security

Microsoft’s BitLocker could be used for DRM

From Bruce Schneier’s “Microsoft’s BitLocker” (Crypto-Gram Newsletter: 15 May 2006):

BitLocker is not a DRM system. However, it is straightforward to turn it into a DRM system. Simply give programs the ability to require that files be stored only on BitLocker-enabled drives, and then only be transferable to other BitLocker-enabled drives. How easy this would be to implement, and how hard it would be to subvert, depends on the details of the system.

Microsoft’s BitLocker could be used for DRM Read More »

THE answer to “if you’re not doing anything wrong, why resist surveillance?”

From Bruce Schneier’s “The Eternal Value of Privacy” (Wired News: 18 May 2006):

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.

THE answer to “if you’re not doing anything wrong, why resist surveillance?” Read More »

Exploits used for corporate espionage

From Ryan Naraine’s “Microsoft Confirms Excel Zero-Day Attack Under Way” (eWeek: 16 June 2006):

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The company’s warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a “super, super targeted attack” against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

Exploits used for corporate espionage Read More »

Change the AMD K8 CPU without authentication checks

From Bruce Schneier’s Crypto-Gram Newsletter (15 August 2004):

Here’s an interesting hardware security vulnerability. Turns out that it’s possible to update the AMD K8 processor (Athlon64 or Opteron) microcode. And, get this, there’s no authentication check. So it’s possible that an attacker who has access to a machine can backdoor the CPU.

[See http://www.realworldtech.com/forums/index.cfm?action=detail&id=35446&threadid=35446&roomid=11]

Change the AMD K8 CPU without authentication checks Read More »

Quick ‘n dirty explanation of onion routing

From Ann Harrison’s Onion Routing Averts Prying Eyes (Wired News: 5 August 2004):

Computer programmers are modifying a communications system, originally developed by the U.S. Naval Research Lab, to help Internet users surf the Web anonymously and shield their online activities from corporate or government eyes.

The system is based on a concept called onion routing. It works like this: Messages, or packets of information, are sent through a distributed network of randomly selected servers, or nodes, each of which knows only its predecessor and successor. Messages flowing through this network are unwrapped by a symmetric encryption key at each server that peels off one layer and reveals instructions for the next downstream node. …

The Navy is financing the development of a second-generation onion-routing system called Tor, which addresses many of the flaws in the original design and makes it easier to use. The Tor client behaves like a SOCKS proxy (a common protocol for developing secure communication services), allowing applications like Mozilla, SSH and FTP clients to talk directly to Tor and route data streams through a network of onion routers, without long delays.

Quick ‘n dirty explanation of onion routing Read More »

AT&T’s security tv station

From Stephen Lawson & Robert McMillan’s AT&T plans CNN-syle security channel (InfoWorld: 23 June 2005):

Security experts at AT&T are about to take a page from CNN’s playbook. Within the next year they will begin delivering a video streaming service that will carry Internet security news 24 hours a day, seven days a week, according to the executive in charge of AT&T Labs.

The service, which currently goes by the code name Internet Security News Network, (ISN) is under development at AT&T Labs, but it will be offered as an additional service to the company’s customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T’s Global Networking Technology Services and AT&T Labs

ISN will look very much like Time Warner’s Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. “It’s like CNN,” he said. “When a new attack is spotted, we’ll be able to offer constant updates, monitoring, and advice.”

AT&T’s security tv station Read More »

DIY worm kits

From Jose Nazario’s Anatomy of a worm (Computerworld: 15 September 2004):

Now imagine a world where worm attacks frequently occur because hackers and rogue developers have access to “worm kits” or development tools that provide the basic building blocks for rapid worm development.

Historically, worms were basic clones of one another that didn’t change after their original development. Simple mechanisms were used to propagate them, such as mass-mailing worms using a single subject line.

Today’s worms are more sophisticated. They have the ability to mutate after development based on knowledge of how to thwart new security processes. For instance, an early worm, Code Red, attacked only Internet Information Server servers. The Nimda worm, which came later, expanded to include at least three additional attack methodologies: mail-based attacks, file-sharing-based attacks, and attacks against the Internet Explorer Web browser.

The potential for this worm-a-day nightmare comes from several factors: the dozens of vulnerabilities that are ready to be exploited, the availability of worm source code, recycled exploits and the ease of editing existing worms.

DIY worm kits Read More »

Search for Microsoft Money data files on P2P networks

From Greg Brooks’s more on DIY phishing kits hit the Net (Interesting People: 21 August 2004):

Turn on Kazaa or your p2p app of choice and search for .mny files — the data stores for Microsoft Money.

Most of these files won’t be password protected — just download, open and you’ve got a trove of personal financial data to work with. Stumble across a protected file? There are inexpensive utilities for recovering the password.

Search for Microsoft Money data files on P2P networks Read More »

Remote fingerprinting of devices connected to the Net

Anonymous Internet access is now a thing of the past. A doctoral student at the University of California has conclusively fingerprinted computer hardware remotely, allowing it to be tracked wherever it is on the Internet.

In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno said: “There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting … without the fingerprinted device’s known cooperation.”

The potential applications for Kohno’s technique are impressive. For example, “tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces.” …

Another application for Kohno’s technique is to “obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device.”

The technique works by “exploiting small, microscopic deviations in device hardware: clock skews.” In practice, Kohno’s paper says, his techniques “exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device’s clock skew and thereby fingerprint a physical device.”

Kohno goes on to say: ” Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall.”

And the paper stresses that “For all our methods, we stress that the fingerprinter does not require any modification to or cooperation from the fingerprintee.” Kohno and his team tested their techniques on many operating systems, including Windows XP and 2000, Mac OS X Panther, Red Hat and Debian Linux, FreeBSD, OpenBSD and even Windows for Pocket PCs 2002.

Remote fingerprinting of devices connected to the Net Read More »

A profile of phishers & their jobs

From Lee Gomes’s Phisher Tales: How Webs of Scammers Pull Off Internet Fraud (The Wall Street Journal: 20 June 2005):

The typical phisher, he discovered, isn’t a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag.

If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.

Phishers with different skills will trade with each other in IRC chat rooms, says Mr. Abad. Some might have access to computers around the world that have been hijacked, and can thus be used in connection with a phishing attack. Others might design realistic “scam pages,” which are the actual emails that phishers send. …

But even if a phisher has a “full,” the real work has yet to begin. The goal of most phishers is to use the information they glean to withdraw money from your bank account. Western Union is one way. Another is making a fake ATM card using a blank credit card and a special magnetic stripe reader/writer, which is easy to purchase online.

A phisher, though, may not have the wherewithal to do either of those. He might, for instance, be stuck in a small town where the Internet is his only connection to the outside world. In that case, he’ll go into an IRC chat room and look for a “casher,” someone who can do the dirty work of actually walking up to an ATM. Cashers, says Mr. Abad, usually take a cut of the proceeds and then wire the rest back to the phisher.

Certain chat rooms are thus full of cashers looking for work. “I cash out,” advertised “CCPower” last week on an IRC channel that had 80 other people logged onto it. “Msg me for deal. 65% your share.”

The average nonphisher might wonder what would prevent a casher from simply taking the money and running. It turns out, says Mr. Abad, that phishers have a reputation-monitoring system much like eBay’s. If you rip someone off, your rating goes down. Not only that, phishers post nasty notices about you on IRC. “Sox and Bagzy are rippers,” warned a message posted last week.

Phishers, not surprisingly, are savvy about their targets. For instance, it wasn’t just a coincidence that Washington Mutual was a phisher favorite. Mr. Abad says it was widely known in the phishing underground that a flaw in the communications between the bank’s ATM machines and its mainframe computers made it especially easy to manufacture fake Washington Mutual ATM cards. The bank fixed the problem a few months ago, Mr. Abad says, and the incidence of Washington Mutual-related phishing quickly plummeted. …

Mr. Abad himself is just 23 years old, but he has spent much of the past 10 years hanging out in IRC chat rooms, encountering all manner of hackers and other colorful characters. One thing that’s different about phishers, he says, is how little they like to gab.

“Real hackers will engage in conversation,” he says. “With phishers, it’s a job.”

A profile of phishers & their jobs Read More »

Spammers causing problems to DNS

From Dennis Fisher’s Spammers’ New Tactic Upends DNS (eWeek: 10 January 2005):

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

“Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that,” said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. “I’ve seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it’s becoming very common to see a large spam load cripple the DNS infrastructure.”

Spammers causing problems to DNS Read More »

Do it yourself phishing kits

From John Leyden’s DIY phishing kits hit the Net (The Register: 19 August 2004):

Do-it-yourself phishing kits are being made available for download free of charge from the Internet, according to anti-virus firm Sophos.

Anyone surfing the Web can now get their hands on these kits, launch their own phishing attack and potentially defraud computer users of the contents of their bank accounts. These DIY kits contain all the graphics, web code and text required to construct bogus websites designed to have the same look-and-feel as legitimate ecommerce sites. They also come with spamming software.

Do it yourself phishing kits Read More »

Al Qaeda hijacks web server to distribute video

From Matt Tanase’s Don’t let this happen to you:

Smaller companies often assume they have nothing of interest to hackers. Often times that is the case, but they are still after resources, as in this case. Unfortunately, the hackers in this case are tied to Al Qaeda. They placed the recent hostage video on a California companies server. Imagine all of the lovely publicity this brought in.

From New24’s US firm spread hostage video (17 June 2004):

Video images of a US engineer taken hostage in Saudi Arabia, possibly by the al-Qaeda network, could have been put on the internet via a US firm based in California, Der Spiegel magazine reported on Thursday.

The video was released on Tuesday and shows relatively high-quality film of hostage Paul Johnson, who kidnappers from a group called “al-Qaeda in the Arabian Peninsula” have threatened to kill by Friday.

The origin of the video was traced to Silicon Valley Land Surveying Incorporated, a California land surveying and mapping company, said Spiegel online, the internet service for the respected German weekly.

The magazine said that according to its research the move was the first time al-Qaeda had “hijacked” a website to broadcast its propaganda.

Al Qaeda hijacks web server to distribute video Read More »

Providing an opening for criminals without realizing it

From Bush, Kerry cross paths in Iowa (BBC News: 4 August 2004):

US President George W Bush and his Democratic rival John Kerry have spent the day hunting votes within blocks of each other in the state of Iowa.

Mr Bush met supporters at a rally in the town of Davenport, while Mr Kerry held an economic roundtable discussion with business leaders nearby. …

Political pundits were not the only ones taking advantage of the day’s events.

Three local banks were robbed as the campaigns hit Davenport.

The first robbery occurred just as Mr Bush stepped off his plane, local police say.

The second and third robberies – at different banks – took place while the two candidates were addressing their respective Iowa crowds.

Providing an opening for criminals without realizing it Read More »

Friendster doesn’t get security

From Annalee Newitz’s Cracking the Code to Romance (Wired: June 2004):

Moore’s buddy Matt Chisholm chimes in to tell me about a similar hack, a JavaScript app he wrote with Moore that works on Friendster. It mines for information about anyone who looks at his profile and clicks through to his Web site. “I get their user ID, email address, age, plus their full name. Neither their full name nor their email is ever supposed to be revealed,” he says.

Notified of the security holes Moore and Chisholm exploit, Friendster rep Lisa Kopp insists, “We have a policy that we are not being hacked.”

Friendster doesn’t get security Read More »

Offshoring danger: identity theft

From Indian call centre ‘fraud’ probe (BBC News: 23 June 2005):

Police are investigating reports that the bank account details of 1,000 UK customers, held by Indian call centres, were sold to an undercover reporter.

The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each. …

The Sun alleged the computer expert told the reporter he could sell up to 200,000 account details, obtained from fraudulent call centre workers, each month.

Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.

Offshoring danger: identity theft Read More »

Evil twin hot spots

From Dan Ilett’s Evil twin could pose Wi-Fi threat (CNET News.com: 21 January 2005):

Researchers at Cranfield University are warning that “evil twin” hot spots, networks set up by hackers to resemble legitimate Wi-Fi hot spots, present the latest security threat to Web users.

Attackers interfere with a connection to the legitimate network by sending a stronger signal from a base station close to the wireless client, turning the fake access point into a so-called evil twin.

Evil twin hot spots Read More »

Most PCs are rife with malware, & owners don’t know it

From Robert Lemos’s Plague carriers: Most users unaware of PC infections (CNET News.com: 25 October 2004):

A study of home PCs released Monday found that about 80 percent had been infected with spyware almost entirely unbeknownst to their users.

The study, funded by America Online and the National Cyber Security Alliance, found home users mostly unprotected from online threats and largely ignorant of the dangers. AOL and the NCSA sent technicians to 329 homes to inspect computers. …

Nearly three in five users do not know the difference between a firewall and antivirus software. Desktop firewall software regulates which applications on a PC can communicate across the network, while antivirus software detects malicious code that attempts to run on a computer, typically by pattern matching. Two-thirds of users don’t have a firewall installed on their computer, and while 85 percent of PC owners had installed antivirus software, two-thirds of them had not updated the software in the last week. The study found one in five users had an active virus on their machines.

Most PCs are rife with malware, & owners don’t know it Read More »

Identity theft method: file false unemployment claims

From Michael Alter’s States fiddle while defrauders steal (CNET News.com: 21 June 2005):

More than 9 million American consumers fall victim to identity theft each year. But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims.

It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve made a quick $1.04 million. It’s tough to make crime pay much better than that.

The victims in this crime–the state work force agencies that tirelessly oversee our unemployment insurance programs and the U.S. Department of Labor–are reluctant to discuss this topic for obvious reasons. …

The slow response of state and federal agencies is quickly threatening the integrity of the unemployment insurance system. It turns out that crime is a very efficient market and word spreads quickly. Got a stolen Social Security number? You can more easily turn it into money by defrauding the government than by defrauding the credit card companies.

The net result of this fraud is that unemployment taxes are going up, and that makes it that much harder for small businesses and big businesses to do business. Even more, higher payroll taxes slow down economic growth because they make it more expensive to hire new employees.

Identity theft method: file false unemployment claims Read More »