Phishing Evolves
Although countries such as the United States have introduced various legislation to ensure the protection of vulnerable personal information such as financial and medical data, breaches and disclosures continue to take place based on poor security design and implementation. The FBI has been involved in investigating claims of a breach to sensitive medical systems after it was discovered that there had been unauthorised access to so-called 'back office systems' in at least one medical practice. The ensuing investigation showed that a breach had occurred where the hacker had come through an existing VPN connection, and then used a hardcoded backdoor to gain access to sensitive information from a web-based application. It was not disclosed how many practices were running that particular software, but it could be assumed that other applications in use by medical practitioners could also have hardcoded backdoors in them.
It was also reported recently that a 20 year old in the United States was arrested and was being charged for creating and operating a botnet, which managed to include systems from a hospital in Seattle, amongst others. What attracted significant attention on the case was that the compromised systems in the hospital were claimed to have resulted in systems in the Intensive Care Unit going offline, doors to the Operating Theatres failing to work, and numerous pagers and other systems failing to operate. Accountability for the breach rests with the perpetrator, but hospital administrators must also take some responsibility for leaving sensitive systems connected to the greater Internet. The ideal practice is to have sensitive systems separated from external networks by 'air gaps', physical separation - which can not be remotely bypassed.
It has been common practice for some time now to warn computer users not to click random links from emails that they haven't been expecting, particularly those from financial institutions. If users need to visit the site to verify that the need is real, then they should manually type in the web address, and confirm that the site appears legitimate, and the correct details are shown when the lock icon is clicked (for sites with SSL support).
This advice to users is now out of date, and could potentially be harmful to victims of the latest family of phishing scams.
In recent reporting from a handful of sources, new phishing attempts have been circulating where following the current best generic advice would not prevent a user from being tricked into supplying their account details. Even most third party protective products and systems would not be able to protect against this new phishing technique.
Not only do some of the new emails contain valid card data, such as the first 4-8 digits of a credit card (easy to obtain from public sources - they are fairly standardised across systems and institutions), but they also provide a realistic-looking URL to click on. Even without redirection trickery, the realistic-URL is a valid site that the phisher has set up to mimic the legitimate institution being targeted. Because of the lax requirements to secure an SSL certificate (allows for https:// traffic), the phisher is able to set up an SSL certificate which passes all known checks for being issued to a legitimate organization. NetCraft have been reporting for some time on the increasing usage of SSL in phishing attacks, and it is considered likely that the attempts at phishing are only going to improve, with fewer spelling and design mistakes, more accurate reproduction of targeted sites, and better targeted mass emailings.
Thus, even if the user carefully validates each step of the process, the phishing attack will still appear as a legitimate approach from a financial institution, and will be more likely to succeed. It is important to remember that SSL only protects the data in transmission between the victim and the phisher, but it can do nothing to protect you from the attacker at the other end of the connection. It does not appear that any company or organisation is offering protection against these better developed attacks. S?nnet Beskerming's Nabu online financial protection tool has always been able to prevent these attacks from being effective against clients of financial institutions that apply the solution.
Microsoft's Black Tuesday Security Patch release for February saw a number of patches released, with a range of criticality. Ranging from Denial of Service through to complete compromise via remote code execution, the several vulnerabilities patched have already had exploit code publicly released for at least two of them. Unfortunately for Windows users, the vulnerabilities being targeted by the exploit code released so far are the more serious ones, which allow for complete compromise of vulnerable systems. It is strongly recommended that all Windows users apply patches MS06-004 through to MS06-010 as soon as possible, to keep their systems safe from the latest exploit code that is circulating.
In other news from the last week, a video surveillance company in the United States has started implanting ID tags into workers who need to access sensitive work areas (in this case, an area which stores data for the Government). The ID tags are small chips encased in glass which are then implanted into the right bicep, and which are read by passing closely to a proximity detector. The idea is to limit access to only those individuals who are implanted with the device, but like many other security measures it has several fatal flaws. The particular technology which has been selected has been publicly compromised already by security researchers, and it has been demonstrated that it is possible to remotely obtain the security codes from the device without the owner's knowledge - allowing later reproduction, and thus security bypass. For the less technical threats, the implant requires any attacker to escalate force in order to gain access to the facility, either by physically extracting the tag, or by kidnapping the worker, which is far more likely to result in violence against the employee.
To round out the week's column, a number of shorter stories and news items that might have otherwise have been missed.
The commercial DVD release of 'Mr. & Mrs. Smith' in at least one country allegedly contains a hidden rootkit as part of its copying protection. When an infected DVD is played in a Windows PC, it installs a hidden software application that is part of the Settec Alpha-DISC copy protection system. While it does not hide itself from the file system, it will hide what processes it is running (so it can not be seen from the Task Manager). Settec are providing an uninstaller application so that affected users can remove the software.
Finnish Information Security company, F-Secure, has announced the discovery of a new proof-of-concept worm for OS X, the second in as many days. The new worm, dubbed OSX/Inqtana.A makes use of a known BlueTooth vulnerability to spread. As a proof of concept, the worm does not actually do anything other than demonstrate an ability to spread, and even that is limited - as it is tied down to a specific library which ties it to a specific BlueTooth address, and is set to self-expire on February 24. It would appear, however, that the vulnerability being used to spread has been patched in earlier Security Patch releases from Apple.
The first proof-of-concept worm for OS X was the OSX/Leap.A worm which appeared on the forums of the popular site, macrumors.com last week. Tantalising readers with hints that the file they were about to download contained sneak preview images of Apple's next Operating System release, 10.5 (dubbed Leopard), the file was a compressed application which masqueraded as a jpg file. When executed, the file would install code into the victim's library which would then be activated whenever an application was launched, preventing infected applications from functioning again, and using the opportunity to spread itself to more victims via the user's iChat buddy list. The worm does not appear to have spread very far, and has only caused very minor damage.
Reporting has surfaced that Apple's OS X Operating System designed for their new x86 line of systems has been cracked to run on non-Apple x86 systems. While hardware support is still limited, a number of key components to the Operating System need to be removed in order to get it running, which makes it debatable as to how much capability the modified Operating System actually retains. The site which originally announced the news was then requested by Apple to remove links to specific tools and descriptions to allow other users to achieve the same result.
Following the release of Apple's Intel-based systems, there has been a rush on from enthusiasts to get alternative Operating Systems to boot on the machines. The current efforts to boot Windows appear to leave the machines unbootable, but it has been announced that Linux is now booting on the new machines. While it does not appear that the system boots to a usable interface, the difficult steps of ensuring that the system initially loads have been completed. More information is expected to be released over coming days to allow a fully functional system, and to allow others to achieve the same result.
The last week has also seen a large number of reported Identity data losses across the United States. Almost 375,000 individuals have had sensitive personal data leaked by accident. 350,000 tobacco farmers had their Social Security Numbers and Tax IDs released by mistake in a Freedom of Information Act release, and more than 25,000 employees, vendors and contractors who have worked for the Blue Cross have had their Social Security Numbers and names exposed after a contractor sent a copy of the records to his home system.
The Australian moguls skier who recently won Australia's first gold medal at the 2006 Torino Winter Olympics is rumoured to have made his Internet millions through spam and spyware. Media reporting suggests that his Internet company is worth millions of dollars, but the only acknowledgment of this claim was a cryptic statement from the skier that "It is complicated... I don't do anything that pops up. I just make software". Comments to multiple security mailing lists suggest that some of the companies linked to him have been responsible for the distribution of spyware. Various Internet forums have also been busy discussing the same reports, with many confident that the money came from the shadier side of online business.
In the ongoing antitrust suit between the EU and Microsoft, the EU has recently raised accusations that Microsoft's effort to release code and documentation to comply with the EU rulings falls short. This means that Microsoft is due to start having daily fines of $2.4 million USD levied against them, after the extension to the time allowed for them to comply with the original ruling passed on Wednesday. Microsoft have accused the EU of contributing to the problems they have encountered in trying to comply with the demands, and have called for an oral hearing in their latest attempt to delay the introduction of fines.
Finally, in a followup to earlier reported news of privacy data on 19,000 Honeywell employees being exposed on a public website, Honeywell have announced that they have identified the individual responsible for the leak and publication of the information. The now ex-employee, from Arizona, has been accused of accessing Honeywell systems and then causing the 'transmission' of the sensitive data.
20 February 2006
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.