|
Internet Security News
Breaking news and updates in Internet security
Last Updated: July 29th, 2010 21:24:01 CDT -0500
Windows XP Security Patch
This week, Microsoft released a new security patch for issues affecting the XP and Server 2003 operating systems. The vulnerabilities were all related to remote code execution, though only the XP patches were listed as critical by the Microsoft Security Bulletin.
 | | Windows XP Security Patch |  |
On June 5, Tavis Ormandy, a Google security researcher discovered a zero-day vulnerability in Windows Help that he reported to Microsoft. When Microsoft and Ormandy could not agree on the terms of creating a fix, he published the vulnerability four days later, creating a huge media storm. There were people on both sides, some arguing that Ormandy acted irresponsibly by spoon feeding a security exploit to hackers who would use it to cause harm. Others argued that without full disclosure, Microsoft would not have taken this threat seriously and wouldn't act towards fixing the issue.
Whether or not Ormandy was right in his actions, the outcome speaks in his favor. This past Tuesday, Microsoft released Microsoft Security Bulletin MS10-042, which addresses these vulnerabilities. This is an amazingly quick turnaround. The normal time frame for "responsible disclosure" is to allow the software manufacturer a 60 day window to fix the problem before public release. To have a fix only five weeks after the bug was brought to Microsoft's attention makes a strong argument for the proponents of full disclosure.
On the other hand, since the release of this particular bug, Microsoft has reported over 10,000 computers have been affected by hackers using this security hole. This is a significant amount of people being affected by a previously unpublished issue. The fact that it was unpublished does not necessarily mean that it was unknown to the people who could exploit it. It is unlikely that Ormandy was the only person that would ever discover this problem. Thanks to his actions, we now have a solution to what could have become a serious problem for more than just the 10,000 people who were unfortunately targeted.
iTunes Store to Receive Security Makeover
Apple is in the news this week about the new security measures it will be implementing in the wildly popular iTunes store. Granted, this is not a major security upgrade, but it does help to prevent the kind of security holes that have been recently exposed.
 | | iTunes Store To Receive Security Makeover | |
This all began when a Vietnamese app developer named Thuat Nguyen's apps covered 42 of the top 50 apps in the app store. This raised a few red flags, especially after people commented on the apps that they never purchased them. After some investigating, Apple determined that Nguyen had obtained account information from 400 accounts with stored credit card information and had used them to purchase his apps from the App Store. He then used these accounts to purchase his apps, driving up sales and his revenue.
In order to combat this type of security breach, iTunes will now require an extra step be taken by its customers. On accounts with saved credit card information, customers will need to enter their CCV code from the back of their card more frequently. That's it. Admittedly, this is not a full security overhaul, but the truth is that that would be unnecessary. The "hacked" accounts are more than likely victims of fishing attacks, as Apple has stated that their servers were unaffected by any kind of security breach.
Overall, the damage caused by this problem was minimal (assuming you are not one of the 400 accounts that were targeted). 400 accounts out of 150 million comes to roughly 0.0003% of accounts worldwide. This coupled with the fact that Nguyen and his apps have been banned from the App Store makes this a fairly open and shut case. For anyone who was affected by this fraud, Apple recommends that you contact your credit issuing agency about canceling your card and issuing a charge back for unauthorized transactions.
The "New" Paper Trail
These days, with threats of computer hackers stealing data to insurance companies "accidentally" publishing hundreds of thousands of peoples most sensitive information on the internet, data security is a very prevalent issue. A CBS news investigation recently turned up a new source of potential data leakage, the standard office copy machine.
 | | The "New" Paper Trail | |
Unknown by the majority of Americans, almost every single copier built since 2002 has an internal hard drive which stores a digital copy of each document copied, scanned, or printed using the machine. This can be a useful feature for storing fax cover sheets and other commonly used documents. The problem comes when personal information is copied for office use. For example, doctors making copies of medical records, insurance companies making copies of claims information, or employers making copies of drivers licenses. Each time a copy is made, that information is stored in a way that is easily retrievable by anyone with access to the machine.
There are numerous rental services which rent out copiers to businesses with no set policies on dealing with this kind of security. Some offer to scrub the hard drive when it is returned, but they can charge up to $500 for the service. There are also refurbished copiers for sale containing data from any previous owners. At least in these cases, the owner has physical access to the machine to be able to take steps on their own, such as purchasing an encryption service for the internal hard drive, or their own data deletion tools. What is more worrisome are the copy and print shops where there are no guarantees on document security. Anything copied there is stored on their machines, where it is unlikely that any measures are taken to wipe the drives on a regular basis, if ever.
If your office handles private information, or anything else that doesn't need to be shared with others, steps should be taken to make sure that the information stored inside your copier is safe. There are usually services available from the manufacturers to have the data removed from the device after each job is completed, or at least encrypted, although this can significantly add to the cost of the machine.
Security Holes Fixed by iOS 4
Apple has released the newest version of the iPhone/iPod/iPad software, collectively known as iOS. Formerly known as iPhone OS, the new name is not the only change to be had with this update.
 | | Security Holes Fixed By IOS 4 | |
On Apple's website, there is a list of 64 security risks which have been fixed in this new version. The area of the operating system which was apparently the most vulnerable to security breaches is WebKit. WebKit is the browser engine which powers mobile safari on iDevices, and was the cause for 50 of the security patches. That's three quarters of the errors fixed. Of the security holes in WebKit, over half of them would allow "arbitrary code execution" which is a nice way of saying run a program on your device which could either harm your device or access your personal information, just by pointing your mobile browser at the wrong website.
There were 14 non-WebKit related security updates. Safari itself receives the blame for a few of these. There were problems with cookies being accepted when they should have been disabled. There were also issues with URLs during redirects between http and https sites. Furthermore, there were vulnerabilities when viewing "maliciously crafted" BMP, TIFF, and JPEG images. These images could cause data from Safari's memory to be sent to the web server or for more "arbitrary code execution" on the device.
Another severe security vulnerability relates to the passcode lock on iDevices. The first issue is with the Remote Lock via MobileMe. In this instance, the device must be unlocked due to receiving a text message or voicemail, then locked with Remote Lock. The next time the device is unlocked, the passcode will be displayed, thereby granting access to anyone who is in physical possession of said device. The other vulnerability comes in the form of pairing devices with a new computer. As it stands, this can only be done while unlocked. There is a chance for a race condition when the device is initially booted, if it was unlocked when shut down. This can allow the device to be paired with a new computer without unlocking the device first.
All of these issues have been fixed with the release of iOS 4. Now the only question is whether or not there will be more opportunities for these security holes to be exploited before the iPad version is released this fall, especially now that they have been published.
The History Of NSA Computers, Up Until 1964. Part III.
Recently a formerly classified document was declassified describing how the NSA used computers to crack codes.
In Part II, we covered the ATLAS II, the second type of computer used by the NSA for code cracking. The next computer built, ABNER, was very different from its predecessors.
After the Pendergrass Report was published in December of 1946, the Army Security Agency made plans to acquire a computer similar to the Navy's proposed ATLAS. In 1948, ASA analysts visited the three major computer installations currently in existence. The analysts performed experiments using different programming order codes. They concluded that four-address logic (RAYDAC and EDVAC) was preferred over one-address logic (ATLAS and UNIVAC). The ability to use binary notation was found to be a necessary requirement (this disqualified UNIVAC).
The Reeves Instrument Corporation provided the design of ABNER. Mercury delay lines with access time between 48 and 348 microseconds were used to compose a 1024 word memory bank. Basic logic was based on the EDVAC design of 16 four-address instructions and 45-bit words.
ABNER's memory was based on the idea that electric pulses would be converted to an analog acoustic signal that could travel through tubes of mercury that used amplifiers at the opposite end to reconstruct the analog wave into an electrical signal. This digital to analog conversion and subsequent analog to digital conversion allowed the storage of data as the signals moving through the mercury could only move at the speed of sound, much slower than electrical signals. A tank of mercury was a glass tube around two feet long. Two cabinets containing 64 mercury delay lines each made up the memory bank. Each tube was held eight words of 48 bits at one-megacycle-per-second with the aforementioned delay time of 384 microseconds.
ASA engineers worked closely with programmers to build ABNER. This allowed the ASA to incorporate new feature improvements as ABNER was constructed. This was preferred rather than waiting for the next successor computer. Paired stream comparison, data stream manipulation, and character transformations as modular additions were a few of the logic features added. Besides the new logic features, ABNER, had several input-output features including: a console with status lights, an input-output typewriter, a data conversion unit, punched card and punched paper-tape readers and punches, and it could utilized up to six magnetic tape drives.
The construction of ABNER took about two years. The first ABNER was delivered in 1951, followed by a second ABNER in 1955 using quartz instead of mercury for its memory banks. NSA engineers also constructed an clone of of ABNER's logical design, but with parallel circuits called BAKER. BAKER was a slow-speed analog of ABNER, based on the design of ATLAS I. Unfortunately, BAKER was never reliable enough to really use in training or debugging, but BAKER was a great achievement. It is thought however, that BAKER's use of parallel circuits to simulate a powerful serial computer should not have been attempted.
Next time, we'll cover more NSA computers of the past, the successors to ABNER and BAKER.
For more in depth reading see: http://www.governmentattic.org/3docs/NSA-HGPEDC_1964.pdf.
114,000 iPad 3G Owners' Email Addresses Exposed by ATandT
A group called Goatse Security was able to grab 114,067 personal email addresses of iPad buyers from ATandT's website.
 | | 114,000 IPad 3G Owners' Email Addresses Exposed By AT&T | |
Some of the Email addreses leaked include White House Chief of Staff Rahm Emanuel, New York City Mayer Michael Bloomberg, Diane Sawyer of ABC News, and many CEOs, CFO, and CTO's. A number of the email addresses exposed were even those of DARPA reesarchers and high-ranking military officials.
Each iPad comes with an ICC-ID or an "integrated circuit card identifier." The subscriber's SIM card and ICC-ID are linked to uniquely identify them. Normally this data would not be publicly accessible.
AT&T goofed big time and left a script on their website that allowed anyone to query it. If an ICC-ID was provided to the script, it responded with a the subscriber's email address. This script was intended to be used with AJAX apps, but obviously had no protections built in.
This lack of security allowed researchers to write a simple PHP script that used the iPad browser agent string to grab potentially millions of addresses. This would not have been possible with out all the pictures of iPad's online that helped them to guess the ICC-IDs. Like any exploit group that wants fame, these guys shared the script and corresponding info with many others like them before reporting the gaping security hole to AT&T.
So now Steve Jobs has a bit of a problem. Hundreds of thousands of customer's and potentially millions of email address have been made available to groups that could use them for malicious purposes. Not only that, but the iPad 3G looks rather unappealing now even if it was not Apple that was responsible for the breach.
If you bought an iPad 3G and have an email address that doesn't reveal your identity and a strong password for it, you might be safe. However, now is as good a time as any to change your email password to something stronger. Also, if your email is firstname.lastname@mysite.com or something similar, just be very cautious about who you open PDF's from and the links you click in emails. Its easier than you might think for criminals to target a victim with a specially crafted convincing email that appears to be from co-workers or friends.
References: http://security.goatse.fr/
The History Of NSA Computers, Up Until 1964. Part II.
Recently a formerly classified document was declassified describing how the NSA used computers to crack codes.
 | | The History Of NSA Computers, Up Until 1964. Part II | |
In Part I, we talked about ATLAS I. The NSA's first real computer. The successor to ATLAS I was named, appropriately enough, ATLAS II.
Even before ATLAS I arrived, ATLAS II's construction was being planned. ATLAS II had several important improvements over ATLAS I. Instead of drum storage, it had high speed electronic static storage in the amount of 1,024 words. The word size was 36 bits instead of ATLAS I's 24, two address logic instead of one, more sophisticated instruction code, and the basis of all computing today, input-output program controlled instructions. Having two-address logic instead of one was very powerful for computers of this age. The new instruction codes included another first, a 'repeat' instruction, some arithmetic instructions, a scaling factor ability, and index jumping capability.
There were actually two ATLAS II's. One arrived in October of 1953 and another in December of 1954. The second ATLAS II's only modification to the original design was the replacement of the electro-static tube memory with high-speed ferrite-core memory. In the planning of ATLAS II, the design had originally planned to use Raytheon magnetic-tape with one character per frame. But to conform to the established data representation that required three frames per character, the change was made to use three. Later, the NSA seems to have regretted this decision as they tried to redesign the magnetic-tape operations, but never succeeded in making the system more efficient.
The ATLAS II computers were very reliable systems for the most part, but the first ATLAS II required a bit more maintenance because of its electrostatic tube storage. The first UNIVAC commercial line of computers the 1101 and the 1103 were based on ATLAS I and ATLAS II respectively. The SOLO, the first transistorized computer, was based on ATLAS II. The two ATLAS II computers were taken out of operation in 1960 and 1962.
Next time, we'll cover the NSA's computers called ABNER and BAKER.
For more in depth reading see: http://www.governmentattic.org/3docs/NSA-HGPEDC_1964.pdf.
The SSL security model is falling apart at the seams
Can anyone with the right resources hijack your connection? If so then what good is SSL?
 | | The SSL Security Model Is Falling Apart At The Seams | |
It was only less than a year ago when Dan Kaminsky and Moxie Marlinspike wired.com showed just how easy it is to trick a Certificate Authority (CA) and a web browser into faking an SSL certificate by simply dropping a null character into the name to be registered. Simply placing a null character after the name of the site to fake as a sub-domain of the site before the real domain name would accomplish this. An example would be amazon.com\0.evildude.com. Even worse is the fact that ANYONE could just register what is called a wildcard domain, ex. *\0.evildude.com, and masquerade as any site on the Internet they pleased.
After that CA's cleaned up their act by stopping the issuance of such certificates but previously issued certs would continue to work until new versions of web browsers were released that would check for such flaws. Today we should all be safe from such attacks using modern web browsers, Firefox 3.5+ is not vulnerable to this type of attack, but the researchers example should make it quite clear that such a gaping hole in SSL security could happen again.
As if I could not rain down on the SSL parade any more, recently, a paper was released by Christopher Soghoian paranoia.dubfire.net detailing how governments, law enforcement, and potentially malicious entities can easily hijack SSL connections through coercion or even policy. As many governments have been given their own CA's so that they may control their own encryption needs they can just issue themselves a certificate for a real site and pretend to be that site. Then if a device existed to load that certificate onto that could be located between the victim to be spied on and the real site, then there's nothing stopping them from eavesdropping.
Such a device does exist. In fact, the only currently known commercial entity that produces them, called Packet Forensics, attempted to deny their existence for some time. For this to be true, it must mean two things. One, that through some means, coercion, theft, or otherwise, CA's are allowing such certificates to be collected and used on these devices. And two, that there must be a market for these type of devices. There may be other companies producing these devices as well that are just unknown to the general public.
So, there you have it, if you were paranoid about government spying before, then this should help push you over the edge. I'm not just talking about governments though, corporations, employers, family, ANYONE who can get their hands on such a device, or build one for that matter, and can buy, coerce, or steal the certificates needed to spy on their targets can do just that! On the other hand, I can hear the sound of new private eye shops opening up, based on this technology. Go-Go-Gadget SSL Circumvention!
"I still lock my doors even though I know how to pick the lock" - Matt Blaze, http://crypto.com/
-quoted from http://www.wired.com/threatlevel/2010/03/packet-forensics/
Avsim Hacker (Maybe) Brought Before Cops
Perhaps people who like to spend their spare time in the cockpits of imaginary F-16s should be left alone. The man in charge of a flight simulator site that was attacked claims to have identified the hacker and forwarded information to the authorities.
 | | Avsim Hacker (Maybe) Brought Before Cops | |
Avsim is one of the best-known flight sim communities in existence. It's been around for a long time, too. Unfortunately, a hacker managed to wipe about a decade's worth of modification info and forum posts from the site's servers back in May.
Now, though, Tom Allensworth, the publisher and CEO of Avsim, has told the BBC, "We . . . have incontrovertible evidence of the individual that performed the hack. We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case."
Allensworth is confident in the outcome, too, adding, "We fully expect that the criminal complaint . . . will result in the perpetrator spending some time behind bars - under UK law." (Since Avsim's located in the US, this means he's not pushing for extradition or anything of that sort.)
Neither London's Metropolitan Police Service nor the accused individual (who hasn't been publicly named) has made any comment yet.
Email Password Hackers Present Real Threat
The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.
 | | Email Password Hackers Present Real Threat | |
Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."
Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.
Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.
And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.
So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.
|
