<?xml version="1.0" encoding="iso-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>SecurityTeam.us</title>
<link>http://community.securityteam.us</link>
<description>Latest Headlines</description>
<managingEditor>noreply@securityteam.us</managingEditor>
<webMaster>noreply@securityteam.us</webMaster>
<copyright>Copyright 2007 SecurityTeam US</copyright>
<generator>GeekLog</generator>
<pubDate>Mon, 29 Oct 2007 10:12:15 -0400</pubDate>
<language>en-us</language>
<item>
<title>The Increasing Complexity of the New Spyware Landscape</title>
<link>http://community.securityteam.us/article.php/2007102909590829</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/2007102909590829</guid>
<pubDate>Mon, 29 Oct 2007 09:59:08 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/2007102909590829#comments</comments>
<dc:subject>Security News</dc:subject>
<description>The ubiquity of computers, particularly home computers, has led owners to treat them like refrigerators or toasters -- plugging them in, adjusting some initial settings, and using them until they break or until a different set of features is desired. This is a recipe for disaster because without education and the right security software, the end user doesn't stand a chance.
Spyware was originally designed to observe users' Internet usage patterns and deliver pop-up ads based on their individual browsing and shopping preferences. Now, although pop-up ads continue to be a nuisance, hackers are far more focused on spyware as crimeware: computer programs designed expressly to facilitate illegal activity online.

This change in approach is largely driven by monetary gain. Hackers, once satisfied with infamy as their reward, wrote viruses for little or no financial return. Now, it's all about the money. Criminal enterprises are willing to pay top dollar for the latest and greatest in spyware, and there is no shortage of programmers willing to participate.
The Painful Truth and What Lies Beneath

In the U.S., it is estimated that 80 percent of home computer users have some form of potentially unwanted software in their systems. Moreover, the longer spyware stays on a system undetected, the more data it can transmit back to its creators who, in turn, sell that personal information to other criminals. As such, it is essential that consumers protect themselves and their assets.

Programmers have come a long way since &amp;quot;plain vanilla&amp;quot; adware. Here are some of the most dangerous online threats used by cyber criminals today:

    * Botnets: A botnet is a collection of compromised, broadband-enabled PCs, hijacked during virus and worm attacks and infected with software that links them to a server where they receive &amp;quot;instructions&amp;quot; from a bot herder -- a criminal who controls the network.

      A computer can be &amp;quot;inducted&amp;quot; into a botnet, an army of computers that, although their owners are unaware of it, have been remotely configured to transmit spam or viruses to other computers via the Internet. The purpose of a botnet is to steal a small percentage of all of the &amp;quot;zombies'&amp;quot; computing power and use it in aggregate to distribute spam, launch denial of service attacks, install malicious software on ever more computers, or embed keyloggers, which capture sensitive data from infected computers.

      Worse, while the users' computing power is being stolen, their passwords, bank information and credit card numbers are also being stolen and sold repeatedly.

    * Phishing attacks: Phishing is a kind of e-mail fraud wherein the perpetrator sends out legitimate-looking e-mails, typically with links to fraudulent Web sites that appear to come from well known and trustworthy sources. Phishers attempt to gather personal and financial information for purposes of identity theft.

      Phishers can replicate Web sites and other branding of businesses, banks, merchants and credit card companies so well that an estimated 3 to 5 percent of recipients unknowingly furnish Phishers with data.

      Moreover, many Phishing sites host spyware. While these criminals are stealing identities, they are setting the PC up for future malicious activities.

    * Trojans (or back door programs): Trojans are designed to disrupt computer activity and send information to an unauthorized third party for the purposes of identity theft. This type of spyware attempts to gain complete control over computer systems. If a system is infected, there is virtually no limit to what these programs can do.

      While Trojans are not capable of spreading by themselves, some worms carry Trojans and use them to infect machines as they spread. Some of the functions that a remote access trojan can perform include: stealthily uploading and downloading files; making changes to the registry; deleting files; stealing passwords, account numbers and other personal identifiers and confidential information; logging keystrokes; and more.

      This technique works particularly well if a hacker has infiltrated legitimate Web sites, such as YouTube, MySpace and other sites where users let down their guard, thinking they are among like-minded &amp;quot;friends.&amp;quot;

    * Keyloggers: A keylogger is a hardware device or software program that records to a log file (usually encrypted) every keystroke the user makes. The log file created by the keylogger can then be sent to a specified third party. A keylogger can capture instant messages, e-mail and any information typed on a keyboard. Some keylogger programs also record e-mail addresses and Web site URLs.

      Although there are legitimate applications for keyloggers -- such as law enforcement monitoring criminals' activities, employers ensuring that employees use work computers for business purposes only, and parental supervision -- they are most often used to record personal data for identity theft and other fraudulent activities. Hackers can deliver keyloggers to unsuspecting users as a Trojan or as part of a worm or virus.

    * Browser exploits: Because it is the most widely used browser by far, Internet Explorer is a top target for hackers. Many Web sites rely on ActiveX, a Windows technology that enables Web sites to run programs on PCs. Once running on the system, an ActiveX control can perform the same tasks as other Windows applications, including opening files, connecting to a network and calling up other programs.

      Although security has been upgraded with Service Pack 2 and Internet Explorer 7, hackers will always find flaws; the size of the user base and therefore the number of users they can infect make finding exploits irresistible.

    * Rootkits: These malicious software programs can be used to gain unauthorized remote access to PCs and launch additional attacks. Rootkits can use many techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a back door into the system, and starting attacks against other computers on the network. Rootkits are generally organized into a set of tools programmed to target a particular operating system.

    * Malicious Web sites: Hackers are increasingly spreading spyware and other malicious code via infected Web sites rather than e-mail. Sometimes they create their own malicious Web sites -- sites on which users can become infected just by visiting. More often, they find exploits in legitimate Web sites and, without the site owners' knowledge, embed malicious code into the site.

      The sites most likely to infect include free adult sites, unauthorized celebrity sites, disreputable online pharmacies, free casinos, gaming and song lyrics sites.

    * Rogue antispyware: Posing as legitimate software applications, rogue antispyware programs typically offer free PC scans, ostensibly to detect spyware. The software generates false positives and displays alerts in order to scare the consumer into purchasing their product.

      Rogue antispyware makers usually deliver their offers via pop-up ads. Not only do these programs fail to remove spyware, but most will actually download spyware and other malicious software onto the PC. If purchased with a credit card, that information is compromised as well. Some common rogues are System Doctor, Spyhealer, SpyAxe, Winfixer and DriverCleaner. For a comprehensive list of rogue anti-spyware applications, see Spyware Warrior. 

Education and Protection

Most users do not understand the nature of today's threats and therefore cannot be on guard against them.

Prevention is the best way to cope with hacking and it starts with following these simple rules:

   1. With a wireless network, buy a router with a built-in firewall. The default settings should suffice for most users.

   2. Use good anti-spyware and anti-virus software. Make sure the anti-spyware blocks trojans and keyloggers.

   3. Make sure you are running the latest definitions (updates) of all your security software.

   4. Buy software only from reputable vendors.

   5. If a site prompts a software download in order to view it, don't.

   6. If a site prompts a codec install, don't.

   7. Ensure the wireless network is encrypted. The newest type of wireless encryption is WPA2.

   8. Do not click on links that are not identifiable (for example, URLs that are random strings of numbers).

   9. Store the URLs of favorite e-commerce sites in &amp;quot;Favorites&amp;quot; to reduce typing errors.

  10. Do not respond to e-mails from financial institutions or other businesses asking for personal information, especially passwords, account numbers or credit card numbers.

  11. Be vigilant! Hackers know that the weak link in the security chain is always the end-user, and they are counting on a lack of education and attention.

In Conclusion

Robust computer security requires strict maintenance, and safe surfing requires a firewall, anti-virus, anti-spyware and phishing protection. All this software needs to be updated continually with the latest definitions.

Users need to make sure their browsers and operating systems are running the latest security updates provided by the manufacturers. With good software protection and less than a half an hour a week of maintenance, anxious criminals will have difficulty accessing and exploiting vulnerabilities.

By Robert Scaduto
TechNewsWorld</description>
</item>
<item>
<title>Poisoned Web sites soar sixfold, Sophos says</title>
<link>http://community.securityteam.us/article.php/20070726082201368</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070726082201368</guid>
<pubDate>Thu, 26 Jul 2007 08:22:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20070726082201368#comments</comments>
<dc:subject>Security News</dc:subject>
<description>The number of infected Web pages has soared nearly sixfold since the first of the year, according to security company Sophos PLC.
Detailed in a just-released threat report, the spike shows just how widespread Web attacks have become, Sophos said today. In June, the company detected an average of almost 30,000 newly-infected pages each day; earlier in the year, the tally was as low as only 5,000 new pages daily.

The vast majority of pages serving up malicious content are in fact hosted on legitimate Web sites, Sophos also said. About 80% of all Web-based malware is on innocent, albeit compromised, sites.

A recent example: The June attacks launched from a collection of more than 10,000 legitimate Web sites, the bulk of them hosted on Italian servers. The servers were compromised using an unknown vulnerability, then loaded with Mpack, a multiple-exploit tool kit that hackers deploy to hijack PCs visiting those sites.

&amp;quot;It begs the question as to why Web hosts are not taking the necessary steps to properly secure their servers,&amp;quot; said Graham Cluley, senior technology consultant at Sophos, in a statement. &amp;quot;Simple measures such as keeping up to date with security patches will go a long way towards thwarting this problem; the fewer holes in server setups, the lower the risk of infection.

&amp;quot;Hosts not behaving responsibly must bite the bullet and take better care of their sites,&amp;quot; he said.

Just over half -- 51% -- of the infected sites are on servers powered by the Apache open-source Web server software, Sophos reported. Microsoft Corp.'s Internet Information Services (IIS) Web server, meanwhile, accounted for 34% of compromised or malicious systems. Both numbers are in line with Web server market share, according to the U.K.-based Internet measuring company Netcraft Ltd. Its figures put Apache at 50% of all servers, IIS at 35.5%.

&amp;quot;Malware is not just a Microsoft problem,&amp;quot; Cluley said.

The Italian incident, he continued, is a textbook example of a threat that targets and exploits all kinds of vulnerable sites, not just the usual suspects. &amp;quot;Web security solutions must go beyond blocking sites based simply on category,&amp;quot; Cluley said. &amp;quot;A gambling site may seem more of a threat, but sometimes the most innocuous-sounding site can pose the greatest danger.&amp;quot;

Sophos' threat report is available online (download PDF).
&lt;a href=&quot;http://www.sophos.com/reportjul2007&quot;&gt;http://www.sophos.com/reportjul2007&lt;/a&gt;

Gregg Keizer, ComputerWorld</description>
</item>
<item>
<title>IPhone Flaw Lets Hackers Take Over, Security Firm Says</title>
<link>http://community.securityteam.us/article.php/20070723090425582</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070723090425582</guid>
<pubDate>Mon, 23 Jul 2007 09:04:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20070723090425582#comments</comments>
<dc:subject>Apple</dc:subject>
<description>A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device. The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain. 
 Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem.

A spokeswoman for Apple, Lynn Fox, said, “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”

“We’re looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security,” she said.

There is no evidence that this flaw had been exploited or that users had been affected.

Dr. Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.

Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.

“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.

Steven M. Bellovin, a professor of computer science at Columbia University, said, “This looks like a very genuine hack.” Mr. Bellovin, who was for many years a computer security expert at AT&amp;amp;T Labs Research, said the vulnerability of the iPhone was an inevitable result of the long-anticipated convergence of computing and telephony.

“We’ve been hearing for a few years now that viruses and worms were going to be a problem on cellphones as they became a little more powerful, and we’re there,” he said. The iPhone is a full-fledged computer, he noted, “and sure enough, it’s got computer-grade problems.”

He said he suspected that phones based on the Windows mobile operating system would be similarly “attackable,” though he had not yet heard of any attacks.

“It’s not the end of the world; it’s not the end of the iPhone,” he said, any more than the regular revelations of vulnerabilities in computer browser software have killed off computing. “It is a sign that you cannot let down your guard. It is a sign that we need to build software and systems better.”

Details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at &lt;a href=&quot;http://www.exploitingiphone.com&quot;&gt;www.exploitingiphone.com&lt;/a&gt;, which the researchers said would be unveiled today.

Hackers around the world have been trying to unveil the secrets of the iPhone since its release last month; most have focused their efforts on unlocking the phone from its sole wireless provider, AT&amp;amp;T, and getting unauthorized programs to run on it. The iPhone is a closed system that cannot accept outside programs and can be used only with the AT&amp;amp;T wireless network.

Some of those hackers have posted bulletins of their progress on the Web. A posting went up on Friday that a hacker going by the name of “Nigh*censored*ch” had created and started an independent program on the phone.

The Independent Security Evaluators researchers were able to crack the phone’s software in a week, said Aviel D. Rubin, the firm’s founder and the technical director of the Information Security Institute at Johns Hopkins University. Mr. Rubin, who bought an iPhone the day after the cellphone was released, said in an interview that he had approached three colleagues, Dr. Miller, Joshua Mason and Jake Honoroff, and offered them an enticing prize if they would try to crack the iPhone. “I told the guys I would buy them iPhones.”

Dr. Miller had already been exploring weaknesses in the computer versions of Safari, Apple’s Web browser, and was planning to reveal that vulnerability, a relatively common kind of flaw known as a buffer overflow, at the Black Hat computer security conference next month. Dr. Miller instantly thought to see whether the phone, which uses a version of Safari, would be as vulnerable.

Mr. Rubin said the research was not intended to show that the iPhone was necessarily more vulnerable to hacking than other phones, or that Apple products were less secure than those from other companies. “Anything as complex as a computer — which is what this phone is — is going to have vulnerabilities,” he said.

There are far more viruses, worms and other malicious software affecting Windows systems than Apple systems. But Mr. Rubin said that Apple products have drawn fewer attacks because the computers have fewer users, and hackers reach for the greatest impact.

“Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows,” he said. “The other 5 percent have enjoyed a honeymoon that will eventually come to an end.”

The iPhone is becoming a victim of its own success, he said. “The irony is that the more popular something is, the more insecure it becomes, because popularity paints a large target on its back.”

Mr. Rubin said his goal was to discover vulnerabilities and warn of them so that companies would strengthen their products and consumers would not be lulled into thinking that the technology they use was completely secure.

Mr. Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed.

“You’d have to pry it out of my cold, dead hands to get it away from me,” he said. 

By JOHN SCHWARTZ, The New York Times</description>
</item>
<item>
<title>Microsoft falls victim to shady 'scareware'</title>
<link>http://community.securityteam.us/article.php/20070220154311808</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070220154311808</guid>
<pubDate>Tue, 20 Feb 2007 15:43:11 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20070220154311808#comments</comments>
<dc:subject>Microsoft</dc:subject>
<description>Microsoft said it moved quickly to remove a banner advertisement that appeared on its instant-messaging program for a software application that falsely hypes security threats on a user's computer.
&amp;quot;We immediately investigated the reports and removed the offending ads, as this is a violation of our ad-serving policy,&amp;quot; wrote Microsoft spokeswoman Whitney Burk, in an e-mail Tuesday.

Last week, computer security analysts noticed two advertisements for Winfixer -- a self-described security program that also goes by the name ErrorSafe -- on Windows Live Messenger.

Security companies have labeled it as a &amp;quot;potentially unwanted program.&amp;quot; They believe the program falsely alerts users to problems with their computer and encourages them to purchase the application. It falls into an informally named category of program called &amp;quot;scareware,&amp;quot; whose creators try to bully users into downloading their program or face problems with their computer.

Microsoft, which called Winfixer &amp;quot;malware,&amp;quot; did not detail how the ads appeared. However, the Center for Democracy and Technology (CDT), a civil liberties and consumer group in Washington, D.C., has investigated how questionable ads promoting spyware and other malicious software have appeared on ad networks.

The incident highlights how even a well-resourced company such as Microsoft can be vulnerable to the vagaries of complex associations of Internet advertising networks.

&amp;quot;There are often a host of parties involved in the advertising chain, making it difficult to track the journey an advertisement takes from its original source to a user's computer,&amp;quot; according to a CDT report released last year.

It's extremely hard to police advertisements, as the organizations which supply them could suddenly substitute new ones, said Graham Cluley, senior technology consultant for Sophos, a security software company.

&amp;quot;There remains a risk that advertisements may be vetted and approved when first placed with an advertising network only to be later 'updated' to advertise less savory products,&amp;quot; Cluley said. &amp;quot;This isn't just a problem for Microsoft, it's a problem for any company which is delivering advertisements to its userbase.&amp;quot;

The U.S. Federal Trade Commission (FTC) has undertaken several actions against companies that have created special programs designed to exploit security vulnerabilities in computers, that -- like Winfixer -- purport to repair the machine.

The Winfixer incident sparks concerns over user security and could be especially important for Microsoft. The company seeks to use advertising to subsidize the cost for free services such as Windows Live Mail, formerly Hotmail, and other Web-based services it's using to compete with online offerings from Google.

&amp;quot;For years I have been holding up MSN Messenger banner advertisements as an example of how advertisements can be safely served up to end users without putting them at risk of malware,&amp;quot; wrote Sandi Hardmeier, a Microsoft Most Valued Professional and specialist in Internet Explorer, on her blog. &amp;quot;Now, everything has changed. This simply shouldn't have happened.&amp;quot;

Winfixer, which sells for around $39.95, has a shady history, experts say. It's a persistent program, constantly popping up on newly-created domains under various aliases, including ErrorSafe, WinAntiVirus and DriveCleaner, said Chris Boyd, security research manager for FaceTime Communications.

The changing names and versions are hard to keep up with for security analysts, let alone for ad network managers who may have no idea of the true nature of the program, Boyd said.

&amp;quot;The suspicions are that it [Winfixer] is a quite sophisticated operation,&amp;quot; Boyd said.

At one time, Winfixer was one of several bad programs installed in a bundle by hackers on vulnerable machines, wrote Ben Edelman, a malware researcher and doctoral candidate at Harvard University, on his Web site.

The hackers exploited the Windows Metafile (WMF) problem, a particularly dangerous security hole that appeared in December 2005 and prompted Microsoft to hurriedly issue an off-schedule patch.

As always, users should be careful. &amp;quot;The responsibility ultimately falls on the users to be wary of advertisements which may be selling inappropriate or potentially damaging -- to data or finances -- goods,&amp;quot; Cluley said. 

By Jeremy Kirk, IDG News Service</description>
</item>
<item>
<title>Chinese hackers assault US systems</title>
<link>http://community.securityteam.us/article.php/20070220153411817</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070220153411817</guid>
<pubDate>Tue, 20 Feb 2007 15:34:11 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20070220153411817#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Attacks by Chinese hackers on US military computer infrastructure have reached the level of sustained cyber-warfare, and are likely to be government-backed, a senior US Navy official said last week.
The Naval Network Warfare Command official, who spoke on condition of anonymity, said that Chinese attacks far outnumber those from any other nation in frequency and sophistication, according to a report in Federal Computer Week.

&amp;quot;They will exploit anything and everything,&amp;quot; the official said, according to the report. The attacks are so deliberate that &amp;quot;it's hard to believe it's not government-driven&amp;quot;.

The report is the latest warning on the vulnerability of government systems to organised attacks from China. The most serious such attack against UK government targets occurred at the end of 2005, when messages exploiting an unpatched Windows WMF flaw were sent to around 70 recipients in parliament and other parts of the government. The attacks were later traced back to China, though government involvement was never confirmed.

Earlier this month, the Ministry of Defence admitted its systems have been penetrated at least nine times since 2002, with five of the successful attacks taking place last year.

The government did not say whether China was involved in those attacks, but China is the largest single source of malicious software designed to covertly infiltrate systems - according to Sophos, 30 percent of such malware originates in China.

The MoD said it had taken steps to avert further attacks. &amp;quot;We focus on those attacks which have penetrated our gateways and have triggered incident-response actions designed to limit any damage and reduce risk of a recurrence,&amp;quot; the ministry said in a statement.

Beginning in 2003, US defence agencies have been the target of a series of intrusions, code-named Titan Rain, that was traced to a team of researchers in Guangdong Province. Titan Rain was first reported publicly in 2005, and is still ongoing, according to Federal Computer Week.

In November 2006 another attack originating from China disabled the Naval War College's network, according to the report.

In a recent speech at the Air Warfare Symposium, Gen. James Cartwright, commander of the Strategic Command (Stratcom), said US strategy around internet warfare is hobbled by poor coordination among offensive, defensive and reconnaissance efforts.

By Matthew Broersma, Techworld</description>
</item>
<item>
<title>TomTom points the way to malware</title>
<link>http://community.securityteam.us/article.php/20070129154433637</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070129154433637</guid>
<pubDate>Mon, 29 Jan 2007 15:44:33 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20070129154433637#comments</comments>
<dc:subject>Web Appliances/Devices</dc:subject>
<description>A number of TomTom GO 910 satellite navigation devices have been shipped with pre-installed malware, according to internet reports. 
TomTom's Linux-based sat-nav devices carry software that activates when connected to a Windows PC using USB, according to antivirus firm Sophos. 

Graham Cluley, senior technology consultant at Sophos, said that there was currently no advisory on TomTom's website despite the reports.

&amp;quot;There are a number of postings on the internet from TomTom purchasers asking for advice about the viruses going back as far as September 2006, but they are the lucky ones who were running an antivirus product and caught the infection before it could cause too much harm,&amp;quot; said Cluley.

&amp;quot;What's more worrying is that there may be many innocent consumers out there who are unaware they have passed an infection onto their Windows PC.&amp;quot;

Cluley said that floppy disks, CD ROMs, USB keys, external hard drives and other devices were all capable of carrying malicious code that could infect computers, and recommended that any storage device is checked for virus and other malware before use.

In October last year it was discovered that some Apple video iPods shipped with the Troj/Bdoor-DIJ Trojan, and the Japanese subsidiary of McDonald's recalled 10,000 MP3 players after discovering that they contained a spyware Trojan.

Matt Chapman, vnunet.com</description>
</item>
<item>
<title> US, China behind two-thirds of computer security threats</title>
<link>http://community.securityteam.us/article.php/20070123100253518</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070123100253518</guid>
<pubDate>Tue, 23 Jan 2007 10:02:53 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20070123100253518#comments</comments>
<dc:subject>Security News</dc:subject>
<description>The United States and China host nearly two-thirds of spam, viruses and other computer security threats delivered around the world in 2006.
Computer security firm Sophos said 34.2 percent of the so-called malware last year originated from the United States, with 31 percent from China. Russia was third, accounting for 9.5 percent of the threats.

&amp;quot;The enormous number of computers based in North America probably makes it no surprise that the US heads the list, and is hosting over a third of all websites containing malicious code,&amp;quot; the report said Monday.

Sophos said it identified 207,684 different threats, ranging from spam, viruses and &amp;quot;trojans&amp;quot; that download programs to infect computers, to &amp;quot;ransomware&amp;quot; designed to &amp;quot;kidnap&amp;quot; data by encrypting it, and provide the password once a ransom has been paid.

The report said 90 percent of all spam is now relayed from &amp;quot;zombie computers&amp;quot; infected with some kind of malicious code.

Sophos said its &amp;quot;dirty dozen&amp;quot; list of worst spam-relaying nations was again headed by the United States, accounting for 22 percent of the spam sent worldwide.

China was second with 15.9 percent, followed by South Korea (7.4 percent), France (5.4 percent), Spain (5.1 percent), Poland (4.5 percent), Brazil (3.5 percent), Italy (3.2 percent), Germany (3.0 percent), Britain (1.9 percent) and Russia and Taiwan (each with 1.8 percent).

Sophos noted however that because spam is mostly relayed from zombie computers, the relaying PC does not need to be based in the same country as the computers being used to send the spam.

Sophos predicts that 2007 is likely to see a significant shift away from the use of e-mail security threats, with cyber criminals instead looking to infect computers through contaminated websites.

&amp;quot;The number of websites being infected with malware is on the rise,&amp;quot; the report said. &amp;quot;SophosLabs is currently uncovering an average of 5,000 new URLs hosting malicious code each day.&amp;quot;

© 2007 AFP</description>
</item>
<item>
<title>Cross-Site (XSS) flaw found in GMail</title>
<link>http://community.securityteam.us/article.php/20070102150551171</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20070102150551171</guid>
<pubDate>Tue, 02 Jan 2007 15:05:51 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20070102150551171#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A serious flaw has been discovered in Google's free email service that allows hackers to steal users' entire contact lists.
To exploit the flaw, the hacker would add a piece of code to their website server, which in turn gives them access to the Gmail contacts of passing browsers, so long as those users were also signed in to their Gmail account in another window.

The hacker could then add the stolen contacts to an email spam database, or sell them to other spammers.

Gmail, the third most popular free web-based email service, has been embraced by both personal and business users alike, largely because it allows for easy access to messages from any computer worldwide.

Google's security team appeared to have fixed the flaw within hours, but various subsequent reports suggested the fix didn't address the full extent of the issue.

Further, it is understood that spammers were exploiting the security hole for quite some time before it was discovered.

The simplest way to avoid being exposed is to sign out of Gmail when it is not in use.

News of the flaw came just days after another, separate Gmail security issue was revealed. From late December, some Gmail users - 60, according to Google - logged in to their accounts to find all of their emails and contacts had been automatically deleted.

User complaints soon flooded Google's Gmail support discussion board, but some of the lost data could not be retrieved.

Google was then forced to work with each affected user to help them restore their messages from any personal backups they may have made.

But it is not just Gmail security flaws that have been detrimental to Google's goodwill leading into 2007. It has also been accused of monopolistic behaviour, through listing its own products at the very top of search results for terms such as &amp;quot;calendar&amp;quot;, &amp;quot;blog&amp;quot; and &amp;quot;photo sharing&amp;quot;.

This practice is shared with other internet search providers such as Yahoo and Ask, but Google's actions in particular have caught the ire of internet users who expect the company to live up to its idealistic corporate motto - &amp;quot;Don't be evil&amp;quot;.

Most notably, Blake Ross, a co-founder of the Firefox web browser, last week criticised Google in his blog, suggesting it had lost its moral compass.

Matt Cutts, head of Google's webspam team, responded to Mr Ross' claims on his own blog. Surprisingly, he agreed with many of Mr Ross' conclusions.

&amp;quot;I'd remove these tips or scale them way back by making sure that they are very relevant and targeted,&amp;quot; Mr Cutts wrote.

Google also came under fire last month when it was accused of manipulating the results of its top 10 search term list, published yearly.

Google later clarified that the list was compiled based on changes in the most popular searches on a year-to-year basis. Generic and offensive terms were not included.

Technology industry commentators have suggested that, when combined, the relatively minor issues could have a profound effect on Google's public perception, which has remained largely untainted since the company's inception.

&amp;quot;This subtle shift in public attitude could signal a tidal wave of negativity down the road,&amp;quot; said Michael Arrington, author of the popular TechCrunch blog.

By: Asher Moses, The Age</description>
</item>
<item>
<title>Security flaw found in MS Word</title>
<link>http://community.securityteam.us/article.php/20061207105353475</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20061207105353475</guid>
<pubDate>Thu, 07 Dec 2006 10:53:53 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20061207105353475#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A newly disclosed flaw in Microsoft Word could let malicious hackers take control of victims' computers by sending them e-mail with a Word document attached.
Microsoft Corp. informed computer users of the problem Tuesday, though the company classified it as a security &amp;quot;advisory.&amp;quot; That makes it a less urgent warning than other security disclosures, though the company is investigating attacks that exploited the vulnerability.

As of Wednesday evening, the company had not released a patch to fix the problem.

The vulnerability affects versions of Microsoft Word sold from 2000 through 2006. Microsoft Word 2007, which is currently available only to businesses, is not vulnerable, the company said.

To fall prey, a computer user would have to open a Word document attached to an e-mail. Microsoft advised people not to open or save attachments from unknown correspondents. Security experts consider that standard e-mail advice under any circumstances, but Microsoft also suggested rejecting unsolicited attachments even from friends and colleagues.

This vulnerability appeared no more dangerous than other flaws that have emerged previously in Microsoft Office applications, said Dan Hubbard, vice president of security research at Websense Inc.

Even so, the threat is worth taking seriously, said Justin Bingham, chief technology officer for network monitoring company Intrusic Inc.

He noted that it would be very easy for a con artist to call someone in a company, state a legitimate-sounding pretense - posing as a vendor or a jobseeker, for example - and then send an e-mail with a benign-seeming Word attachment that exploited the security hole.

&amp;quot;The gravity of this problem is very big,&amp;quot; he said. He added that when Microsoft issues a patch for the security hole, companies should install it immediately rather than waiting until their next regularly scheduled update.

By Associated Press</description>
</item>
<item>
<title>Wi-Fi hijack risk for Macs</title>
<link>http://community.securityteam.us/article.php/20060922094855924</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20060922094855924</guid>
<pubDate>Fri, 22 Sep 2006 09:48:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20060922094855924#comments</comments>
<dc:subject>Wi-Fi</dc:subject>
<description>A trio of security flaws in Apple software that runs wireless-networking hardware could allow Macs to be hijacked over Wi-Fi, Apple said on Thursday.
The Mac maker released security updates to repair the problems, which together affect the AirPort wireless driver in Mac OS X 10 Panther version 10.3.9 and Mac OS X Tiger 10.4.7, according to Apple's security alert. Both Intel-based and Power PC-based versions of the Mac operating system are affected, on regular computers as well as on servers, it said.

Apple said in the alert describing one of the flaws: &amp;quot;Attackers on the wireless network may cause arbitrary code execution.&amp;quot; 'Arbitrary code execution' means the intruder can commandeer the system. The other two flaws allow the same type of compromise but can also cause system crashes or, in one case, privilege escalation, it added.

There are no known exploits for the vulnerabilities addressed by the update, Apple said. This means Mac users should not be under immediate threat of attack.

Apple's security patches come a month after security researchers at SecureWorks demonstrated at the Black Hat security confab how an attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer. They showed a video of a successful attack on an Apple MacBook.

The researchers used a third-party wireless card in the MacBook for their demonstration but said the AirPort wireless technology built into the laptop was also vulnerable, creating controversy in the Apple community.

In a statement released after Black Hat in August, Apple critiqued SecureWorks for saying Macs were insecure. A company representative said at the time: &amp;quot;Despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is.&amp;quot;

But Apple's security patches are not related to the Black Hat presentation, a company representative said on Thursday. Instead, the company itself hunted for bugs in its wireless software and uncovered the vulnerabilities, according to the representative.

The representative said: &amp;quot;In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs. They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit.

&amp;quot;Today's update pre-emptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.&amp;quot; 

A SecureWorks representative did not have an immediate comment.

The three vulnerabilities addressed by Apple all have to do with how the AirPort wireless driver handles &amp;quot;frames&amp;quot;. An attacker could exploit the flaw by crafting a malicious frame and making it available on a wireless network used by vulnerable Macs, Apple said.

The first of the flaws, identified by CVE-2006-3507, affects Power Mac, PowerBook, iMac, Mac Pro, Xserve and Power PC-based Mac Minis equipped with wireless capabilities. The second issue, identified by CVE-2006-3508, impacts Intel-based Mac Mini, MacBook and MacBook Pro computers equipped with wireless. CVE, or common vulnerabilities and exposures, is a list that provides an index of standardised names for vulnerabilities.

The third problem, identified by CVE-2006-3509, is specific to how the AirPort wireless driver interacts with third-party wireless software, according to Apple. It also impacts Intel-based Mac Mini, MacBook and MacBook Pro systems equipped with wireless.

Apple did not list the iBook on its list of affected systems but it also did not mention the iBook as one of the machines not affected by any of the three flaws.

The Mac OS security updates are available via Apple's software update utility in the operating system, and from Apple's download site. Only one update is required, and the utility will present the applicable fix, Apple said. 

By Joris Evers, CNET News</description>
</item>
<item>
<title>Spot a Bug, Go to Jail</title>
<link>http://community.securityteam.us/article.php/2006051019405643</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/2006051019405643</guid>
<pubDate>Wed, 10 May 2006 19:40:56 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/2006051019405643#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.
On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.

The incident might have ended there, but didn't.

The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.

Will they ever learn? In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes.

In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.

Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.

The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.

Likely, they will point to the fact that McCarty copied some applicant records. &amp;quot;It wasn't that he could access the database and showed that it could be bypassed,&amp;quot; Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. &amp;quot;He went beyond that and gained additional information regarding the personal records of the applicant.&amp;quot;

But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department.

The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage.

What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another &amp;quot;are you there?&amp;quot; -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also &amp;quot;accessing&amp;quot; every computer in between that helps transmit my message.

That means the law frequently rests on the definition of &amp;quot;authorization.&amp;quot; Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.

One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized. A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court.

What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him. Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks.

This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution.

One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure. As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws.

By Jennifer Granick, Wired News</description>
</item>
<item>
<title>Computer researchers warn of powerful new Internet attacks</title>
<link>http://community.securityteam.us/article.php/20060320164124803</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20060320164124803</guid>
<pubDate>Mon, 20 Mar 2006 16:41:24 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20060320164124803#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Security researchers are warning about a new variety of unusually powerful Internet attacks that can overwhelm popular websites and disrupt e-mails by exploiting the computers that help manage global Internet traffic.
First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope. In one of the early cases examined, the unknown assailant apparently seized control of an Internet name server in South Africa and deliberately corrupted its contents.

Name servers are specialized computers that help direct Internet traffic to its destinations.

The attacker then sent falsified requests to the compromised directory computer, which unleashed overwhelming floods of amplified data aimed wherever the attacker wanted.

Experts traced at least 1,500 attacks that briefly shut down commercial websites, large Internet providers and leading Internet infrastructure companies during a period of weeks. The attacks were so targeted that most Internet users did not notice widespread effects.

Ken Silva, the chief security officer for VeriSign Inc., compared the scale of attacks to the damage caused in October 2002 when nine of the 13 computer &amp;quot;root&amp;quot; servers that manage global Internet traffic were crippled by a powerful electronic attack. VeriSign operates two of the 13 root server computers, but its machines were unaffected.

&amp;quot;This is significantly larger than what we saw in 2002, by an order of magnitude,&amp;quot; Silva said.

Silva said the attacks earlier this year used only about six per cent of the more than one million name servers across the Internet to flood victim networks. Still, the attacks in some cases exceeded eight gigabits per second, indicating a remarkably powerful electronic assault.

&amp;quot;This would be the Katrina of Internet storms,&amp;quot; Silva said.

The U.S. Computer Emergency Readiness Team, a partnership with the Homeland Security Department, warned network engineers in December to properly configure their name servers to prevent hackers from using them in attacks. It called the attacks &amp;quot;troublesome&amp;quot; because name servers must operate to help direct Internet traffic.

Experts call the attack technique a &amp;quot;distributed reflector denial of service.&amp;quot;
Ted Bridis, Canadian Press</description>
</item>
<item>
<title>Arbor Networks stops DDoS attacks against broadband sites in the Netherlands</title>
<link>http://community.securityteam.us/article.php/20060309122039436</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20060309122039436</guid>
<pubDate>Thu, 09 Mar 2006 12:20:39 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20060309122039436#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Arbor Networks has tracked a malicious botnet that has been trying to wreak havoc against broadband sites hosted in the Netherlands.
The Arbor security team decoded the botnet on 1st March and, after logging its activities, correlated a series of distributed denial of service (DDoS) attacks against broadband sites hosted in the Netherlands as having emanated from the network of compromised hosts. The Arbor security team contacted the Dutch Computer Emergency Response Team (CERT), GOVCERT.NL, the next day and provided them with all the gathered intelligence to assist in the shutdown of the botnet.

Bot software often employs the Internet Relay Chat (IRC) network protocol to communicate. The IRC server - likely a compromised host - that was used in these attacks resides on a network hosted in the Netherlands. During the Arbor security team's analysis of the botnet, data was discovered suggesting that the botnet &amp;quot;controller&amp;quot; was either an individual or group of individuals who spoke Dutch, and were employing Arabic-named IRC channels, usernames and passwords to control the botnet.

courtesy: SecurityPark.net</description>
</item>
<item>
<title>Mac OS X hacked in under 30 minutes</title>
<link>http://community.securityteam.us/article.php/200603061443505</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/200603061443505</guid>
<pubDate>Mon, 06 Mar 2006 14:43:00 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/200603061443505#comments</comments>
<dc:subject>Apple</dc:subject>
<description>Gaining root access to a Mac is &amp;quot;easy pickings,&amp;quot; according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability.
On Feb. 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the &amp;quot;rm-my-mac&amp;quot; competition was over. The challenger posted this message on his Web site: &amp;quot;This sucks. Six hours later this poor little Mac was owned and this page got defaced.&amp;quot;

The hacker who won the challenge, who asked ZDNet Australia to identify him only as &amp;quot;gwerdna,&amp;quot; said he gained root control of the Mac in less than 30 minutes.

&amp;quot;It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain misconfigurations and other obvious things but then I decided to use some unpublished exploits--of which there are a lot for Mac OS X,&amp;quot; gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.

&amp;quot;The rm-my-mac challenge was set up similar to how you would have a Mac acting as a server--with various remote services running and local access to users. There are various Mac OS X hardening guides out there that could have been used to harden the machine, however, it wouldn't have stopped the vulnerability I used to gain access.

&amp;quot;There are only limited things you can do with unknown and unpublished vulnerabilities. One is to use additional hardening patches--good examples for Linux are the PaX patch and the grsecurity patches. They provide numerous hardening options on the system, and implement non-executable memory, which prevent memory based corruption exploits,&amp;quot; gwerdna said.

Gwerdna concluded that OS X contains &amp;quot;easy pickings&amp;quot; when it comes to vulnerabilities that could allow hackers to break into Apple's operating system.

&amp;quot;Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders,&amp;quot; gwerdna added.

Apple's OS X has come under fire in recent weeks with the appearance of two viruses and a number of serious security flaws, which have since been patched by the Mac maker.

In January, security researcher Neil Archibald, who has already been credited with finding numerous vulnerabilities in OS X, told ZDNet Australia that he knows of numerous security vulnerabilities in Apple's operating system that could be exploited by attackers.

&amp;quot;The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms...If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems,&amp;quot; said Archibald at the time.

An Apple Australia representative said Monday the company was unable to comment at this stage. Apple in the U.S. could not be reached for comment.

Munir Kotadia of ZDNet Australia
CNet News</description>
</item>
<item>
<title>PHP Apps A Growing Target for Hackers</title>
<link>http://community.securityteam.us/article.php/20060202120739954</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20060202120739954</guid>
<pubDate>Thu, 02 Feb 2006 12:07:00 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20060202120739954#comments</comments>
<dc:subject>Application Software</dc:subject>
<description>Security holes in PHP-based content management and forum apps are an increasingly active front in Internet security, as hackers target unpatched weaknesses.
The latest example is Monday's hack of chip maker AMD's customer support forums, in which an older version of Invision Power Board was compromised and used to distribute malware using the Windows Metafile (WMF) exploit.

While Windows flaws like the WMF vulnerability are useful to hackers assembling armies of compromised desktop computers, security holes in PHP applications provide access to more powerful servers hooked directly to high-speed network connections.

Internet criminals have targeted unpatched vulnerabilities in open source CMS apps including phpBB, PostNuke, Mambo, Drupal and others, hoping to build botnets for use in phishing scams and distributed denial of service (DDoS) attacks. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005 (as noted in our Year in Phishing roundup).

The DDoS capabilities of server-based zombies were demonstrated in a December attack by a large botnet of Linux machines, in which attackers flooded their target with more than 6 gigabytes of data per second. Hosting providers with multiple IP addresses being used in the botnet included Level 3, Savvis, AT&amp;amp;T WorldNet, 1&amp;amp;1 Internet, Interland and The Planet. The network used in the December attack was assembled by exploiting known security holes, including a vulnerability in the Limbo CMS that had been patched at least six weeks earlier.

The growth of PHP-based content management systems is a testimony to the success of the open source movement, which has created a lengthy list of powerful, user-friendly applications that can be installed by web site operators with little or no PHP coding experience. Active support communities for these projects offer templates and mods for easy customization, and mobilize to deploy fixes for security holes.

But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.

Some programs with consistent security problems continue to grow in popularity. The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts. The MSN search engine recently began returning no results for the search term &amp;quot;phpBB&amp;quot; to deter hacker scans. That hasn't prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.

Most of the security issues with PHP-driven programs are found not in PHP itself, but rather in the libraries and applications built atop the server-side scripting language. The most widespread of these, a flaw in XML-RPC libraries identified in July, affected a lengthy list of popular programs including WordPress, Drupal, PostNuke, Serendipity, phpAdsNew and phpWiki. More than four months later, hackers were actively targeting the flaw.

Netcraft provides security monitoring of dedicated servers as well as web application security testing that can identify outdated software and other common security risks on networks.

Netcraft News</description>
</item>
<item>
<title>ISF Warns Of Spit And Other New Security Threats From VoIP</title>
<link>http://community.securityteam.us/article.php/20051212075028565</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20051212075028565</guid>
<pubDate>Mon, 12 Dec 2005 07:50:00 -0500</pubDate>
<comments>http://community.securityteam.us/article.php/20051212075028565#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A new report from the Information Security Forum (ISF) warns that along with the existing security problems of IP networks, VoIP will present new and more sophisticated threats, such as caller ID spoofing, voice modifiers, SPIT (spam over Internet telephony) and packet injection.
With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identity theft and loss of sensitive information.

With a combination of caller ID spoofing and freely available voice modification software, it is relatively easy to pose convincingly as someone else, much as with web site spoofing and phishing. But the ISF believes that one of the most virulent problems posed by VoIP will come about as a direct result of the low cost of sending voice messages over the Internet. SPIT (spam over Internet telephony) could become a huge problem for companies. This could range from staff wasting time clearing unwanted voicemail messages to a total loss of service.

Other VoIP security issues highlighted in the ISF report range from redirection of calls and packet injection, where words are inserted into the data stream mid-conversation, to the interception of sensitive voice traffic in transit and theft of VoIP bandwidth.

In surveying ISF members to research the report, concerns were also expressed that as VoIP becomes more popular, organised criminals will turn their attention to sabotaging businesses by disabling phone systems through DoS attacks or spreading malicious viruses or worms. The problems of poor quality transmission and loss of service are gradually being overcome, which is expected to lead to more widespread adoption and reliance on VoIP in the future. This trend is also being driven by cost savings, improved functionality, ease of access and low cost of entry. 

&amp;quot;Although VoIP is being increasingly used in the home environment, most businesses are still reliant on the Public Switched Telephone Network,&amp;quot; said Nick Frost, Consultant at the ISF. &amp;quot;We take it for granted but it is extremely resilient, something that VoIP cannot currently deliver. But it is inevitable that eventually VoIP will take over as the voice service of choice, bringing with it these additional new security risks.&amp;quot;

This latest ISF report along with over 150 authoritative reports on information security issues is available to ISF members.</description>
</item>
<item>
<title>Hackers, Scammers Hide Malicious JavaScript On Web Sites</title>
<link>http://community.securityteam.us/article.php/2005102016140028</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/2005102016140028</guid>
<pubDate>Thu, 20 Oct 2005 16:14:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/2005102016140028#comments</comments>
<dc:subject>Security News</dc:subject>
<description>Hackers and scammers have suddenly turned to a new technique to hide malicious JavaScript on compromised or criminal sites, a security researcher said Thursday.
According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of &amp;quot;JS/Wonka&amp;quot; has spread wildly in the last few weeks.

&amp;quot;For whatever reason, the number has just skyrocketed since the last of September,&amp;quot; said Hubbard. &amp;quot;There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites.&amp;quot;

It's not uncommon to see hackers and scammers try to hide their malicious JavaScript code, said Hubbard. They want the code to be invisible to both Internet users and site operators. But the scale Websense is seeing is unprecedented.

For the most part, the JS/Wonka routines rely on converting characters to and from their numeric Unicode code values. JavaScript has those conversions built in (String.fromCharCode and charCodeAt), so it's a small-footprint method that doesn't require much expertise on the part of the code writer.

Oftentimes the JavaScript code is hidden within an IFRAME whose width and height are set to zero, making it invisible to the naked eye. Internet Explorer has several IFRAME vulnerabilities -- both patched bugs and flaws reported but not yet patched -- which the attackers leverage.
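To make the technique concrete, here is an added example (not code from the Websense alert or from this article) of the static check a site operator can run over their own pages: it decodes the character-code and percent-escape loaders the article describes and flags any decoded payload that injects a zero-sized IFRAME. The sample page, the example.invalid URL and all function names are constructed for this illustration.

```python
import re
import sys

# Regexes for the two encodings the article describes: the argument list of
# String.fromCharCode(...) and a string literal passed to unescape(...).
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9\s,]+)\)", re.I)
UNESCAPE = re.compile(
    r"unescape\s*\(\s*(['\"])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|[^'\"])*)\1\s*\)", re.I)
# An IFRAME whose width or height is 0 is invisible to the visitor.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0['\"]?", re.I)


def decode_fromcharcode(arglist):
    """Turn '60,105,102' (the argument list of String.fromCharCode) back into text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arglist))


def decode_unescape(literal):
    """Apply JavaScript unescape(): %uXXXX -> UTF-16 code unit, %XX -> Latin-1 char."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def scan_page(html_text):
    """Return one finding per encoded loader: the method, the decoded text and
    whether the decoded text drops a zero-sized IFRAME onto the page."""
    findings = []
    for m in FROMCHARCODE.finditer(html_text):
        findings.append(("fromCharCode", decode_fromcharcode(m.group(1))))
    for m in UNESCAPE.finditer(html_text):
        findings.append(("unescape", decode_unescape(m.group(2))))
    return [{"method": method, "decoded": decoded,
             "hidden_iframe": bool(HIDDEN_IFRAME.search(decoded))}
            for method, decoded in findings]


def encode_charcodes(text):
    """The comma-separated char codes an obfuscator emits; used to build the sample."""
    return ",".join(str(ord(c)) for c in text)


# Constructed sample page: a hidden-IFRAME loader encoded with fromCharCode and an
# unescape()-encoded snippet. The IFRAME and its URL are made up for the example.
PAYLOAD = '<iframe src="http://example.invalid/x.html" width=0 height=0 frameborder=0></iframe>'
SAMPLE_HTML = f"""<html><body>
<h1>Welcome</h1>
<script>document.write(String.fromCharCode({encode_charcodes(PAYLOAD)}));</script>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>
</body></html>"""


if __name__ == "__main__":
    # Usage: python scan.py page1.html page2.html ...  (no arguments: scan the sample)
    if sys.argv[1:]:
        pages = {}
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                pages[path] = fh.read()
    else:
        pages = {"<sample>": SAMPLE_HTML}
    for name, text in pages.items():
        for f in scan_page(text):
            flag = "HIDDEN IFRAME" if f["hidden_iframe"] else "review"
            print(f"{name}: {f['method']} [{flag}] {f['decoded'][:80]}")
```

Every decoded loader is reported, not only the ones that inject an IFRAME, because the same encoding also hides the spoofed search results and affiliate URLs the article mentions; the hidden-IFRAME flag just prioritises the review.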

Attackers have sometimes created Byzantine paths between Web sites to further obscure their work, sending users from one site to another via IFRAME exploits and hidden JavaScript. Sites seen using the JS/Wonka routines include those that spoof search engine results, disable pop-up blockers, falsely claim that the PC is infected with spyware, and market spammed products such as fake pharmaceuticals, low-rate mortgages, pornography, and illegally-copied software.

Internet Explorer isn't the only browser vulnerable to JS/Wonka, however. Alternate browsers, including the popular Firefox, can be fooled with JavaScript tricks, too, and have been victimized by numerous JavaScript vulnerabilities in 2005.

&amp;quot;The interesting thing here is the sheer climb in volume of sites using these routines,&amp;quot; said Hubbard. &amp;quot;It's either a toolkit or coordination between hackers. There's no public toolkit we've found, but there are banks of domain names using JS/Wonka that are registered to similar names.&amp;quot;

About half of the more than 10,000 sites using JS/Wonka are either compromised or malicious Web sites attempting to stick malware or spyware on unsuspecting users' PCs, said Hubbard. The other half of the sites use the encoded, obfuscated JavaScript to display spoofed search results which link to sites selling products typically shilled through spam, or used by sites trying to hide their URLs from affiliate advertising vendors because those sites may be breaking contractual agreements.

Some Web advertising and/or adware firms, for instance, have blamed their wide-flung affiliates for secretly installing software, including some programs that verge on spyware, when they're accused by users and anti-spyware vendors of infecting PCs. Such affiliates may want to hide their URLs to make it harder for their partners to check up on their installation practices.

Three out of four of the sites found using JS/Wonka are hosted in the U.S., said Websense, another indication that either a group of scammers is working together, or that an obfuscation toolkit has just been made available and hasn't had time to spread overseas.

The Websense alert, which includes samples of the JavaScript code -- useful for site operators, said Hubbard, since they can search for characters in the samples to see if their site is infected -- can be downloaded in PDF format from the San Diego-based firm's Web site.

By Gregg Keizer
Courtesy of TechWeb News</description>
</item>
<item>
<title>Firefox URL Domain Name Buffer Overflow</title>
<link>http://community.securityteam.us/article.php/20050910160508353</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20050910160508353</guid>
<pubDate>Fri, 09 Sep 2005 18:05:08 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20050910160508353#comments</comments>
<dc:subject>Mozilla/Firefox</dc:subject>
<description>The vulnerability is caused due to an error in the handling of a URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.
&lt;P&gt;Successful exploitation crashes Firefox and may allow code execution, but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file.&lt;/P&gt;&lt;P&gt;The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOFTWARE:&lt;/B&gt;&lt;BR&gt;Mozilla Firefox 1.x&lt;/P&gt;&lt;P&gt;&lt;B&gt;SOLUTION:&lt;/B&gt;&lt;BR&gt;Don't browse untrusted web sites.&lt;/P&gt;&lt;P&gt;&lt;B&gt;PROVIDED AND/OR DISCOVERED BY:&lt;/B&gt;&lt;BR&gt;Tom Ferris&lt;/P&gt;&lt;P&gt;&lt;B&gt;ORIGINAL ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://security-protocols.com/advisory/sp-x17-advisory.txt&quot; target=&quot;_blank&quot;&gt;http://security-protocols.com/advisory/sp-x17-advisory.txt&lt;/a&gt;&lt;br /&gt;&lt;/P&gt;&lt;P&gt;&lt;B&gt;VERIFY ADVISORY:&lt;/B&gt;&lt;BR&gt;&lt;a href=&quot;http://secunia.com/advisories/16764/&quot; target=&quot;_blank&quot;&gt;http://secunia.com/advisories/16764/&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Secunia Security Advisories&lt;/P&gt;</description>
</item>
<item>
<title>The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)</title>
<link>http://community.securityteam.us/article.php/20050829200849601</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20050829200849601</guid>
<pubDate>Mon, 29 Aug 2005 20:08:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20050829200849601#comments</comments>
<dc:subject>Security News</dc:subject>
<description>&amp;quot;An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets&amp;quot; by TIME Magazine
It was another routine night for Shawn Carpenter. After a long day analyzing computer-network security for Sandia National Laboratories, where much of the U.S. nuclear arsenal is designed, Carpenter, 36, retreated to his ranch house in the hills overlooking Albuquerque, N.M., for a quick dinner and an early bedtime. He set his alarm for 2 a.m. Waking in the dark, he took a thermos of coffee and a pack of Nicorette gum to the cluster of computer terminals in his home office. As he had almost every night for the previous four months, he worked at his secret volunteer job until dawn, not as Shawn Carpenter, mid-level analyst, but as Spiderman--the apt nickname his military-intelligence handlers gave him--tirelessly pursuing a group of suspected Chinese cyberspies all over the world. Inside the machines, on a mission he believed the U.S. government supported, he clung unseen to the walls of their chat rooms and servers, secretly recording every move the snoopers made, passing the information to the Army and later to the FBI.

The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat. Methodical and voracious, these hackers wanted all the files they could find, and they were getting them by penetrating secure computer networks at the country's most sensitive military bases, defense contractors and aerospace companies.

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. &amp;quot;Most hackers, if they actually get into a government network, get excited and make mistakes,&amp;quot; says Carpenter. &amp;quot;Not these guys. They never hit a wrong key.&amp;quot;

Goaded by curiosity and a sense that he could help the U.S. defend itself against a new breed of enemy, Carpenter gave chase to the attackers. He hopped just as stealthily from computer to computer across the globe, chasing the spies as they hijacked a web of far-flung computers. Eventually he followed the trail to its apparent end, in the southern Chinese province of Guangdong. He found that the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.

It was a stunning breakthrough. In the world of cyberspying, locating the attackers' country of origin is rare. China, in particular, is known for having poorly defended servers that outsiders from around the world commandeer as their unwitting launchpads. Now Chinese computers appeared to be the aggressors.

If so, the implications for U.S. security are disturbing. In recent years, the counterintelligence community has grown increasingly anxious that Chinese spies are poking into all sorts of American technology to compete with the U.S. But tracking virtual enemies presents a different kind of challenge to U.S. spy hunters. Foreign hackers invade a secure network with a flick of a wrist, but if the feds want to track them back and shut them down, they have to go through a cumbersome authorization process that can be as tough as sending covert agents into foreign lands. Adding in extreme sensitivity to anything involving possible Chinese espionage--remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the fear of igniting an international incident, it's not surprising the U.S. has found it difficult and delicate to crack these cases.

In Washington, officials are tight-lipped about Titan Rain, insisting all details of the case are classified. But high-level officials at three agencies told TIME the penetration is considered serious. A federal law-enforcement official familiar with the investigation says the FBI is &amp;quot;aggressively&amp;quot; pursuing the possibility that the Chinese government is behind the attacks. Yet they all caution that they don't yet know whether the spying is official, a private-sector job or the work of many independent, unrelated hands. The law-enforcement source says China has not been cooperating with U.S. investigations of Titan Rain. China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are &amp;quot;totally groundless, irresponsible and unworthy of refute.&amp;quot;

Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab and defense-contractor facilities tell TIME that Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced. TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. So far, the files they have vacuumed up are not classified secrets, but many are sensitive and subject to strict export-control laws, which means they are strategically important enough to require U.S. government licenses for foreign use.

Beyond worries about the sheer quantity of stolen data, a Department of Defense (DOD) alert obtained by TIME raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks. Although he would not comment on Titan Rain specifically, Pentagon spokesman Bryan Whitman says any attacks on military computers are a concern. &amp;quot;When we have breaches of our networks, it puts lives at stake,&amp;quot; he says. &amp;quot;We take it very seriously.&amp;quot;

As cyberspying metastasizes, frustrated network protectors say that the FBI in particular doesn't have enough top-notch computer gumshoes to track down the foreign rings and that their hands are often tied by the strict rules of engagement. That's where independents--some call them vigilantes--like Carpenter come in. After he made his first discoveries about Titan Rain in March 2004, he began taking the information to unofficial contacts he had in Army intelligence. Federal rules prohibit military-intelligence officers from working with U.S. civilians, however, and by October, the Army passed Carpenter and his late-night operation to the FBI. He says he was a confidential informant for the FBI for the next five months. Reports from his cybersurveillance eventually reached the highest levels of the bureau's counterintelligence division, which says his work was folded into an existing task force on the attacks. But his FBI connection didn't help when his employers at Sandia found out what he was doing. They fired him and stripped him of his Q clearance, the Department of Energy equivalent of top-secret clearance. Carpenter's after-hours sleuthing, they said, was an inappropriate use of confidential information he had gathered at his day job. Under U.S. law, it is illegal for Americans to hack into foreign computers.

Carpenter is speaking out about his case, he says, not just because he feels personally maligned--although he filed suit in New Mexico last week for defamation and wrongful termination. The FBI has acknowledged working with him: evidence collected by TIME shows that FBI agents repeatedly assured him he was providing important information to them. Less clear is whether he was sleuthing with the tacit consent of the government or operating as a rogue hacker. At the same time, the bureau was also investigating his actions before ultimately deciding not to prosecute him. The FBI would not tell TIME exactly what, if anything, it thought Carpenter had done wrong. Federal cyberintelligence agents use information from freelance sources like Carpenter at times but are also extremely leery about doing so, afraid that the independent trackers may jeopardize investigations by trailing foes too noisily or, even worse, may be bad guys themselves. When Carpenter deputized himself to delve into the Titan Rain group, he put his career in jeopardy. But he remains defiant, saying he's a whistle-blower whose case demonstrates the need for reforms that would enable the U.S. to respond more effectively and forcefully against the gathering storm of cyberthreats.

A TIME investigation into the case reveals how the Titan Rain attacks were uncovered, why they are considered a significant threat now under investigation by the Pentagon, the FBI and the Department of Homeland Security and why the U.S. government has yet to stop them.

Carpenter thought he was making progress. When he uncovered the Titan Rain routers in Guangdong, he carefully installed a homemade bugging code in the primary router's software. It sent him an e-mail alert at an anonymous Yahoo! account every time the gang made a move on the Net. Within two weeks, his Yahoo! account was filled with almost 23,000 messages, one for each connection the Titan Rain router made in its quest for files. He estimates there were six to 10 workstations behind each of the three routers, staffed around the clock. The gang stashed its stolen files in zombie servers in South Korea, for example, before sending them back to Guangdong. In one, Carpenter found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in August. On the night he woke at 2, Carpenter copied a huge collection of files that had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.

Even if official Washington is not certain, Carpenter and other network-security analysts believe that the attacks are Chinese government spying. &amp;quot;It's a hard thing to prove,&amp;quot; says a network-intrusion-detection analyst at a major U.S. defense contractor who has been studying Titan Rain since 2003, &amp;quot;but this has been going on so long and it's so well organized that the whole thing is state sponsored, I think.&amp;quot; When it comes to advancing their military by stealing data, &amp;quot;the Chinese are more aggressive&amp;quot; than anyone else, David Szady, head of the FBI's counterintelligence unit, told TIME earlier this year. &amp;quot;If they can steal it and do it in five years, why [take longer] to develop it?&amp;quot;

Within the U.S. military, Titan Rain is raising alarms. A November 2003 government alert obtained by TIME details what a source close to the investigation says was an early indication of Titan Rain's ability to cause widespread havoc. Hundreds of Defense Department computer systems had been penetrated by an insidious program known as a &amp;quot;trojan,&amp;quot; the alert warned. &amp;quot;These compromises ... allow an unknown adversary not only control over the DOD hosts, but also the capability to use the DOD hosts in malicious activity. The potential also exists for the perpetrator to potentially shut down each host.&amp;quot; The attacks were also stinging allies, including Britain, Canada, Australia and New Zealand, where an unprecedented string of public alerts issued in June 2005, two U.S. network-intrusion analysts tell TIME, also referred to Titan Rain--related activity. &amp;quot;These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication,&amp;quot; warned Britain's National Infrastructure Security Co-Ordination Center.

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called &amp;quot;preparation of the battlefield.&amp;quot; But if any U.S. agency got caught, it could spark an international incident.

That's why Carpenter felt he could be useful to the FBI. Frustrated in gathering cyberinfo, some agencies have in the past turned a blind eye to free-lancers--or even encouraged them--to do the job. After he hooked up with the FBI, Carpenter was assured by the agents assigned to him that he had done important and justified work in tracking Titan Rain attackers. Within a couple of weeks, FBI agents asked him to stop sleuthing while they got more authorization, but they still showered him with praise over the next four months as he fed them technical analyses of what he had found earlier. &amp;quot;This could very well impact national security at the highest levels,&amp;quot; Albuquerque field agent Christine Paz told him during one of their many information-gathering sessions in Carpenter's home. His other main FBI contact, special agent David Raymond, chimed in: &amp;quot;You're very important to us,&amp;quot; Raymond said. &amp;quot;I've got eight open cases throughout the United States that your information is going to. And that's a lot.&amp;quot; And in a letter obtained by TIME, the FBI's Szady responded to a Senate investigator's inquiry about Carpenter, saying, &amp;quot;The [FBI] is aggressively pursuing the investigative leads provided by Mr. Carpenter.&amp;quot;

Given such assurances, Carpenter was surprised when, in March 2005, his FBI handlers stopped communicating with him altogether. Now the federal law-enforcement source tells TIME that the bureau was actually investigating Carpenter while it was working with him. Agents are supposed to check out their informants, and intruding into foreign computers is illegal, regardless of intent. But two sources familiar with Carpenter's story say there is a gray area in cybersecurity, and Carpenter apparently felt he had been unofficially encouraged by the military and, at least initially, by the FBI. Although the U.S. Attorney declined to pursue charges against him, Carpenter feels betrayed. &amp;quot;It's just ridiculous. I was tracking real bad guys,&amp;quot; he says. &amp;quot;But they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain.&amp;quot; Worse, he adds, they never asked for the passwords and other tools that could enable them to pick up the investigative trail at the Guangdong router.

Carpenter was even more dismayed to find that his work with the FBI had got him in trouble at Sandia. He says that when he first started tracking Titan Rain to chase down Sandia's attackers, he told his superiors that he thought he should share his findings with the Army, since it had been repeatedly hit by Titan Rain as well. A March 2004 Sandia memo that Carpenter gave TIME shows that he and his colleagues had been told to think like &amp;quot;World Class Hackers&amp;quot; and to retrieve tools that other attackers had used against Sandia. That's why Carpenter did not expect the answer he claims he got from his bosses in response to Titan Rain: Not only should he not be trailing Titan Rain but he was also expressly forbidden to share what he had learned with anyone.

As a Navy veteran whose wife is a major in the Army Reserve, Carpenter felt he could not accept that injunction. After several weeks of angry meetings--including one in which Carpenter says Sandia counterintelligence chief Bruce Held fumed that Carpenter should have been &amp;quot;decapitated&amp;quot; or &amp;quot;at least left my office bloody&amp;quot; for having disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit, Sandia was reluctant to discuss specifics but responded to TIME with a statement: &amp;quot;Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences.&amp;quot;

Carpenter says he has honored the FBI's request to stop following the attackers. But he can't get Titan Rain out of his mind. Although he was recently hired as a network-security analyst for another federal contractor and his security clearance has been restored, &amp;quot;I'm not sleeping well,&amp;quot; he says. &amp;quot;I know the Titan Rain group is out there working, now more than ever.&amp;quot; 

By Nathan Thornburgh, TIME Magazine

--With reporting by Matthew Forney/Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/Washington
Copyright © 2005 Time Inc.</description>
</item>
<item>
<title>Windows Flaw May Let Hackers Hide Code From AV Scanners</title>
<link>http://community.securityteam.us/article.php/20050826231630168</link>
<guid isPermaLink="true">http://community.securityteam.us/article.php/20050826231630168</guid>
<pubDate>Fri, 26 Aug 2005 23:16:00 -0400</pubDate>
<comments>http://community.securityteam.us/article.php/20050826231630168#comments</comments>
<dc:subject>Security News</dc:subject>
<description>A flaw in how Windows handles entries in the all-important registry can be used by hackers to hide evidence of malicious code from a wide swath of commercial anti-virus and anti-spyware scanners, the SANS Internet Storm Center reported Friday.
While the  disclosure of the bug by Danish vulnerability tracker Secunia on Wednesday got little attention, Internet Storm Center (ISC) analysts believed it was far more dangerous than it looked.

&amp;quot;Once we started to play with [the vulnerability], the nastiness became apparent: An overly long registry entry can be added, but won't be shown by regedit and regedt32,&amp;quot; wrote ISC handler Daniel Wesemann on the group's alert site. &amp;quot;Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well.&amp;quot;

Other security professionals agreed. &amp;quot;This newly-discovered vulnerability can hide other entries in the registry, hiding malicious code 'autorun' entries, for example, behind this long registry key,&amp;quot; said Mitchell Ashley, the chief technology officer of Colorado-based StillSecure.

&amp;quot;I'd compare it to the early days of buffer overflow of DNS and Bind requests,&amp;quot; added Ashley. &amp;quot;If your security software doesn't catch this, you're wide open today. If it can't find evidence of malware, you could very easily be the next target.&amp;quot;

Value names longer than 254 characters are mishandled by the Windows registry editor and essentially &amp;quot;disappear&amp;quot; from view, as do any values added to the same key after them, because the editor stops at the too-long name, treating it as the last entry in the key.

Worse, many malicious code scanners have the same blind spot, and also stop processing the registry for anomalous entries when they reach a too-long name.

The technique would let attackers add their malicious software to the &amp;quot;Run&amp;quot; registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run), which lists the programs or components that launch automatically when Windows starts. Worms typically write their registry changes there so that they run at Windows startup; anti-virus and anti-spyware scanners often look for these unanticipated changes to the registry to detect fishy activity.
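As an added example (not code from the ISC alert or from any of the products named in this article), the following Python audit lists every value under the Run key through the registry API rather than through regedit, flags names longer than 254 characters, and shows which entries a scanner that stops at the first over-long name would never see. The naive_scan model of that blind spot, the 254-character threshold taken from the reports above, and the sample entries (including the dropper paths) are constructed for the illustration; read_run_key runs only on Windows and assumes that the winreg module's EnumValue sizes its name buffer from the key's reported maximum rather than from a fixed 255-character buffer.

```python
import sys

# Per the ISC and Secunia reports quoted in the article, value names longer than
# 254 characters were not displayed by regedit/regedt32.
MAX_VISIBLE_NAME = 254
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def read_run_key():
    """Enumerate HKLM\\...\\Run via the registry API (Windows only). Assumption:
    winreg.EnumValue sizes its buffers from RegQueryInfoKey, so an over-long
    name is returned in full instead of ending the enumeration early."""
    import winreg  # only importable on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]  # (subkeys, values, last write)
        for index in range(value_count):
            name, data, _type = winreg.EnumValue(key, index)
            entries.append((name, str(data)))
    return entries


def naive_scan(entries):
    """Constructed model of the blind spot the article describes (not any vendor's
    code): a scanner with a 254-character name buffer that treats the first
    over-long name as the end of the key and stops reading."""
    visible = []
    for name, data in entries:
        if len(name) > MAX_VISIBLE_NAME:
            break
        visible.append((name, data))
    return visible


def audit_run_key(entries):
    """Report over-long names and every entry a naive scanner would miss."""
    visible = set(naive_scan(entries))
    return {
        "total": len(entries),
        "long_names": [(n, d) for n, d in entries if len(n) > MAX_VISIBLE_NAME],
        "shadowed": [(n, d) for n, d in entries if (n, d) not in visible],
    }


# Constructed sample: one legitimate entry, one over-long name, and one ordinary
# entry stored after it. All paths are made up for the example.
SAMPLE_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("A" * 300, r"C:\Documents and Settings\All Users\dropper.exe"),
    ("Updater", r"C:\Documents and Settings\All Users\persist.exe"),
]


if __name__ == "__main__":
    entries = read_run_key() if sys.platform == "win32" else SAMPLE_ENTRIES
    report = audit_run_key(entries)
    print(f"{report['total']} Run entries, {len(report['long_names'])} over-long name(s)")
    for name, data in report["shadowed"]:
        label = name if len(name) <= 40 else name[:40] + "..."
        print(f"  hidden from regedit/naive scanners: {label} -> {data}")
```

The point of the two readers side by side is that the ordinary "Updater" entry is not over-long at all; it is hidden only because it sits behind the 300-character name, which is exactly the "entries that get added afterward under the same key" behaviour the ISC handler describes.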

&amp;quot;It's crucial that [scanners] be able to see into the registry,&amp;quot; argued Ashley.

The weakness, said Secunia, affects Windows 2000 and XP, including fully patched XP SP2 systems.

&amp;quot;We have started to see some possible reports of malware which utilizes this concealment technique in the wild,&amp;quot; said the ISC in its Friday bulletin written by handler Robert Danford. &amp;quot;We expect this trend to continue over the life-cycle of the next few weeks as vendors patch their products as necessary to allow these keys to be visible to their scan engines.&amp;quot;

Ashley confirmed that his firm had found code in the wild that was exploiting the vulnerability, but added that no infections had been reported as of mid-day Friday.

ISC has also assembled a partial list of those scanning engines which detect the &amp;quot;invisible&amp;quot; registry keys, and those which don't (or do, but crash while doing so).

Among the former, claimed the ISC, are StillSecure's SafeAccess, while the latter category included Spybot Search &amp;amp; Destroy, Symantec's SystemWorks, and Microsoft's Windows AntiSpyware.

&amp;quot;Although the vulnerability is in Windows, I think it's a programmatic error that other [security vendors] have made in limiting the length of registry keys they examine,&amp;quot; said StillSecure's Ashley as he touted SafeAccess' ability to handle the bug. &amp;quot;We built our product to accommodate unusual or anomalous entries. To keep up with attackers, you definitely have to think outside of the box, because they do.&amp;quot;

By Gregg Keizer, TechWeb News</description>
</item>
</channel>
</rss>

