Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.

Bluetooth Insecurity and Apple - Intel Rumours

The Bluetooth protocol may not be as secure as once thought. In a paper due to be released in the next few days, a number of cryptographic researchers claim to have discovered a method which allows them to hijack the communications between two Bluetooth-enabled devices (such as a Bluetooth headset and phone, or a Bluetooth keyboard and base) even when the security features are enabled. Previous attacks against the secured Bluetooth mode required interception of the first data packet exchanged between the devices, whereas the new attack can be carried out at any time.

There is some conjecture as to the mechanism which allows this attack to take place, given that the research hasn't been fully published. What appears to be the mechanism is that an attacker introduces a third device to the network, which pretends to be one of the original devices. This additional device then sends out a command stating that it has lost the link key, which is required to interpret the information flowing between the paired devices. This should force a re-pairing of the Bluetooth devices to establish a working communications link again, using a PIN to generate a new link key. At this stage, a user may be prompted to re-enter their PIN to re-establish the link.

This is the point where the attack can be defeated.

By refusing to re-enter the PIN, the user ensures that the third device cannot crack the connection. Unfortunately, this results in a loss of secure mode Bluetooth usage, essentially handing the attacker success through denial of service. The PIN crack process can take as little as 0.06 seconds for a 4-digit PIN, so the recommendation is to use longer PINs, which will take longer to crack but will also eventually be defeated. The actual key size is 16 bytes, which need not be limited to alphanumeric characters, providing a means to extend the time required to crack the key. What can be done to mitigate this attack is to use all 16 bytes of the available key code, force the devices to notify the user of the need to re-pair, and allow the use of non-alphanumeric characters in the PIN (where the devices support it).
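To show why the article's recommendation (longer PINs, all 16 bytes, non-alphanumeric characters) matters, the following added example scales the article's figure of 0.06 seconds for a 4-digit PIN to other PIN policies. It is not code from the article or the researchers, and it assumes, as a simplifying assumption rather than a measurement, that brute-force time grows linearly with the size of the PIN space; the alphabet names are our own labels.

```python
"""Key-space and brute-force-time estimates for Bluetooth pairing PINs.

Added example, not from the original article. It scales the article's
0.06 s for a 4-digit PIN to other PIN policies under the assumption that
cracking time is proportional to the size of the PIN space.
"""
import math

# Baseline quoted in the article: a 4-digit numeric PIN falls in 0.06 s.
BASELINE_PIN_LENGTH = 4
BASELINE_ALPHABET = 10
BASELINE_SECONDS = 0.06

# Alphabet sizes a device might allow. The names are ours, not Bluetooth
# terminology; "binary" means any byte value, i.e. the full 16-byte key space.
ALPHABETS = {
    "digits": 10,
    "alphanumeric": 62,
    "printable": 95,
    "binary": 256,
}


def keyspace(length, alphabet_size):
    """Number of distinct PINs of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random PIN, in bits."""
    return length * math.log2(alphabet_size)


def estimated_crack_seconds(length, alphabet_size):
    """Scale the article's baseline linearly with key-space size (assumption)."""
    base = keyspace(BASELINE_PIN_LENGTH, BASELINE_ALPHABET)
    return BASELINE_SECONDS * keyspace(length, alphabet_size) / base


def human_duration(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def policy_report(lengths=(4, 8, 16)):
    """Return (length, alphabet, bits, estimated time) for each policy."""
    rows = []
    for length in lengths:
        for name, size in ALPHABETS.items():
            rows.append((length, name, entropy_bits(length, size),
                         human_duration(estimated_crack_seconds(length, size))))
    return rows


if __name__ == "__main__":
    for length, name, bits, duration in policy_report():
        print(f"{length:2d} chars, {name:<12} {bits:6.1f} bits  ~{duration}")
```

The 4-digit row reproduces the article's 0.06 seconds; the 16-byte binary row (128 bits) is what the recommendation to use the full key code buys, and the intermediate rows show that simply lengthening a numeric PIN adds only about 3.3 bits per digit.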

In a move which would satisfy conspiracy theorists everywhere, along with Wintel diehards who refuse to purchase an Apple product, C|Net published an article late on Friday, US Pacific Time, claiming that Apple will be ditching IBM as their chip supplier in favour of Intel. Rumours over the last few months have hinted at secret negotiations between Apple and Intel, but the wider consensus is that a move from IBM to Intel would be a death knell for Apple. The C|Net report hints at Steve Jobs unveiling this information at the upcoming WorldWide Developers' Conference (WWDC), being held in San Francisco over the next week. The C|Net article appears to rely on a single, unnamed source, and is the only original reporting of this topic available; reports from other agencies are derived from it.

Initial analysis suggests that it is an inaccurate report, and may be used for some nefarious purpose, such as artificially depressing Apple's stock price (AAPL) prior to, and just after, Steve Jobs' Keynote address at the WWDC (10 am US Pacific Time, Monday). The timing of the article seems especially suspect, being positioned after the close of business for the continental United States and at the longest possible distance from the WWDC Keynote without leaving other reporting agencies scope to investigate. Having said that, it is quite likely that Apple will be using Intel chipsets as part of their solutions, but not as the primary CPU. Intel develop more than the x86 line of CPUs, and in all likelihood it is one of these other products that Apple may use in their systems. For example, some of the Airport range of base stations from Apple use AMD chipsets, and it is rumoured that some of the XServe line have Intel chips inside (but not as the CPU). It is also possible that Apple will licence Intel to produce PPC chips, given the difficulties in supply from IBM. IBM, Intel and Apple refused to comment to C|Net, which could indicate the regard in which they hold the rumour (or it could just be a tacit admission of the veracity of the information). Technology forums and Apple rumour sites lit up following the news, and the speculation is likely to continue through to the end of the Keynote address.

Historically, the WWDC Keynote has been used to introduce new, ground-breaking products, such as the G5 line of CPUs based on the PPC 970 chip line from IBM, which is in turn based on their POWER technology. Other rumours suggest that the big announcement will be dual-core PPC 970 chips from IBM to power the professional line of Apple products (i.e. models with the prefix 'Power': PowerBook, Power Macintosh).

In a strange occurrence last week, the New York Stock Exchange closed four minutes early on the first of June. Traders were recalled to the trading floor long after the technical close time of the exchange, possibly to complete the remaining four minutes of trading, while the source of the early close was being sought. According to a Reuters report, the disruption was caused by an error message which flooded the primary and backup systems with millions of copies of itself, overloading the systems and causing a localised denial of service. For a system which had been touted as extremely reliable and tolerant of multiple points of failure, failure due to an uncontrolled error message is almost ironic. The exchange opened at the normal time the next morning, but the loss of trading time could carry significant financial cost, not only for the exchange but also for the trading firms, as many orders timed for the close of business would not have been filled.

Interestingly enough, a Tom Clancy novel explored the possible outcomes from a disruption to the electronic systems that controlled major stock exchanges (it was a cornerstone of the plot in "Debt of Honour"), although the outcomes from this disruption have been nothing like what was described in the novel.

Although reported more than a week ago, the news that the latest version of the Netscape Internet browser (Version 8) broke Microsoft Internet Explorer support for various XML products has led some posters in various Internet forums to opine that it is only fair turnabout for Microsoft, given their history of intentionally disabling previous versions of the Netscape browser. Other anticompetitive practices of Microsoft have been under scrutiny recently in the European Union, where issues were raised with respect to the Media Player integration, and how Real and other media format providers were not afforded the same access for inclusion with the default Windows installation. Microsoft were given time to comply with the ruling to provide a reduced media edition of Windows (the default Windows installation minus Windows Media Player and some other components), along with some other requirements, and were threatened with fines if they did not comply. Microsoft has made legal attempts to obtain an extension or to overturn the ruling, and a decision regarding the imposition of fines should be due soon.

Sticking with Microsoft news, the final mainstream update for Windows 2000 will be released shortly (security fixes will continue until 2010). One of the significant applications that will not be upgraded is Internet Explorer: the current version (IE 6) will remain the final supported version for Windows 2000, with the forthcoming IE 7 not being made available for it. This means that customers who remain with Windows 2000 will not get the additional benefits of the newer version of Internet Explorer, such as tabbed browsing. To gain this and other functionality, customers will need to use a third party browser such as Opera or Firefox. Windows 2000 was never released to the consumer market, despite many users believing it to be the best Operating System ever released by Microsoft, so the cessation of support should not affect too many home users.

One of the important considerations that comes from not supporting IE 7 is that web application developers may need to ensure their software remains backwards compatible with IE 6. While IE 6 is a relatively new application, its standards support is lacking in several key areas, such as CSS 2 and 3 compliance. While all software gets EOL'ed at some stage, some of the more cynical observers are declaring that Windows 2000 is being EOL'ed now because it is a threat to the uptake of the future Windows Longhorn release, as, in their opinion, Windows 2003 and Windows XP are not up to the quality of Windows 2000 as server Operating Systems.

Data loss from major banks continues, with Investment Bank UBS recently announcing that they have lost one of the hard disks from their Tokyo office. The disk went missing while upgrades were being made in Hong Kong and Tokyo. Although it was marked for destruction, the loss of the disk has caused some consternation. The carrier that held the disk has been located, but not the disk itself. It is not known what the disk held; it is feared that it may contain trading histories for corporate clients of UBS.

Though not a story from the past week, the patent system in the United States has been under fire from technical researchers and companies for allowing predatory patents which are obvious and not unique to be granted, not that it stops them from applying for patents themselves. With the Free Trade Agreement with Australia, the Australian patent system is expected to be brought more into line with the US model. The EU is currently debating whether to allow software / business process patents in their patent system, and the impending defeat of the EU constitution may delay any uptake.

One of the key issues revolves around the concept of a software or business process patent. Technically, these patents are for ideas, not devices, which many argue is contradictory to the actual definition of a patent. Software patents are even more under fire, with patents being granted for 'inventions' that have obvious prior art, or for concepts so technically simple that they are considered obvious to anyone skilled in the art. Either of these two tests should prevent a patent from being granted according to the definition of a patent, but many patents are still being issued regardless.

Although many large corporates, such as Microsoft and IBM, are patenting everything they can, industry leaders have gone on record stating how the current Intellectual Property situation actually stifles innovation, and is forming a barrier to entry for smaller companies and independent researchers.

Smaller companies with genuine breakthroughs are being crushed by major companies who can drain them legally, or merely steal the implementation / ideas and claim that they had developed the ideas independently (Microsoft has a terrible track record for this). A case is currently developing where the CSIRO has sought royalties for a networking technology implementation, and is being fought by major global technology companies such as IBM, Microsoft, Dell, and Apple, who are seeking to break the patent issued to the CSIRO. The technology in question is a component of the 802.11a and 802.11g implementations. 802.11 is more commonly known as wifi, or wireless network connection, such as Apple's Airport implementation. The hypocritical aspect of the situation is that these companies, and others, seek to enforce their own patent collections, suing those who unknowingly breach them, but band together to try and crush one that they have been breaching.

At a recent security conference held by AusCERT on the Gold Coast, the founder of Kaspersky Labs, Eugene Kaspersky, spoke of the changing trends in virus and worm writing and propagation. The trend that he described was that virus and other malware authors are moving towards creating, managing and selling botnets. This viewpoint echoes others in the security community, including Mikko Hyppönen from F-Secure, a Finnish-based security company. Once a computer is compromised by malware, be it a virus, worm or trojan, it is possible that the computer is able to respond to external commands from the person(s) responsible for the malware propagation. If this happens, the system is regarded as a bot or a zombie, where the computer responds to commands and performs actions at the discretion of someone other than a local user. Co-ordination of multiple computers under one controller forms a botnet. A common botnet may range from 5,000 to 10,000 unique compromised systems, and they are commonly used to further infect other systems, or as spam delivering networks.

The difficulty for companies trying to fight this trend is that the software used to compromise the systems may only be used on a one-off basis, and the 5,000 to 10,000 compromised systems may show no discernible slowdown or damage noticeable to the local users. With such a small rate of infection across the millions of computer systems connected to the Internet worldwide, the infections can get lost in the background noise, which is one of the aims: to keep them out of sight of the companies fighting them.

To counter this issue, anti-virus and anti-spyware companies utilise a range of passive and active searching measures to try and catch as many infection vectors as possible. Microsoft has recently joined in this approach, looking to discover exploits in their systems that may be circulating on the Internet.
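The article notes that the compromised systems hide in background noise, but a botnet still has one thing in common across all its members: they report to the same controller, usually on a schedule. The following added example (not code from the article or any of the companies named) shows one network-side check a defender can run over connection logs to surface that pattern: it flags internal hosts whose connections to an external address occur at nearly constant intervals, then groups those hosts by destination. The log lines, addresses, thresholds and the names `parse_log`, `is_periodic` and `find_controllers` are all constructed for this example.

```python
"""Beacon detection over constructed connection logs.

Added example, not part of the original article. It surfaces the
"low and slow" pattern the article describes: many distinct internal
hosts contacting one external host on a regular schedule.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: "epoch_seconds src_ip dst_ip". Hosts
# 10.0.0.11-13 check in with 198.51.100.7 roughly every 300 s, while
# 10.0.0.20 is an ordinary user visiting assorted hosts at irregular times.
SAMPLE_LOG = """\
1000 10.0.0.11 198.51.100.7
1002 10.0.0.12 198.51.100.7
1010 10.0.0.20 203.0.113.5
1050 10.0.0.13 198.51.100.7
1300 10.0.0.11 198.51.100.7
1301 10.0.0.12 198.51.100.7
1350 10.0.0.13 198.51.100.7
1400 10.0.0.20 203.0.113.9
1470 10.0.0.20 203.0.113.5
1601 10.0.0.11 198.51.100.7
1603 10.0.0.12 198.51.100.7
1651 10.0.0.13 198.51.100.7
1900 10.0.0.11 198.51.100.7
1901 10.0.0.12 198.51.100.7
1950 10.0.0.13 198.51.100.7
2100 10.0.0.20 203.0.113.5
2105 10.0.0.20 203.0.113.12
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from whitespace-separated records."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def is_periodic(timestamps, min_events=4, max_jitter=0.05):
    """True when the gaps between events are nearly constant.

    Jitter is the population standard deviation of the gaps divided by the
    mean gap; the 5% threshold is a constructed tuning value.
    """
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_jitter


def find_controllers(text, min_hosts=2):
    """Map destinations to the sorted list of sources beaconing to them,
    keeping only destinations with at least `min_hosts` distinct sources."""
    beaconers = defaultdict(set)
    for (src, dst), times in parse_log(text).items():
        if is_periodic(times):
            beaconers[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in beaconers.items()
            if len(srcs) >= min_hosts}


if __name__ == "__main__":
    for dst, srcs in find_controllers(SAMPLE_LOG).items():
        print(f"{dst} is beaconed to by {len(srcs)} hosts: {', '.join(srcs)}")
```

On the constructed log the browsing user is never flagged (too few events to one host, and irregular gaps), while the three check-in hosts are grouped under the single external address they share. On real data the interval and jitter thresholds, the minimum event count and an allow-list of known update servers would all need tuning.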

After the above information was drafted, Computer Associates (CA) claimed that a large coordinated attack on the internet is imminent, through the use of botnets. CA researchers believe that the botnet is being established through three different trojans, and that access to the botnet is being sold for as little as 5 US cents per compromised system:

In addition to the above names, some other anti-virus companies are identifying them as Bagle downloader variants. These downloaders usually arrive via email, much like Gibe.F variants, which are just one of a class of worms that pass themselves off as valid security updates or other software patches from Microsoft. Most of these worms do not attempt to actually update the applications that they claim they are for, but operate as any other worm which, once executed, aims to deactivate common anti-virus and other protective software prior to opening a backdoor for the remote hackers. Some variants go so far as to install spyware, adware and other malicious software such as keyloggers.

In other news from the past week, alternative internet browser company Opera recently carried out a poll which found that around half of all internet users felt that browser choice was an important factor in online security, but only 11% had switched browsers as a direct result of seeking more security. Disturbingly, one third of the internet users polled admitted that they didn't know whether browser choice made any difference to how susceptible a computer was to infection from malicious software, and a further 17 percent did not believe that it had any effect whatsoever.

A new Top Level Domain (TLD) has recently been announced, .xxx, ostensibly for adult content sites. This is useful for people who manage internet filters (such as NetNanny), but the effectiveness of the new TLD is debatable. The cost of registering domain names on this TLD is ten times that of a .com or .net domain, and it is expected that companies will not shut down their .com addresses in order to move across to .xxx addresses. A domain name merely points to an address, so multiple domain names can point to the same IP address, and thus the same site. The initial reason for different TLDs was to share the load of DNS requests on root servers whenever a local server did not hold a cached copy of the address. Initially, .com was for commercial sites, .net for network providers and related companies, .org for non-profit organisations, and so on. With the growth of the internet, this model broke down, and the importance of specific TLDs declined, with .com becoming the ubiquitous TLD. A practical example of this is BigPond, Telstra's Australian ISP. Technically, their website should appear at the following addresses:

http://www.bigpond.net.au/
http://bigpond.net.au/

Instead, their site appears at:
http://www.bigpond.net/
http://www.bigpond.com/
http://www.bigpond.com.au redirects to http://www.bigpond.com

According to German technical magazine c't, as reported in The Register, it may be possible to upgrade XP Home to essentially an XP Pro Lite, which includes the capability for Remote Desktop, user management, and improved security features. The specific details are reported in the print version of the magazine (German only), and are replicated on The Register's website. Essentially, it is a simple change to a couple of registry values and setup files. While it may seem strange that the Pro version features can be obtained so simply from the consumer version, it is actually quite a common practice for product manufacturers (and software developers) to develop one version, but switch off various capabilities through configuration settings to create multiple sales points. This allows them to streamline their development / production chains. The same thing forms the basis for most basic overclocking procedures, such as flashing DVD players to be region free. In a specific case, USRobotics had released two modems which were exactly the same hardware: the Sportster (low end) and the Courier (high end). The difference between the modems was a simple initialisation string which, when leaked, allowed consumers who owned the low end modem to upgrade for free. With the XP Home to XP Pro Lite modification, support for SP2 is lost unless it is slipstreamed into the installation CD. This code may actually have been left over from the NT 4 codebase (2000, XP and 2003 are all derived from the NT codebase, while 98, 98 SE and ME are derived from the 9x codebase), where a similar hack allowed NT 4 Workstation to be changed into the Server version.

Sony has announced that they are releasing a new protection technology to prevent multiple copies being made from their CD-R disks. Another disk protection scheme was defeated through the use of a simple black marker pen to cover a single track on the disk. The use of a marker pen, or holding down the shift key to bypass the autorun protection on other disks, could be considered illegal under the United States Digital Millennium Copyright Act (DMCA), as it is a means of circumventing an access control placed by the vendor.

Finally, mainstream media appear to be picking up on the idea that once information is computerised, and in particular placed on the internet, it may always exist, especially if it attracts popular interest. A recent column by CNN discussed the long term storage of information by Google, and how it may cause issues for some customers and become a source of potential abuse, given privacy regulations that change the accessibility of information after certain periods of time. Even though Google's corporate mantra is 'Do No Evil', they have basically become the tacit gatekeepers of the world's electronic information. Indeed, Google is the hacker's best friend: it is trivial to access information that should be protected, because Google has innocently indexed and archived copies of information that should never have been exposed to public view in the first place. This is the problem of the administrator, not Google. Perhaps the simplest approach is to consider any information placed on the internet to be unprotected and readable by anybody, good or evil. If it could possibly be used to embarrass you, then perhaps it shouldn't be placed on the internet.

6 June 2005