<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Steve Goodbarn</title>
    
    
    <link rel="alternate" type="text/html" href="http://www.stevegoodbarn.com/" />
    <id>tag:typepad.com,2003:weblog-1774484</id>
    <updated>2010-03-08T15:12:04-07:00</updated>
    <subtitle>This is the blog of Steve Goodbarn, CEO and Director of Secure64, provider of DNSSEC products for a more secure DNS infrastructure, and former CFO of Janus Funds. I write about DNS, DNSSEC, Internet standards efforts, financial management, economics and personal hobbies of mine.</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/SteveGoodbarn" /><feedburner:info uri="stevegoodbarn" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>SteveGoodbarn</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry>
        <title>Charge your battery and lose control of your PC</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/dHe4fGHpklo/charge-your-battery-and-lose-control-of-your-pc.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/03/charge-your-battery-and-lose-control-of-your-pc.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a9167d83970b</id>
        <published>2010-03-08T15:12:04-07:00</published>
        <updated>2010-03-08T15:11:31-07:00</updated>
        <summary>Energizer and USCERT report that a backdoor has been found on USB battery chargers that could allow an attacker to have remote access and take control of Windows based PCs: Energizer DUO USB battery charger software allows unauthorized remote system access: Overview The software included with the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. I. Description Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Energizer USB battery charger" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Trojans" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Windows vulnerabilities" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Energizer and &lt;a href="http://www.kb.cert.org/vuls/id/154421"&gt;US-CERT&lt;/a&gt; report that a backdoor has been found in the software shipped with a USB battery charger that could allow an attacker to gain remote access and take control of Windows-based PCs: &lt;a href="http://www.kb.cert.org/vuls/id/154421"&gt;Energizer DUO USB battery charger software allows unauthorized remote system access&lt;/a&gt;:&lt;a name="overview"&gt;&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;h3&gt;Overview&lt;/h3&gt;&#xD;
&lt;p&gt;The software included with the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. &lt;a name="description"&gt;&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;h3&gt;I. Description&lt;/h3&gt;&#xD;
&lt;p&gt;Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file &lt;tt&gt;UsbCharger.dll&lt;/tt&gt; in the application's directory and &lt;tt&gt;Arucer.dll&lt;/tt&gt; in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the &lt;tt&gt;UsbCharger.dll&lt;/tt&gt; component for providing USB communication capabilities. &lt;tt&gt;UsbCharger.dll&lt;/tt&gt; executes &lt;tt&gt;Arucer.dll&lt;/tt&gt; via the Windows &lt;tt&gt;rundll32.exe&lt;/tt&gt; mechanism, and it also configures &lt;tt&gt;Arucer.dll&lt;/tt&gt; to execute automatically when Windows starts by creating an entry in the &lt;tt&gt;HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run&lt;/tt&gt; registry key. &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p&gt;Elinor Mills of CNET &lt;a href="http://news.cnet.com/insecurity-complex/"&gt;writes further&lt;/a&gt;:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;The Trojan may have been in the software since it was first offered three years ago, according to Symantec. &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;"We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007. It is impossible to say for sure that this Trojan has always been in this software, but from our initial inspection it appears so," Symantec wrote in a &lt;a href="http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software"&gt;&lt;strong&gt;&lt;font color="#1e5b7e"&gt;blog post&lt;/font&gt;&lt;/strong&gt;&lt;/a&gt;. "The Trojan still operates whether this device is found or not, so a USB charger doesn't need to be plugged in for the Trojan to be functioning." &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;A battery charger that may have been compromising PCs for 3 years is not comforting. What new malware discoveries await us? &lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/03/charge-your-battery-and-lose-control-of-your-pc.html</feedburner:origLink></entry>
    <entry>
        <title>Network World Reports "Former NSA tech chief: I don't trust the cloud"</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/G_OSZdCB1Cw/network-world-reports-former-nsa-tech-chief-i-dont-trust-the-cloud.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/03/network-world-reports-former-nsa-tech-chief-i-dont-trust-the-cloud.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a9050b50970b</id>
        <published>2010-03-05T16:19:43-07:00</published>
        <updated>2010-03-05T16:19:34-07:00</updated>
        <summary>And neither should anyone else. Cloud computing offers big savings but without better authentication of users (including use of DNSSEC) it is folly to rely on the cloud for anything that is critical or private. The Network World article by Tim Greene can be found here: The former National Security Agency technical director told the RSA Conference he doesn't trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years. Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="cloud computing" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="National Security Agency" />
        <category scheme="http://sixapart.com/ns/types#tag" term="NSA tech chief" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;And neither should anyone else. Cloud computing offers big savings but without better authentication of users (including use of DNSSEC) it is folly to rely on the cloud for anything that is critical or private. &lt;/p&gt;&#xD;
&lt;p&gt;The Network World article by Tim Greene can be found &lt;a href="http://www.networkworld.com/news/2010/030410-rsa-cloud-security-warning.html?source=NWWNLE_nlt_daily_pm_2010-03-04"&gt;here&lt;/a&gt;: &lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p class="first"&gt;The former National Security Agency technical director told the RSA Conference he doesn't trust &lt;a href="http://www.networkworld.com/supp/2009/ndc3/051809-cloud-buy-services.html"&gt;cloud services&lt;/a&gt; and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years. &lt;/p&gt;&#xD;
&lt;p&gt;Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. "You don't know what else is cuddling up next to it," he says. &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;Even the most secure cloud platform in the world, such as Google's, has been compromised by lack of user authentication. That is how &lt;a href="http://www.stevegoodbarn.com/2009/08/twitter-is-atwitter-about-security-issues.html"&gt;Twitter&lt;/a&gt; was victimized. Improving our infrastructure is not all rocket science.&lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/03/network-world-reports-former-nsa-tech-chief-i-dont-trust-the-cloud.html</feedburner:origLink></entry>
    <entry>
        <title>E-banking: Just say NO</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/69NnSJysx_Y/ebanking-just-say-no.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/02/ebanking-just-say-no.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a8cf3f5c970b</id>
        <published>2010-02-24T14:39:31-07:00</published>
        <updated>2010-02-24T14:39:31-07:00</updated>
        <summary>I must applaud Brian Krebs for continuing to report on small businesses that are victimized by online banking fraud. His last several posts at Krebs on Security make me wonder why this problem does not get more publicity: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss and IT Firm Loses $100,000 to Online Bank Fraud. Small business cannot survive if banking is not secure. If your money is stolen from a bank during a holdup you don't go bankrupt, but if it is account-specific bank fraud you do. Small businesses need to have the same protections as consumers. If online...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="E-banking" />
        <category scheme="http://sixapart.com/ns/types#tag" term="malware" />
        <category scheme="http://sixapart.com/ns/types#tag" term="online banking fraud" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;I must applaud Brian Krebs for continuing to report on small businesses that are victimized by online banking fraud. His last several posts at &lt;a href="http://www.krebsonsecurity.com/"&gt;Krebs on Security&lt;/a&gt; make me wonder why this problem does not get more publicity: &lt;a href="http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/" rel="bookmark" title="Permanent Link to N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss"&gt;N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss&lt;/a&gt; and &lt;a href="http://www.krebsonsecurity.com/2010/02/it-firm-loses-100000-to-online-bank-fraud/" rel="bookmark" title="Permanent Link to IT Firm Loses $100,000 to Online Bank Fraud"&gt;IT Firm Loses $100,000 to Online Bank Fraud&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;Small business cannot survive if banking is not secure. If your money is stolen from a bank during a holdup you don't go bankrupt, but if it is account-specific bank fraud you do. &lt;/p&gt;&#xD;
&lt;p&gt;Small businesses need to have the same protections as consumers. If online banking is not secure it should not be allowed. It's that simple.&lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/02/ebanking-just-say-no.html</feedburner:origLink></entry>
    <entry>
        <title>Shoddy software &amp; lack of authentication facilitates "Broad New Hacking Attack"</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/bBBIJwWcTFA/shoddy-software-facilitates-broad-new-hacking-attack.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/02/shoddy-software-facilitates-broad-new-hacking-attack.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c012877b63830970c</id>
        <published>2010-02-18T15:31:01-07:00</published>
        <updated>2010-02-18T15:36:15-07:00</updated>
        <summary>Siobhan Gorman of The Wall Street Journal writes today about a widespread hacking attack that stole vast amounts of corporate, personal, and government data, including data from at least 10 federal agencies. And the attack is ongoing. See: Broad New Hacking Attack Detected Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running: Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Adobe vulnerabilites" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Cisco patch" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Firefox zero day" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Hacking Attack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Microsoft blue screen of death" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Siobhan Gorman of The Wall Street Journal writes today about a widespread hacking attack that stole vast amounts of corporate, personal, and government data, including data from at least 10 federal agencies. And the attack is ongoing. See: &lt;a href="http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html?mod=WSJ_Tech_LEFTTopNews"&gt;Broad New Hacking Attack Detected&lt;/a&gt; &lt;a href="http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html?mod=WSJ_Tech_LEFTTopNews"&gt;Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running&lt;/a&gt;:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;Starting in late 2008, hackers operating a command center in Germany got into corporate networks &lt;strong&gt;by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses&lt;/strong&gt;, NetWitness found.&lt;/p&gt;&#xD;
&lt;p&gt;In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. &lt;/p&gt;&#xD;
&lt;p&gt;They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.&lt;/p&gt;&#xD;
&lt;p&gt;At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said. &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;These attacks are getting worse because the fundamental software and hardware running the web is not secure and never will be. Let's look at just a few examples &lt;strong&gt;TODAY&lt;/strong&gt; of these weaknesses:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Adobe Reader and Flash - essential for reading documents and watching videos online: &lt;a href="http://www.thetechherald.com/article.php/201007/5257/Adobe-offers-flawed-version-of-Reader-to-masses-after-update"&gt;Adobe offers flawed version of Reader to masses after update&lt;/a&gt;.&lt;/li&gt;&#xD;
&lt;li&gt;Cisco - &lt;a href="http://www.networkworld.com/community/node/57684?source=NWWNLE_nlt_daily_am_2010-02-18"&gt;Cisco patches multiple holes in its security products&lt;/a&gt;&lt;/li&gt;&#xD;
&lt;li&gt;Microsoft - &lt;a href="http://www.krebsonsecurity.com/2010/02/microsoft-got-bluescreen-check-for-rootkits/" rel="bookmark" title="Permanent Link to Microsoft: Got Bluescreen? Check for Rootkits"&gt;Microsoft: Got Bluescreen? Check for Rootkits&lt;/a&gt;&lt;/li&gt;&#xD;
&lt;li&gt;Mozilla Firefox - &lt;a href="http://www.theregister.co.uk/2010/02/18/firefox_zero_day_report/"&gt;Attack code for Firefox zero-day goes wild, says researcher&lt;/a&gt;&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;This is just from &lt;strong&gt;today &lt;/strong&gt;and I have to stop myself before I unplug this laptop and head for the hills. We will never be secure online with these products.&lt;/p&gt;&#xD;
&lt;p&gt;But these weaknesses tell only part of the story. Notice my bold in the Wall Street Journal article. The attacks were carried out "by enticing employees to click on contaminated web sites, email attachments or ads purporting to clean up viruses". No software can stop that. &lt;/p&gt;&#xD;
&lt;p&gt;Social engineering will always be a vulnerability. But if the web had authentication, so the employee could validate the email and authenticate the web site, the chances of this attack succeeding would be greatly diminished. And with email authentication it is unlikely the spam bot could survive to send the bad email in the first place. It is odd to me that DNSSEC adoption - which provides the needed authentication - gets so little mention in these articles. It is the obvious, least expensive and least disruptive solution.&lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/02/shoddy-software-facilitates-broad-new-hacking-attack.html</feedburner:origLink></entry>
    <entry>
        <title>DNSSEC deployment status within .gov is online</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/JshOVjA6Ak0/dnssec-deployment-status-within-gov-online.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/02/dnssec-deployment-status-within-gov-online.html" thr:count="2" thr:updated="2010-02-26T12:39:24-07:00" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c012877918066970c</id>
        <published>2010-02-11T15:21:10-07:00</published>
        <updated>2010-02-11T15:20:17-07:00</updated>
        <summary>The US Commerce Department's National Institute of Standards (NIST) has a DNS operations group that is shepherding deployment of DNSSEC within the Federal Government. They recently set up a site to monitor DNSSEC adoption status within agencies. The site can be found here: USG DNSSEC Deployment Status. The list is not 100% complete, with OMB.gov missing, and including several state and local .gov sites. But it does offer a way to follow compliance with the OMB memo that required adoption by the end of 2009. There may be slow progress on compliance but at least it is progress.</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC deployment status" />
        <category scheme="http://sixapart.com/ns/types#tag" term="NIST" />
        <category scheme="http://sixapart.com/ns/types#tag" term="OMB DNSSEC mandate" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The US Commerce Department's National Institute of Standards (NIST) has a DNS operations group that is shepherding deployment of DNSSEC within the Federal Government. They recently set up a site to monitor DNSSEC adoption status within agencies. The site can be found here: &lt;a href="http://www.dnsops.gov/USAdotGOV-status.html"&gt;USG DNSSEC Deployment Status&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;The list is not 100% complete: OMB.gov is missing, and several state and local .gov sites are included. But it does offer a way to follow compliance with the &lt;a href="http://www.whitehouse.gov/OMB/memoranda/fy2008/m08-23.pdf"&gt;OMB memo&lt;/a&gt; that required adoption by the end of 2009. Progress on compliance may be slow, but at least it is progress.&lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/02/dnssec-deployment-status-within-gov-online.html</feedburner:origLink></entry>
    <entry>
        <title>Wall Street Journal: Small business is the online bank fraud target</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/CU2mqKaPgTo/wall-street-journal-small-business-is-the-new-cyber-crime-target.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/02/wall-street-journal-small-business-is-the-new-cyber-crime-target.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a8880721970b</id>
        <published>2010-02-10T12:47:21-07:00</published>
        <updated>2010-02-10T12:46:19-07:00</updated>
        <summary>The Wall Street Journal Reported Monday on increasingly focused cyber attacks on small businesses. See Wanted: Defense Against Online Bank Fraud Small businesses have been hit by a wave of cybercrimes. Here's how to protect your accounts. I'm happy to see this topic get some coverage but the advice on how to protect against these attacks is more of the same "band aids", "bodyguards", "be really diligent" suggestions that do nothing to change the current unsatisfactory nature of cyber security. Brian Krebs has a series of articles on specific attacks that circumvent much of our current defenses. Follow this link...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Online bank fraud" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The Wall Street Journal reported Monday on increasingly focused cyber attacks on small businesses. See &lt;a href="http://online.wsj.com/article/SB10001424052748703483604574630690362605018.html?mod=dist_smartbrief"&gt;Wanted: Defense Against Online Bank Fraud. Small businesses have been hit by a wave of cybercrimes. Here's how to protect your accounts.&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;I'm happy to see this topic get some coverage but the advice on how to protect against these attacks is more of the same "band aids", "bodyguards", "be really diligent" suggestions that do nothing to change the current unsatisfactory nature of cyber security. &lt;/p&gt;&#xD;
&lt;p&gt;Brian Krebs has a series of articles on specific attacks that circumvent much of our current defenses. Follow this link and view some of his other postings for more: &lt;a href="http://www.krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/"&gt;Comerica Phish Foiled 2-Factor Protection&lt;/a&gt;, &lt;a href="http://www.krebsonsecurity.com/"&gt;Krebsonsecurity.com&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;What makes these attacks so scary is that there are no statutory requirements for banks to reimburse businesses for losses. If this happens in an individual account you are usually protected.&lt;/p&gt;&#xD;
&lt;p&gt;Many of these attacks begin with spoofed emails that direct you to spoofed sites that load malware onto your computer. Authenticated email would make this type of attack very difficult if not impossible. And how about having the bank site do some authentication beyond 2 factor?&lt;/p&gt;&#xD;
&lt;p&gt;Banks should be required to improve online authentication or they should be prevented from offering online banking to businesses. Times are difficult enough for a small business without the added risk of online bank fraud. We can do a better job with existing technologies, including DNSSEC.&lt;/p&gt;&lt;/div&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/02/wall-street-journal-small-business-is-the-new-cyber-crime-target.html</feedburner:origLink></entry>
    <entry>
        <title>Denial of Service Attacks a continuing menace</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/0Djo5-53f88/denial-of-service-attacks.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/01/denial-of-service-attacks.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a7ff8af4970b</id>
        <published>2010-01-23T15:12:49-07:00</published>
        <updated>2010-01-23T15:12:49-07:00</updated>
        <summary>Arbor Networks released their annual Infrastructure Security Report last week. The report details the concerns and security threats faced by large telco and ISP service providers. Denial of service attacks on cloud based services, botnets, identity and credential theft, and DNS cache poisoning topped the list of concerns. Going forward, the pending adoption of DNSSEC and IPV6 represent infrastructure changes that are going to tax not only service providers but customer and enterprise networks. The most ominous trend is the increased sophistication and the targeted nature of attacks. In the past it appeared simple disruption was the goal of attackers....</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Arbor Networks Infrastucture Security Report" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DDoS attacks" />
        <category scheme="http://sixapart.com/ns/types#tag" term="denial of service attacks" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS cache poisoning" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="IPV6" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Arbor Networks released their annual &lt;a href="http://asert.arbornetworks.com/2010/01/5th-edition-of-the-worldwide-infrastructure-security-report/"&gt;Infrastructure Security Report&lt;/a&gt; last week. The report details the concerns and security threats faced by large telco and ISP service providers. Denial of service attacks on cloud-based services, botnets, identity and credential theft, and DNS cache poisoning topped the list of concerns. Going forward, the pending adoption of DNSSEC and IPv6 represents infrastructure changes that are going to tax not only service providers but customer and enterprise networks.&lt;/p&gt;&#xD;
&lt;p&gt;The most ominous trend is the increased sophistication and the targeted nature of attacks. In the past it appeared simple disruption was the goal of attackers. Now it is more commercially oriented. If you depend on the Internet, including email or cloud services for your operations you could be specifically targeted.&lt;/p&gt;&#xD;
&lt;p&gt;Reading the full article requires registration, but InformationWeek has a good recap: &lt;a href="http://www.informationweek.com/blog/main/archives/2010/01/denialofservice.html;jsessionid=H3X0ZGCCB3DFLQE1GHPSKHWATMY32JVN"&gt;Denial-of-Service Attack Intensity Grows&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;A survey of 132 network operators and telecommunication providers reveals that Distributed Denial-of-Service (DDoS) attacks are the top day-to-day security challenge facing service providers.&lt;/p&gt;&#xD;
&lt;p&gt;The report also cites several multi-hour service provider outages caused by attacks targeting distributed domain name system (DNS) infrastructure, load balancers and large-scale SQL server back-end infrastructure.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;The Arbor Networks blog goes on:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;"Beyond sheer attack size, respondents indicated that they are continuing to see attacks become more sophisticated, with attackers expressly aiming to exhaust resources other than bandwidth, such as firewalls, load-balancers, back-end database infrastructure and associated transaction capacity, cached data serving algorithms, etc.  This increasing sophistication is a disconcerting trend that has been captured in previous editions of the survey as well, and one that continues to worry network operators.  With observable consolidation of content sources and migration to multi-tenant cloud or hosted infrastructure and services (e.g., DNS), the risk of attacks that impact multiple entities and more commonly induce collateral damage is heightened. &lt;/p&gt;&#xD;
&lt;p&gt;Another resounding theme network operators expressed was that of considerable concern over the combinatorial effects of pending DNSSEC deployment, IPv4 address space exhaustion, corresponding IPv6 deployment acceleration, and 32-bit ASNs for the Internet’s inter-domain routing system, all within the next 12-24 months." &lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;Some pundits do not take DDoS attacks seriously because we have had few serious outages. Yet they are underway all the time. Why don't they have a more pronounced effect? Service providers and ecommerce companies have developed enormous overcapacity to deal with these attacks. Overcapacity adds a lot to expenses and power consumption. If we could run closer to the red line it would be much more efficient, green, and cost effective. At the end of the day consumers pay for all of this overcapacity. &lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=0Djo5-53f88:tN7vdqfezJY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=0Djo5-53f88:tN7vdqfezJY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?i=0Djo5-53f88:tN7vdqfezJY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SteveGoodbarn/~4/0Djo5-53f88" height="1" width="1"/&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/01/denial-of-service-attacks.html</feedburner:origLink></entry>
    <entry>
        <title>Google hack in the wild - Gmail accounts at risk </title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/8Q29XlPugJc/google-hack-in-the-wild-gmail-accounts-at-risk-.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/01/google-hack-in-the-wild-gmail-accounts-at-risk-.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c0120a7ea012c970b</id>
        <published>2010-01-18T18:54:44-07:00</published>
        <updated>2010-01-18T18:54:44-07:00</updated>
        <summary>FoxNews is reporting that the attack code used in the Google hack last week has been published. Gmail accounts can be compromised through this attack, which is specific to Microsoft Internet Explorer. DNSSEC would have made this attack very difficult if not impossible, as I pointed out in my post on this hack last week. DNSSEC provides the foundation for authentication for the internet, including email. Without DNSSEC you can't be certain who sent email or that you are on the correct web site. These weaknesses were key to the success of these attacks, which hit at least 34 major...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Gmail" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Google hack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Metasploit" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Microsoft Internet Explorer vulnerability" />
        <category scheme="http://sixapart.com/ns/types#tag" term="spearphishing" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;FoxNews is reporting that the attack code used in the Google hack last week has been published. Gmail accounts can be compromised through this attack, which is specific to Microsoft Internet Explorer. &lt;/p&gt;&#xD;
&lt;p&gt;DNSSEC would have made this attack very difficult if not impossible, as I pointed out in my post on this hack last week. DNSSEC provides the foundation for authentication for the internet, including email. Without DNSSEC you can't be certain who sent email or that you are on the correct web site. These weaknesses were key to the success of these attacks, which hit at least 34 major firms (see my post from 1/13/10).&lt;/p&gt;&#xD;
&lt;p&gt;The article is linked here: &lt;a href="http://www.foxnews.com/scitech/2010/01/18/google-exploit-leaked-internet-security-experts-urge-vigilance/"&gt;Google Hack Leaked to Internet; Security Experts Urge Vigilance&lt;/a&gt;:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p nodeindex="1"&gt;The code that was used to hack Gmail accounts in China is now publicly available on the Internet, and security experts are urging computer users throughout the world to be highly vigilant until a patch can be developed.&lt;/p&gt;&#xD;
&lt;p nodeindex="2"&gt;The hack involves Internet Explorer 6, the browser that came with the Windows XP operating system that, while outdated, still powers millions of businesses and home computers and is now dangerously compromised. &lt;/p&gt;&#xD;
&lt;p nodeindex="3" sizcache="160" sizset="78"&gt;On Thursday, the code that was used to hack Gmail accounts in China and led Google to threaten to close shop there was &lt;a href="http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&amp;amp;type=js" target="_blank"&gt;&lt;strong&gt;posted to malware-analysis Web site Wepawet&lt;/strong&gt;&lt;/a&gt;. By Friday, security site &lt;a href="http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html" target="_blank"&gt;&lt;strong&gt;Metasploit had posted a demonstration&lt;/strong&gt;&lt;/a&gt; of just how easily the exploit can be used to gain complete control over a computer.&lt;/p&gt;&#xD;
&lt;p nodeindex="4"&gt;Metasploit is intended to let security professionals test out security threats. &lt;/p&gt;&#xD;
&lt;p nodeindex="5" sizcache="160" sizset="80"&gt;"Normally these frameworks are designed for the good guys for our assessment. The problem is, it's open source and available to anyone," said Michael Gregg, head of &lt;a href="http://www.thesolutionfirm.com/" target="_blank"&gt;&lt;strong&gt;Superior Solutions Inc&lt;/strong&gt;&lt;/a&gt;., a Houston-based cybersecurity consultancy.&lt;/p&gt;&#xD;
&lt;p nodeindex="6"&gt;"And the scary thing about Metasploit is, anybody can pull this stuff down and anybody can launch it. It's not the skilled hacker working for the government, it's the kid next door." &lt;/p&gt;&#xD;
&lt;p nodeindex="7" sizcache="160" sizset="81"&gt;&lt;span class="smalltext" sizcache="160" sizset="81"&gt;George Kurtz, CTO of the security firm McAfee, agrees. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," &lt;a href="http://siblog.mcafee.com/cto/%e2%80%9caurora%e2%80%9d-exploit-in-google-attack-now-public/" target="_blank"&gt;he wrote late week&lt;/a&gt;. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6." &lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr" nodeindex="7" sizcache="160" sizset="81"&gt;&lt;span class="smalltext" sizcache="160" sizset="81"&gt;If hackers can get into the heart of Google then the average bank or business has little chance of considering itself secure. It was only a matter of time before this surfaced. What concerns me even more is the response to this threat. The article continues:&lt;/span&gt;&lt;/p&gt;&lt;span class="smalltext" sizcache="160" sizset="81"&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p nodeindex="10"&gt;Microsoft's next scheduled security update is Feb. 9 -- so unless the company expedites an "out of cycle" security patch, more than three weeks will elapse before this vulnerability is fixed. Without a patch in sight, security experts urge vigilance, and not just for government agencies and huge businesses like Google.&lt;/p&gt;&#xD;
&lt;p nodeindex="11"&gt;"This is something that affects businesses in the U.S. as well as individuals. The Internet knows no borders,"  Gregg warned.&lt;/p&gt;&#xD;
&lt;p nodeindex="12"&gt;Gregg said that years ago, software companies had months to solve a security flaw after it was uncovered. Today, it's hours&lt;span class="smalltext"&gt;. &lt;/span&gt;Protecting yourself and your business is substantially harder today than it was in years past, too, due both to the accelerated pace of these exploits and also to hackers' reliance on &lt;em&gt;social engineering,&lt;/em&gt; where an individual is tricked into providing confidential information. &lt;/p&gt;&#xD;
&lt;p nodeindex="13"&gt;Gregg calls it &lt;em&gt;spearphishing:&lt;/em&gt; "They target the user with an e-mail  that would appeal to them, one that leads to a site that launches malicious code onto your system." And the IE 6 exploit makes it particularly easy to slip that code on your computer.&lt;/p&gt;&#xD;
&lt;p nodeindex="14"&gt;Staying on top of current security patches, using firewalls, updating Web browsers and running intrusion detection software is the first part of staying safe. But since most attacks rely upon spearphishing or some similar end-user exploit, Gregg suggests a training program that would warn users that if an e-mail link looks too good to be true, it probably is -- don't click on it.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr" nodeindex="14"&gt;Wouldn't it be nice if you could authenticate email so you would know the spearphish email was fake? And if you were careless and clicked on the email, wouldn't you like the site to be authenticated so you would have some idea that it was malicious? Then you understand why DNSSEC is so important because it could be used to do this for you. &lt;/p&gt;&#xD;
&lt;p dir="ltr" nodeindex="14"&gt;You would not be entirely dependent upon your security administrator skills by ". . . using firewalls, updating web browsers and running intrusion detection software . . ." Which as he notes are largely irrelevant anyway if you click on a spearphish email. Security needs to be on the net and not dependent solely on the user.&lt;br&gt;&lt;/p&gt;&#xD;
&lt;p dir="ltr" nodeindex="12"&gt;&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=8Q29XlPugJc:9WtXdK-0C-I:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=8Q29XlPugJc:9WtXdK-0C-I:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?i=8Q29XlPugJc:9WtXdK-0C-I:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SteveGoodbarn/~4/8Q29XlPugJc" height="1" width="1"/&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/01/google-hack-in-the-wild-gmail-accounts-at-risk-.html</feedburner:origLink></entry>
    <entry>
        <title>The Google hack</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/FVWGzlvYnUY/the-google-hack.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/01/the-google-hack.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c012876d256d3970c</id>
        <published>2010-01-13T19:18:10-07:00</published>
        <updated>2010-01-18T18:58:59-07:00</updated>
        <summary>Last evening's headline news that Google was considering an exit from China in the wake of certain hacking activities may finally shake us out of cyber security complacency. Before getting into the story I have 3 points to make: According to Google it appears phishing emails were used as part of the attack, and we have no good way of authenticating email today without having DNSSEC in place. Gmail just made https a default email setting, which helps to close an encryption gap. But https, SSL, and VPN are not foolproof without DNSSEC (see earlier posts here and here). Tools...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term=" Google hack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Adobe" />
        <category scheme="http://sixapart.com/ns/types#tag" term="China cyber attack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="malware" />
        <category scheme="http://sixapart.com/ns/types#tag" term="phishing" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Last evening's headline news that Google was considering an exit from China in the wake of certain hacking activities may finally shake us out of cyber security complacency. Before getting into the story I have 3 points to make:&lt;/p&gt;&#xD;
&lt;ol&gt;&#xD;
&lt;li&gt;According to Google it appears phishing emails were used as part of the attack, and we have no good way of authenticating email today without having DNSSEC in place. Gmail just made &lt;a href="http://gmailblog.blogspot.com/2008/07/making-security-easier.html"&gt;https&lt;/a&gt; a default email setting, which helps to close an encryption gap. But https, SSL, and VPN are not foolproof without DNSSEC (see earlier posts &lt;a href="http://www.stevegoodbarn.com/2009/12/ssl-vpn-vulnerability-disclosed-by-uscert-.html"&gt;here&lt;/a&gt; and &lt;a href="http://www.stevegoodbarn.com/2009/08/ssl-is-not-foolproof-security.html"&gt;here&lt;/a&gt;). Tools to make email much more secure are at hand, but few take them seriously. We can do better to secure email and stop spam with minimal cost.&lt;/li&gt;&#xD;
&lt;li&gt;According to Google an attack vector may have been malware or "malicious software" placed on victims' computers. How did the malware get there? Possibly by visiting a spoofed site. Without authentication you can't be sure a site is real or that there is no "man in the middle" spying on you while you visit a legitimate site (which would enable them to steal your login credentials or other data). DNSSEC is the only internet-wide authentication method we have and it could virtually eliminate this problem. DNSSEC is not expensive or difficult to install, yet adoption is incredibly slow and non-existent in the financial sector or health care.&lt;/li&gt;&#xD;
&lt;li&gt;We have no leadership on cyber security. There is a lot of posturing and policy, but real money spent on actual solutions - secure software and hardware, rather than "band aids and bodyguards" - is quite low. I have built a company around the premise that &lt;a href="http://www.secure64.com/products"&gt;malware-immune software&lt;/a&gt; is required for mission critical functions, but security features are very difficult to sell in the market - even to the US government. Performance and ease of use are what get us sales; security is an afterthought.&lt;/li&gt;&#xD;
&lt;/ol&gt;&#xD;
&lt;p&gt;Most US Government agencies have yet to adopt DNSSEC despite a requirement to do so by the end of 2009. Someone needs to step up in government. Industry is "milking the cow" on security by selling insecure products and then making money trying to protect us. Are product liability attorneys listening?&lt;/p&gt;&#xD;
&lt;p&gt;The &lt;a href="http://online.wsj.com/article/SB126333757451026659.html?mod=WSJ_hp_mostpop_read"&gt;Wall Street Journal&lt;/a&gt; Headline on the Google attack:  &lt;/p&gt;&#xD;
&lt;h1&gt;Google Warns of China Exit Over Hacking &lt;/h1&gt;&#xD;
&lt;h2 class="subhead"&gt;Cyber Attack Targeted as Many as 34 Firms, Email of Human-Rights Activists; Investigators Probe Link to Chinese Government&lt;/h2&gt;&#xD;
&lt;p class="subhead"&gt;I'd like to know a little more about the 34 other firms, one of whom appears to be &lt;a href="http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html"&gt;Adobe&lt;/a&gt;. Adobe released a huge update for reader today covering several critical vulnerabilities.&lt;/p&gt;&#xD;
&lt;p class="subhead"&gt;Google's explanation is posted on their blogs: &lt;a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html"&gt;A new approach to China&lt;/a&gt; and &lt;a href="http://googleenterprise.blogspot.com/2010/01/keeping-your-data-safe.html"&gt;Keeping your data safe&lt;/a&gt;. &lt;/p&gt;&#xD;
&lt;p class="subhead"&gt;Excerpt from the official Google blog (my bold): &lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.&lt;br&gt;&lt;br&gt;First, this attack was not just on Google. As part of our investigation we have discovered that at least &lt;strong&gt;twenty other large companies&lt;/strong&gt; from a wide range of businesses--&lt;strong&gt;including the Internet, finance, technology, media and chemical sectors&lt;/strong&gt;--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.&lt;br&gt;&lt;br&gt;Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. 
Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.&lt;br&gt;&lt;br&gt;Third, as part of this investigation but &lt;strong&gt;independent of the attack on Google&lt;/strong&gt;,&lt;strong&gt;we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties.&lt;/strong&gt;These accounts have not been accessed through any security breach at Google, but most likely via &lt;strong&gt;phishing scams or malware placed on the users' computers&lt;/strong&gt;.&lt;br&gt;&lt;br&gt;We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, &lt;strong&gt;we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online&lt;/strong&gt;. You can read more &lt;a href="http://googleblog.blogspot.com/2009/11/next-steps-in-cyber-security-awareness.html"&gt;here&lt;/a&gt;about our cyber-security recommendations. 
People wanting to learn more about these kinds of attacks can read this &lt;a href="http://www.uscc.gov/annual_report/2009/chapter2_section_4.pdf"&gt;report&lt;/a&gt; &lt;span style="FONT-SIZE: 85%"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 12px"&gt;(PDF)&lt;/span&gt;&lt;/span&gt; by the U.S.-China Economic and Security Review Commission, as well as a related &lt;a href="http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf"&gt;analysis&lt;/a&gt; &lt;span style="FONT-SIZE: 85%"&gt;&lt;font size="3"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 9px"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 9px"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 9px"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 9px"&gt;&lt;span style="FONT-FAMILY: ; FONT-SIZE: 10px"&gt;(PDF)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;/font&gt;&lt;/span&gt;prepared for the Commission, &lt;a href="http://www.nartv.org/"&gt;Nart Villeneuve's blog&lt;/a&gt; and &lt;a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network"&gt;this&lt;/a&gt;presentation on the GhostNet spying incident.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;Note that Google is telling users "get to work to protect yourself and be careful". That is great if you are a network administrator. Is Steve Jobs the only one who has figured out that people just want it to work? Consumer and business focused systems should pass the grandmother test of usability. That should be our goal. &lt;/p&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;From the Google Enterprise blog: &lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;So what's up with the chemical companies? That's a bit unsettling to me.&lt;/p&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;As this and other attacks demonstrate, even the most secure systems can be compromised if the people accessing the system can be compromised. Therefore cloud computing is no more secure than the weakest user's PC. A scary thought.&lt;/p&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;I believe more details about the Google hack and the other victims will emerge over the coming days. &lt;/p&gt;&#xD;
&lt;p class="subhead" dir="ltr" style="MARGIN-RIGHT: 0px"&gt;Stay tuned.&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=FVWGzlvYnUY:FeT7FfftiQc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=FVWGzlvYnUY:FeT7FfftiQc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?i=FVWGzlvYnUY:FeT7FfftiQc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SteveGoodbarn/~4/FVWGzlvYnUY" height="1" width="1"/&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/01/the-google-hack.html</feedburner:origLink></entry>
    <entry>
        <title>DNS attack takes Baidu offline</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SteveGoodbarn/~3/gX3ofpE3NEc/dns-attack-takes-baidu-offline.html" />
        <link rel="replies" type="text/html" href="http://www.stevegoodbarn.com/2010/01/dns-attack-takes-baidu-offline.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a0105358317d8970c012876cce3fc970c</id>
        <published>2010-01-12T14:47:00-07:00</published>
        <updated>2010-01-12T14:45:22-07:00</updated>
        <summary>Baidu is China's largest search site. Security researchers are pointing to an attack on its DNS registrar as the source of yesterday's outage. See The New York Times: ‘Iranian Cyber Army’ Strikes Chinese Site: Less than a month after a group calling itself the “Iranian Cyber Army” attacked Twitter, users of China’s most popular search engine, Baidu, were redirected on Tuesday morning to a Web page displaying a message claiming that the same group had blocked access to that site as well. China’s official news agency, Xinhua, reported: Internet users attempting to open the site were greeted with a graphic...</summary>
        <author>
            <name>Steve Goodbarn</name>
        </author>
        
        <category scheme="http://sixapart.com/ns/types#tag" term="Baidu" />
        <category scheme="http://sixapart.com/ns/types#tag" term="cache poisoning" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS attack" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNS registrar" />
        <category scheme="http://sixapart.com/ns/types#tag" term="DNSSEC" />
        <category scheme="http://sixapart.com/ns/types#tag" term="Iranian Cyber Army" />
        
<content type="html" xml:lang="en-US" xml:base="http://www.stevegoodbarn.com/">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Baidu is China's largest search site. Security researchers are pointing to an attack on its DNS registrar as the source of yesterday's outage. See The New York Times: &lt;a href="http://thelede.blogs.nytimes.com/2010/01/12/iranian-cyber-army-strikes-chinese-site/"&gt;‘Iranian Cyber Army’ Strikes Chinese Site&lt;/a&gt;:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;Less than a month after a group calling itself the “Iranian Cyber Army” &lt;a href="http://thelede.blogs.nytimes.com/2009/12/18/twitter-hacked-by-iranian-cyber-army/"&gt;&lt;font color="#004276"&gt;attacked Twitter&lt;/font&gt;&lt;/a&gt;, users of China’s most popular search engine, Baidu, were redirected on Tuesday morning to a Web page displaying a message claiming that the same group had blocked access to that site as well.&lt;/p&gt;&#xD;
&lt;p&gt;China’s official news agency, &lt;a href="http://news.xinhuanet.com/english/2010-01/12/content_12797829.htm"&gt;&lt;font color="#004276"&gt;Xinhua, reported&lt;/font&gt;&lt;/a&gt;:&lt;/p&gt;&#xD;
&lt;blockquote&gt;&#xD;
&lt;p&gt;Internet users attempting to open the site were greeted with a graphic stating that the site had been attacked by the Iranian Cyber Army. According to a report on the People’s Daily website, hackers changed Baidu’s DNS records, redirecting traffic to another site. As the BBC explained, “DNS records are like a telephone book, converting Web site names like baidu.com into a sequence of numbers understandable by the Internet.”&lt;/p&gt;&lt;/blockquote&gt;&lt;/blockquote&gt;&#xD;
&lt;p&gt;The security firm &lt;a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/"&gt;Praetorian Prefect&lt;/a&gt; details the DNS attack on their site:&lt;/p&gt;&#xD;
&lt;blockquote dir="ltr"&gt;&#xD;
&lt;p&gt;A group called the Iranian Cyber Army has, fresh off the heels of their &lt;a href="http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/"&gt;DNS attack on Twitter&lt;/a&gt; last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p dir="ltr"&gt;Baidu is a big company and this attack appears to have been accomplished through vulnerabilities in the United States. I can't quantify the financial or disruptive impact on Baidu or those who depend on it for search but it is not trivial. &lt;/p&gt;&#xD;
&lt;p dir="ltr"&gt;This attack highlights the continuing worldwide vulnerability to DNS attacks. No matter how secure or reliable a web site, email system or VoIP system may be, it is still dependent upon the DNS to direct you to the proper site. If the DNS directs you to another site, you presently (without DNSSEC to provide authentication) have no way of knowing that the site is fake. &lt;/p&gt;&#xD;
&lt;p dir="ltr"&gt;In this case the perpetrators wanted you to know the site was fake - but imagine if they took you to a fake search engine site that further directed you to sites that downloaded malware or logged your passwords or other credentials. This is called &lt;a href="http://news.google.com/news/search?aq=f&amp;amp;um=1&amp;amp;cf=all&amp;amp;ned=us&amp;amp;hl=en&amp;amp;q=cache+poisoning"&gt;Cache Poisoning&lt;/a&gt;. It happens all the time and is the basis for a thriving crime business.  &lt;/p&gt;&#xD;
&lt;p dir="ltr"&gt; &lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=gX3ofpE3NEc:ax8Uq7ACzK4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SteveGoodbarn?a=gX3ofpE3NEc:ax8Uq7ACzK4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SteveGoodbarn?i=gX3ofpE3NEc:ax8Uq7ACzK4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SteveGoodbarn/~4/gX3ofpE3NEc" height="1" width="1"/&gt;</content>


    <feedburner:origLink>http://www.stevegoodbarn.com/2010/01/dns-attack-takes-baidu-offline.html</feedburner:origLink></entry>
 
</feed>
