- http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592&subSection=End+user/client+security
- http://www.scmagazineus.com/URLZone-touted-as-most-sophisticated-banking-trojan-yet/article/151096/
- http://news.cnet.com/8301-27080_3-10363836-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
- http://www.wired.com/threatlevel/2009/09/rogue-bank-statements/
Monday, October 5, 2009
URLZone Malware, New Techniques
New, sophisticated malware is making some fraudulent online bank transactions harder to detect. The URLZone Trojan asks its command server precisely how much money to take from each account it plunders, keeping the amounts small enough to evade fraud detection, and where to send it; the Trojan also rewrites the victim's online bank statement so the fraudulent transactions do not show up. The Trojan exploits vulnerabilities in Firefox, Opera, and Internet Explorer 6, 7 and 8.
Security Essentials Only On Genuine Microsoft Windows
Microsoft Security Essentials Not Available to Pirates.
Users running unlicensed or improperly licensed copies of Microsoft Windows will not be able to install the company's newly-released Security Essentials antivirus software. To install the software, users will be required to validate their copies of Windows operating systems.
Microsoft does allow users running pirated copies of Windows to download Internet Explorer 8 (IE 8), touted as the company's most secure browser yet. Microsoft also allows patches to be downloaded to pirated copies of Windows through Windows Update. There are other free anti-virus alternatives available, but the patches are available only from Microsoft.
Malware Breaks Facebook CAPTCHA
Malware purveyors have managed to break the Facebook CAPTCHA (completely automated public Turing test to tell computers and humans apart), allowing them to automate the creation of Facebook pages. The rogue pages are being used to send links to malicious websites that promote scareware. The pages all carry the same photograph but have different user names. Facebook is taking steps to identify the rogue pages and disable them.
Thursday, September 10, 2009
DHCP Security
-=[ DHCP Concept
Dynamic Host Configuration Protocol (DHCP) automatically configures client machines with a dynamically assigned IP address and other network configuration parameters, such as the default gateway and DNS server addresses, when they boot. It eliminates the need for network administrators to keep track of individual client IP addresses.
Before DHCP, network administrators had to statically assign an IP address to each client machine, and users had to configure their computers with the assigned address manually. This not only required users to be knowledgeable but also made misconfiguration common.
DHCP is particularly useful in environments where computers are frequently added to or removed from the network. For example, ISPs use DHCP to configure their dial-up clients. When a client logs in, it is automatically assigned an IP address; when it logs out, that address is reclaimed. The benefits of this dynamic assignment are twofold. Users do not need to care about network configuration: since most computers are DHCP-ready by default, they just enter their username and password to log in to their ISP. The ISP, because an address is reclaimed when a client logs out, can hand that address to a future user, which helps combat the shortage of IPv4 addresses.
Correct operation of DHCP is critical. If it is subverted, clients can be configured with false network information, such as a wrong name server address, with serious security consequences.
-=[ DHCP Operations
The general idea of DHCP operation is summarized below.
1. The network administrator configures the DHCP server with a pool of IP addresses and the other network configuration information to hand out.
2. When a DHCP-enabled client machine boots, it automatically asks a DHCP server for an IP address.
3. The server selects an available address from the pool and responds to the client with that address and the other network configuration information.
The exchange involves four messages:
1. The client broadcasts a DHCPDISCOVER packet on the network.
2. A server sends the client a DHCPOFFER packet containing the offered address.
3. The client broadcasts a DHCPREQUEST packet, informing the server that it would like to be assigned the address offered in step 2.
4. The server sends the client a DHCPACK packet containing the network configuration parameters, such as the default gateway and DNS server addresses.
5. At this point the client is configured with the offered IP address and the other network configuration parameters.
Because the client has no network configuration at all (not even the DHCP server's address) when it boots, it must broadcast the DHCPDISCOVER in step 1. You may wonder why, in step 3, the DHCPREQUEST is broadcast rather than unicast, since the client learned the server's address in step 2. The reason is that if there is more than one DHCP server on the network, the client may receive several DHCPOFFERs in step 2. Broadcasting the DHCPREQUEST, which carries the chosen server's address in the Server Identifier option (option 54) and the offered address in the Requested IP Address option (option 50), both requests the address from the selected server and implicitly declines the offers from the others, so they can return their offered addresses to their pools.
-=[ Attacks
As can be seen, DHCP, like DNS, has no built-in authentication, which makes it vulnerable to attack. Address starvation and server impersonation are the well-known DHCP attacks. The former requests all of the available addresses so that new clients cannot obtain one; the latter sets up a rogue DHCP server that returns false network information (for example a gateway or DNS server under the attacker's control) to clients so that man-in-the-middle attacks become possible.
Denial of Service Attack using Address Starvation
When a DHCP server receives a request from a client, it picks an available address from its pool and assigns it to the client. Because the service is open to anyone on the segment and DHCP has no authentication mechanism, an attacker can easily abuse this simple operation to stop the DHCP service.
The attacker sends a large number of DHCP requests with different (forged) client MAC addresses to the server. Since the server treats each request with a new MAC as a new client and assigns it an address, once a sufficiently large number of requests have been sent the server's pool is fully allocated. As a result, new legitimate clients cannot obtain an IP address because none are left.
This is a denial-of-service attack: it denies clients DHCP service. It completes in a very short time (a pool holds a limited number of addresses) and needs very little bandwidth. Nonetheless, it can be mitigated with the security features of today's switches. For example, Cisco port security limits the number of MAC addresses a switch port may use; if the machine attached to the port uses more addresses than the limit, the port is shut down, either until an administrator re-enables it or for a configured recovery interval. One caveat: port security counts the Ethernet source address of each frame, so an attacker who keeps a single source MAC and forges only the client hardware address (chaddr) inside the DHCP message can still exhaust the pool. DHCP snooping closes that gap: with MAC-address verification enabled the switch drops DHCP requests whose chaddr does not match the frame's source MAC, it can rate-limit DHCP on untrusted ports, and because only the port facing the real server is marked trusted, DHCPOFFER and DHCPACK messages from rogue servers on other ports are dropped, which also defeats server impersonation.
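The following Python is an added example and not code from the original post. It builds and parses DHCP messages using the RFC 2131 header layout, replays the four-message exchange described in the Operations section against a constructed server at 192.0.2.1 (option 54 carries the server identifier, option 50 the requested address), and then runs a simple starvation detector over a constructed stream of frames from one switch port, including the chaddr-versus-source-MAC check that port security alone does not perform. The server and client addresses, the MACs and the threshold of 10 distinct clients per port are all assumptions.

```python
"""Build and parse DHCP messages (RFC 2131 BOOTP header + magic cookie + TLV
options), replay the four-message exchange, and run a simple address-starvation
detector over a constructed stream of frames seen on one switch port.
Added example; all addresses and MACs below are constructed test values."""
import socket
import struct
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
OPT_REQ_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54
OPT_ROUTER, OPT_DNS, OPT_PAD, OPT_END = 3, 6, 0, 255
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"             # 236-byte fixed header


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=None):
    """op=1 BOOTREQUEST (client->server), op=2 BOOTREPLY. chaddr: 6 raw bytes."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast
                      bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(data):
    """Return the fields a DHCP client or server acts on; options as code->bytes."""
    f = struct.unpack(HDR_FMT, data[:struct.calcsize(HDR_FMT)])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg = {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def four_way_exchange(client_mac, xid=0x3903F326):
    """DISCOVER -> OFFER -> REQUEST -> ACK against a constructed server 192.0.2.1."""
    server, offered = socket.inet_aton("192.0.2.1"), "192.0.2.50"
    discover = build_dhcp(1, xid, client_mac, DISCOVER)
    offer = build_dhcp(2, xid, client_mac, OFFER, yiaddr=offered,
                       options={OPT_SERVER_ID: server})
    # The REQUEST is broadcast: option 54 names the chosen server and option 50
    # the offered address, so any other server that made an offer sees it was
    # not selected and returns its offered address to the pool.
    request = build_dhcp(1, xid, client_mac, REQUEST,
                         options={OPT_REQ_IP: socket.inet_aton(offered),
                                  OPT_SERVER_ID: server})
    ack = build_dhcp(2, xid, client_mac, ACK, yiaddr=offered,
                     options={OPT_SERVER_ID: server, OPT_ROUTER: server,
                              OPT_DNS: server})
    return [parse_dhcp(p) for p in (discover, offer, request, ack)]


def detect_starvation(frames, threshold=10):
    """frames: (ethernet_src_mac, dhcp_payload) pairs seen on one access port.
    Flags more DISCOVER chaddrs than one host should need, and chaddr values
    that differ from the frame's source MAC (how port security gets bypassed)."""
    chaddrs, mismatches = Counter(), 0
    for eth_src, payload in frames:
        msg = parse_dhcp(payload)
        if msg["options"].get(OPT_MSG_TYPE) != bytes([DISCOVER]):
            continue
        chaddrs[msg["chaddr"]] += 1
        if msg["chaddr"] != eth_src:
            mismatches += 1
    return {"distinct_clients": len(chaddrs), "mismatches": mismatches,
            "starvation": len(chaddrs) > threshold}


def constructed_frames():
    """One legitimate client, then an attacker keeping a single Ethernet source
    MAC while forging 50 different chaddr values inside the DHCP messages."""
    legit = bytes.fromhex("001122334455")
    frames = [(legit.hex(":"), build_dhcp(1, 1, legit, DISCOVER))]
    attacker_eth = "de:ad:be:ef:00:01"   # the only address port security sees
    for n in range(50):
        forged = bytes([0x02, 0, 0, 0, n >> 8, n & 0xFF])
        frames.append((attacker_eth, build_dhcp(1, 1000 + n, forged, DISCOVER)))
    return frames


if __name__ == "__main__":
    for m in four_way_exchange(bytes.fromhex("001122334455")):
        print(m["options"][OPT_MSG_TYPE][0], m["yiaddr"], sorted(m["options"]))
    print(detect_starvation(constructed_frames()))
```

Run it directly to see the four parsed messages and the detector's verdict on the constructed stream. The detector is deliberately per-port: a DHCP relay or a hypervisor uplink legitimately carries many chaddr values, so the threshold and the mismatch rule only make sense on access ports, which is also where DHCP snooping applies them.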
Tuesday, August 25, 2009
Microsoft Suspends Attach-Photo Feature in Hotmail
Microsoft Suspends Hotmail Attach-Photo Feature
Microsoft has temporarily suspended the Attach-Photo feature in Hotmail because of security issues. The problem lies in the way the feature interacts with Internet Explorer (IE). Hotmail users can still attach photos to their messages through other methods. Attach-Photo was disabled in late July; Microsoft plans to restore the feature by the end of September. Users complained because they were not notified that the feature would be removed.
http://www.theregister.co.uk/2009/08/21/hotmail_attach_photo_pulled/
http://www.computerworld.com/s/article/9136958/Microsoft_Hotmail_users_angry_over_pulled_photo_feature?source=rss_news
Criminals Targeting Smaller US Firms
Cyber Criminals Targeting Smaller US Firms; Get Millions
Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions.
The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one.
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews
Wednesday, August 12, 2009
Facebook and Twitter, Spam Campaign?
The denial-of-service attacks that hobbled Twitter and Facebook last week were not conducted through botnets; they were the result of a spam campaign aimed at taking out accounts belonging to a pro-Republic of Georgia blogger. The social networking and blogging sites suffered deteriorating service as spam recipients clicked on links pointing to the accounts of the blogger known as Cyxymu. The links pointed to Cyxymu's accounts on YouTube and LiveJournal as well. The blogger has written an open letter asking Russian President Dmitry Medvedev to launch an investigation to find the culprits.
- http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
- http://www.computerworld.com/s/article/9136379/Security_researchers_zero_in_on_Twitter_hackers
- http://www.theregister.co.uk/2009/08/10/cyxymu_letter_to_medvedev/
- http://news.bbc.co.uk/2/hi/technology/8194395.stm
- http://voices.washingtonpost.com/securityfix/2009/08/twitter_facebook_google_attack.html