknesses in the protocol that they use. There is a fascinating paper on the subject by Saar Drimer, Steven J. Murdoch, and Ross Anderson. It is available from The University of Cambridge's website.

Just to lighten the mood, when Barclays launched PINsentry I was asked to participate in a promotional video. To be clear, I received no payment for this and I even pointed out the problems with using card readers at the time. I can't imagine why they did not include my points in the advert below...




Thursday, 27 October 2011

Mac, PC, whatever

As we start using the same types of devices, the online criminals will find their lives becoming less complicated.

Macs are PCs running a different operating system. They have Intel processors in them these days, and have had for around five years now, so there really is little difference.

You can even install Windows on a Mac. The only reason you can't install Apple's OS X on a PC is because Apple doesn't want you to. It is possible, though, with some hacking around.

Tablets can be a little different. For example, the Asus Eee Pad Transformer is not based on an Intel processor. It uses an ARM-based CPU instead. As a user there's no way to tell, though.

This is because you're using Google Chrome most of the time, regardless of the underlying hardware and operating system. Apps are written in Java, which means that they are largely independent of the operating system (Android). It's about the browser and the programming platform, not the boring old operating system.

This is what Microsoft has been worried about since Netscape brought out its first browser. And Sun brought out Java. There were a couple of court cases about this.

There are some obvious security consequences of this. When people ran different operating systems on different hardware, the bad guys had to decide which were of most interest. If personal computing devices converge much more, and we all end up running Google Chrome and Java, that decision is going to become much less important.

But even if the attackers continue to hammer away at the operating system, there are significant similarities between some of the most popular. This makes life easier for the bad guys.

OS X is a UNIX-based operating system. So is Linux. As is Android. Their similarities mean that a single threat can affect more than one of these systems. We've already seen cases where old Linux threats are tweaked to work with OS X. The Register reported on one yesterday.

Quick-and-dirty website blocker

If you want to avoid a chunk of deeply unpleasant websites, you could compile a list of their URLs and put them in your computer's hosts file, pointing them to the localhost. This effectively blocks them.

Dan Pollock has done the dirty work for you, so download the pre-configured hosts file and spare your eyes while also improving your computer security for free.
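As an added example (not Dan Pollock's list or any tool from the post), the Python below does the hosts-file job described above in a way that is safe to repeat: each hostname from a blocklist is validated, duplicates are dropped, the entries are pointed at 127.0.0.1 as the post suggests, and the block is fenced with marker comments so that running it again replaces the old block instead of appending a second copy. The blocklist text and the existing hosts content are constructed sample data; the marker comments are my own convention.

```python
import re

# Constructed sample data: a blocklist with comments, a duplicate and two
# malformed entries, plus an existing hosts file that must survive untouched.
SAMPLE_BLOCKLIST = """
# example blocklist (constructed for this example)
ads.example.net
tracker.example.org
tracker.example.org
not a hostname!
bad-.example.com
"""

SAMPLE_HOSTS = """127.0.0.1\tlocalhost
::1\t\tlocalhost
192.0.2.10\tintranet.example
"""

SINK = "127.0.0.1"   # the post points blocked names at localhost
BEGIN = "# BEGIN blocklist (managed block, regenerated by script)"
END = "# END blocklist"

# RFC 1123 hostname: dot-separated labels of 1-63 alphanumerics or hyphens,
# no hyphen at either end of a label, whole name no longer than 253 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return the unique, valid hostnames in text, in first-seen order."""
    names = []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower()   # drop comments
        if name and is_valid_hostname(name) and name not in names:
            names.append(name)
    return names


def merge_into_hosts(hosts_text, names):
    """Return hosts_text with one managed block of sink entries. A previous
    managed block is removed first, so applying this twice changes nothing."""
    lines = hosts_text.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    block = [BEGIN] + [f"{SINK}\t{name}" for name in names] + [END]
    return "\n".join(lines + block) + "\n"


def blocked_names(hosts_text):
    """List the hostnames currently inside the managed block."""
    lines = hosts_text.splitlines()
    if BEGIN not in lines or END not in lines:
        return []
    inner = lines[lines.index(BEGIN) + 1:lines.index(END)]
    return [line.split()[1] for line in inner if line.startswith(SINK)]


def demo():
    """Apply the constructed blocklist twice and return both results."""
    names = parse_blocklist(SAMPLE_BLOCKLIST)
    once = merge_into_hosts(SAMPLE_HOSTS, names)
    twice = merge_into_hosts(once, names)
    return names, once, twice


if __name__ == "__main__":
    print(demo()[1])
```

Writing the result back to the real hosts file needs administrator rights and should be done to a temporary file followed by a rename, so a half-written file never breaks name resolution. Some lists use 0.0.0.0 instead of 127.0.0.1 as the sink so that blocked requests fail immediately rather than waiting on a local port; either works with the code above by changing SINK.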

I wish I'd had this the other day, when someone suggested I visit a certain site with Lemon in its name. Which I did while sat on the train. Next to a young woman.

Anti-virus myths busted

Last week I gave the début presentation of my anti-virus myths talk at the London International Technology Show.

A few people have asked for access to the basic information that I used, so here it is. The talk lasted for around 40 minutes so this really is a bare-bones summary.

Myth #1: Anti-virus protects 100%
Real-world protection tests by Dennis Technology Labs (DTL) and other testers show that even well-known brands of security software can be compromised by malware.

Myth #2: Anti-virus slows PCs
In performance tests conducted by DTL, most popular anti-virus software makes virtually no impact on general system performance. However, system startup (boot) times can be affected, as can shutdown times. These are important because they are very noticeable to users.

Myth #3: I don't need it (I've never been infected)
Current threats tend not to make themselves known to the casual observer. Rootkits make it hard, even for experts.

Myth #4: Viruses stay in the bad bits of the internet
While some areas of the internet are riskier than others, legitimate sites can be infected. We demonstrated a real, legitimate site infecting our test PC.

Myth #5: Protection costs a lot
Free products are OK, while commercial products often come with multiple licenses.

Myth #6: Avoid Internet Explorer
All popular browsers have security holes. Internet Explorer has fewer known issues than Opera and Firefox. Chrome and Safari are not immune*.

Myth #7: My ISP will save me
There is no business reason why it would, without raising subscription costs. We covered various options to reduce exposure to threats, including ISP-like techniques such as using special DNS services.

Myth #8: Salvation is a Mac, Linux or Android
Attackers go for popular systems. As Mac and Android users become more prevalent so will the threats to those systems. There are more known sets of vulnerabilities for OS X and Linux than there are for Windows*.

The following video clip was taken by one of the audience. Special thanks to PDTalkinTech for providing the photos and this video footage from part of the presentation:



* Data on software vulnerabilities was provided by Secunia.

Avira anti-virus detects self


Avira Premium Security Suite detected itself as a spy Trojan yesterday.

More specifically, the anti-malware software generated a false positive on a DLL called aescript.dll, mis-classifying it as TR/Spy.463227.

Avira claims that the problem can be fixed by running an update.

In the last 24 hours the dodgy update affected over 10,000 users (see below).




Wednesday, 19 October 2011

QR code of death

This is not the QR code of death
In July this year an inquisitive individual managed to create a QR code that crashed Google Authenticator on Android.

Re-installation and deletion of data/keys was necessary.

The "issue [was] caused by an invalid character '1' in the "secret" parameter in the URL encoded in the QR-code."

A few more details, plus the offending QR code, are available on the Google Authenticator project's Issues page.
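The crash above is a parsing failure on untrusted input: the QR code carries a URI, and one parameter of that URI contained a character that cannot occur in a valid secret. As an added example (not code from the Google Authenticator project), here is a Python parser that validates such a URI before anything is stored. It assumes the otpauth:// Key URI layout that Google Authenticator imports (otpauth://TYPE/LABEL?secret=BASE32&issuer=...), and the point it demonstrates is that the secret is RFC 4648 base32, whose alphabet is A-Z and 2-7, so a '1' is rejected with a clear error instead of reaching the decoder. The two URIs are constructed test vectors.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the QR code carries a Key URI of the form used by Google
# Authenticator, otpauth://TYPE/LABEL?secret=BASE32[&issuer=..&digits=..&period=..].
# RFC 4648 base32 uses A-Z and 2-7 only, so 0, 1, 8 and 9 never appear in a secret.
BASE32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# Constructed test vectors: a well-formed URI, and the same URI with a '1'
# planted in the secret, which is the kind of input the post describes.
GOOD_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
BAD_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PX1&issuer=Example"


class InvalidKeyUri(ValueError):
    """Raised for any Key URI that must be rejected before it touches stored keys."""


def parse_key_uri(uri):
    """Validate a Key URI and return its fields, or raise InvalidKeyUri."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise InvalidKeyUri(f"unexpected scheme {parsed.scheme!r}")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise InvalidKeyUri(f"unknown OTP type {parsed.netloc!r}")
    label = unquote(parsed.path.lstrip("/"))
    if not label:
        raise InvalidKeyUri("missing account label")
    params = {k: v[-1] for k, v in parse_qs(parsed.query).items()}

    # Normalise, then check the alphabet BEFORE handing the string to a decoder.
    secret = params.get("secret", "").replace(" ", "").upper().rstrip("=")
    if not secret:
        raise InvalidKeyUri("missing secret")
    bad = sorted(set(secret) - BASE32_ALPHABET)
    if bad:
        raise InvalidKeyUri(f"secret contains non-base32 characters: {bad}")
    try:
        # Secrets are usually unpadded; restore padding to a multiple of 8.
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except (binascii.Error, ValueError) as exc:
        raise InvalidKeyUri(f"secret is not valid base32: {exc}") from None

    digits = int(params.get("digits", "6"))
    if digits not in (6, 8):
        raise InvalidKeyUri(f"unsupported digit count {digits}")
    result = {"type": otp_type, "label": label, "issuer": params.get("issuer"),
              "key": key, "digits": digits}
    if otp_type == "totp":
        period = int(params.get("period", "30"))
        if period <= 0:
            raise InvalidKeyUri("period must be positive")
        result["period"] = period
    else:
        if "counter" not in params:
            raise InvalidKeyUri("hotp requires a counter")
        result["counter"] = int(params["counter"])
    return result


def key_uri_problem(uri):
    """Return None if the URI is acceptable, otherwise the reason it was rejected."""
    try:
        parse_key_uri(uri)
    except ValueError as exc:   # InvalidKeyUri and int() failures alike
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_key_uri(GOOD_URI)["key"])
    print(key_uri_problem(BAD_URI))
```

The design point is that every rejection happens before any account state is touched, so a malformed code can never leave the store half-updated, which is what forced the re-installation described above.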

My high-tech approach to presentation

Unaccustomed as I am to public speaking...

The accompanying multimedia extravaganza that will be my LITS presentation is a little more polished than my set of personal notes.

The dangers of speech recognition

Speech recognition systems can delete your data and email porn to your Mum.

When Windows Vista launched, Symantec produced a fun video showing how the in-built speech recognition system could be abused by a malicious website. Basically, a web page loads and plays an audio file containing instructions to delete data.

Importantly, speech recognition needed to be enabled, the speakers needed to be turned on, the microphone needed to be close enough to the speakers and the user had to allow the audio file to run until completion.



Now the new iPhone's personal assistant application, Siri, has (potentially) joined in the act:

Anti-virus myths

On Friday I will be busting a few anti-virus myths at the London International Technology Show.

We'll take a look at performance, both in terms of how much anti-virus software impacts a system's speed and its ability to protect against threats.

We will also attempt to kill off a few platform prejudices (e.g. "I'm safe if I have a Mac"), explore common types of internet threats and reveal some shocking statistics.

If all goes well I'll be able to show a real drive-by attack that would be invisible to a real victim.

There will also be a few tips on improving security in what seems to be an impossibly insecure world.

UPDATE: Gain an exclusive insight into my revolutionary presentational techniques!

Tuesday, 18 October 2011

Pentesting for the masses

Want to run a penetration test but don't have the budget to call in a specialist group, nor the time to get to grips with the Metasploit console? Rapid7 has today launched Metasploit Community Edition, which combines the features of the free Metasploit Framework with a cut-down version of its commercial interface.

Metasploit Pro provides a relatively simple interface to the powerful but complex vulnerability testing system that is Metasploit Framework. But it costs money. If you have to ask how much, you probably can't afford it. Just to give you an idea, Metasploit Express (a cut-down version of Pro) costs $3,000. In contrast, Metasploit Community Edition is free.

Metasploit Community Edition's features include:

  • A simple graphical user interface
  • Network discovery
  • Integration with vulnerability scanners (e.g. Nmap)
  • Basic exploitation
  • Module browser (providing access to lots of exploits)

You can see a comparison chart on Rapid7's site. What sticks out to me is that if you want to run a deep pen test (potentially for/against a third party) you really should be looking at Metasploit Pro or Framework. Express and Community don't provide features such as, "Mimic... APTs", "advanced evasion techniques" and "social-engineering campaigns."

HD Moore says:
"Metasploit Framework users fall into two camps: first, there are security researchers and developers who want a powerful platform to build custom tools and processes. The command-line interface works very well for them today, and we continue to invest in this interface.
Second, Metasploit Framework is used by security and IT professionals to verify vulnerabilities and to conduct security assessments. 
For this group of users, the command-line console may not be the best fit. Metasploit Community Edition provides a much more accessible solution for this group – for free."

Friday, 14 October 2011

What's infecting today?

When you run real-world virus tests, it's best to use malware that people are really experiencing. That's what we do, but our approach is a little different to some. We find our own samples, independently of the anti-malware vendors.

As a result, it's always interesting when we see research that suggests what the common threats are. These reports usually reflect our own findings, which is not that surprising. However, sometimes they explain why we are seeing certain threats come and go.

When we locate malware for testing purposes we endeavour to find a selection of samples that provides a reasonable representation of what lots of people are finding. That way we can make the claim that, "if you were online today (e.g. 14th October 2011), visited this website (www. somethingbad. tld/ exploit.php) and your PC had Product X installed then the threat would have:


  1. been blocked
  2. run but then have been neutralised or
  3. successfully compromised your system."

This approach produces an interesting, honest, realistic result. It's worth mentioning again that we don't take malware or malicious URL feeds from any anti-virus vendors. When our observations match their security reports it confirms that, by and large, we're all seeing the same bad stuff.

Here's one example: Earlier this week I attended the RSA conference in London. In a presentation called The Geography of Cybercrime, Kaspersky's Darya Gudkova noted that the fake AV threat had fallen off dramatically in June of this year because the man allegedly behind the scam had been arrested. We too had noticed that the fake AV threat had all but disappeared since June, but we did not know why - until now.

Similarly, in the current tests that we are running we've been seeing fewer drive-by attacks and more direct downloads than in previous months. We hadn't seen fake codec attacks for a while, but here they are again, turning up in our own malware lists just like three years ago.

Microsoft has just published the 11th volume of its Security Intelligence Report. It claims that malware requiring user interaction far outweighs drive-by downloads, which in turn are even outnumbered by USB autorun threats. Yet again, a further indication that what we find matches what much larger organisations are seeing.

We don't test USB-based threats anymore. Maybe we should.

Thursday, 6 October 2011

Web-controlled Android malware

An Android Trojan is controlled remotely via 'command and control' (C&C) websites.

Back in the days before Windows PC threats downloaded commands from websites, a friend of mine, Stephen De Vries, predicted that just such a situation would occur.

I think it was only a couple of months later before we started seeing that very behaviour. Many years later it seems that Android malware writers are adopting this effective technique.

Karl Dominguez from Trend Micro has written up an article about an e-book reader that downloads commands and payloads from two hard-coded web servers.

Until recently most of the Android malware we've seen has made us feel like we've been time travelling back to 1999 - Trojans that rely completely on social engineering; dialers; and relatively harmless but annoying jokes.

While it took the bad guys less than ten years to evolve their anti-Windows programs, the Android guys have moved a lot faster. This is most likely because the operating principles have already been proven to be very successful. And they are probably the same guys...

The next step? Removing the hard-coding. Fast-flux Android botnets, anyone?

Wednesday, 5 October 2011

How to automate virus scan on a USB drive

I'm increasingly seeing anti-malware products that either automatically scan USB drives on insertion or that offer to do so.

It has just come to my attention that Didier Stevens has written a script that can launch a program (like a virus scanner) when a USB drive is plugged in. So if you want this feature, your anti-virus doesn't have it and you use Windows then USBVirusScan is one solution.

USBVirusScan was first created around five years ago. That is how up to date I am.

Kaspersky rescue CD

If your system becomes badly compromised by malware then one approach to fixing it is to boot from a read-only disk (such as a CD disc) and run a scanner from a safe, uninfected environment.

Kaspersky provides a free bootable rescue CD that includes an anti-virus scanner. Other vendors do the same, but I mention Kaspersky here because a previous article, about an older version, is one of the most popular posts on this blog and still attracts large numbers of visitors. Hence the belated update.

The disc contains a live Gentoo Linux operating system that can run in text or graphical mode. It is compatible with 32- and 64-bit x86 systems (i.e. normal PCs). As you might hope, you can download updates before running a scan.

Interestingly, if you are scanning a system that already has a Kaspersky anti-virus program installed the updater will check the update files already available and only download those that are not available locally.

A utility called Kaspersky USB Rescue Disk Maker is also available from the site. It takes the contents of the Rescue Disk and copies it to a USB device, which you can then use to boot an infected PC.


More documentation is available from Kaspersky's Technical Support site.

Lottery funds WWII codebreaker base

Bletchley Park, wartime home of the Government Code and Cypher School, has received £4.6m from the Heritage Lottery Fund.

The site, which is not too far from where I live, has been decaying for some time but it receives no external funding. Earlier this year Google provided some cash when it bought some of Alan Turing's papers.

Bletchley Park is also home to The National Museum of Computing.

The gift shop sells all sorts of interesting things, but my favourite is the Enigma mug (see above), which is my regular drinking vessel of choice.

QR code vulnerabilities

Buffer under/overflows #evilqr

A paper on QR code security examines ways in which QR codes can be used to "attack both human interaction and automated systems."

The document, published by Secure Business Australia, notes that while people may fall foul of phishing attacks automated systems "are most likely vulnerable to SQL injections and command injections."

Two main approaches for attack are explored: buffer underflows and buffer overflows.

The QR readers are naturally a source of concern:
"As QR Codes are a standardized way of encoding information we strongly believe that the majority of software developers do not treat the encoded information as possibly insecure input."
The paper's authors are: Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Lindsay Munroe, Sebastian Schrittwieser, Mayank Sinha and Edgar Weippl.

QR code readers analysed

They do what? #evilqr

I recently noted the unsurprising potential for abuse that QR codes provide. One significant part of the problem is the QR code reader software itself. It may be vulnerable to exploits delivered directly by the QR code, for example. Or it might just take you to a potentially-hostile website without asking for permission.

The code readers also have the potential to help, perhaps by providing information about the code's 'payload' (e.g. URL) before taking further action, such as visiting that URL.

AppSec-Labs has compiled a table of QR code readers in a blog article entitled Security assessment of mobile QR readers. Of the 18 tested, five directed users to websites automatically with no user confirmation. One even parsed JavaScript.

The AppSec-Labs article includes two 'evil' QR codes for those who want to test the code reading software that they use.
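The two posts above make one point from two sides: the paper warns that automated systems feed decoded QR content straight into SQL or shell commands, and the reader survey shows apps acting on a URL without showing it first. As an added example (not code from the paper's authors, AppSec-Labs or any reader app), the Python below treats a decoded payload as untrusted: it classifies the text and returns a verdict (prompt, show or block) without opening anything, and it records the scan with a bound SQL parameter so that a payload shaped like an injection is stored as plain data. The payload strings are constructed; the scheme lists are my own policy choices.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed decoded payloads covering the cases the paper worries about.
SAMPLES = {
    "plain_url": "https://example.com/menu",
    "scripted": "javascript:alert(document.cookie)",
    "sqlish": "x'); DROP TABLE scans; --",
    "shellish": "`rm -rf /`; echo done",
    "phone": "tel:+441234567890",
    "text": "Table 12",
}

OPEN_AFTER_CONFIRMATION = {"http", "https"}  # shown to the user first, never auto-opened
SHOW_ONLY = {"tel", "mailto", "sms"}          # displayed, never dialled or sent by the reader


def classify(payload):
    """Decide what a reader should do with decoded text. Nothing is opened or
    executed here; the result is a verdict plus what the user needs to see."""
    if any(ord(c) < 32 and c not in "\t\r\n" for c in payload):
        return {"verdict": "block", "reason": "control characters in payload", "payload": payload}
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme in OPEN_AFTER_CONFIRMATION and parts.hostname:
        return {"verdict": "prompt", "kind": "url", "host": parts.hostname, "payload": payload}
    if scheme in SHOW_ONLY:
        return {"verdict": "show", "kind": scheme, "payload": payload}
    if scheme:  # javascript:, data:, file:, intent: and other app-handled schemes
        return {"verdict": "block", "reason": f"scheme {scheme!r} not allowed", "payload": payload}
    return {"verdict": "show", "kind": "text", "payload": payload}


def open_store():
    """In-memory table standing in for the back end of an automated scanner."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scans (id INTEGER PRIMARY KEY, verdict TEXT, payload TEXT)")
    return db


def record_scan(db, payload):
    """Store the payload with a bound parameter: its content is data, never SQL.
    The unsafe alternative would be building the statement with string
    formatting, which is exactly what the sqlish sample is shaped to exploit."""
    verdict = classify(payload)["verdict"]
    db.execute("INSERT INTO scans (verdict, payload) VALUES (?, ?)", (verdict, payload))
    return verdict


def stored_payloads(db):
    return [row[0] for row in db.execute("SELECT payload FROM scans ORDER BY id")]


def run_demo():
    """Classify and store every sample; return the verdicts and what was stored."""
    db = open_store()
    verdicts = {name: record_scan(db, payload) for name, payload in SAMPLES.items()}
    return verdicts, stored_payloads(db)


if __name__ == "__main__":
    verdicts, stored = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:10s} -> {verdict}")
```

The same rule applies where a payload is handed to an external program: pass it as one element of an argument list, never interpolated into a shell command line, so the shellish sample arrives as an inert string.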

How to use Metasploit

Two easy-to-follow guides.

Rapid7, the company that owns Metasploit, dropped by the lab yesterday to demonstrate some of its impressive products.

This prompts me to list two excellent sources of information on how to actually use Metasploit. For those new to the software, you could do much worse than read the free Metasploit Unleashed online tutorials at Offensive Security.

Additionally, the book entitled Metasploit: The Penetration Tester's Guide provides similar (but more detailed) information. It weighs more than my laptop, but that's a small price to pay!


Tuesday, 4 October 2011

Linux may be rooted

Linux developers have been asked to check their systems for signs of rootkits. The warning comes after Linux leaders discovered that important servers had been compromised.

The advice given to developers is to re-install their operating systems. Alternatively the alerting email lists three Linux anti-rootkit tools. Then it's a matter of double-checking the package signatures and other onerous tasks.

The rootkit tools mentioned are:

The email thread includes some useful and interesting tips for securing Linux systems, and handling those that one suspects as being compromised.

No Computer Viruses: an end to malware?

I received the following press release yesterday:
"CORRY, Pa. (MMD Newswire) October 3, 2011 - - "No Computer Viruses: No Antivirus Software Needed" (ISBN 1466274077) by J. Lynn takes readers through more than 25 years of computer technology history and offers a comprehensive argument for virus and malware prevention through the use of non-Windows operating systems."
It will be interesting to see the content of this book, which is not yet available but promises to be on Amazon.com in the near future.

J Lynn's solution to malware

I hope it's not going to just advocate, "install Linux and forget about malware" because, as many of us know, malware is not restricted to the Windows platform. I'm struggling to think of a current consumer computing platform that does not have at least basic malware samples available in one form or another. I'm pretty sure that IOS, Android, Linux and Mac OS X all receive their fair and generous share of security updates.

I am also pretty sure that if the majority of computer users migrated from using Microsoft operating systems to Some Other Operating System (SOOS) then we'd see a slew of SOOS malware before long. Nevertheless, the press release (emphasis and paragraphs added for clarity) continues:
"According to Lynn, Microsoft computer operating systems inadvertently grant administrative permissions to intruders in an effort to improve user experience while browsing the web. Moreover, Lynn argues that virus protection firms are well aware of these inherent flaws* and offer an endless series of costly solutions to the PC-owning public. 
With this in mind, Lynn offers detailed instructions for obtaining and installing alternative operating systems. Lynn contends that this system offers far more sophisticated protections for users, is extremely inexpensive and won't require frequent and expensive updates
This new system can be installed without removing your current operating system. Then you can choose if you want to keep your current system, replace it, duel (sic) boot both systems, or only use the new system when you want temporary protections in place for your computer before logging on to the Internet."
I've not read this book. I don't know what solution Lynn is offering. I want to know and I will find out. But I predict that I will be disappointed.

* I would hope so. I pity the security firm that doesn't understand software vulnerabilities.

ISP warns of 'virus' infection

Our ISP has warned us that we've downloaded a 'virus'.

In the lab we download a lot of malware, including the exploits that are often used to install them. We do this using standard consumer ADSL internet connections to reduce the chances of detection by the malware authors and distributors.

Last summer we had just completed a test that involved visiting at least 100 infected websites and allowing them to infect systems. We performed each task at least 12 times, so we potentially downloaded 12,000 threats in one month.

Towards the end of July we received the following (edited) email from our ISP:

Security Notification
---------------------
We have received notification that your IP (xxx.xxx.xxx.xxx) appears to have been compromised.
The IP has likely been infected with a kind of 'virus' known as a rootkit.
...
Infection: torpig
...

It was interesting to see the attached log file, which recorded the ports and hosts used by the Torpig botnet rootkit (aka Sinowal, Anserin). While I think it's great that some ISPs are taking the trouble to monitor and report malware infections to users, I'm amazed that in the 12 months of using this service (and using it the way that we do!) we've received just one alert.

Related US news: Infosecurity magazine reports that the US Departments of Homeland Security and Commerce are requesting comments on a voluntary programme whereby ISPs would notify users of botnet infections.

Hacking is easy

I can't work out if this is a spoof or just old. I can confirm that some of these techniques work, though*.

* When I used them legally. Once.

Gambling website admits hack, finally

When Betfair was hacked last year, thieves stole 3.5 million account names, 2.9 million usernames with email addresses and nearly 90,000 account usernames with bank details. The company has now admitted to customers that its defences were breached - 18 months later.

Betfair claims that the leak was not a threat to its customers because it has recovered the data.

Claiming to have recovered stolen goods is one thing, but how do you reclaim easily-copied stolen data?

HTC logger exposes Android user data

A "massive security vulnerability in HTC Android devices" has been found. The possible consequences are significant.

A researcher has found that software added by HTC to its Android devices exposes the following data:

  • Phone numbers
  • GPS data
  • SMS messages
  • Email messages
  • Addresses
  • Much more...
Basically, Trevor Eckhart has found that HTC preinstalls a logging application that 'sniffs' a lot of information from the phone. It provides access to its own logs in a fairly loose manner. The upshot is that other applications could use the logger as a proxy and so read the above data.

Technical details, including a video showing a proof of concept attack, are available from Android Police.



UPDATE: An HTC spokesperson said that the company is "working very diligently to quickly release a security update that will resolve the issue on affected devices." Users will be able to download the fix over-the-air.

Call to evil QR arms

Seen something interesting about QR code abuse? Have a Twitter account? #evilqr

I'll take the most interesting content you find and compile it into a report.

Monday, 3 October 2011

Facebook links scanned for malware

Facebook has joined forces with security firm Websense to protect users from links to malicious web sites.

Websense's Advanced Classification Engine (ACE) will analyse links that users click on in real time. If it considers them to be dangerous the page will be blocked and a warning message will appear. Reckless users may still choose to click through to the site.
Source: Websense
Testing pages dynamically is an interesting approach. Many similar types of systems, such as those offered by desktop anti-virus programs, use website reputation rather than looking through the content each time the site is visited.

QR codes abused

In possibly one of the most predictable events of 2011, the bad guys have been discovered using QR codes to direct victims to malicious websites.

First, why was this predictable? Because QR codes are similar to URL shortening services, in as much as they offer convenience by replacing a hard-to-type string of characters with something that is simpler for the user to handle. The negative side effect in both cases is that they also obscure the details of the 'payload'. Criminals have been using URL shortening services for a while now, so it's hardly surprising that they've taken up with an equivalent system for mobile devices.

Interestingly, the fact that most PCs aren't set up to read QR codes means that the attacker can make some fairly safe assumptions. Anyone visiting the malicious website via the QR code is likely to be using a mobile device. They are most likely using IOS or Android, but if not then their phone is probably of limited interest. So the attacker can configure the malicious site to contain exploits only for Android and IOS devices.

The attacker could also set up the site to appear innocent to those who visit directly, by typing in the URL. This would filter out a few client-side honeypots for a start.

Denis Maslennikov from Kaspersky has produced a short report that demonstrates real-life examples of these types of attacks. He agrees that this was a predictable situation:
"Usage of QR codes for malware spreading was predictable. And as long as this technology is popular cybercriminals will use it."
In the examples that Denis explains, the QR codes direct the devices to JAR and APK files, rather than exploits, so currently this is an exercise in social engineering: The victim blithely scans in a code and installs the program provided. I predict that we'll see exploits before very long that will perform this installation automatically, in a drive-by download style.

If you want to play with QR codes but, like me, don't have a suitably advanced mobile device you may find the following links useful:
  • QR-Code Tag Google Chrome extension: Install this extension and then visit a website using Google Chrome. Click this program's toolbar icon to generate a QR code containing the URL. This is how I generated the QR code for this blog that you should see at the start of this article.
  • ZXing Decoder Online: Enter a URL for a QR code or upload it as an image file, and this site will decode it. Save the QR code from the top of this page and upload it, or paste its URL into the appropriate field and you should see it decode as:
    http://simonedwards.blogspot.com/
    You get more information if you direct the decoder to a URL. See the output below.
  • Desktop QR Code Reader: An Adobe AIR application that lets you use your computer's webcam to capture a QR code. I have not used this.
ZXing Decoder Online output:
Raw text http://simonedwards.blogspot.com/
Raw bytes 42 16 87 47 47 03 a2 f2 f7 36 96 d6 f6 e6 56 47 76 17 26 47 32 e6 26 c6 f6 77 37 06 f7 42 e6 36 f6 d2 f0 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 11 ec 11 ec 11 ec 11
Barcode format QR_CODE
Parsed Result Type URI
Parsed Result
http://simonedwards.blogspot.com/
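The "Raw bytes" line in the ZXing output is the QR symbol's data codewords, and it can be read by hand: the first nibble 4 is the byte-mode indicator, the next byte 0x21 says 33 characters follow, then come the 33 bytes of the URL, a 0000 terminator, and ec/11 pad codewords. As an added example (not ZXing's own code), the Python below decodes that bit stream, and it goes a little beyond the post by also handling the numeric and alphanumeric segment modes so that other Raw bytes lines decode too. It assumes a symbol version in the 1-9 range, which fixes the width of the character-count field (the default of 3 is an assumption; the post does not state the version), and it interprets byte-mode data as ISO-8859-1, the specification's default.

```python
# Copied from the ZXing output in the post: the data codewords of the blog's
# own QR code. The trailing ec/11 values are the standard pad codewords.
RAW_BYTES = ("42 16 87 47 47 03 a2 f2 f7 36 96 d6 f6 e6 56 47 76 17 26 47 32 "
             "e6 26 c6 f6 77 37 06 f7 42 e6 36 f6 d2 f0 ec 11 ec 11 ec 11 ec 11 "
             "ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 11 ec 11 ec 11 ec 11")

# Alphanumeric-mode character table from the QR specification (index = value).
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
NUMERIC, ALPHANUMERIC, BYTE = 1, 2, 4   # the 4-bit mode indicators handled here


class BitReader:
    """Reads big-endian bit fields out of a byte string."""
    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def remaining(self):
        return len(self.bits) - self.pos

    def read(self, n):
        if n > self.remaining():
            raise ValueError("ran off the end of the data codewords")
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value


def count_indicator_bits(mode, version):
    """Width of the character-count field; it depends on the symbol version."""
    if not 1 <= version <= 40:
        raise ValueError("QR versions run from 1 to 40")
    cls = 0 if version <= 9 else 1 if version <= 26 else 2
    return {NUMERIC: (10, 12, 14), ALPHANUMERIC: (9, 11, 13), BYTE: (8, 16, 16)}[mode][cls]


def decode_segments(data, version=3):
    """Walk the bit stream: mode, count, payload, repeated until the terminator."""
    reader = BitReader(data)
    segments = []
    while reader.remaining() >= 4:
        mode = reader.read(4)
        if mode == 0:            # 0000 terminator; everything after it is padding
            break
        if mode not in (NUMERIC, ALPHANUMERIC, BYTE):
            raise ValueError(f"mode {mode:04b} not handled by this example")
        count = reader.read(count_indicator_bits(mode, version))
        if mode == BYTE:
            text = bytes(reader.read(8) for _ in range(count)).decode("latin-1")
        elif mode == ALPHANUMERIC:
            chars = []
            while count >= 2:    # pairs packed as c1*45 + c2 in 11 bits
                value = reader.read(11)
                chars.append(ALNUM[value // 45] + ALNUM[value % 45])
                count -= 2
            if count:            # an odd trailing character takes 6 bits
                chars.append(ALNUM[reader.read(6)])
            text = "".join(chars)
        else:
            digits = []
            while count >= 3:    # three digits in 10 bits, then 2 in 7 or 1 in 4
                digits.append(f"{reader.read(10):03d}")
                count -= 3
            if count == 2:
                digits.append(f"{reader.read(7):02d}")
            elif count == 1:
                digits.append(str(reader.read(4)))
            text = "".join(digits)
        segments.append((mode, text))
    return segments


def decode_raw_bytes(hex_text, version=3):
    """Turn a ZXing 'Raw bytes' line back into the encoded text."""
    data = bytes.fromhex(hex_text)   # fromhex ignores the spaces between bytes
    return "".join(text for _, text in decode_segments(data, version))


if __name__ == "__main__":
    print(decode_raw_bytes(RAW_BYTES))   # http://simonedwards.blogspot.com/
```

Reading the stream this way also shows why the "Parsed Result Type" is only a guess made after decoding: nothing in the codewords marks the content as a URI, so a reader decides that from the text alone, which is the heart of the QR-abuse problem discussed below.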

Microsoft treats competing web browser as banking Trojan

Microsoft's anti-malware software has mistakenly classified Google's Chrome web browser as a 'Severe' banking Trojan.

According to The Register, "On Friday, a faulty signature update for both Microsoft Security Essentials and Microsoft Forefront incorrectly detected the Chrome executable file for Windows as a component of the notorious ZeuS trojan."

While it seems that so far both Google and Microsoft are saying little about the alleged incident, there is an interesting note at the top of Microsoft's Malware Protection Center's Threat Research and Response Encyclopedia:

"NOTICE: September 30, 2011: MMPC has identified an incorrect detection for PWS:Win32/Zbot affecting Google Chrome. Signature version 1.113.672.0 or higher addresses the issue."

Update: 03/10/2011 11:22 Both Microsoft and Google have acknowledged the situation [The Register].

Air traffic control details leaked via eBay

A network switch sold on eBay has been found to contain sensitive information about a network belonging to the National Air Traffic Services (NATS) centre in Prestwick.

The Cisco Catalyst switch was sold on eBay for £20. The buyer found that it held:

  • Details of the VLANs in use and associated services
  • Full VTP trunking data
  • Device management accounts
  • Read and Write SNMP community strings
  • Full details of upstream switching
According to the lucky bidder, IT consultant Michael Kemp, the switch was using the manufacturer's default passwords and the data it held was fairly recent:

"The password policies associated with the device are simple (I’m not providing pasword (sic) details in an open forum, but it’s a Cisco device so have a guess eh?) and it really was an absolute treasure trove of data no older than 18 months old (yes, we did get the last power cycle data)."

As the screenshot below indicates, the switch had previously been used by Serco PLC. Serco provides management services to NATS.



Michael points out on his Lo-Fi Security site that someone could plug a rogue switch configured this way into Prestwick ATC's network and "monkey" with it.

He also notes that the eBay seller was also offering a further 13 switches. One can only speculate as to whether or not these were sanitised before being sent to successful bidders. One can also only speculate as to why such hardware was sold in this condition rather than being wiped or even destroyed, because it should have been. According to Channel 4 news, NATS responded with a statement that includes the following:

"We have a contract with a specialist firm to handle the secure destruction and disposal of our equipment. We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online."
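The switch left the building with its configuration intact, and the items Michael Kemp lists (SNMP community strings, management accounts, VTP data, VLAN layout) are all visible as plain lines in an IOS-style running configuration. As an added example (not from Michael Kemp's write-up, NATS, Serco or any Cisco tool), the Python below is the kind of pre-disposal check a decommissioning process could run over an exported configuration: it flags each line that carries a credential or network detail, marks values that are vendor defaults or trivially guessable, and returns a release verdict. The configuration text is constructed for this example, with invented hostnames, addresses and password strings, and the rule set is my own, not an exhaustive one.

```python
import re

# Constructed sample of an IOS-style running configuration. Every value is
# invented for this example; nothing here comes from the switch in the post.
SAMPLE_CONFIG = """\
!
hostname sw-core-01
!
enable password cisco
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxx
!
vtp domain corp-lan
vtp password vtpsecret
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.50 version 2c private
!
interface Vlan10
 description management
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 password cisco
 login
!
"""

# (regex, category, severity). A named group "value" captures the secret so
# it can be compared with well-known defaults; first matching rule wins.
RULES = [
    (r"^snmp-server community (?P<value>\S+) .*\bRW\b", "snmp-rw-community", "high"),
    (r"^snmp-server community (?P<value>\S+)", "snmp-ro-community", "high"),
    (r"^snmp-server host \S+ .* (?P<value>\S+)$", "snmp-trap-community", "medium"),
    (r"^enable password (?:7 )?(?P<value>\S+)", "enable-password", "high"),
    (r"^enable secret ", "enable-secret-hash", "medium"),
    (r"^username \S+ password 7 (?P<value>\S+)", "type7-password", "high"),
    (r"^username \S+ password (?:0 )?(?P<value>\S+)", "cleartext-user-password", "high"),
    (r"^username \S+ secret ", "user-secret-hash", "medium"),
    (r"^vtp password (?P<value>\S+)", "vtp-password", "high"),
    (r"^vtp domain ", "vtp-domain", "low"),
    (r"^ +password (?:7 )?(?P<value>\S+)", "line-password", "high"),
    (r"^ +ip address \d", "internal-addressing", "low"),
]

# Vendor defaults and the guesses anyone would try first.
WEAK_VALUES = {"cisco", "public", "private", "admin", "password", "secret"}


def scan_config(text):
    """Return one finding per sensitive line: line number, category, severity,
    and weak_value=True when the captured secret is a default or obvious guess."""
    compiled = [(re.compile(pattern), category, severity) for pattern, category, severity in RULES]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, category, severity in compiled:
            match = pattern.search(line)
            if not match:
                continue
            finding = {"line": lineno, "category": category, "severity": severity}
            value = match.groupdict().get("value")
            if value is not None and value.lower() in WEAK_VALUES:
                finding["weak_value"] = True
            findings.append(finding)
            break
    return findings


def disposal_verdict(findings):
    """A device with any high-severity finding must be wiped before it leaves."""
    return "do not release" if any(f["severity"] == "high" for f in findings) else "release"


if __name__ == "__main__":
    results = scan_config(SAMPLE_CONFIG)
    for finding in results:
        print(finding)
    print(disposal_verdict(results))
```

A check like this belongs at the point where the destruction certificate is issued, not only in the ticket that requests disposal: the post's point is that the paperwork said the equipment was destroyed while the configuration, 18 months of it, was still on the flash.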