August 26, 2008

Fallout From the Debian SSL Vulnerability?

“US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as ‘phalanx2’ is installed.

“Phalanx2 appears to be a derivative of an older rootkit named ‘phalanx’. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

(Link)
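The first step of the chain US-CERT describes, a legitimate key turning up from an address it has never been used from, is something a defender can watch for in sshd's own "Accepted publickey" log lines. The following is an added example, not part of the US-CERT notice or of this post; the log lines, host name, addresses and key fingerprints are constructed samples, and the baseline/recent split stands in for a log window you trust versus the one you are reviewing.

```python
"""Flag a known SSH key used from an unfamiliar source address.

Added example (not from US-CERT or this blog). The log lines follow the shape
of OpenSSH's "Accepted publickey" message; every host, address and fingerprint
is a constructed sample.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed: a quiet week of logins used to learn which key comes from where.
BASELINE_LOG = """\
Aug 18 02:11:03 build01 sshd[4123]: Accepted publickey for deploy from 10.1.2.10 port 50112 ssh2: RSA SHA256:aaaaAAAA1111
Aug 19 02:14:41 build01 sshd[4190]: Accepted publickey for deploy from 10.1.2.10 port 50120 ssh2: RSA SHA256:aaaaAAAA1111
Aug 20 03:02:17 build01 sshd[4301]: Accepted password for alice from 10.1.2.55 port 33001 ssh2
"""

# Constructed: later lines in which the deploy key appears from an outside
# address, followed by a never-seen key logging in as root.
RECENT_LOG = """\
Aug 26 23:48:09 build01 sshd[5877]: Accepted publickey for deploy from 203.0.113.77 port 41873 ssh2: RSA SHA256:aaaaAAAA1111
Aug 26 23:49:30 build01 sshd[5890]: Accepted publickey for root from 203.0.113.77 port 41880 ssh2: ED25519 SHA256:bbbbBBBB2222
"""


def parse_key_logins(text):
    """Return one dict (user, ip, keytype, fp) per successful public-key login.
    Password logins and unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def learn_baseline(events):
    """Map each key fingerprint to the set of source addresses it was used from."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["fp"]].add(ev["ip"])
    return baseline


def find_anomalies(events, baseline):
    """Flag logins with a key never seen in the baseline, or a known key
    arriving from an address that key has not been used from before."""
    findings = []
    for ev in events:
        if ev["fp"] not in baseline:
            findings.append({**ev, "reason": "key never seen before"})
        elif ev["ip"] not in baseline[ev["fp"]]:
            findings.append({**ev, "reason": "known key used from new source address"})
    return findings


if __name__ == "__main__":
    known = learn_baseline(parse_key_logins(BASELINE_LOG))
    for f in find_anomalies(parse_key_logins(RECENT_LOG), known):
        print(f"{f['reason']}: user={f['user']} from={f['ip']} key={f['fp']}")
```

The fingerprint is what matters here, not the user name: a stolen key is the same key, so its first use from an attacker's address is exactly the "known key, new source" case, and the keys phalanx2 exfiltrates would show up the same way at the next site.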

Posted by mhall at 9:37 PM

Behavioral Credit Scoring Opens New Vistas in Niche Cards

Oh, man:

“The FTC suit against Atlanta’s CompuCredit for allegedly ‘deceptive’ marketing practices offers a rare look inside the opaque business of credit scoring. It reveals mechanisms that consumer advocates and politicians have long suspected exist — in which purchasing behavior, not just payment history, matters.

“The allegations, in part, focus on CompuCredit’s Aspire Visa, a subprime credit card for risky borrowers. The FTC claims that CompuCredit didn’t properly disclose that it monitored spending and cut credit lines if consumers used their cards at certain places. Among them: tire and retreading shops, massage parlors, bars, billiard halls and marriage counseling offices.

“‘The company touted that cardholders could use their credit cards anywhere,’ says J. Reilly Dolan, assistant director for financial practices at the FTC. ‘What they didn’t say was that you could be punished for specific kinds of purchases.’”

(Link)

Obviously & up front: It’s CompuCredit’s credit to extend or deny.

My first inclination is also to say “Well, a company behaving like that is probably doing people a favor by reducing the risk they’ll borrow much money from it.”

On the other hand, there are less obvious dynamics at work. One, for instance, is what happens to people trying to rebuild credit using CompuCredit’s cards who find their limit slashed. Credit scoring models include the amount of available credit one is utilizing, which means someone responsibly utilizing less than 50 percent of available lines of credit could find him or herself with a reduced credit score by buying the wrong thing.

As the article notes, there’s also the usefulness of this kind of model in enabling discriminatory lending practices:

“The worry is that companies may tweak the credit scoring systems in unfair or biased ways, weeding out or limiting borrowers based on race, gender or sexual orientation. (In the case of CompuCredit, regulators are taking issue with the lack of disclosure, not specifically its use of behavior-based scoring.)”

I’m thinking that if behavioral scoring doesn’t raise any regulatory flags, we’ve got a potential growth market in special credit cards for assorted subcultures. You could sell the whole behavioral tracking model as a kind of disciplinary aid by making adjustments to the interest rate or credit limit for all sorts of things: liquor store visits, gasoline consumption, shopping at merchants under boycott from assorted advocacy groups, buying from small or local businesses, etc.

So, your “Sustainability VISA” might make incremental cuts to your interest rate for buying your coffee from the locally owned coffee store instead of Starbucks, or push your rates up for buying from Whole Foods instead of the more local New Seasons, or cut your credit for buying from Amazon or Barnes and Noble instead of Powell’s.

I’m sure PETA & Focus on the Family could come up with good tables of rewards and punishments for their respective constituencies.

The punitive model appeals to me, too. I’ve already got a few “rewards VISAs.” Maybe it’s time for a special “punishments MasterCard.”

It seems, however, CompuCredit isn’t doing so well:

“The complainant alleged that those stakeholders of CompuCredit involved in the action, materially misrepresented the company’s solvency in violation of the federal securities laws by publicly praising the strength of the company’s credit card marketing and collections services, falsely touting the growth of the company’s credit card business, falsely claiming that the company was in compliance with applicable federal regulations and misrepresenting the FDIC and FTC investigations into the company’s accounting practices.”

Posted by mhall at 7:53 PM

August 22, 2008

Fedora's "Illegally Accessed" Servers

From the Fedora announcement list:

“Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.

“Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems. We are using the requisite outages as an opportunity to do other upgrades for the sake of functionality as well as security. Work is ongoing, so please be patient. Anyone with pertinent information relating to this event is asked to contact fedora-legal redhat com

“One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

The message is titled “Infrastructure report, 2008-08-22 UTC 1200.”

I like “illegally accessed.” That way it sounds like something besides “compromised,” which is what most people say when an intruder manages to get into a server he or she shouldn’t.

The subject of the mail is hardly begging to be read, either.

(Link)

Update: Red Hat’s critical ssh update is worth noting here, too.

Posted by mhall at 12:50 PM

August 20, 2008

Your Treacherous Clipboard

Some malware making the rounds stores a malicious URL in its victims’ clipboards:

“Computer security firms are warning about an attack that hijacks the clipboard where copied text is stored.

“The attack puts a hard-to-delete weblink into the clipboard that, if followed, leads people to a website selling fake security software.

“The code that inserts the link has been found in flash-based adverts seen on many legitimate websites.

“The attack on the clipboard has hit both Windows and Mac users of the Firefox web browser.”

(Link)

The BBC’s coverage is in line with this story where it has cropped up in mainstream tech reporting over the past week.

Some users report that they have to reboot their machines to make the malicious clipboard content leave their clipboards. Others say it goes away when they shut down Firefox. This guy, who actually writes a clipboard application, says it goes away if you close the window or tab with the problematic Flash content, which is what I have found with a demo of the exploit.

A quick barnstorm of the overall question of browsers being able to talk to the system clipboard indicates what I learned while working on a small helper script a few months ago: Browser developers have largely decided the browser shouldn’t be able to get at the system clipboard. A lot of JavaScript designed to take advantage of IE6 allowing exactly this has to fall back to Flash on other browsers.

Here’s a demo site that shows the attack in operation: http://raffon.net/research/flash/cb/test.html. It works on Camino and Firefox, but not on Safari.

Posted by mhall at 6:19 PM

August 18, 2008

A Needed Correction on MobileMe Security

Fanboys kill. Or at least contribute to the sum of human ignorance. Here’s a good takedown of some egregious securitybabble posted to AppleInsider:

“AppleInsider.com posted an article today claiming the lack of SSL on MobileMe has caused ‘unnecessary panic’ and MobileMe is in fact secure. This is 100% false.

“I’m not sure what to make of the article. I feel like the author said a bunch of big words hoping that most people would assume he knew what he was talking about and move on.”

That’s the long and short of it. The ensuing breakdown is worth paying attention to, especially if you’ve ever stopped to wonder if there’s a difference between an encrypted login and an encrypted session.

(Link)

Posted by mhall at 5:09 PM

August 14, 2008

iPhone Thursday: Speed, Sheep, Inscrutability

Hey, good news, iPhone users! Gartner says iPhone is acceptable for the enterprise!

“Just barely, that is, as there’s still room for improvement on everything from application support to security to calendar access. Yet Apple’s latest handset is now viewed as a legitimate enterprise mobile device, according to a new Gartner report.

“‘It’s acceptable for enterprise use if the security it provides is the same as other handsets in play,’ Ken Dulaney, an analyst at Gartner (NYSE: IT), told InternetNews.com. ‘You’re only as secure as the lowest denominator,’ the analyst added.

“The iPhone features a complex password system for Microsoft Exchange users and a ‘wipe’ feature that clears the phone’s contents when a password is violated. Neither security aspect was provided on the initial firmware, according to Gartner.

“The research assessment comes as iPhone users are increasingly pushing the device through back doors to use as a workplace smartphone, since IT teams have been reluctant to formally adopt the popular handset due to what has been viewed as weak security mechanisms.”

The iPhone’s reception at DefCon has been equally enthusiastic. (Though I’m pained to point out that the “issues” reported in that link stem less from the iPhone being a rattling deathtrap of ‘sploitability and more from the essential dimness of mobile phone users of any denomination who wander into DefCon of all places, then blithely join any Wi-Fi network that presents itself.)

“While attendees are fairly careful about using their laptops on the wireless network, mobile phone users often blindly log into the network and surf away. Many of these iPhone and Windows Mobile phone users were caught and displayed on the wall. Some of the more popular phone logins captured were Twitter, ICQ and even Yahoo mail.

“Wall of Sheep member Beau Haugh said developers are constrained by small keyboards which forces them to focus on usability rather than security. ‘Special characters [in passwords] are best practices for security gurus,’ Haugh told us adding that they are ‘a big pain the butt’ to type on a phone keyboard. He added that mobile applications are usually more concerned about pulling data from sources rather than secure authentication.

“The team also discovered that many iPhone users were getting ‘owned’ as soon as they walked onto the convention floor because most users unknowingly have their phones set to automatically connect to available wireless networks. Of course this is a horrible feature to leave enabled at Defcon because the wireless network is considered to be the most hostile in the world. By the second day of the convention, the Wall of Sheep screen displayed a helpful reminder to iPhone users – ‘You don’t want your phone auto-connecting to *anything*’”

That iPhone Good News Item takes on a special poignancy when we consider iPhone Good News Item No. 3: “iPhone 3G network problems may get firmware fix”.

The speculative fix is for problems the iPhone appears to have getting and holding a connection with 3G networks, at least in the US. Maybe if those problems didn’t exist, more people at DefCon would be using their blazing fast 3G connections instead of suspending all reason and deciding “DefCon” spoken in the same breath with “Wi-Fi” sounds more safe than “stranger in a van” and “candy.”

Colleague Andy Patrizio at internetnews.com documented some of those issues on Tuesday. I haven’t noticed 3G connectivity problems because my iPhone suffers from the other 3G-related problem, which is that its GPS location services stop working unless I connect through EDGE. If I didn’t work inside my own little Wi-Fi cloud all day long, I’d be miffed. As it is, I’ve got a Mr. Spock-like sense of detachment regarding the possibility that some day I’ll be able to watch YouTube at lightning speed and know exactly where I am at the same time. Until then, like Galadriel, my iPhone has diminished and faded into the EDGE, where it will await a patch.

I don’t know if Andy’s a new Apple buyer or not, but for those reading who are, some sage counsel from Ars Technica:

“Supposedly, the ‘problem is affecting 2% to 3% of iPhone traffic,’ which doesn’t seem so bad, as long as no one else buys an iPhone. The real problem for Apple will be if the firmware upgrade doesn’t work. As it stands, we are currently at the second step in a process of customer service that will be familiar to longtime Mac users.

“There is a problem with an Apple product.
“Apple won’t admit to it.
“Someone threatens legal action.
“Apple does a recall.

“Welcome to the club, iPhone users.”

Posted by mhall at 8:03 PM

August 13, 2008

Off-the-Shelf Spyware

This is a nice summary of everything wrong with surveillance software:

“When the PC Pandora site opens, for example, a trim lady in a pink shirt pops up and cheerfully declares: ‘At this very moment, there are over 50,000 pedophiles on the Internet trying to take advantage of our children.’ Well then, I better install a program that records everything my kids do online and then spend my afternoons scanning the logs! In the eyes of these monitoring-software companies, MySpace is the devil’s playground. The promotional copy often gives the impression that setting up a page on MySpace is but the merest pretext to an after-school Roman orgy. The message: If you don’t know what ‘LMIRL’ or ‘NIFOC’ or ‘POS’ means, you might as well drop your daughter off at a truck stop right now. (That’s ‘let’s meet in real life,’ ‘naked in front of the computer,’ and ‘parent over shoulder.’)

“It’s also worth noting how these sites stress their excellent phone support—the software packages are being pitched predominately to the technically clueless. If Mom and Dad did know how to use a computer, they could easily find a recent study by the University of New Hampshire’s Crimes Against Children Research Center, ‘Online ‘Predators’ and Their Victims: Myths, Realities and Implications for Prevention.’ Or, quicker yet, they could read an excellent summary of the study by Benjamin Radford at LiveScience. As he explains, the biggest threat to kids is still their parents, the Internet has not increased the amount of sexual abuse of children, and most Web predators rarely use deception as ‘most victims are well aware that the person they are communicating with online is an adult interested in sex.’ Monitor your kids if you want, but recognize that you are spying on them, not protecting them from a new strain of evildoers.”

(Link)

Posted by mhall at 3:08 PM

August 12, 2008

iTunes as Network Security Tool

So what was I saying just before I went on summer vacation? Oh … right … you should secure your wireless network lest the Indian police raid your house.

So, summer vacation:

My parents live in the Shenandoah Valley, close enough to the Appalachian Trail that it’s about a ten minute drive to a trailhead on Skyline Drive. I used to live over the mountain in Charlottesville, but long enough ago that purchasing a wireless access point was far too extravagant when all I really needed to do to enjoy the Internet from my futon was run 100’ of CAT5 along the baseboard.

My dad finally got broadband for his house this year. He keeps his computer in the basement while my mom’s is in an upstairs office, so rather than going through the floor to run a cable he opted for Wi-Fi.

It’s fair to say that wireless security issues aren’t on dad’s radar. It’s not something he reads about, has to come in contact with professionally (he manages a social work office), or deals with much personally (he doesn’t have a laptop, he uses a Palm Tungsten, he doesn’t worry about keeping his sync data in the cloud).

When we arrived at my parents’ house last week, I had my MacBook and iPod Touch along. I got out my Touch to check my mail, thinking I’d probably have to ask dad for a password. Not because he thinks about wireless security but because it’s 2008 and his new Linksys WAP surely did some sort of security by default, right?

Nope. The Touch reported one local network with the SSID “linksys.” When I tried to connect, it didn’t prompt for a password. Convenient enough. Because nothing was getting between me and my e-mail, I let the matter go. My parents live on a quiet residential street with big lots, and I think of their home and environs the way I last spent much time there, eight years ago. I figured they’d notice anyone parked out in front of their house using a laptop.

A few days later, I had the MacBook out and had the Touch plugged in to charge it up. That meant iTunes had launched to sync up. In the sidebar, I noticed an available “Shared” music library called “Juli’s Limewire Music.” Huh. Nobody named “Juli” in my parents’ house, and I had my doubts that either of my parents were big Limewire users.

Because dad had left the defaults in place on the WAP, it was a pretty simple matter to go find the default login/password online and log in to its admin interface. I pulled up the DHCP clients list and found my iPhone, MacBook, mom and dad’s computers, along with two machines called “Juli’s Computer” and “Chris’s Computer.”

A Brief Note on Communal Wi-Fi

Despite outward appearances, I have no philosophical problem with shared Wi-Fi. When I first moved to Portland, I used a busted up Dell Inspiron laptop to run a PersonalTelco WAP. If I’m in a strange neighborhood and need connectivity, I’m always pleased to find someone with an open WAP.

Just before we moved into our current house and I had to spend a morning waiting around for the DSL installer to show up, I borrowed a cup of bandwidth from the neighbor while I sat on the floor with my laptop. I tried to follow a few rules, though. There were large software updates waiting, which I deferred. I love SomaFM, but I didn’t bother with it while I was being someone else’s guest. I didn’t upload photos, do an online backup, or spend the morning on YouTube. I certainly didn’t run Limewire or BitTorrent. I just checked my mail, read my feeds and used IM.

All that behavior struck me as polite; or at least as polite as one can be when making self-interested assumptions about the lack of a password on a nearby WLAN. If I had an open WAP, I’d hope my neighbors would do the same.

Back to Our Story

So it’s with all that in mind that I noted the existence of “Juli” and “Chris’s” computers on my dad’s network, Juli running Limewire off of it, and got hot under the collar. I have no idea whether the RIAA is still suing grandmothers, but I didn’t want my parents to help me find out.

I asked a few questions of my parents, who know most of their neighbors’ names. I didn’t go into specifics because I wondered whether they’d volunteer any information. Mom wondered if that was why her connection seemed to slow to a crawl at random, because she had been convinced it was just Comcast sucking or dad screwing something up. Dad wondered what the harm was.

I explained what the potential harm was, trying not to be too dramatic about the matter but wanting to make clear that “Juli” was using their network to do something that would use up a lot of their bandwidth and possibly cause them to be the recipients of scare-letters from their ISP, or put them in danger of dealing with some sort of litigation.

I suggested a few alternatives, but since they didn’t know which neighbor, in particular, might be “Juli,” a neighborly over-the-fence “we’d like to share, but you shouldn’t do stuff we’d have to answer for” chat was out. We could have blacklisted “Juli’s” MAC address from the WAP, but dad doesn’t want to be a network admin on the prowl for abuse from other neighbors, and I didn’t think he’d be interested in reading a good nmap tutorial.

So at my suggestion, dad opted for the simple route: We put a password on the WAP, then we set up WPA with a password that I wouldn’t use for a bank account but would trust to stop a casual connection attempt. Then we clicked “update,” let the router cycle, pulled up the DHCP client list, and verified that “Juli” and “Chris” were gone. I bookmarked a few pages in the router’s interface for my dad so he could check in easily in case their unwanted guests somehow fell into the “determined attacker” category.

Mom thought it was funny to sit on the front porch and loudly say “Hey, Juli!” when someone she didn’t know by name walked out of a nearby house. I suggested that making whoever “Juli” was have to wait around for a few weeks while the local ISP got around to sending out an installer, then having to pay for her own bandwidth, was punishment enough, and that we didn’t really know what “Juli’s” skillset might be.

The Moral of the Story

There is no moral, but I guess I have some takeaways:

  • Why on Earth, in 2008, is it possible to install a wireless access point and NOT have reasonably secure default behavior? My guess: Support calls cost money Linksys et al don’t want to pay. So they waste their time with “security buttons” and other penny-a-unit crap they fervently hope nobody will use, so they won’t have to lose a more costly five or ten minutes of call center time when passwords are forgotten.

  • None of this stuff is obvious to the people who need to understand it. Kicking “Juli” off the network and setting up WPA and a more secure administrator’s password took less than a minute, but each step involved a lot more exposition. AES vs. WPA-PSK/TKIP? There wasn’t even a default choice, and some of the options wouldn’t work, depending on the security protocol one chose, but were not grayed out or otherwise made unselectable by the admin tool in the WAP.

  • I hope “Juli” has the good sense to keep her head down if she walks by while mom’s on the porch swing calling her name out to random strangers. Dad was more amused by the whole thing than anything, and took adequate satisfaction in knowing he was more secure. Mom, however, cherishes her online Bridge games, and continues to resent the time she lost to Juli’s bandwidth hogging.

Posted by mhall at 3:50 PM

August 11, 2008

New Tool for Old Gmail Account Hijacking Trick

The attack’s not new, but a tool to automate the process is:

“You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment’s network sees that you’ve requested a new Web page and appends a tiny image at http://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.

“If this weren’t enough, Mike Perry, a reverse engineer for San Francisco based Riverbed Technologies, debuted a software tool at the Defcon hacker conference that automates this cookie-stealing method for Gmail, as well as a number of other Internet heavyweights that he says are similarly vulnerable.

“‘Web sites can say, “Only transmit cookies for the https:// version of these image elements,” but Gmail, Facebook, Amazon and a whole bunch of other sites just don’t do this,’ Perry said.

“I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled ‘Always Use https://’. While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection (https://mail.google.com) into their browser.”

Perry’s releasing the tool in the next several weeks.

(Link)
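What Perry is describing, and what the MobileMe item above (an encrypted login that does not give you an encrypted session) boils down to, is a single cookie attribute: a session cookie set over https:// without the Secure flag will be attached to any plain http:// request for the same host, including an image an attacker slipped into some unrelated page. The following is an added example, not from the original post or from Perry’s tool; it uses Python’s standard-library cookie jar as a stand-in for a 2008-era browser (which, like the jar’s default policy, sent cookies on third-party image requests). The host mail.example.com, the cookie name SID and the unrelated-site origin are constructed placeholders.

```python
"""Model of the cookie-over-http leak: the same session cookie with and
without the Secure attribute. Added example; http.cookiejar's default policy
stands in for a browser, and all hosts and values are constructed."""
import email.message
import http.cookiejar
import urllib.request

MAIL_HOST = "mail.example.com"  # placeholder standing in for the webmail host


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def login_over_https(set_cookie_values):
    """Simulate the https:// login response storing its cookies in a fresh jar."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{MAIL_HOST}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_values), login)
    return jar


def cookies_sent_for_injected_image(jar, scheme):
    """Return the Cookie header the jar would attach to an <img> fetch of
    scheme://MAIL_HOST/ triggered from an unrelated page (a third-party
    request, which is what the injected image is), or None if nothing is sent."""
    img = urllib.request.Request(
        f"{scheme}://{MAIL_HOST}/pixel.gif",
        origin_req_host="www.unrelated-site.example",  # the page the attacker altered
        unverifiable=True,
    )
    jar.add_cookie_header(img)
    return img.get_header("Cookie")


# Constructed: one session cookie, set the leaky way and the hardened way.
LEAKY = ["SID=abc123session; Path=/"]
HARDENED = ["SID=abc123session; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("no Secure flag", LEAKY), ("Secure flag", HARDENED)):
        jar = login_over_https(headers)
        for scheme in ("http", "https"):
            sent = cookies_sent_for_injected_image(jar, scheme)
            print(f"{label:14} {scheme:5} image -> {sent}")
```

The leaky cookie is handed over on the http:// image fetch even though the user only ever typed https://; the hardened one is sent on the https:// fetch only. HttpOnly is included because it belongs on a session cookie, but it is a separate control (it keeps scripts from reading the cookie) and does nothing about this particular leak.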

Posted by mhall at 12:03 PM

August 3, 2008

"Nobody Got Shot" Isn't an Argument Against WPA.

Programming Note: I’ll be on vacation this week, and I probably won’t be blogging. Be back next Monday. Hope you all have a great week.

This could have gone much worse:

“When Indian police investigating bomb blasts which killed 42 people traced an email claiming responsibility to a Mumbai apartment, they ordered an immediate raid.

“But at the address, rather than seizing militants from the Islamist group which said it carried out the attack, they found a group of puzzled American expats.

“In a cautionary tale for those still lax with their wireless internet security, police believe the email about the explosions on Saturday in the west Indian city of Ahmedabad was sent after someone hijacked the network belonging to one of the Americans, 48-year-old Kenneth Haywood.

“The IP address for the email claiming responsibility for an obscure group called the Indian Mujahideen was traced by police to Haywood’s laptop. They then raided the plush 15th-floor apartment.

“Officers believe the email could have been sent by anyone within two floors of Haywood’s flat.

“‘He has never been detained, but we have called on him and questioned him as part of the investigation,’ said Parambir Singh, a senior officer in the anti-terrorism squad.”

Back in January I noted that Bruce Schneier doesn’t secure his wireless network, and at the time I said:

“there are lots of open access points businesses are happy to provide, and unless you’re the type to shrug off stuff like ‘cops impound all your computer stuff and you end up having to cop a plea for something that’ll end up getting you on a registered sex offender list,’ the consequences of not flipping the encryption switch will be brutal.”

He remains unmoved, arguing “the terrorists are more likely to use the open network at the coffee shop up the street and around the corner.”

To which I still have to argue “better them than me.”

And this commenter on his blog:

“I have a dream that maybe some day, law enforcement will be aware of the facts of open wireless networks and networks like Tor.”

I like geek self-pity as much as the next guy, but come on! The police traced the e-mail to a specific IP, quickly conducted a raid, then let the matter rest at some questioning. Nobody was detained, nobody was, apparently, harmed. The police seem to be quite aware that there was an open wireless network involved (something they couldn’t have known, in a residential case, anyhow, until they got a look at the premises). How much more aware do they need to be? Omniscient?

It just sucked for the people hanging out in the apartment to stare down the barrel of a counter-terrorism squad’s guns.

And to bring it back around to the point I made in January, India’s police seem a lot more chill about this matter than the average American prosecutor would seem to be about pornography.

Posted by mhall at 4:03 PM

JupiterOnlineMedia

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia