CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for July, 2009

Insecure BIOS ‘Rootkit’ Found Pre-loaded In Major Manufacturers’ Laptops

Friday, July 31st, 2009

A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service — called Computrace LoJack for Laptops — contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to a Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Computrace LoJack for Laptops, which is pre-installed on about 60 percent of all new laptops, is a software agent that lives in the BIOS and periodically calls home to a central authority for instructions in case a laptop is stolen. The call-home mechanism allows the central authority to instruct the BIOS agent to wipe all information as a security measure, or to track the whereabouts of the system.

For it to be an effective theft-recovery service, Ortega and Sacco explained, it has to be stealthy, must have complete control of the system and must be highly persistent to survive a hard disk wipe or operating system reinstall.

“This is a rootkit. It might be a legitimate rootkit, but it’s a dangerous rootkit,” Sacco declared. The research team stumbled upon the rootkit-like technology in the course of their work on BIOS-based malware attacks. At last year’s CanSecWest security conference, the duo demonstrated methods for infecting the BIOS with persistent code that survives reboots and reflashing attempts.

The biggest problem, Ortega explained, is that a malicious hacker can manipulate and control the call-home process. That’s because the technology uses a configuration method that contains the IP address, port and URL, all hard-coded in the Option-ROM. At first run, Sacco explained that the configuration method is copied in many places, including the registry and hard-disk inter-partition space.

The duo found that it’s trivial to search for and modify the configuration, giving them the ability to point the IP and URL at a malicious site, from which unauthenticated payloads can be directed to the laptop.

Because the rootkit is white-listed by anti-virus software, the malicious modifications will go unnoticed. On unsigned BIOSes, Sacco and Ortega said, modification of the configuration allows for a very persistent and dangerous form of rootkit.

The pair recommended a digital signature scheme to authenticate the call-home process.

With the help of the U.S. Computer Emergency Response Team (US-CERT) and one major laptop manufacturer, Core Security has reported the problems to Absolute Corp., the company that makes the Computrace software.

Credit: ZDNet.com Security Blogs

Update (Aug. 2): According to a representative of Absolute Software, the claims made by Alfredo Ortega and Anibal Sacco of Core Security at the BlackHat Security conference are without merit:

• The Computrace BIOS module does not allow a special undetected path into the operating system. It is not a rootkit.
• In order for the Computrace BIOS module to work, it is activated by the end-user customer, not the computer manufacturer, upon receipt of the computer and activation of Absolute Software’s products.
• The Computrace BIOS code alleged in the article to have this vulnerability is old code that was not officially released and, to Absolute’s knowledge, has never been active in the BIOS of any computer.
• If a malicious attacker were able to alter the BIOS code, any popular anti-virus software would alert the customer.
• The Computrace BIOS module currently on the market is not susceptible to the risks claimed in the article and therefore none of our customers are at risk for this specific type of attack.

Absolute has issued a statement to the public, refuting these claims and explaining their position at length: http://www.absolute.com/company/pressroom/news/2009/07/refutes_claim

Sensitive Federal Data Leaked Through P2P File Sharing

Thursday, July 30th, 2009

The indiscriminate use of a popular online data-sharing technology has led to the disclosure of sensitive government and personal information — including FBI surveillance photos of a Mafia hit man, lists of people with HIV, and motorcade routes and safe-house locations for then-first lady Laura Bush, a congressional panel was told on Wednesday.

The information is often exposed inadvertently by people who download the technology to share music or other files, not realizing that the “peer-to-peer” software also makes the contents of their computers available to other users, experts said.

The issue is so pressing that the chairman of the House Oversight and Government Reform Committee, Rep. Edolphus Towns (D-N.Y.), said he would introduce a bill to ban such software from all government and contractor computers and networks.

“The administration should initiate a national campaign to educate consumers about the dangers involved with file-sharing software,” he said.

Robert Boback, chief executive of Tiversa, a company that scours music- and file-sharing networks on the Internet for sensitive data, said the use of such software is being exploited by foreign governments for espionage and other purposes. “Other countries know how to access this information and they are accessing this information,” he said.

Boback told the committee that Tiversa found FBI surveillance photos of an alleged hit man on the Internet while he was still on trial. The company also found the government’s confidential witness list for that trial, which included the names of some people in the government’s witness protection program. He said the company found the documents while scouring the networks for other data for a client.

Boback, who was asked by the committee not to publicly identify the hit man, said the defendant was recently convicted and sent to prison for life.

“This is not information you want to have out there,” he said.

A spokesman for the FBI said late Wednesday that he did not have enough information to comment on the surveillance photos. The Secret Service said that the motorcade routes and safe-house locations are not classified or top secret. Such data is “not of any value” after an event, said Secret Service spokesman Malcolm Wiley. “And if something like that were to emerge before an event, keep in mind, we’ve got other security countermeasures in place.”

In addition to the list of people with HIV, which included Social Security numbers, Tiversa discovered records with full psychological assessments of patients with conditions such as bipolar disorder.

Alan Paller, director of research at SANS Institute, a computer-security training group, said that health data are a new target of organized-crime groups. Experts say a copy of a medical record can fetch money on the Internet black market.

“This is unbelievably sensitive medical data,” said Deborah Peel, founder of Patient Privacy Rights, a health-privacy advocacy group. “It has people’s names on it from mental-health treatment programs, drug studies. All of these medical files have everything needed for identity theft, the most prominent and frightening consumer issue with electronic systems.”

Towns said he would ask the Federal Trade Commission to investigate whether inadequate safeguards on file-sharing software constitute an unfair trade practice.

Mark Gorton, chairman of the Lime Group, which makes LimeWire, one of the most popular peer-to-peer, or P2P, programs, told the committee that the latest version of his company’s software makes it extremely difficult to accidentally share sensitive documents.

He said that any effort to regulate the industry would be difficult, as LimeWire is one of hundreds of such software providers. “Most creators of P2P applications are not based in the United States, and may not even be corporations,” Gorton said.

The Department of Homeland Security warns that file-sharing technology exposes users’ computers to infection, attack or exposure of personal information. It recommends avoiding the software.

Credit: WashingtonPost.com

Unpatched iPhone Bug Can Virally Infect Phones Via SMS

Thursday, July 30th, 2009

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you quickly turn the device off.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

“This is serious. The only thing you can do to prevent it is turn off your phone,” Miller says. “Someone could pretty quickly take over every iPhone in the world with this.”

Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn’t released a patch, and it didn’t respond to Forbes’ repeated calls seeking comment.

The iPhone SMS bug is just one of a series that the researchers plan to reveal in their talk. They say they’ve also found a similar texting bug in Windows Mobile that allows complete remote control of Microsoft-based devices. Another pair of SMS bugs in the iPhone and Google’s Android phones would purportedly allow a hacker to knock a phone off its wireless network for about 10 seconds with a series of text messages. The trick could be repeated again and again to keep the user offline, Miller says. Though Google has patched the Android flaw, this second iPhone bug also remains unpatched, he adds.

The new attacks can strike a phone without any action on the part of the user and are virtually unpreventable while the phone is powered on, according to Miller and Mulliner’s research. And unlike the earlier exploits, Apple has inexplicably left them unpatched, Miller says. “I’ve given them more time to patch this than I’ve ever given a company to patch a bug,” he says.

The Windows bug he and Mulliner plan to reveal hasn’t been patched either, says Miller, though he admits that he and Mulliner discovered the Windows flaw on Monday and hadn’t yet alerted Microsoft to its existence.

The attack developed by Miller and Mulliner works by exploiting a missing safeguard in the phones’ text messaging software, one that would prevent data in the messages’ text from overflowing into other parts of the device’s memory, where it can run as an executable program. The two researchers plan to demonstrate how a series of 512 SMS messages can exploit the bug, with only one of those messages actually appearing on the phone, showing a small square. (Someone could easily design the attack to show a different message or no visible message at all, Miller cautions.) The entire process of infecting an iPhone and then using the device to infect another phone on the user’s contact list would take only a few minutes, Miller says.

The researchers’ concerns aren’t merely theoretical. Finnish security firm F-Secure says it’s found nearly 500 different variants of mobile phone malicious software since 2004, mostly using Bluetooth to hop between phones in close proximity. But in the last 18 months, cybercriminals have begun using text messages to send links to malicious Web sites that infect the phone with malware, says Mikko Hyppönen, an F-Secure researcher.

One seemingly Chinese variant, known as “Sexy View” and currently targeting the Symbian operating system, is far more threatening than an iPhone attack, given that around 50% of cellphones use Symbian, Hyppönen says. “After years of the security industry wondering why we aren’t seeing text message worms, it’s starting to happen now,” he says.

As dangerous as his iPhone attack sounds, Miller argues that it’s important to expose flaws in SMS software before they can be exploited by more malicious actors. Texting applications’ insecurity isn’t due to the software’s complexity so much as the security community’s inattention and the expense of sending thousands of text messages to test a phone’s security, Miller says.

“The bad news is that SMS is the perfect attack vector, but the good news is that it’s probably possible to build it securely,” he says. “As a researcher, I can only show [Apple] the bugs. It’s up to them to fix them.”

Credit: Forbes.com

Cross-site Scripting Vulnerability Found In MI5 Website By A Hacker

Thursday, July 30th, 2009

MI5 has closed up a flaw on its website that could have opened up visitors to malicious attacks, the UK intelligence agency said. The website suffered a cross-site scripting vulnerability that could have allowed hackers to inject code into the site and redirect users to malicious pages, MI5 admitted on Wednesday.

However, the government service insisted the website had been secured quickly, and that at no time had any intelligence operatives been exposed by the hack. “MI5 takes security very seriously,” the intelligence agency told ZDNet UK. “The website is secure and hosted in a high-security environment.”

Last week, a hacker with the handle ‘[-TE-]-Neo’ wrote that the MI5 website was vulnerable to cross-site scripting and iframe injection. The hacker put the post on the Team Elite hacker forum last Tuesday, claiming the site was breachable through the search engine.

The MI5 site uses an embedded Google search engine, said a spokesperson for the agency, who also confirmed that the site had been vulnerable through the search tool. However, the website is hosted separately from MI5’s back-end systems and is not connected to sensitive data, the spokesperson added.
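The flaw described above is the classic reflected cross-site scripting case: a search term is echoed back into the results page without being escaped, so a term carrying markup (for instance an iframe tag) is rendered rather than displayed. The following added example, which is not code from the article or from MI5’s site, shows a vulnerable result-page renderer beside its hardened form and a small check a tester or reviewer can run to tell the two apart. The URL, parameter name `q` and the sample search term are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit


def query_from_url(url):
    """Pull the search term out of the page URL (assumption: parameter 'q')."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_results_vulnerable(query):
    """'Before' form: the raw term is concatenated into HTML, so a term that
    contains <script> or <iframe ...> is rendered as live markup."""
    return f"<h2>Results for: {query}</h2>"


def render_results_hardened(query):
    """'After' form: HTML-escape the term (quote=True also escapes quotes so the
    value is safe inside attribute context) before it is reflected."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


def reflects_raw_markup(rendered, query):
    """Reviewer check: True when a term containing a tag opener comes back in
    the page byte-for-byte, i.e. unescaped."""
    return "<" in query and query in rendered


# Constructed sample request: a search term carrying an iframe tag.
SAMPLE_URL = 'https://search.example.invalid/?q=%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E'

if __name__ == "__main__":
    term = query_from_url(SAMPLE_URL)
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        page = render(term)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(page, term)}")
        print("   ", page)
```

The hardened renderer is the fix for the *reflection* part of the bug; an embedded third-party search widget still needs the same treatment wherever its output is spliced into the page.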

Once MI5 was informed of the vulnerability, it took action to remedy the situation, said the spokesperson. The flaw was not maliciously exploited and had been limited to that search engine.

Credit: ZDNet.co.uk Security News

Websites Run By High-profile Security Researchers Breached, Hackers Post Embarrassing Details

Wednesday, July 29th, 2009

On the eve of the Black Hat security conference, malicious hackers posted a 29,000-line file detailing embarrassing attacks that took complete control of servers and websites run by several high-profile security researchers, including Dan Kaminsky and Kevin Mitnick.

The file posted on security mailing lists claimed to have obtained more than four years’ worth of data from Kaminsky, and as proof, it offered a smattering of emails, instant messages, and other communications that laid out sensitive research work and intimate personal conversations. It also revealed multiple passwords Kaminsky used and back-end configurations for Kaminsky’s website (doxpara.com), which was yanked offline Tuesday afternoon and remained down at time of writing almost 24 hours later.

The data also documented attacks on the website of security expert Kevin Mitnick, who confirmed that his website was breached after hackers gained unfettered root access to machines used by his web host. The 1MB text file capped weeks of hacks on several other security researchers, including penetration testing firm Matasano. The breaches highlight the often-overlooked reality that even seasoned security professionals are vulnerable to attacks that can expose sensitive business secrets.

“It’s the illusion of invulnerability,” said Mitnick, who said he purposely kept sensitive data off the servers that ran his website. “I was actually surprised that the other people would keep their email and work data on an internet-facing host. It appeared the boxes were actively used for work.”

The breaches also raise the possibility that previously unpublished research about critical security vulnerabilities may have leaked into the public domain. Among the data published Tuesday was a Perl script exploiting Kaminsky’s DNS cache poisoning bug. It also aired bash scripts showing security professional Jay Beale, who had an account set up on Kaminsky’s server, performing nmap scans on a variety of domain names and IP addresses (presumably belonging to clients).

Kaminsky wasn’t available for comment at time of writing. He scheduled a press conference for Wednesday evening. On his Twitter page, he wrote: “Messy, but heh. Walk onto a battlefield, you might get shot.”

The attacks are reminiscent of ones that hit security researchers last year. In all of them, the attackers appear more interested in personally embarrassing the researchers and damaging their business reputations than in exposing vulnerabilities so they can be fixed.

So far, it’s unclear how the attacks were carried out. Freelance reporter Robert Lemos, whose website was compromised Tuesday evening, said a vulnerability in blogging software WordPress is the most likely explanation. Security researchers gathered at Black Hat have revived rumors that there’s a zero-day vulnerability that’s being exploited in SSH applications, but so far, there is no evidence to support the suspicions.

Credit: The Register

Network Solutions Breached, More Than 500,000 Credit And Debit Cards Exposed

Sunday, July 26th, 2009

A breach at Network Solutions has exposed details for more than 500,000 credit and debit cards after hackers penetrated a system it used to deliver e-commerce services and planted software that diverted transactions to a rogue server, the hosting company said late Friday.

The unauthorized software was in place from March 12 to June 8 and affected transactions Network Solutions processed on behalf of 4,343 merchant websites that mostly belonged to small businesses, spokeswoman Susan Wade said. While the company discovered the software in early June, it waited until the close of business Friday to disclose the breach. Wade said it took until July 13 for forensics investigators to crack the code and understand how it worked.

“We have been working around the clock to get this announcement ready. We’re really making an effort to be forthcoming. This is really tough on our customers that were impacted, and we feel very badly,” Wade said.

Network Solutions is working with undisclosed law enforcement agencies to figure out who is responsible for the breach and how it happened. In all, details for 573,928 cardholders may have been siphoned in the attack, which affected different merchant websites at different times over the three-month period that the rogue software was in place.

So far, there are no indications that any of the exposed cards have been misused.

Network Solutions has offered to foot the bill for notifying affected cardholders so those costs don’t have to be borne by the merchants who used the company’s e-commerce service. In most US states, laws require such notices to be made when breaches are discovered that expose credit card information.

The company is also making 12 months of fraud-monitoring services available free of charge to cardholders whose information was exposed. Affected merchants and cardholders can enroll by visiting http://www.careandprotect.com, which walks them through the process.

Credit: The Register

Confirmed Zero-day Flash Vulnerability In Latest Adobe Reader And Acrobat 9.1.2, Adobe Flash Player 9 And 10

Wednesday, July 22nd, 2009

Adobe is investigating a critical vulnerability in its Flash format that is currently being exploited by hackers using malicious PDF documents, according to the company’s security team and outside researchers.

Adobe said little in a short entry to its security blog late Tuesday. “Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10,” said Brad Arkin, the company’s director for product security and privacy. “We are currently investigating this potential issue.”

Reader and Acrobat 9.1.2 are the most current versions of those applications.

An Adobe spokesman early Wednesday confirmed that the vulnerability was an issue within Flash content that is inserted into a PDF (Portable Document Format) file. Users can drop Flash movies into PDF files, for instance.

VeriSign’s iDefense said it spotted an in-the-wild attack exploiting the Flash zero-day, according to a message posted to Twitter yesterday. “iDefense recently investigated a targeted attack using [an] embedded zero-day Flash exploit inside a PDF file,” the security intelligence company said.

Adobe has had its share of security problems this year, particularly with Reader, the popular PDF viewer. In mid-March, for example, it plugged several holes in Reader, including one that had been exploited by hackers since early January. Then in both May and June it followed that with further fixes to quash another Reader zero-day and patch another 13 bugs in the viewer.

Security was also at issue this week when Danish bug tracker Secunia noticed that Adobe continues to provide an outdated edition of Reader for download. Yesterday, Adobe reacted to Secunia’s report by saying it was reevaluating how its software updater operated.

iDefense did not immediately respond to a request for more information on its findings, while Adobe’s spokesman said details of the Flash-PDF vulnerability would be posted on the company’s security blog when they are available.

Credit: ComputerWorld.com

Vulnerable DD-WRT Firmware Exposes Wireless Routers

Wednesday, July 22nd, 2009

A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it.

The remote root vulnerability affects the most recent version of DD-WRT, a piece of firmware many router users install to give their device capabilities not available by default. The bug allows unauthenticated users to remotely gain root access simply by luring someone on the local network to a malicious website.

The bug resides in DD-WRT’s Hypertext Transfer Protocol (HTTP) daemon, which runs as root. Because the httpd doesn’t sanitize user-supplied input, it’s vulnerable to remote command injection. While the httpd doesn’t listen on the outbound interface, attackers can easily reach it using CSRF (cross-site request forgery) techniques.

What’s more, exploits need not be part of an authenticated session, making them easy to carry out. Examples of URLs that allow remote takeover include http://routerIP/cgi-bin/;command_to_execute or even http://192.168.0.1/cgi-bin/;CMD
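The request shape quoted above (a shell metacharacter smuggled into the CGI name) is easy to recognise both in a hardened dispatcher and in web-server logs. The following added example, which is not DD-WRT code and not part of the original article, shows both sides: a whitelist rule a CGI dispatcher can apply before a script name ever reaches a shell, and a scanner that flags such requests in access-log lines. The log lines are constructed for illustration and use Common Log Format; the DD-WRT httpd is not assumed to log in that format.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). Assumption: the
# device's httpd writes lines like these; they are illustrative only.
SAMPLE_LOG = """\
192.168.0.23 - - [22/Jul/2009:10:01:02 +0000] "GET /cgi-bin/;reboot HTTP/1.1" 200 0
192.168.0.23 - - [22/Jul/2009:10:01:05 +0000] "GET /Status_Router.asp HTTP/1.1" 200 4120
192.168.0.41 - - [22/Jul/2009:10:02:17 +0000] "GET /cgi-bin/%3Bid HTTP/1.1" 200 0
192.168.0.41 - - [22/Jul/2009:10:02:30 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that turn a CGI name into extra shell commands when the name is
# concatenated into a command line unsanitised.
SHELL_META = re.compile(r"[;|&`$\n]")

# Whitelist for the hardened check: one path component, these characters only.
SAFE_CGI_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def cgi_name_is_safe(path):
    """Hardened dispatch rule: accept only /cgi-bin/<safe-name>.

    The name is percent-decoded first so %3B cannot slip past the check, then
    must be a single non-empty component with no metacharacters, slashes or
    traversal. Everything else is refused before any command is built.
    """
    path = unquote(path)
    if not path.startswith("/cgi-bin/"):
        return False
    name = path[len("/cgi-bin/"):]
    return bool(SAFE_CGI_NAME.match(name)) and name not in (".", "..")


def find_command_injection(log_text):
    """Scan access-log lines; return (ip, timestamp, decoded path) for every
    request whose /cgi-bin/ path carries a shell metacharacter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a CLF line
        path = unquote(urlsplit(m["target"]).path)     # strip query, decode %xx
        if path.startswith("/cgi-bin/") and SHELL_META.search(path):
            findings.append((m["ip"], m["ts"], path))
    return findings


if __name__ == "__main__":
    for ip, ts, path in find_command_injection(SAMPLE_LOG):
        print(f"{ts} {ip} command-injection pattern in request path: {path!r}")
```

Because the page notes the daemon is reached through CSRF from a browser on the LAN, the source addresses in such findings will be internal hosts, not the attacker; the useful pivot is which internal client was lured to the malicious page.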

DD-WRT is open-source firmware that runs on more than 200 different models of wireless routers and embedded devices, including those made by Linksys, D-Link, Buffalo, and Netgear.

A temporary fix is available here.

Credit: The Register

Bredolab Massively Infects Machines Through PDF And SWF Files, Makes Into Top Ten Threats List

Friday, July 17th, 2009

ESET has issued a press release concerning Win32/TrojanDownloader.Bredolab.AA, which made the top ten threat listing in the June ThreatSense.Net® report.

The Bredolab trojan is the top-scoring threat in the Czech Republic and Slovakia, but also scoring high in other European countries. It appears in the Top 5 list of threats in Austria, Poland, Turkey; in the Top 10 in Bulgaria, the United Kingdom, Sweden, Belgium, Russia and Germany; in the Top 20 in the Ukraine and Italy, and in the Top 40 in France. In Ireland it has climbed from 40th place into the Top 15.

This is a class of application that is intended to act as an intermediary to the infective process. The label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the malicious executable is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon. There is a great deal of Bredolab activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. Indeed, nowadays it pays to keep an eye on new patches for any applications and utilities you use. Hopefully, Adobe’s new patching mechanisms will help to reduce the impact of these exploits in the longer term.

When a downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may well make changes to the system such as those described above in order to increase its chances of doing so successfully. There have also been some cases where the Bredolab trojan was downloaded by other downloaders in the Win32/TrojanDownloader.FakeAlert family, demonstrating a connection to rogue security application malware.

Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases.

The use of file formats such as PDF which most users think of as trustworthy is not a new tactic: in fact, like other document formats such as those used by Microsoft Office, they’re commonly used in targeted phishing attacks. However, the noticeable rise in Bredolab detections, especially in Europe, demonstrates that it is extremely active at the moment.

Users should, as always, take care when opening e-mail attachments and exercise caution while browsing the web, but they should also be sure to keep up with security patches to application software.

Credit: ESET ThreatBlog

HTC Smartphones Vulnerable To Critical File Transfer Profile Security Flaw In Bluetooth

Thursday, July 16th, 2009

If you own a mobile phone made by HTC and connect using Bluetooth, there’s a decent chance security researcher Alberto Moreno Tablado can rummage through sensitive files stored on the device using a critical bug in some of its wireless device features.

The directory traversal flaw resides in the File Transfer Profile (OBEX FTP) service that’s built into the Bluetooth stack implemented by HTC, Tablado writes here. It allows an attacker to move from a phone’s Bluetooth shared folder into other folders and affects HTC handsets running versions 6 and 6.1 of the Microsoft Mobile operating system.

“Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects this vendor specifically,” Tablado says. “A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks.”

Getting the required authentication or authorization rights may be easier than it sounds. Pairing the HTC handset with a Bluetooth device should do the trick, but more sophisticated techniques will also work. They include sniffing the Bluetooth pairing, cracking the link key or spoofing the MAC address. Once the needed privileges are acquired, an attacker can remotely read or overwrite virtually any file stored on the device in a way that’s completely transparent to the victim.
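The defect described above is a missing confinement check: the OBEX FTP service takes a client-supplied name, joins it to the shared folder and never verifies that the result still lies inside that folder, so `../` or `..\` components walk out of it. The following added example, not HTC’s code and not part of the original article, shows the check such a service needs. It accepts both separators (the page notes that both `../` and `..\\` forms work against the affected stack), rejects absolute names and any `..` component outright, and confirms the normalised result is still under the share root. The shared-folder path and the sample request names are constructed for illustration.

```python
import posixpath

# Assumption: illustrative shared-folder root, not the real HTC path.
SHARED_ROOT = "/My Documents/Bluetooth"


def resolve_shared_path(shared_root, requested):
    """Map a client-supplied OBEX name onto a path inside shared_root.

    Raises PermissionError for anything that would leave the share. The rule
    is deliberately strict: a '..' component is refused even when it would
    net out inside the share, so there is no edge case to reason about.
    """
    rel = requested.replace("\\", "/")       # treat '\' like '/' (Windows Mobile accepts both)
    if "\x00" in rel or rel.startswith("/"):  # NUL truncation, absolute names
        raise PermissionError(f"refused: {requested!r}")
    parts = []
    for comp in rel.split("/"):
        if comp in ("", "."):                 # empty or current-dir components are harmless
            continue
        if comp == "..":                      # parent-dir component: the traversal primitive
            raise PermissionError(f"traversal refused: {requested!r}")
        parts.append(comp)
    full = posixpath.join(shared_root, *parts) if parts else shared_root
    norm = posixpath.normpath(full)
    # Belt and braces: the normalised path must still be the root or under it.
    if norm != shared_root and not norm.startswith(shared_root + "/"):
        raise PermissionError(f"escaped share: {requested!r}")
    return norm


def check_requests(shared_root, names):
    """Evaluate a batch of client names; returns name -> ('allowed', path) or
    ('denied', reason). Handy for unit tests and for logging refused attempts."""
    results = {}
    for name in names:
        try:
            results[name] = ("allowed", resolve_shared_path(shared_root, name))
        except PermissionError as exc:
            results[name] = ("denied", str(exc))
    return results


# Constructed sample of names an OBEX client might send.
SAMPLE_NAMES = [
    "photo.jpg",
    "sub\\readme.txt",
    "./notes.txt",
    "../secret.txt",
    "..\\..\\Windows\\x.dat",
    "\\Windows\\x.dat",
    "sub/../../x",
]

if __name__ == "__main__":
    for name, (verdict, detail) in check_requests(SHARED_ROOT, SAMPLE_NAMES).items():
        print(f"{verdict:7} {name!r:28} -> {detail}")
```

On a real device the final comparison should be done on the canonical path the filesystem will actually open (after resolving links and short names), otherwise a symlink inside the share can re-introduce the same escape.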

Tablado says he first notified HTC of the bug in February. “However, I only received acknowledgement responses from HTC Europe Support (Tech), no intentions to release a security fix from HTC Taiwan. Therefore, having attempted to collaborate with the vendor, I am forced to go public with all the information yet undisclosed.”

A spokesman for HTC America didn’t immediately return a phone call seeking comment for this article.

Credit: The Register