Archive for the ‘News’ Category

Last week in Infosec - 2008-10-06

Monday, October 6th, 2008

A snapshot of topics of personal interest that have been talked about in the IT Security realm over the past week.

NOTE: I have changed the name of this weekly post from “this week in infosec” to “last week in infosec” to capture the obscenely obvious.

NOTE 2: Last two weeks have been crushingly busy. Will try to catch up this coming week, but have doubts about my capability :)

Threats/Countermeasures

New core networking vulnerability in TCP on the horizon

Thought things were over when Kaminsky’s bug got fixed? Guess again.

From Rich Mogull’s Securosis blog: Massive TCP Flaw Looming (selected quotes)

Basically, it’s a massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention.

From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection).

Rich points to other material:
Dark Reading Room: New DOS Attack Is a Killer
SearchSecurity: New attacks reveal fundamental problems with TCP

Rich followed up with a post on October 3: Why The TCP Attack Is Likely Bad, But Not That Bad - again, quoting selectively:

Here’s what I think you need to know:

1. It is almost certainly real.
2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
6. This is the kind of thing we should be able to filter, once our defenses are updated.

Countermeasures -
None at the moment - prayer might be a good start. From the SearchSecurity article:

“The best advice I have right now is don’t allow anonymous connections. Make whitelist so only certain IP addresses can come in,” Lee said, acknowledging the impracticality of that for a Web server or mail server or virtually any other TCP-enabled device. “There’s no real workaround right now.”

Verizon - Security FAIL
From BugTraq:
Verizon FIOS (and DSL?) wireless access point insecure default WEP key

By default, the 40-bit WEP key for the wireless router provided by Verizon to FiOS (fiber optic) and possibly DSL customers is set to the last 40 bits of the router’s 48-bit MAC address. This is significant because the router’s MAC address (the MAC address of its WAN-side ethernet port) is easily discoverable using kismet without even needing to know the WEP key.

When I got my FIOS, I was excited to see that they at least had WEP enabled by default.

Because I don’t trust any wireless connection, I didn’t even bother looking too closely at the default WEP key. The built-in firewall is enabled, and it seemed a much better default configuration than I expected.

But using the MAC as the WEP key… Uh… FAIL

Countermeasure - Change your WEP key. Do it… 5 minutes…

Yes, you can crack WEP easily, but why make it obscenely obvious? Changing the default at least makes the attacker work for more than 30 seconds.

Attack Vectors/Trends

Exploiting web trends to serve malware
From ZDNet’s ZeroDay blog post: Cybercriminals syndicating Google Trends keywords to serve malware

In an underground ecosystem that is anything but old fashioned when it comes to abusing legitimate web services, cybercriminals have started exploiting the traffic momentum, and by monitoring the peak traffic for popular search queries using Google’s Trends, are syndicating the keywords in order to acquire the traffic and direct it to malware serving blogs primarily hosted at Windows Live’s Spaces.

One method for distributing malware is getting people to visit your malicious website and then using browser hacks or other tactics to get the user to download and install your app.

This technique seeds the malware pages with currently popular search terms, raising their relevance in search results so that more victims land on them.

Cute.

This week in Infosec - 2008-09-29

Monday, September 29th, 2008

A snapshot of topics of personal interest that have been talked about in the IT Security realm over the past week.

Threats/Countermeasures

Browser Security
While reading about the new attack vector called Clickjacking, I came across a useful article by US-CERT titled Securing Your Web Browser.

The guide covers specifics for both IE and Firefox, and is a must read.

Social Engineering
Get your passwords here, less than $10 USD
Brits Give Up Passwords For a £5 Gift Voucher

Attack Vectors/Trends

Clickjacking
Discovered by Robert Hansen and Jeremiah Grossman.  From: Clickjacking: Researchers raise alert for scary new cross-browser exploit

With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

Seems to rely on DHTML which cannot be disabled in browsers easily.

Workaround - for the trusting types: don’t visit untrusted sites or fill out forms on them - be safe and wait for vendor patches.

Workaround - for the paranoid: use Lynx or Links.

More info from US-Cert: Multiple Web Browsers Affected by Clickjacking

US-CERT is aware of public reports of a new cross-browser exploit technique called “Clickjacking.” According to one of the reports, Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

An additional report suggests that Firefox users consider using the NoScript plug-in as an added preventative measure. Disabling IFRAMEs by default, as outlined in the Securing Your Web Browser document, is reported to protect against the vulnerability.

News and Analysis

Blackberry
India’s government: At last, we’ve cracked Blackberry’s encryption

If this is true, why are we trusting Blackberry devices in the enterprise?

Good: We know they’ve cracked it.
Bad: Brings home the point that government knows everything about us.

Oh, I guess this is good:

“… still unable to crack BlackBerry Enterprise Service’s end-to-end AES or Triple DES, doesn’t really count as cracking Blackberry’s encryption.”

Google Chrome
Still more vulnerabilities coming out about this beta product.

Makes me think about something - one positive about “old” code is that it’s been fully tested - most of the low-hanging fruit should be worked out.

Much of Chrome is established code - but it looks like in the parts Google had to write - lots of issues.

Apple + Security == NULL
Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent applets from accessing file:// URLs, which allows remote attackers to execute arbitrary programs.

National Cyber Security
Estonia posts their national Cyber Security Strategy

I’ll be reading it this week.

I think it’s pretty compelling to have a national strategy guide. I wonder how long the US document would be. I think it would take more than a decade to write, given the myriad of federal agencies that would need to be involved.

Bureaucracy = security fail.

It’s been a busy last week, and this week looks no less busy. I’ve missed out on some of my favorite blogs this past week, but will hopefully catch up if I can!

See you next week

This week in Infosec - 2008-09-15

Monday, September 15th, 2008

A snapshot of what’s been talked about in the IT Security realm over the past week.

Attack Vectors/Trends

This weekend I was listening to an episode of hmm… I think it was SecuraBit.

In any event, they spent some time talking about something I have posted about before: GIFAR.

GIFAR combines a Java JAR applet with a GIF image in a single file.

When I first heard of it, I thought it was a neat vector, but didn’t fully consider the threat until I was listening to the podcast.

How many sites let users upload a profile image? Or how many social networking sites allow people to upload images and make galleries?

So, this bug is back on the radar.

News and Analysis

Microsoft, Apple, and age old bugs

This week @RISK listed a series of Microsoft image processing buffer overflows.

Buffer overflows. Yep, you heard it right.

Microsoft still doesn’t get it. Boundary checking is to a software developer what firewalls are to a network admin.

Shame on you, Microsoft.

The part that really gets my goat on this is that these are being discovered by researchers. Not by Microsoft. You can run automatic code checkers that will tell you that you have assignments with improper bounds checking.

This means that not only have Microsoft’s developers not gotten the clue, but also that Microsoft isn’t even doing the due diligence to do automated validation.

Fail.

Now, to be fair, there are several similar bugs this week in Apple products, including both host OS and iPhone.

But Apple is not enterprise ready, and it should not be used in the enterprise, and if it is, you get what you get.

Microsoft, on the other hand, explicitly bills themselves as the enterprise product. I expect more.

Google Chrome

I wrote a little about Chrome in last week’s This Week in Infosec.

Many more bugs have been discovered.

This is odd coming from Google that traditionally has pretty tight code.

Either they were rushing to market, or hoping that the community would debug for them.

Either way, they lost credibility with me. Yes, it’s still beta software, but some of these bugs are pretty basic stuff, like buffer overflows, which are insanely easy to find in the code.

This week in Infosec - 2008-09-08

Monday, September 8th, 2008

A snapshot of what’s been talked about in the IT Security realm over the past week.

Threats/Countermeasures

Storm Worm
Inevitably, lots of scam hurricane relief sites are popping up :(

Attack Vectors/Trends

Malware

Malware is morphing much faster than any antivirus can keep up, as evidenced by an ISC handler’s diary entry: “Malware Analysis: Tools are only so good”

If you want to be able to sleep at night, don’t rely solely on your AV to keep you safe.

News and Analysis

The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months

I was perusing some of the data put out by the Shadowserver Foundation, which tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled. During the same time period, there isn’t an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so.

Google Chrome
Google released a beta of their new Internet browser, Chrome.

A very good overview of the Google Chrome can be found over at SecuraBit.

Naturally, security folks have already been pounding on the product.

Security thoughts: It’s a beta product, what do you expect? Lots of bugs have been discovered.

Privacy minded folks don’t like the EULA that basically says that Google owns everything you do in the browser. Blog posts, sites visited, anything you do in the browser is Google’s.

Naturally, Google is backing away, and vows to change the EULA.

A smattering of vulnerabilities:

Several exploits for Chrome are showing up in Milw0rm.

See you next week,
Bill

Exploit code released for CitectSCADA ODBC vuln

Monday, September 8th, 2008

On June 11, Core Security Technologies released an advisory for a remotely exploitable CitectSCADA ODBC vulnerability. (US-CERT VU#476345)

Exploit code is now in the wild.

A patch is available upon request from the vendor.

Bill

This week in Infosec - 2008-09-01

Monday, September 1st, 2008

A snapshot of what’s been talked about in the IT Security realm over the past week.

Who’s responsible for Cyber Sec?

Lots of talk lately over who’s responsible for Cyber Security - the government or the private sector.

I suspect that since this is an election year, everyone’s trying to position themselves to be in the best position to get the ear of the next administration.

A smattering of articles

Threats

BGP Vulnerable
Some articles about the BGP hack by Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, who demonstrated their technique at DefCon:

Revealed: The Internet’s Biggest Security Hole

No one seems to be freaking out about this like they were with the DNS vulnerability discovered by Dan Kaminsky, but time will tell.

Perhaps it’s because you need a BGP router :)

Dan actually posted some good details on the actual threat:
The Emergence Of A Theme

Worth a read, start at the section titled: “Kapela and Pilosov’s BGP flaw”

Microsoft ActiveX
I didn’t even bother to read the bulletin on this one, but the vulnerability is another example of why we should focus on attack surface reduction…

Microsoft Windows Media Services “nskey.dll” ActiveX Control Remote Buffer Overflow

The description leads to perhaps the most useful piece of documentation from Microsoft:
How to stop an ActiveX control from running in Internet Explorer

Note: the article fails to mention how to uninstall the controls, which is the safest form of mitigation.

To be fair to Microsoft, there were a few other ActiveX vulnerabilities disclosed this week as well.

See you next week.

Bill

This week in Infosec - 2008-08-25

Monday, August 25th, 2008

A weekly snapshot of what’s been talked about in the IT Security realm over the past week.

Attacks

Adobe Flash ads launching clipboard hijack attack - From the ZDNet Zero Day blog:

Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

We’ve all got Flash. Keep it patched, though I haven’t yet heard if there is a patch available for this attack vector.

Bypassing .NET’s ValidateRequest security feature

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).

This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

We have a lot of .NET here, and my team is studying this paper.

Breaking News
From the Scottish Sunday Herald, “Revealed: 8 million victims in the world’s biggest cyber heist”

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

This raises (again) some important issues for the IT and corporate space. How much data should you keep about your clients, and for how long?

No matter how good your defense-in-depth, someone will get through. What will you allow them to find?

I’ll blog more on this later.

Older News
Students from MIT that were going to do a talk at DefCon were stopped by a court order.

Their research showed how to subvert the Massachusetts Bay Transit Authority payment card system.

As a part of court filings, their full research was included.  Court documents are public domain, so, MBTA essentially released what they were trying to hide.

On the 19th, a judge lifted the restraining order, so the students are free to talk.

Will be interesting to see what happens.

I think this is the second time in the past few months where ‘private’ information was included in court filings and hence into the public domain.

Tools

Grendel-Scan - released at DefCon, this is a sophisticated, automated, Open Source web application penetration testing tool.

It appears to rival commercial tools.

I’ll be playing with this soon, I hope.

Countermeasures

Reduce attack surface!
Why allow access to anything by anyone who doesn’t absolutely need it?

Cyber Warfare
Some discussions resulting from the attacks on Georgian IT infrastructure by Russian hackers during the past few weeks.

Conclusion seems to be: we don’t have a real definition of what cyber war is, so it isn’t really warfare.

In my mind, true cyber warfare is using attacks against IT infrastructure as a force multiplier, or as a means of applying coercive pressure to an enemy of the state.

I do not think that the attackers have to be state sponsored.

Some would debate whether or not a DDOS is an act of warfare. I say it is if it is intended to apply coercive pressure to an enemy of the state.

A DDOS against a critical communications network, or safety critical control system would certainly qualify.  A DDOS against a n00b’s website, perhaps not.

On the Horizon

With elections right around the corner, I’m sure we will see the debate over electronic voting heat up.

Bill

Tracking hackers “in the cloud” - how not to

Sunday, August 24th, 2008

I had a long list of titles for this one…OMG

  • Tax dollar - Fail
  • How to spend a whole lot of money for nothing
  • Movie plot software (in a nod to Schneier’s Movie Plot Threats)

Below are some quotes from the article.  I’ll focus on the simple capability of the system, and will leave to others a discussion of the significant privacy issues involved.

Source: “Dalhousie to help U.S. catch cyber terrorists” - The ChronicleHerald Metro section on August 22…

A major software project is underway by the U.S. Department of Homeland Security to monitor levels of Internet traffic and detect possible security breaches — and Dalhousie University is going to help build it.

“We’re just looking at bytes and addresses.”

Mr. McHugh said the new software will be used by government and businesses to monitor who’s trying to access their computer networks. It will look at the amount of information being sent from network to network and turn that complex raw data into some type of graph or chart.

Analysts will read those charts and look for patterns that can help reveal the work of hackers, spammers and cyber terrorists. Mr. McHugh said shady characters on the web will often contact hundreds of different Internet addresses, trying to look for weaknesses or important places to target. Sometimes they’ll try to contact addresses that aren’t even hooked up to a machine.

“If you try to make contact to a lot of addresses where there are no machines, it indicates you’re probing around the network because you don’t know what’s there,” Mr. McHugh explained Thursday.

The technology could eventually be used to track child pornographers, Mr. McHugh said. From a known child pornography site, the program could follow the trail back to an offender’s computer.

Carrie Gates is a Canadian computer scientist and Dalhousie alumna working at CA Labs in New York. Researchers there and in Halifax work together on the project. She said once the software is complete, it will be released to the public so anyone can use it to monitor their computer networks.

Ok, so let me summarize:

  • The system will be used by: government, companies, and individuals.
  • The system will only look at source, destination, and packet size.
  • The system will only reveal the ISP source.

I have lots of issues with this.

First, if you are a company or individual, then this system is nothing more than a glorified firewall.  It’s not even an IDS, since it does not do anything but reporting.

Install a firewall and Snort, and call it a day.  If you are really interested, look at the logs/alerts once in a while.  This new system is useless for you.

If you are the Government, then you can, if you can get this thing installed in the right place, monitor traffic at a high enough level to determine some anomalous or suspect activity.

But can you tell the source of the attacker?

This leads to my second issue: suppose you can get this device at some sort of critical juncture in the Net, can you really track a hacker?

Let’s consider this for a second.  They may really be on to something.

Oh, wait: TOR, okbye.

Third.  Well, now that I think this device is completely useless, they could tweak it a little and make it useful.

They could put some content filtering on it and use it to kill spam.

But I think there might already be solutions for this, blink, blink.

Ah well, back to the drawing board.

Bill

This week in Infosec - 2008-08-18

Monday, August 18th, 2008

Black Hat/Defcon Coverage

Lots of analysis of the Black Hat presentation by Mark Dowd of IBM’s ISS and Alexander Sotirov of VMWare about circumventing Vista security.

Essentially, they discovered a way to completely subvert most of Vista’s built in low-level security systems.

Let’s hope Microsoft gets it right in their next OS…

Note, there are some people saying it isn’t a big deal. Time will tell.

Here’s the summary from the speakers list of Black Hat USA 2008:

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

More coverage:

Attack Trends

I keep up to date on NIST’s National Vulnerability Database, updates to the milw0rm exploit database, and many others.

Though I don’t read all the alerts in detail (there are usually about 40 per day), I do try to scan enough to get an idea of what’s being disclosed.

The bulk seem to be SQL Injection Vulnerabilities or Cross Site Scripting (XSS).

These attacks can be very potent.

SQL injection can lead to information disclosure, unauthorized data modification, and data loss.

SQL injection attacks run through the browser and web server directly to the database.

XSS involves, generally, inserting script into URLs or user input form fields that, when viewed by others, causes the script to run. The scripts run in the context of the user’s browser security zone, and have access to all cookies and whatnot.

Both types of attacks are difficult to deal with using “security tools.” Most host-based intrusion detection systems (antivirus, anti-spyware, etc.) are useless against them.

In both cases, application modifications need to be made.  Additionally, layer 7 firewalls can be employed to try to prevent these types of attacks.

From a defense-in-depth perspective, both approaches should be employed.

On another front, attacks against social networking sites continue.

As more and more private data gets into these online resources, they become a more attractive target for attackers.

New Attack Vectors

Kris Kaspersky of Kaspersky labs has uncovered flaws in Intel processors that allow remote attackers to execute arbitrary code on any computer that uses the flawed processor.

Man, that’s crazy stuff…

I wrote a blog post about it, “Why agro the OS when you can pwn the hardware?”

Bill

This week in Infosec - 2008-08-10

Sunday, August 10th, 2008

A brief, somewhat-weekly post for non-security people who want to know what’s going on in the security space.

Black Hat / Defcon
Lots of goodness coming out of Las Vegas.

I. Owning the Virtual Infrastructure
Joanna Rutkowska and Rafal Wojtczuk of Invisible Things Labs gave a series of talks about owning virtual infrastructures.

Joanna builds on techniques she used in the Blue Pill Project to install a root kit on a running machine with zero user assistance.  The root kit essentially virtualizes the host OS, sliding the Blue Pill between the hardware and the host OS.  Scary stuff.

Please, for the love of god and all that is holy, don’t assume that since you went virtual, that you were safe.

If you can own the hypervisor, you can own the hardware, and all the virtual machines.

Joanna and Rafal show how to do it.  Though they talk about Xen, assume their research applies to any virtualization platform.

Good stuff.

Posts with more details:
Owning Xen in Vegas!
Our Xen 0wning Trilogy Highlights
Presentations

II. GIFAR
Combining a GIF image and Java JAR applet into a single attack package.

Rich Mogull of Securosis explains best in his blog post, “The Risks of Trusting Content:”

GIFs (and most image file formats) include their header information (the part that helps your system know how to render them) at the beginning of the file, and JARs (java applets, really ZIP files) include their header information at the end. A GIFAR is simultaneously a valid GIF and a valid JAR (albeit with extra bits), meaning that when the file is loaded, it will look like an image (because it is), but as it’s rendered at the end it will run as an applet. Thus you think you’re looking at a pretty picture, since you are, but you’re also running an application.

Note, the application is running in the context of the logged in user, and in the security domain of the website serving the picture.

What happens if one of these is uploaded to your bank’s website?
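As an added example (not from the original post, nor from Rich’s write-up), here is a Python upload check for the two-headers-in-one-file trick described above and in the 2008-09-15 entry: it confirms the GIF signature at the front of the file and then searches the tail for a ZIP end-of-central-directory record, which is how any JAR reader finds the archive regardless of what precedes it. The 1x1 GIF bytes and the archive entry are constructed sample data; the `classify_upload` verdict strings are my own.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"     # ZIP "end of central directory" record signature
EOCD_MIN_LEN = 22            # fixed part of the record, before the optional comment
MAX_ZIP_COMMENT = 0xFFFF     # comment length is a 16-bit field


def looks_like_gif(data: bytes) -> bool:
    """A GIF is identified by its 6-byte signature at offset 0 (header at the FRONT)."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes):
    """Return the offset of a structurally valid EOCD record, or None.

    ZIP/JAR readers locate the archive from the END of the file, so the record may
    legitimately sit after any amount of leading bytes (here: a complete GIF).
    """
    tail_start = max(0, len(data) - (EOCD_MIN_LEN + MAX_ZIP_COMMENT))
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + EOCD_MIN_LEN <= len(data):
            (_disk, _cd_disk, _entries_disk, entries_total,
             cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
            # The record (plus its comment) must end exactly at EOF, and the central
            # directory it points at must lie inside the file before the record.
            if (pos + EOCD_MIN_LEN + comment_len == len(data)
                    and cd_offset + cd_size <= pos
                    and entries_total >= 1):
                return pos
        pos = data.rfind(EOCD_SIG, tail_start, pos)   # keep scanning backwards
    return None


def is_gifar(data: bytes) -> bool:
    """True when the blob is simultaneously a GIF (by header) and a ZIP/JAR (by trailer)."""
    return looks_like_gif(data) and find_zip_eocd(data) is not None


def classify_upload(data: bytes) -> str:
    """Upload-filter verdict for a field that is supposed to accept GIF images only."""
    if not looks_like_gif(data):
        return "reject: not a GIF"
    if find_zip_eocd(data) is not None:
        return "reject: GIF/ZIP polyglot (GIFAR)"
    return "accept: plain GIF"


def zip_entries(data: bytes) -> list:
    """What a JAR/ZIP reader sees in the same bytes (empty list if it is not an archive)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


# Constructed sample: a hand-written 1x1 pixel GIF89a (header, palette, image data, trailer).
PLAIN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                    # 2-colour global palette
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    + b"\x02\x02\x44\x01\x00"                        # LZW min code size, data block, terminator
    + b"\x3b"                                        # GIF trailer
)


def build_zip_payload() -> bytes:
    """Constructed sample archive containing one plain-text entry (not an applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed test entry")
    return buf.getvalue()


# The layout the text describes: GIF bytes first, archive appended after them.
POLYGLOT = PLAIN_GIF + build_zip_payload()

if __name__ == "__main__":
    for name, blob in (("plain gif", PLAIN_GIF), ("polyglot", POLYGLOT)):
        print(name, "->", classify_upload(blob), "| zip reader sees:", zip_entries(blob))
```

Checking the file extension or the leading magic alone (as most upload filters did) accepts the polyglot; the trailer check is what catches it, and re-encoding uploaded images server-side would remove the appended archive entirely.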

No reports of this in the wild, but neat stuff.

I’ll likely have more next week, after I get through all the material coming out of Vegas.

New Tools
Karmetasploit

A combination of two awesome tools, Karma and Metasploit.

Karma is a wireless penetration testing tool, and Metasploit is a penetration testing tool that automates exploit payload delivery.

Together these two tools can do tremendous things.

The basics are, you set up a laptop running Karmetasploit.  Then, let the owning begin.  The box can act like any requested access point, and all traffic will be routed through the laptop…  All your bits are belong to us!

Here’s a quick list of fun things you can do with Karmetasploit from Metasploit creator HD Moore on the Metasploit blog:

  • Capture POP3 and IMAP4 passwords (clear-text and SSL)
  • Accept outbound email sent over SMTP
  • Parse out FTP and HTTP login information
  • Steal cookies from large lists of popular web sites
  • Steal saved form fields from the same web sites
  • Use SMB relay attacks to load the Meterpreter payload
  • Automatically exploit a wide range of browser flaws

That’s it for now.

Bill