Archives for the Month of September 2007 on Distilled Netsec

Toppling the Great Firewall of China

The People's Republic of China has no firewall perched on its routers to enable censors to block Internet sites.

Rather, the authoritarian regime relies on a far more sophisticated censorship system that uses a keyword blacklist and routers that reach deep into Internet traffic to find forbidden words or phrases.

"Conventional wisdom was it's a firewall—all around the border, you'd be blocked. We found that sometimes [it takes a few hops within China to get blocked], up to 13 hops. Some paths weren't filtered at all," Jed Crandall, an assistant professor of computer science at University of New Mexico's School of Engineering, told eWEEK.

In fact, the "Great Firewall of China" that researchers believe is used by the government to block users from accessing what it considers objectionable content is in reality a "panopticon"—a type of prison that relies on prisoners not being able to tell whether or not they're being observed.


Source:
http://www.eweek.com/article2/0,1759,2182514,00.asp

Net gains for tiny Pacific nation

Tokelau may only have 1,500 inhabitants and be a two-day boat trip from its nearest neighbour but selling its .TK domain is reaping benefits.

The Dutch entrepreneur who bought the address now offers a free domain name service in return for targeted ads.

The deal has allowed Tokelau to add 10% to its GDP as well as gain PCs and net access for residents.


Source:
http://news.bbc.co.uk/2/hi/technology/6991719.stm

Chinese web filtering 'erratic'

China's firewall that tries to sanitise web browsing is much more porous than previously thought, says a study.

Carried out by US researchers outside China, it found that the firewall often failed to block what the Chinese government finds objectionable.

The firewall was least effective when lots of Chinese web users were online.

Often, said the study, the idea of the firewall was more effective than the technology at discouraging talk about banned subjects.


Source:
http://news.bbc.co.uk/2/hi/technology/6990842.stm

Hackers update malware tool kit, add first zero-day attack code

A new version of the IcePack hacker exploit tool kit has been released, security researchers warned today, and for the first time it includes attack code designed to exploit an unpatched, or zero-day, Microsoft vulnerability.

Three of IcePack's eight exploit tools are new, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. That's noteworthy in and of itself, Thompson said. "The mix of old and new exploits is to be expected, but three new ones in one update is pretty impressive," he noted.

But the new tool kit also sports a first. "The latest iteration has done something original," said Thompson, pointing to an exploit that attacks a zero-day vulnerability in Microsoft's DirectX software development kit (SDK).

"The closest to a tool-kit zero-day exploit [before] was for the ANI [animated cursor] vulnerability."

He was referring to a Windows bug that surfaced in early April. By the time that Mpack, an IcePack predecessor, added the ANI exploit, however, Microsoft had patched the vulnerability with an emergency out-of-cycle update.


Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035659&source=rss_topic85

Skype Users Slammed by New Virus

According to F-Secure, the new worm targeting Skype users creates several startup keys for itself in the Windows Registry and even modifies the Windows hosts file to block access to antivirus vendor sites. The new Skype worm also terminates processes belonging to antivirus software and copies itself to removable drives so it can replicate.
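The hosts-file trick described above is one of the easier worm behaviours for a defender to check for. The following Python is an added example, not code from the original post or from F-Secure: it parses hosts-file text and reports any entry that overrides an antivirus or update domain, rating mappings to loopback or 0.0.0.0 as the clearest sign of tampering. The vendor watch-list and the sample hosts content are constructed for the demonstration.

```python
"""Hosts-file tampering check, added as an example (not code from the original
post or from F-Secure).  The worm described above rewrites the Windows hosts
file so that antivirus vendor sites resolve to a dead address; this scanner
parses hosts-file text and reports any entry that overrides a watched domain.
The watch-list and the sample hosts content below are constructed."""
import ipaddress

# Constructed watch-list: domains a worm would want to cut off.  A real
# deployment would load its own list (vendor sites, update servers).
WATCHED_DOMAINS = {
    "f-secure.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
}


def _is_blackhole(addr):
    """Loopback or the unspecified address: a vendor domain mapped here is
    being blocked outright rather than redirected."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _on_watchlist(host):
    """True when host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    '#' comments and blank lines are skipped; one line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name, line_no


def find_tampering(text):
    """Return one finding per watched-domain override.  Severity is 'high'
    when the mapping points at loopback/0.0.0.0 and 'medium' for any other
    override, since a vendor's address should never be pinned by hosts."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if _on_watchlist(name):
            findings.append({
                "line": line_no,
                "ip": ip,
                "host": name,
                "severity": "high" if _is_blackhole(ip) else "medium",
            })
    return findings


# Constructed sample: the first three lines are a normal hosts file, the rest
# mimic the tampering described in the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# --- lines below mimic worm tampering ---
127.0.0.1 www.f-secure.com f-secure.com
0.0.0.0   liveupdate.symantec.com
10.0.0.5  intranet.example.local      # legitimate internal pin, not flagged
203.0.113.7 downloads.kaspersky.com   # redirected rather than blocked
"""

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

On a real machine the same function would be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; pairing it with a check of the Run registry keys covers the other persistence point the post mentions.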


Source:
http://www.enterprise-security-today.com/story.xhtml?story_id=55236

Trojans besiege online gamers

Online games have become a major target for fraud in recent years. A study from Kaspersky Labs, published today, dissects the techniques and targets used by hackers to make "easy money" by selling stolen login credentials of users or in-game items on the black market.

The report, Online games and fraud: using games as bait, by Sergey Golovanov, a virus analyst at Kaspersky, outlines the vulnerabilities within online games, the methods used to steal confidential player data, and ways of protecting that data.



According to Golovanov, three main methods are used by cybercrooks to swipe online game passwords: social engineering (phishing or bogus offers of bonus or tips in exchange for registering onto rogue systems), exploiting game server vulnerabilities, and using malicious programs to obtain passwords. The study includes statistics on the volume and provenance of Trojan programs for online games, and figures which show which online games are the most popular targets.


Virus writers at first used classic key loggers to steal passwords for online games, a tactic that can be traced back to 1997. Over time, malware attacks became more sophisticated. The first Trojan specifically designed to target online games, Lmir-a, harvested passwords to "Legend of Mir". This was the forerunner of a generation of Trojans targeting a wide range of online games.


The most recent Trojans typically incorporate a dynamic library written in Delphi. When they detect the launch of an online game, they intercept the password entered via the keyboard, send this data to the malicious user's email address, and then self-delete.


More than 90 per cent of all Trojans targeting online games are written in China, and 90 per cent of the passwords stolen by these malware agents belong to players on South Korean sites.


More than 40 per cent of all Trojans for online games target Lineage 2, with World of Warcraft (20 per cent) the second most popular target. Other online games coveted by hackers include Gamania, Tibia and Legend of Mir. Each accounts for about six per cent of password-stealing Trojans.


According to Golovanov, those making a living from other people's virtual property are "almost immune" from legal sanction. Game developers should work together with antivirus companies in tackling the problem.




Source:
http://www.theregister.co.uk/2007/09/11/online_games_hacking_trends/

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users

A Yahoo-owned advertising network became the unwitting ally of cyber crooks after it spewed millions of Trojan-laced banner ads on MySpace, PhotoBucket and other websites.

The banner ads, which were brokered by Right Media, were served an estimated 12 million times over a three-week period starting in early August, according to ScanSafe, a managed security provider. Earlier this year, Yahoo paid $650m to acquire the 80 percent of the company it didn't already own.



The banners contained a Flash file that silently installed a Trojan back door on unpatched Windows machines that visited the popular web destinations. Using an unpatched version of Internet Explorer while visiting MySpace or PhotoBucket was all that was necessary to become infected. The ads also ran on TheSun.co.uk, Bebo.com and UltimateGuitar.com.


Security Fix reported the story earlier.

How to Get Free Food at a Fast-Food Drive-In

Posted for entertainment only. Please do not do this:

It's easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won't work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay and receive your food. The video demonstrates the attack at a McDonald's in -- I assume -- France.

Wait until there is someone behind you and someone in front of you. Don't order anything at the first window. Tell the clerk that you forgot your money and didn't order anything. Then drive to the second window, and take the food that the person behind you ordered.

It's a clever exploit. Basically, it's a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It's relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system's optimization.

So if not a lot of people do this, the vulnerability will remain open.

Source:
http://www.schneier.com/blog/archives/2007/09/how_to_get_free.html

NIST prepares due diligence standards for cybersecurity

The National Institute of Standards and Technology is taking new steps to help federal agencies develop a more realistic approach to cybersecurity. In collaboration with the Defense Department and the Office of the Director of National Intelligence, NIST will create a common foundation for risk management, officials said.

Ron Ross, senior computer scientist at NIST, said that because agencies cannot avoid risk, officials should approach cybersecurity by weighing the consequences of a data breach on their agency’s mission. NIST is developing a foundation of standards and guidelines to help officials find a balance between protecting information systems and achieving their agencies’ missions.

“You’re not going to have the same answer across the federal government,” Ross said at an industry event sponsored by GTSI last month. “This is all about having to think about the problem.”

For about five years, agencies have been working to comply with the security provisions of the Federal Information Security Management Act.

“FISMA is good legislation, and we’re making outstanding progress in implementing these policies,” Ross said, but now agencies have to rethink how they fulfill those provisions.

“You’ve got to deploy a sufficient set of security controls to protect every mission that the system is supporting,” Ross said. “We’ve never before had a standard of security due diligence that we’ve been able to define and hold agencies to.” Security due diligence must be the foundation for sharing information securely with other agencies, he added.


Source:
http://www.fcw.com/article103704-09-10-07-Print

Shutting Down Botnets

Unless you have been hiding under a rock or on a walkabout in the Australian outback for the past year or so, you have probably seen the terms bot or botnet a number of times. A "bot", sometimes referred to as a "zombie", is a computer that has been infected or compromised with a bot utility. A botnet is the term used to describe the collection of compromised bots that an attacker can assemble and use for malicious means. Some estimates claim that there may be over 100 million compromised computers lying dormant and waiting to be used in an attack of some sort. It was recently estimated that the Storm worm alone has amassed a large enough botnet that the combined computing power can out-compute any supercomputer in existence. Bots are also blamed for a majority of the spam traffic. In a nutshell, bots are one of the larger threats to Internet security right now.

The question is, whose job is it to stop them? Should an ISP, such as Comcast, be responsible for monitoring its network for bot activity and taking action to eradicate the bots, or is its job simply to provide a pipeline? An article in The Register examines this question. Should ISPs be responsible for policing their own networks? If not "responsible", should they at least be willing to engage and take action when an issue is brought to their attention? Or can the ISP claim it just connects point A to point B and wash away any burden for what happens in between?

Source:
http://netsecurity.about.com/b/a/256895.htm

China hosts nearly half of all malware sites

According to a report released Monday by antivirus company Sophos, China--including Hong Kong--hosted 44.8 percent of the world's infected sites in August. The U.S. ranked a distant second, hosting 20.8 percent of sites that contain malicious code.

The number of infected Web pages has also grown. Sophos said it detected an average of 5,000 new infected pages each day in the month of August.

The company warned that simply staying clear of sites hosted in the top three countries of China, the U.S. and Russia is not an effective method of avoiding malware.

"Hackers are hijacking Web sites around the world to make them point to malware on sites based in China, the U.S. and Russia," Carole Theriault, Sophos senior security consultant, said in a statement.

Sophos also warned about a sharp rise in spam pointing people to these infected sites. Malicious senders, in an attempt to bypass attachment virus scanners, are using messages that direct people to Web sites with malicious code. Computers get infected when people click on the links in the e-mail message.

"Most malware writers...are using spam and the Web to infect users," Theriault said. "Criminals are hard at work trying to slip past filters at the corporate gateway."

June saw a spike in spam hosted on Chinese domains, when the figure rose from almost zero to 450 spam domains.

Source:
http://news.com.com/China+hosts+nearly+half+of+all+malware+sites/2100-7349_3-6205896.html?part=rss&tag=6205896&subj=news

Federal Judge Strikes Down National-Security-Letter Provision of Patriot Act

From the article:

The ACLU had challenged the law on behalf of an Internet service provider, complaining that the law allowed the FBI to demand records without the kind of court supervision required for other government searches. Under the law, investigators can issue so-called national security letters to entities like Internet service providers and phone companies and demand customers' phone and Internet records.

In his ruling, Marrero said much more was at stake than questions about the national security letters.

He said Congress, in the original USA Patriot Act and less so in a 2005 revision, had essentially tried to legislate how the judiciary must review challenges to the law. If done to other bills, they ultimately could all "be styled to make the validation of the law foolproof."

Noting that the courthouse where he resides is several blocks from the fallen World Trade Center, the judge said the Constitution was designed so that the dangers of any given moment could never justify discarding fundamental individual liberties.

He said when "the judiciary lowers its guard on the Constitution, it opens the door to far-reaching invasions of liberty."

Regarding the national security letters, he said, Congress crossed its boundaries so dramatically that to let the law stand might turn an innocent legislative step into "the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values."

He said the ruling does not mean the FBI must obtain the approval of a court prior to ordering records be turned over, but rather must justify to a court the need for secrecy if the orders will last longer than a reasonable and brief period of time.


Source:
http://www.schneier.com/blog/archives/2007/09/federal_judge_s.html

Custom-built botnet steals eBay accounts

Online auction site eBay has been targeted by identity thieves, who are wielding a botnet that uses brute force to uncover valid account login info, an Israeli security company said Monday.

The attacks against eBay may have started as long ago as early August, said Ofer Elzam, of Aladdin Knowledge Systems Ltd. Elzam and his researchers have not been successful in notifying eBay of their weekend findings.

According to Elzam, the product manager of Aladdin's eSafe threat protection line, the brute force attacks are launched by a large botnet that the identity thieves have built using a sophisticated, multi-stage campaign that begins with compromised legitimate Web sites.
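A botnet-driven brute force like the one described above spreads the guesses across many source addresses, so a lockout rule that counts failures per IP never fires. The Python below is an added example, not code from the original article or from Aladdin: it reads constructed authentication log lines and, instead of counting per IP, counts how many distinct IPs fail against the same account inside a sliding window. The log format, the field names and the thresholds are assumptions made for the demonstration.

```python
"""Distributed brute-force detection over authentication logs, added as an
example (not code from the original article or from Aladdin).  Per-IP lockout
counters miss a botnet that spends one guess per bot; counting distinct source
IPs per account inside a time window catches it.  The log format and the
sample lines are constructed for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> LOGIN_OK|LOGIN_FAIL user=<u> ip=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": m["event"],
        "user": m["user"],
        "ip": m["ip"],
    }


def per_ip_failures(lines):
    """The classic per-IP view: failures counted per source address."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec and rec["event"] == "LOGIN_FAIL":
            counts[rec["ip"]] += 1
    return dict(counts)


def distributed_bruteforce(lines, window=timedelta(minutes=10), min_ips=5):
    """Per-account view: for every account, the largest number of distinct
    source IPs that failed against it within any window-sized span.  Accounts
    reaching min_ips are returned as {user: distinct_ip_count}."""
    by_user = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["event"] == "LOGIN_FAIL":
            by_user[rec["user"]].append((rec["ts"], rec["ip"]))

    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        best = 0
        # Start a window at each failure and count distinct IPs inside it.
        for i, (start, _) in enumerate(fails):
            ips = {ip for ts, ip in fails[i:] if ts - start <= window}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[user] = best
    return flagged


# Constructed sample log: one account hit once from each of seven addresses
# (the botnet pattern), one user who mistyped twice from a single address.
LOG_LINES = [
    "2007-09-10T10:00:01 LOGIN_FAIL user=alice ip=198.51.100.10",
    "2007-09-10T10:00:09 LOGIN_FAIL user=alice ip=198.51.100.23",
    "2007-09-10T10:00:17 LOGIN_FAIL user=alice ip=203.0.113.5",
    "2007-09-10T10:00:31 LOGIN_FAIL user=bob ip=192.0.2.44",
    "2007-09-10T10:00:40 LOGIN_FAIL user=alice ip=203.0.113.77",
    "2007-09-10T10:00:52 LOGIN_FAIL user=bob ip=192.0.2.44",
    "2007-09-10T10:01:03 LOGIN_OK user=bob ip=192.0.2.44",
    "2007-09-10T10:01:10 LOGIN_FAIL user=alice ip=198.51.100.140",
    "2007-09-10T10:01:25 LOGIN_FAIL user=alice ip=203.0.113.201",
    "2007-09-10T10:02:02 LOGIN_FAIL user=alice ip=198.51.100.77",
    "not a log line at all",
]

if __name__ == "__main__":
    print("busiest single IP:", max(per_ip_failures(LOG_LINES).values()))
    print("accounts under distributed attack:", distributed_bruteforce(LOG_LINES))
```

With these lines no address exceeds two failures, so a per-IP threshold of three never trips, while the per-account view reports seven distinct sources against one account in two minutes. In production the per-account signal is what justifies a step-up (CAPTCHA, temporary account hold, user notification) rather than an IP block.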

"My best estimate is that there are at least 300 compromised sites," said Elzam, who noted that the sites are spread worldwide and in several languages. Two sites are based in Israel, he said, including a price comparison Web site and another operated by one of the country's largest unions. Other sites identified in a search run with information provided by Elzam included scores of real estate Web sites in Florida and Massachusetts, and a Microsoft security message forum in Italian.

Seeding genuine Web sites with malware is nothing new, but the practice has been gathering steam this year. In June, for example, hackers launched a massive bot-building attack from more than 10,000 hijacked Web sites, most of them hosted in Italy.

"These sites are compromised by SQL injection vulnerabilities, and then IFRAME attack code is inserted," said Elzam, describing a common method of hacking legitimate Web sites and infecting their visitors. "The IFRAME code redirects visitors to other sites which host a Trojan," he added. The Trojan hijacks the PC and turns it into a zombie, or bot.
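Injected IFRAME code of the kind Elzam describes is usually made invisible to the site's visitors: a frame a pixel or less in size, or hidden by style, pointing at a host the page does not otherwise use. The Python below is an added example, not code from the original article or from Aladdin: a small scanner a site owner could run over their own pages to spot such frames. The sample page and host names are constructed for the demonstration.

```python
"""Hidden-iframe scanner for a site's own pages, added as an example (not code
from the original article or from Aladdin).  Flags <iframe> tags that are
rendered invisible (zero/one pixel, display:none, visibility:hidden, pushed
off-screen), and records whether they load from a host other than the page's.
The sample HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values such as '0', '1', '1px', '0%'."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _hidden_style(style):
    """True when the inline style hides the element or moves it far off-screen."""
    s = (style or "").lower().replace(" ", "")
    return (
        "display:none" in s
        or "visibility:hidden" in s
        or re.search(r"(left|top):-\d{3,}px", s) is not None
    )


def find_suspicious_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for every iframe that is tiny or
    hidden.  'external source' is recorded as an extra reason; a visible,
    normally sized external frame (a video embed, say) is not reported."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src = same host
        reasons = []
        if host != page_host:
            reasons.append("external source")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero or one pixel size")
        if _hidden_style(attrs.get("style")):
            reasons.append("hidden by style")
        if any(r != "external source" for r in reasons):
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: a legitimate same-host widget, two injected hidden frames,
# and a legitimate visible third-party embed.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://malware.example.net/in.php" width="0" height="0"></iframe>
<iframe src="http://malware.example.net/x.html" style="display: none"></iframe>
<iframe src="http://video.example.org/embed/42" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run against a crawl of a site's own pages, a new hit from a host the site has never referenced is a strong signal that the page has been modified; the fix is still the one the article implies, closing the SQL injection that let the frame in, not just deleting the tag.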