Site Network: Beskerming.com | Skiifwrald.com | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Grab a Coffee and Sit Back

The increased paranoia since the London attacks on July 7 is seeing a number of efforts to implement higher levels of monitoring and privacy data access by various Government agencies. One of the programs being implemented is a graphical overlay of security incidents over satellite imagery. The admission that the information might be up to 50 layers deep could prove more hindrance than benefit in the long run, by contributing to the information overload. Recently, the US TSA (Transportation Security Administration) were caught out overstepping their information collection provisions, and then caught out lying about it. The program in question is the successor to the CAPPS system, now known as Secure Flight. While the first two incidents are not related directly to the London attacks, the increased interest in CCTV proliferation and physical searching of travellers is a more direct response.

A new claim, by the same firm that claimed that $200 billion USD in productivity was lost by websurfing at work, is that free web space services are being used to a greater extent to carry spyware, malware and other inappropriate content. While the news from Websense is being widely reported, it does not come as a surprise to security professionals. Any time that a resource is available for free, people will come along and abuse it. At the same time, others who can not afford their own space will use it to distribute their own valid content. Seasoned Internet users will understand how simple it is to obtain free Internet space without requiring any form of identity validation, and they will understand that it is this capability which attracts the seamier side of the Internet.

This highlights a unique property of URLs. As a namespace, they are also a brand space, which allows site visitors to quickly identify the trustworthiness of a site based on the name in the address bar. Unfortunately, this is also open to exploitation, as seen by URL obfuscation attacks and phishing exploits, which appear in the browser as a legitimate URL, with a lot of gibberish attached to the end, but in reality are actually obscured addresses of other sites.

Arising in a discussion which followed the above news was an anecdote which suggests that the lack of trust with these sort of services nearly brought an individual's undoing. While they were applying for a job, they were contacted by someone claiming to be from the recruitment agency and to expedite their application, they could fill out a set of electronic forms. The forms covered some fairly personal details, and the email address did not match up with the recruiting firm. The end result was that the forms were legitimate, but it is an excellent example of a social engineering attack (i.e a con) which would be more likely to succeed than most.

An early controversy from the current DefCon conference in Las Vegas involves rumoured attempts at censorship by Cisco. The researcher in question has resigned their position with a commercial security research company (ISS), in order to present the information about Cisco router vulnerabilities. The content of his presentation, meant to be included in the conference notes, had been physically ripped out of each copy of the notes, and the suspicion is that Cisco applied pressure to ISS and DefCon to prevent the presentation which would publicly damage them. Cisco and ISS went so far as to file a restraining order against the researcher, and DefCon. DefCon is one of the best known hacker conventions held each year, and public announcement of security vulnerabilities in the forum is guaranteed to attract interest from both sides of the Information Security spectrum.

The researcher in question ignored these actions in order to present on how vulnerable Cisco networking equipment was to compromise. But, in order to do this, he submitted his resignation from ISS in order to present as an independent. The vulnerability used to demonstrate the attack had been patched in April, but it was stressed that the attack would succeed against any memory overflow vulnerabilities.

Because Cisco hardware supports a significant percentage of the Internet's infrastructure, the vulnerabilities disclosed at DefCon could have significant, wide ranging effects. Historical weaknesses have largely been only Denial of Service style attacks. The recently announced vulnerabilities are much more serious, allowing the attacker to run code of their choice on the equipment (essentially a total compromise of the hardware). The difference with attacks targeted at network hardware is that attacks directed at computers allow for control of a computer, but attacks directed at network hardware allow for control of the complete network.

The recommendation for operators of Cisco equipment is to continually ensure that they keep their hardware up to date with the latest patches and updates.

The fallout from the announcement of the vulnerabilities has caused deep division in the security community, lining those who believe in Full Disclosure up against everyone else. The release of the information is a perfect example of information wanting to be free. The attempt to suppress the release only made it more desirable for people to get possession of it. It guaranteed that far more attention will now be directed at Cisco products where, before, the content of the presentation might have been lost in the background noise at DefCon.

According to at least one analyst, the information released at DefCon was the result of information previously published on a Chinese site. The advisory released by Cisco supposedly protects against the actual vulnerability that was being investigated at the time (but does not prevent the theory being described from working against other flaws), and is in relation to the IPv6 implementation on their hardware. If router owners have applied the update from April, they will be protected for this one instance of the flaw. IPv6 is the next generation of Internet addressing, and is designed to provide enough address space for all possible devices that could connect to a network / the Internet. The current Internet addressing model, IPv4, is rapidly running out of space for new devices, and it has resulted in the creation of NAT addressing, which allows one public IP, even though numerous other devices are accessing the network from behind it.

Some people are annoyed that Cisco did not announce the fix, instead they 'streamlined' it with the April update. It looks like the spin being applied by Cisco and ISS PR representatives is contradictory. If the techniques described are not critical, as these companies are trying to elaborate, then why are they entering crisis mode in trying to suppress the availability of the information released? Cisco representatives even posted to security mailing lists telling everybody to ignore the document that most had in their possession, and to forget what they had read. This technique doesn't work, as various companies have found, such as Microsoft losing part of their Windows source code (via a third party breach), Cisco having their IOS source code stolen, Valve having the source code to Half-Life 2 stolen, and many other cases. Paranoid people have already suggested that this flaw has long been used for Intelligence agencies and other bodies to surreptitiously tap into traffic of interest, without alerting network managers that anything is out of place.

Microsoft has released to MSDN members the first beta release of their upcoming Windows release. Originally known as Microsoft Longhorn, the renamed version is Microsoft Vista, and also includes the first beta released of Internet Explorer version 7. For web developers and standards advocates, it appears that the rendering engine for Internet Explorer 7 has not been modified from the previous versions. Enhancements that it introduces include tabbed browsing, and a phishing detector.

The early reviews of the releases do little to instill faith in the upcoming products. It appears that IE 7 maintains most of the flaws that bugged web developers from IE 6, and earlier. The tabbed browsing enhancement brings it into line with most current browsers, but the User Interface modification that allows the tabs has caused some confusion and consternation amongst reviewers. The menus (File, Edit, etc) have been removed from the top of the active window to the line just above the rendered page. This places them below the tabs, and below the address bar. Unfortunately, this gives the impression that the menus are specific to those tabs, when they are application-wide. This is a major problem from a UI perspective, and will only cause confusion from less-experienced users. At least it is only the first beta, so there is some hope that these issues will be resolved prior to the final release.

The phishing filter is also a concern for security minded reviewers. The filter works by reporting the website address being viewed back to Microsoft, which then compares it against a list of known bad sites, before reporting whether it is a phishing site. The downside is that there needs to be a certain number of users who succumb to the phish before the Microsoft solution will be able to identify the site to others. This requires an extra set of connections for each website being visited, slowing down the user experience, and has the ability for Microsoft to identify an IP address and browsing habits even closer than any Internet marketing firm or spyware. The other concern from this is that phishers rarely establish dedicated domains for their efforts, preferring to use hacked sites, compromised cable or business systems, or elements of their bot networks. The blacklist established by Microsoft will have the same potential for abuse which spam blacklists have, and it will be more effective at trapping legitimate sites than phishing sites.

In an effort to slow down the spate of illegal network connections via unsecured wireless hotspots, people are beginning to be charged for accessing them without the express permission of the network owners. While using network bandwidth and resources without permission may be morally reprehensible, and laws exist which dictate penalties for such access, the rapidly changing nature of small scale networks, and laptop Internet connection technology is a threat to these laws. The rapid increase in people connecting to networks, in particular the Internet, who are not particularly Information Technology savvy has created a strange void where a user may be unknowingly connecting to a wireless access point that another person has unknowingly left unsecured.

For people who actively seek out unsecured networks, increasing the size of their receiving antenna helps them to pick up weak signals, such as might arrive in a carpark after being attenuated by the walls of a building, or it allows them to access networks at a range much longer than normal. One of the most common, and cheapest techniques for increasing the size of an antenna is to use a "Pringles" can. The obvious advantages of this approach is that they are commonly available, cheap, and people carrying them do not draw too much attention, at least until now. A representative of the Sacramento Sheriff's Departmen Sacramento Valley Hi-Tech Crimes Task Force stated that "They're[Pringle can antennas] unsophisticated but reliable, and it's illegal to possess them" (later reporting suggests that this is a mis-quote and the officer was not inferring that it was illegal to own or use them, but they should be - by treating them like burgling tools which are illegal to possess). While this statement appears counter-intuitive, it actually relates back to use of the electromagnetic spectrum for transmission of data.

With most wireless Internet access operating on the 2.4 GHz band (the same as your microwave), there are strict rules and compliance required to operate a transmission station. Modification to an approved device will render the device non-approved (as per section 15 of the FCC rules), and it should then cease to be used for transmission purposes. The other aspect is illegal network usage and resource consumption, as covered by a number of anti-hacking and computer misuse laws. However, given that most antenna modifications are homebuilt, another section of the FCC rules (15.23) appears to allow the use of them, provided that basic restrictions are followed.

TippingPoint, a subsidiary of 3Com, has announced that they will be buying vulnerabilities from security researchers, in an effort to stop them from publicly releasing security vulnerabilities which can be turned into active exploits by hackers. Various security lists have debated the ethics and morals behind such an idea, and how it can introduce unwanted liability for the purchasing party. With payment for vulnerabilities, it forces researchers, who want to get paid, to lose their anonymity. Quite a number of independent researchers have had poor working relations with the major software vendors, and are likely to balk at the suggestion that they hand over their hard work for someone else to work with, knowing that the software vendors will know who they are. Because of the perceived bad treatment, quite a number of security researchers have developed a strong desire to be a thorn in the side of some software vendors, either out of spite, or as an attempt to force them to acknowledge their software flaws, and improve upon them. Anecdotal evidence suggests that this is not the first time that 3Com has taken to paying for vulnerability reports. A number of other companies also offer bounties to internal teams for discovering bugs in flagship products.

The oft-repeated reason for implementing a plan like this is that if someone is capable of breaking in to your systems, then you would be better off paying them to keep your systems safe from other hackers (and themselves). The drawback to this approach is that it is essentially a willing form of 'protection money', or legalised extortion, and only lasts until the next hacker with a chip on their shoulder comes along and breaks in. Historically, this was known as 'Danegeld' in the British Isles - the protection money payed to the Vikings to get them to stay away.

The idea of paying researchers for newly discovered vulnerabilities has opened a proverbial can of worms amongst security minded individuals, with a fair mix of individuals arguing vehemently for both sides of the argument - that such actions are, and aren't, ethically and morally permissible.

Some have come out to say that the vast majority of security fixes amount to a single character in a single line of code being changed. They then go on to argue that the delay in creating and distributing these fixes causes problems as ethically bound security researchers run out of patience for an official move from the vendor.

The intentions of the company that is going to pay for the vulnerabilities has been called into question. Their main commercial product is an IPS, an Intrusion Protection System. The company would stand to gain significantly from suppressing announcement of vulnerabilities reported to them. By sharing this privileged information with their customers, protecting them against the exploits for that particular vulnerability, it gains them more value for the longer periods that they can extend the time before public announcement.

Finally, in Russia it appears that some people have finally had it with Spam in their email . The Russian spammer responsible for the most Russian spam, Vardan Kushnir, was found beaten to death in his Moscow apartment at the start of last week. Vardan was responsible for spamming almost every Russian email address with spam for his English learning centres, 'The Centre for American English', 'The New York English Centre', and 'The Centre for Spoken English'. It is estimated that more than 200 million emails were sent out for these centres. A number of observers have opined that it is impossible to annoy so many people and not expect some sort of retribution once you get discovered, even if that retribution was, itself, illegal.

Rumours are surfacing that the spammer's death was the responsibility of the Russian Mafia, and that, due to his profile in the spamming business, he was killed because of some indiscretion. The Russian Mafia appears to be the leading organised crime body which is utilising modern technology as a part of their crime activities. Distributed Denial of Service attacks are threatened against online casinos or other high cashflow online entities, spam is sent for profit, worms and viruses are created and distributed to obtain machines for zombie networks, and to leak personal financial data, phishing takes place to gain access to banking accounts online, and an ability to drain them at will.

1 August 2005

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.