Showing posts with label social engineering. Show all posts

Tuesday, 12 May 2015

12 computer security tips

The bad guys can try to break in using computers only or they can try to trick you into providing them with access. Or they can use a mixture of tactics. Let's consider two main types of attack:

* Technical – breaking in via computers only
* Human – tricking people into aiding the attack

For the technical attacks you might consider the following, in order of priority/effectiveness:

Monday, 8 December 2014

Pre-infected smartphones

Some Android mobile phones are being sold pre-infected with malware.

According to a blog post by Lookout's Jeremy Linden, "DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries."

Some of the most important points from his report include:

  • Detections are moderate in volume.
  • Detections are global.
  • The Trojan pretends to be a ringtone app.
  • The Trojan downloads SMS and WAP content.
  • The downloaded content can be used to trick users.
  • Most of the affected devices are counterfeit or uncommon models (in the West).
  • Anti-malware software cannot remove it.

The main lesson to learn here is to buy non-counterfeit devices from reputable sources. You might also consider installing an anti-malware product to alert you to problems. And watch for unexpected charges on your mobile phone bill.

[Image: Sad Android by Justin Marden]

Friday, 14 February 2014

QR code drive-by one step closer?

A vulnerability in the majority of Android devices allows an attacker to take remote control of a victim's phone or tablet.

According to a blog post by Rapid7's Tod Beardsley, researchers have demonstrated a combination of a QR code and malicious JavaScript that can provide an attacker with a remote shell to the target.

Just to get some facts clear, the attack is not QR code-based. We're not talking about exploiting a QR code scanner to launch an attack. The user still has to choose a browser and proceed to a website that contains the malicious JavaScript.

However, it makes sense to initiate the attack with a QR code because that's one way mobile device users visit websites. QR codes are also very visual and so help make demonstration videos more dramatic.

The really important point to take away from this attack is that users do not have to allow any new (malicious) application to run. This is not a social engineering attack in which the user is tricked into installing a malicious application.

They simply need to visit a website (QR code-initiated or not) and the attacker is able to run commands on their device.

It is possible that there are earlier demonstrations of Android-based automatic (aka 'drive-by') attacks, but I've not seen any until now.

Monday, 20 January 2014

Exploring web threats

How to examine malicious websites and their effects - for professional beginners.

If you want to capture a live sample of a phishing website, or a site that is infected with malware, the techniques covered will help.

These tips are particularly useful considering how malicious websites can come and go very quickly.

I wrote this presentation for a customer who wanted a way to analyse some of the main threats to its users and to help when problems occurred. The solutions and threats included:

  1. Phishing websites designed to steal account details.
  2. Sites hosting exploits and malware designed for stealing account details.
  3. Malware infection detection.
  4. Malware removal tips.

You can download a free PDF of the presentation I gave.

If you just want an introduction to HTTPReplay and Fiddler2 then this might be helpful also.

Tuesday, 14 January 2014

Secure Windows XP after updates end

Sticking with Windows XP? Here's how to secure your system to a reasonable standard.

We'll cover:

1. How attackers work.
2. The significance this has for Windows XP users who will no longer receive updates to their operating system.
3. Free solutions to help secure your PC.

2014/01/14: This article has been updated, correcting NetMarketShare figures regarding how many people use different versions of Windows. In practical terms there is little difference.

Microsoft will soon stop issuing security updates for Windows XP.

At the same time it will cease issuing updates for its anti-malware product (Microsoft Security Essentials) for Windows XP.

This is significant because a very large minority of PC users still have Windows XP installed. Should they buy a new Windows 8 PC or can they maintain a decent level of security once they are abandoned by Microsoft?

In April 2014 Microsoft will end support for Windows XP and its free anti-malware protection. However, in December 2013, 29 per cent of Windows users were still running Windows XP.

To put things into perspective 44.5 per cent were running Windows 7 and only 11 per cent were running Windows 8 and Windows 8.1 combined. These figures are provided by NetMarketShare.

Clearly such a large number of people are not going to switch to Windows 7 or 8 in the next three months.

The following article explains what the threats are for Windows XP users, how they work and ways in which users can secure their old computers without having to upgrade the operating system.

How hackers do it

There are two common ways for hackers to attempt to gain access to desktop computers.

Social engineering

The first is so-called social engineering, in which they trick victims into running a malicious program. This program may be designed to steal information, such as passwords, from the system. Let’s call this type of software ‘spyware’.

Alternatively the software might try to further trick or blackmail the victim, perhaps by claiming (ironically) that it has detected a malware infection or by locking the PC and demanding payment for releasing the system back into the user’s control. These types of threats are called ‘rogue anti-virus’ and ‘ransomware’ respectively.

For social engineering to work the user usually has to be convinced to run a program. If they are sufficiently convinced that they need to download and run a certain program (or insert a strange USB storage device) then they will probably carry on regardless of what their anti-virus program tells them.

Some may check themselves if they see a warning like, “This file is a Trojan. We recommend you delete it.”, but clearly enough users are fooled for the criminals to continue with this tactic.

No amount of patching Windows will change this situation so, for Windows XP users, this type of threat remains as significant (but probably no worse) as before.

Software exploitation

The second method is to gain access to the system using automatic attacks. These usually involve the victim visiting a website that contains some malicious code. This code, known as an exploit, runs on the target computer and gains a temporary level of control. It uses its new-found position of power to download and install malicious software, such as the aforementioned spyware, rogue security software and ransomware.

Automatic exploits only work because there are security holes, aka ‘vulnerabilities’, in the software on the victim’s computer. Vulnerabilities can exist in the applications that come included with Windows, such as Internet Explorer; in third-party applications such as Java, Flash and Adobe Reader; and even in hardware drivers (last month researchers published an exploit for Nvidia’s display driver).

If vulnerable software is updated to make it less vulnerable then exploits are less likely to work. For example, if you are still using Java version 6.x then your system is very open to attack because there are lots of known vulnerabilities for that software. Upgrading to the latest version 7.x will help, because there are fewer known vulnerabilities in the latest version of Java.

It is neither safe nor accurate to assume that any program has no vulnerabilities at all. Usually it’s just a matter of time before someone finds a new one. If a program is popular then there is more motivation for researchers to look for security holes, because a hole in popular software affects the largest number of potential victims.

Most popular exploits

It is hard to say whether attackers prefer to exploit vulnerabilities in Windows’ own files or those belonging to third-party software but, according to an update by the security blog Contagio, the exploit kits used by criminals in recent months seem very focussed on Adobe Reader, Adobe Flash and Oracle’s Java.

There are some exploits aimed at Internet Explorer 10 and earlier, many of which could affect Windows XP users. Switching from Internet Explorer to a browser that has continued Windows XP support (such as Google Chrome, Mozilla Firefox and Opera Software’s Opera browsers), and updating all other third-party applications would be a sensible move if you want to stick with Windows XP.

Updating automatically

Microsoft makes updating Windows reasonably convenient thanks to the Windows Update service. However, this does not usually provide updates for third-party software (although it does sometimes). Fortunately there is a free application that behaves in much the same way as Windows Update but for non-Microsoft programs.

Secunia’s Personal Software Inspector (PSI) will scan your PC for vulnerable applications and can automatically download and update those for which updates exist. You can also opt to have it download the updates but wait until you instruct it to install them, and you can even have it simply scan and inform you about available updates, rather than downloading anything.

How this affects users of Windows XP beyond April 2014

If Microsoft sticks to its plans then Windows XP will no longer receive security updates after April 2014. This means that any future vulnerabilities detected in Windows XP system files and the applications that come with it will remain unfixed. This appears to be great news for the attackers, who can locate security holes and use them without fear that their activities will be hindered by an impending fix.

The solution(s)

However, this is just one facet of the situation. Third-party applications and hardware drivers will still be updateable as long as their developers continue to provide support. Additionally, certain anti-malware products, including Kaspersky Internet Security and Symantec Norton Internet Security, are capable of detecting many types of exploits and can prevent them from taking control of the system.

I put together a list of anti-malware products that will continue to protect Windows XP after Microsoft withdraws support. Most, at the time of writing, were committed to the foreseeable future.

While Java is notoriously popular with hackers, you don’t need to remove it completely in order to secure your PC. You can keep Minecraft running happily on your system but simply disallow Java in the web browser.

There are at least five free and easy ways to protect against viruses and spyware. Windows XP users won’t be able to follow point #4 (i.e. update Windows) from that linked article but the rest are relevant for those sticking with XP.

Microsoft has a tool that helps to prevent the exploitation of vulnerabilities in its own software and those created by third parties. The Enhanced Mitigation Experience Toolkit is probably a little too tricky to use for everyday users but experts and the inquisitive can download it for free.

So while it is always best to fix the problem, by patching the security hole (or uninstalling the vulnerable application if you don’t need it!), there are ways to prevent the bad guys from gaining access even though the holes continue to exist.

Tuesday, 17 September 2013

USB condom pumped up in press

Some IT news websites have posted excited articles about a new 'USB condom' that protects devices from hostile charging stations.

Unless I'm missing something, I think this excitement is a little unwarranted.

The threat

You plug your phone into an untrusted USB charger. This is secretly connected to a computer that mounts the phone's storage and accesses its data. This is known as 'juice-jacking'.

The solution

If you must charge your devices using an untrusted charging station you may improve your security by turning them off completely. You should receive a faster charge that way, too.

Alternatively use a USB charging cable, which is like a regular cable but the data pins are not connected. You can make one of these yourself very cheaply. It's not hard but, if you don't want to DIY, ready-made options are inexpensive - frequently less than £5.

The USB condom

The USB condom works by "cutting off the data pins in the USB cable and allowing only the power pins to connect through." So, very much the same as a USB charging cable then.

Pricing for this connector is not yet available* but, if it is very much lower than £5, it'll be a worthy addition to any security-conscious traveller's cable bag.

* UPDATE (18/09/2013): Pricing for these devices is now available. The USB Micro-B and USB Type A models are $9.99 each. In my opinion that is poor value for money.

Tuesday, 23 July 2013

Smartphone security

[Image: In 1999 a PC this powerful would cost twice as much and be 100 times bigger]

At the moment we are, in terms of mobile malware development, in 1998.

Remember when we all used Windows 95 and connected with modems? The threats of the day were Trojans that would dial premium numbers to generate/steal money from victims.

As far as I can tell, that’s where we are today with smartphones.

Modern, powerful mobile handsets are essentially PCs with a modem, run by users who access banks and other financially-connected sites. I've yet to see any evidence of iOS or Android-compatible drive-by attacks so right now social engineering seems to be the most significant threat.

As such, a slight variation on the advice we used to give in the late 1990s is probably suitable:

  1. Keep your phone’s firmware up to date (updates from vendor, via Android Settings).
  2. Keep your software up to date (via Google Play updates). These updates can be set to run automatically.
  3. Only install from official stores such as Google Play. Don’t side-load (i.e. install from removable media).
  4. Ensure the software comes from the original developer. Google Play lists the developer and highlights very popular ones with the ‘Top Developer’ label.
  5. Check the reviews of each application you want.
  6. Check the permissions that each application requires and reject it if it wants too much (in your opinion).
  7. When updating manually, review any new permissions the updated application requires.
  8. Avoid pirated/cracked software, whatever the source.
  9. Install an anti-malware product. After all, even the official stores have been found to host malicious files.

While all this will help, I doubt that normal people will bother, or be able, to fully understand or remember the details. That's not their fault, though. It's the fault of the mobile industry. It should be easier to be more secure.

This article updates last year's notes on Android security tips.

Monday, 21 January 2013

Howto: Bullet-proof your email account

Usernames and passwords can be guessed or stolen. You can add additional layers of security that significantly reduce the chances of an attacker accessing your account.

First of all, always use encrypted connections when using your email service. If you don't know about HTTPS/SSL, please read Howto: Handle a hacked email account first.

Popular web-based email services, such as Gmail and Yahoo! Mail, secure accounts using a username and password. Some, including both Gmail and Yahoo! Mail, allow you to use an additional security measure called two-factor authentication (aka two-step verification).

Two-factor authentication

Using two-factor authentication is easier than the system's name suggests.

You may already have used two-factor authentication if you bank online with certain banks. Essentially you log in with your username and password, but must then type in a code that changes on a regular basis.

Every time you or someone else tries to access your account from a new system (PC, Mac, phone, tablet etc.), a code is required. You may also have to re-enter a code after a period of time.

A bank may require a code every time you log in. Google Mail will ask you once every 30 days.

The code may be generated by a small handheld device; by software installed on a smartphone; or it may even be sent by text (SMS) message to your phone.

Google provides a free Android app called Google Authenticator, which generates the code. Alternatively you can use one of the other options provided by Google, such as text messaging or even a voice call.

Other services

Some other web services allow users to add this optional secondary level of security. Following an embarrassing compromise, which potentially exposed users' files, Dropbox offered a two-step verification option to users.

Dealing with an extra log-in step once every few weeks is only slightly inconvenient and the level of additional security makes it well worthwhile.

Delhi scammers bypass two-factor authentication

Although using two-factor authentication is much more secure than relying only on passwords, it is possible for sneaky people to trick their way into obtaining the code.

A pair of Indian criminals were caught recently, having conned a mobile phone company into sending them 'replacement' SIM cards belonging to customers.

They were then able to log into victims' bank accounts, using the SIMs to receive security codes sent by SMS.

Saturday, 19 January 2013

Howto: Handle a hacked email account

If your friends complain that you have sent them spam, your email account has probably been compromised.

First I'll explain what has happened, then what hasn't and, finally, what you should do about it.

What has happened?

Someone has obtained the password to your web-based email account. They have logged in and sent spam, quite possibly in the form of links to dubious or even dangerous websites, to contacts you have saved in your online address book.

Your password may have been stolen when you logged into your email account, possibly because you used a public wireless service at some stage. If so you almost certainly were not logged in using an encrypted connection.

An alternative way in which an attacker can acquire your email password is to send you a fake email that purports to come from your email service (e.g. Yahoo!). Such 'phishing' emails ask that you log into a fake website. When you type in your password it saves it and the person operating the site now has your details.

Sometimes an email service will be hacked and users' passwords stolen. This happened to Yahoo! last summer. In Yahoo!'s case the passwords appear to have been stored unencrypted, which is surprisingly unprofessional if true.

What has not happened?

The attacker has not just written emails and labelled them with your email address. While such 'spoofing' is possible, the fact that the spam was sent to your contacts indicates that the attacker has accessed your account.

There is no reason to assume that a hacker or a virus has compromised your personal computer. You can discover if the email was sent by your computer or someone else's by comparing email messages you sent yourself to the spam messages received by your contacts.

To find out how to do this, see Who sent the email? below.

What can you do to fix the problem?

1. Log into your email service and enable encrypted connections if available. The setting may be labelled HTTPS or SSL. Yahoo! Mail only offered this option in January this year, and it's not on by default. This article shows how to secure a Yahoo! Mail account.

2. Once you have addressed step one, and not before, change your password to something new and not obvious. For password tips, and a reason not to re-use the same one on different sites, see here.

(If you change your password before enabling encryption your new password will travel over the internet in plain text, which increases the chance that it could be stolen.)

3. Some email accounts let you specify an associated email account. If you lock yourself out of your main email service, access may be granted via this secondary account. Check that the attacker has not changed this address to one that he controls.

4. Continue to be aware of phishing email threats and avoid falling for their tricks.

5. Be wary of using public WiFi just as a general rule.

6. To guard against having your details stolen or leaked change your passwords regularly.

Who sent the email?

All email messages contain technical details about the systems that they touch, from their origin to their destination. Look at the 'headers' to see who really sent the message.

In the following example message #1 was sent by the spammer, while message #2 was sent legitimately by the victim. I've trimmed out a lot of unnecessary headers below. Look at the underlined parts. I have changed some details to protect the innocent.

MESSAGE #1
Delivered-To: simon@h@k.me
...
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 04:15:46 PST


MESSAGE #2
Delivered-To: simon@h@k.me
...
Received: from [64.40.54.xxx] by web162904.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 10:44:51 PST

What these tell us is that both the attacker and the victim used Yahoo! Mail via the web (HTTP) interface.

We can also see that the spammer was operating from an IP address of 77.255.73.226, while the victim was using 64.40.54.xxx.

Using an online tool like http://whois.domaintools.com we can find out where these people are based.

At the time of the attack the spammer was based in Warsaw. The tool reports the following (and more):

IP Information for 77.255.73.226
IP Location: Poland Warsaw Netia Sa
ASN: AS12741
Resolve Host: 77-255-73-226.adsl.inetia.pl
IP Address: 77.255.73.226

The victim's IP address, on the other hand, leads us to believe (correctly) that he was working from Seattle.

Thus we can conclude that the spammer was accessing the compromised email account using a web interface from Poland, rather than via the victim's PC in Seattle.
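The same comparison can be done in code. This is an added example, not part of the original post: it reads the Received chain out of raw message headers, reports the client IP logged by the first relay, and checks it against messages the account owner really sent. The sample messages are constructed: message #1 keeps the spammer's address from the post, while the victim's redacted address is replaced by the documentation address 192.0.2.10, and the relay hop and recipient are invented.

```python
import ipaddress
import re
from email import message_from_string

# Added example, not from the original post: it reads the Received chain of a raw
# message and reports the client IP logged by the first relay, which is the value
# the post reads off by hand from message #1 and message #2.

# Matches "from [1.2.3.4]" or "from host (host [1.2.3.4])"; stops at the first '[' or ';'.
_FROM_IP = re.compile(r"\bfrom\b[^\[;]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> list:
    """Received headers in travel order (first hop first). Every relay prepends its
    own line, so the last Received header in the text is the earliest hop."""
    msg = message_from_string(raw_message)
    unfolded = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return unfolded[::-1]


def originating_ip(raw_message: str):
    """Client IP recorded by the earliest relay that logged one, else None.
    Only hops added by servers you trust (the recipient's and the sender's
    providers) are reliable; a sender can forge any header it writes itself."""
    for hop in received_chain(raw_message):
        match = _FROM_IP.search(hop)
        if match:
            return match.group(1)
    return None


def submitted_via_webmail(raw_message: str) -> bool:
    """True when the first hop records a web (HTTP) submission, as in both messages in the post."""
    chain = received_chain(raw_message)
    return bool(chain) and "via HTTP" in chain[0]


def origin_matches_known(raw_suspect: str, raw_known: list, prefix_bits: int = 32) -> bool:
    """Compare the suspect message's origin with messages the account owner really sent.
    prefix_bits below 32 loosens the match to a network, e.g. 24 for a home
    connection whose address moves around within one block."""
    suspect = originating_ip(raw_suspect)
    if suspect is None:
        return False
    network = ipaddress.ip_network(f"{suspect}/{prefix_bits}", strict=False)
    for raw in raw_known:
        ip = originating_ip(raw)
        if ip and ipaddress.ip_address(ip) in network:
            return True
    return False


# Constructed samples. SPAM keeps the spammer address from the post (77.255.73.226);
# KNOWN uses the documentation address 192.0.2.10 in place of the victim's redacted
# one. The relay hop (mta.example.net, 203.0.113.5) and the recipient are invented.
SPAM = """Delivered-To: victim@example.com
Received: from mta.example.net (mta.example.net [203.0.113.5])
        by mx.example.com with ESMTP; Mon, 14 Jan 2013 04:15:49 PST
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP;
        Mon, 14 Jan 2013 04:15:46 PST
Subject: look at this

http://example.invalid/
"""

KNOWN = """Delivered-To: victim@example.com
Received: from mta.example.net (mta.example.net [203.0.113.5])
        by mx.example.com with ESMTP; Mon, 14 Jan 2013 10:44:55 PST
Received: from [192.0.2.10] by web162904.mail.bf1.yahoo.com via HTTP;
        Mon, 14 Jan 2013 10:44:51 PST
Subject: lunch?

Are you free at noon?
"""

if __name__ == "__main__":
    print("spam origin:", originating_ip(SPAM), "webmail:", submitted_via_webmail(SPAM))
    print("matches owner's usual origin:", origin_matches_known(SPAM, [KNOWN]))
```

A whois lookup of the reported address, as the post does with domaintools, then tells you where that relay saw the connection coming from.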

Thursday, 29 March 2012

Why even experts need antivirus

[This article is written in response to Wired's recent article, Is Antivirus Software a Waste of Money? As is usually the case when a headline is posed as a question, the answer is "no".]

"I don't run anti-virus, actually," he said, "and I've never had a virus."

"Really?" I asked. "How do you know?"

"I think I'd know," he scoffed.

I had that conversation with the UK head of marketing for an anti-virus company that, while not one of the top brands, is certainly quite well known in Europe. We probably spoke around 2008.

Scroll back to the eighties and possibly even early nineties and he'd probably be at least half right. Viruses might hide for a while but they usually gave away their presence at some stage, possibly by deleting or encrypting files, sending a cheeky message or producing a graphic effect that was hard to ignore.

In the later parts of the nineties things started to change. Malware began to commercialise, and it made sense for these malicious programs to be more subtle. Dialers were one of the first such threats. They resided silently on victims' systems and made phone calls to premium numbers.

Once malware started to hide, the game changed. Without appropriate tools even an expert would not know that a system was infected. Even then, sensible behaviour, such as avoiding pirated software, license key generators and pornography websites was sufficient to avoid most problems.

Halfway through the noughties (around 2005-6) a new approach rendered the classic advice of "be careful" fairly useless.

Criminals started compromising legitimate websites, loading malware from otherwise innocent sites onto visitors' computers. In many cases users would have no idea that this was happening. Even a paranoid expert would have a tough time using the internet in a useful way without exposing their computer to such threats.

Rootkits are also now prevalent. It is hard to detect these threats even with specialised software, let alone some sort of tuned-in, Jedi-like human virus-detector sense.

In Wired's article Is Antivirus Software a Waste of Money? a startup CEO called Dan Guido was quoted as saying, "If it weren’t for [compliance] nobody in the security industry would run [anti-virus]."

I contacted Dan to see if he was happy with the angle of the article. He was, by and large, and claimed that,

"The issue with AV is that their virus detection capabilities only become effective after tens of thousands of people have been compromised with the same virus and days or weeks after that virus was first observed."

Having seen how some anti-malware tackles new attacks, sometimes involving zero day exploits, I don't agree with his blanket statement. He went on to make other very general assumptions about how anti-virus software works. One notable point of view was,

"At the time of infection, every major attack group has procedures that allow it to avoid all the known checks that AV runs through."

In other words, criminals check their malicious software before releasing it, checking to see if anti-virus will catch it. This is certainly true.

Underground versions of VirusTotal-style services exist but I find it hard to believe even the most advanced attacker is capable of running a full end-to-end test to ensure success without alerting the anti-virus vendors.

For example, they must either allow or block cloud service queries. Block these queries and the test is not complete. Allow them and information is fed back about the new threat to the vendor.

I polled a few security professionals, in an admittedly unscientific study, and found that they all used anti-virus. No one believes that anti-virus is a panacea. It's just daft to run without it.

Despite this Lance Spitzner sent me a Twitter message, guessing that maybe experts don't use anti-virus "because most security professionals use a Mac :)" Having been to very many security conferences I have to admit that he has a point.

Wednesday, 28 March 2012

The fake anti-virus business: in pictures

Ever wondered what the point of fake utilities like anti-virus was? Or how online crime really works?

Trend Micro has put together a handy illustration that shows how different criminals work together to steal money from victims.

It's worth noting how the different jobs are split, as is the personal risk of those involved. Plenty of individuals are contributing to the process but only a few are exposed to arrest. These will be the carders and the money mules. You can bet they will be the worst paid of the lot. 

Click on the image to see the larger, readable version.


Tuesday, 27 March 2012

Pirate or puppet?

When you use pirated software or services, are you acting freely or are you being used as a pawn in a larger game?

When the now-failed TV business ITV Digital (aka On Digital) went bust, pirates were freely accessing its services using widely-distributed codes. The service failed to make enough money and went under.

The pirates might, in an effort to justify their actions, argue that the services were over-priced. They might claim that information should be free.

They may simply feel that they are going to do what they want and do not care about the consequences.

I have a feeling that any user of 'stolen' services/content would care a great deal if they discovered that they were being manipulated by a large corporation. BBC's Panorama claims to have discovered that this happened in the case of ITV Digital.

The documentary alleges that a News Corporation company called NDS developed a 'hacker' website and encouraged its official owner to distribute set-top access codes for its rival's service.

When ITV Digital implemented counter-measures, the website (www.thoic.com - now closed) was used to distribute information on how to defeat those measures.

If the accusations are correct then those users of the THOIC forums were not only behaving illegally but they were puppets being manipulated by one of the large corporations that they most likely despise.

This same situation could easily apply to some of the media-savvy hacking groups currently making headlines. It is impossible to know who really pulls their strings. It is quite likely that large numbers of members don't even know the answer to that.

The irony is that those who believe they are behaving with more freedom than the rest of us, accessing whatever information and other systems they choose, are not exercising their full right to free choice. They don't have enough information to know whether or not they are working to fulfil someone else's agenda.

They could be unknowing agents of criminals, corporations or even geopolitical adversaries (spies).

It's worth thinking about, before downloading that new, illegal copy of a movie, album or ebook.

[This situation reminds me about a story once told to me by a fairly well-known anti-virus company. It had put a license code for a significant length of time (say nine months or more) on the cover disc of a magazine I once worked for.

Some individuals had leaked this code to an internet forum and the anti-virus vendor had seen a large jump in user numbers. This was in the tens of thousands - I think about 30k. Those who distributed the code obviously felt that they had got one over on "the man".

This attitude became more evident when the company decided to 'leak' more of its codes to the internet on purpose. The forum distributed these semi-legitimate codes for a while before realising that it was being influenced by the company it was trying to rip off. It then removed the codes from its site, unhappy that it was being tricked.

I suppose that the thrill of stealing disappears once you know that the apparent victim is glad that you are a potential customer merely sampling the goods.]

Monday, 26 March 2012

How many dollars is a 'Like' worth?

Criminals are selling Facebook recommendations (by clicking the Like button) for $27 per 1,000 'Like's.

Companies that wish to increase their visibility by promoting their profiles can pay individuals or groups to click the Like button using multiple accounts.

The particularly sinister part to this story is that the criminals don't set up lots of their own accounts. They have found it more efficient to take over victims' accounts and abuse those instead.

In a post on Kaspersky Labs' blog, which actually focusses on a security issue with Google Chrome extensions, Fabio Assolini notes that an extension called Trojan.JS.Agent.bxo is hosted on the official Google Chrome Web Store.

The malicious extension gains control of the victim's Facebook profile. Among other features, including the inevitable ability to spread itself, "the script also has commands to use the profile of the victim to 'Like' some pages."

The reason for this ability is to make money. Fabio includes a screenshot from a website that clearly offers a Likes-for-cash service.

Wednesday, 21 March 2012

Android "most attacked" mobile operating system

Tom's Guide reports that the Android operating system is now under heavy attack in comparison to other mobile platforms.

When the article mentions 'threats' it means individual Trojans in almost all cases. Viruses and worms don't really feature at all in recent years.

"The number of threats directed at Android in 2011 was a sharp increase from only 9 threats in 2010 -- only trumped by the number of threats for Symbian in 2006 (188) and 2005 (125). Since 2004, F-Secure listed a total of 710 security threats for mobile device. 525 of those affect Symbian, 125 Android, 40 PocketPC, 18 J2ME and 2 iOS. The vast majority of all mobile threats were trojans (519 overall, 136 in 2011). Viruses (56 total) have not been seen since 2007 and worms (38 total) appear to have been abandoned as well."

It will be interesting to see if/when the latest Windows mobile operating system appears on the chart.

Basic QR code safety

McAfee has issued some basic security advice regarding QR codes. It's a very short article with a minimal amount of marketing content.

It should no longer be a surprise that QR codes are potentially dangerous. They can be used to offend*, defraud or even compromise the security of your phone, PC or tablet.

I've published a few pieces on QR codes here.

McAfee makes the following sensible points:
  • Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.
  • If you arrive on a website via a QR code, never provide your personal or log in information since it could be a phishing attempt.
  • Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.
  • Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
* Could a QR code offend someone? How about if you encoded a QR code for a shock site and stuck it on a billboard advertising something more attractive? When someone scans it in, they will (or should) be offended pretty fast!
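McAfee's third point, previewing the URL before you visit it, only helps if you know what to look for in the preview. The Python below is an added example, not McAfee's code or anything from this post, of the checks a preview step can apply to the string decoded from a QR code: schemes that make the phone act rather than browse (send a text, dial, install), a username before '@' that disguises the real host, raw IP addresses, punycode or non-ASCII look-alike hosts, and URL shorteners. The payloads in the usage below are constructed, and the shortener list is illustrative rather than complete.

```python
"""Inspect a string decoded from a QR code before acting on it.
Added example; sample payloads are constructed and the shortener list is illustrative."""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Payloads that make the phone *do* something (text, dial, install, join a network) rather than browse.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "intent", "market", "geo", "wifi"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}  # illustrative list


def inspect_qr_payload(payload: str) -> list:
    """Return a list of warnings for a decoded QR payload; empty means nothing obvious was found."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        warnings.append(f"non-web action '{scheme}:' (can text a premium number, dial or install)")
        return warnings
    if scheme not in WEB_SCHEMES:
        warnings.append(f"unexpected scheme '{scheme or '(none)'}'")
        return warnings
    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("plain HTTP, page can be tampered with in transit")
    if parts.username is not None:
        # https://bank.example@evil.example/ shows 'bank.example' first but goes to evil.example
        warnings.append(f"userinfo before '@' disguises the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address rather than a domain name")
    except ValueError:
        pass
    if not host.isascii():
        warnings.append("non-ASCII host, possible homograph of a familiar name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener, real destination hidden")
    return warnings


if __name__ == "__main__":
    # Constructed payloads: one benign, the rest showing each warning.
    for sample in ("https://www.example.com/menu",
                   "sms:+447000000000?body=START",
                   "https://paypal.com@evil.example/login",
                   "https://203.0.113.5/login",
                   "https://xn--pypal-4ve.com/",
                   "https://bit.ly/3abc"):
        print(sample, "->", inspect_qr_payload(sample) or "no obvious problem")
```

A reader app would show these warnings alongside the raw URL; none of them proves a code is malicious, but a payload that trips the action-scheme or userinfo check deserves a second look before you tap through.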

Monday, 14 November 2011

Opening PDF leads to network compromise

This nice demonstration of a penetration test is notable for a few reasons.

  1. The attack all starts with a victim opening a PDF document. The same attack is shown to be possible when viewing a QuickTime video (at the end of the video).
  2. While some passwords are cracked (very fast), access to the Domain Controller is gained by 'passing the hash': authenticating with the stolen NTLM password hash directly. This technique does not require the password to be cracked.
  3. The attack demonstrated uses a print server as an internal launch point, which might surprise some people. In this example a new network is discovered from it.
  4. It uses Metasploit Framework, which is a powerful tool worth getting to grips with if you want to test systems and networks.
  5. It uses a tool called 7Seec to scan for credit card details.


Tuesday, 8 November 2011

Apple unable to vet all apps

[Image: Charlie Miller sends a remote command to vibrate his iPhone]

A researcher has found a security hole that could allow unauthorised access to Apple iPhones.

The embarrassing part of this news, for Apple, is that someone was able to sneak a potentially malicious application through its code auditing process.

iPhone users rely on Apple to check through all third-party programs for security issues. Once Apple has verified that an app is malware-free, and only then, it is allowed into the iPhone App Store.

Charlie Miller, a well-known security researcher, wrote a stock ticker app that contained a nasty surprise. Once installed it was able to download further code. This was software that Apple had not had a chance to check.

In a video demonstration, Miller shows how the Trojan would allow an attacker remote access to an iPhone. He downloads the address book and issues a command to make the unit vibrate from a reverse shell.

Reports suggest that Apple has retaliated by banning Miller from its iOS developer program. Apparently he planned to present his findings, including a live exploitation of a phone, at the SyScan conference in Taiwan.

UPDATE (08/11/2011): SecurityWeek reports that the vulnerability lies in the exception to code signing that iOS grants to Safari's Nitro JavaScript JIT compiler: a flaw allowed an ordinary app to obtain the same writable-and-executable memory, so code downloaded after Apple's review could run unsigned.


Monday, 7 November 2011

Malicious Android app stores

Rogue Android App stores are making Trojan applications available on purpose.

Researchers have known for some time that malicious Android applications are often distributed via online stores other than Google's official Android Market service.

This development is an interesting twist in which the entire alternative store is a scam.

Any benefit of the doubt as to the stores' motives disappears when you realise that the sites are effectively charging money for free applications. The high likelihood that these applications are Trojans themselves increases the threat.

The same programs are likely to be both free of Trojans and free of charge when obtained via the safer Android Market.

The malicious stores charge unwitting users/victims by requiring them to send text messages to premium rate numbers. When they have increased their balance to a certain amount they can download their chosen apps. These in turn may well send unauthorised text messages to premium rate numbers.

Webroot's researchers expose the SMS scam

Friday, 28 October 2011

Online banking security: Good for you or your bank?

When banks implement new online banking security measures they have a problem.

They have to persuade customers that the often inconvenient new ways of accessing their accounts are actually for their own benefit. They do that by claiming that the new ways of doing things make your money safer, which is surely for your own good.

First let's look at chip authentication programmes, one of which is Barclays Bank's PINsentry (from 2007). Another is Nationwide's Card Reader (from 2008).

If you have an account with either of these banks you'll receive a device that looks a little bit like the reader you see in high street retail outlets. You put your card into the slot, type your PIN and the transaction is authenticated.

This makes complete sense when paying for goods in a supermarket because, with the best will in the world, the average till operator is not really qualified to compare your signature on a receipt with the one on the card, as used to happen in the 'old days'.

However, when banking customers have to use these devices to access their online bank account from home, it becomes an inconvenience. Instead of just booting up the laptop, you need to find your card and your reader. If you are travelling then you're probably going to be unable to access your account at all. 

But surely, if these readers make your money safer, they are a good thing? Firstly, your money is safe, in that the bank has to refund you any losses made (as long as you've not been really careless with your banking details).

Secondly, throwing extra levels of technology at the problem does not necessarily make it safer. Let's take the example of a regular traveller. They will have to take their card reader with them if they want to access their accounts online. So what's to stop a mugger grabbing this device, along with the wallet and laptop?

Card readers can even be used by muggers to prove if a victim is lying about their PIN, which is convenient for the bad guy but not so great for the bank's unfortunate customer.

Things get even darker, though, when we look deeper into the security provided by these card readers. There are weaknesses in the protocol that they use. There is a fascinating paper on the subject, "Optimised to Fail: Card Readers for Online Banking", by Saar Drimer, Steven J. Murdoch, and Ross Anderson. It is available from The University of Cambridge's website.

Just to lighten the mood, when Barclays launched PINsentry I was asked to participate in a promotional video. To be clear, I received no payment for this and I even pointed out the problems with using card readers at the time. I can't imagine why they did not include my points in the advert below...




Thursday, 6 October 2011

Web-controlled Android malware

An Android Trojan is controlled remotely via 'command and control' (C&C) websites.

Back in the days before Windows PC threats downloaded commands from websites a friend of mine, Stephen De Vries, predicted that just such a situation would occur.

I think it was only a couple of months later before we started seeing that very behaviour. Many years later it seems that Android malware writers are adopting this effective technique.

Karl Dominguez from Trend Micro has written up an article about an e-book reader that downloads commands and payloads from two hard-coded web servers.

Until recently most of the Android malware we've seen has made us feel like we've been time travelling back to 1999 - Trojans that rely completely on social engineering; dialers; and relatively harmless but annoying jokes.

While it took the bad guys less than ten years to evolve their Windows malware to this point, the Android guys have moved a lot faster. This is most likely because the principles of operation have already been proven to be very successful. And they are probably the same guys...

The next step? Removing the hard-coding. Fast-flux Android botnets, anyone?