Wireless security, the year of living dangerously

The National Association of State CIOs has issued a report on wireless security, entitled “The Year of Working Dangerously”. Link to the report here.

While serious in nature, the report paints a somewhat humorous analogy of past technology vs. current:

“Jim, a state employee, checks the radio of his brand new 1985 Buick Riviera for a morning traffic report—everything’s normal so far. Miles down the road, however, Jim realizes that he forgot his favorite BBQ chips. Hurriedly, he spins by the grocery store only to find an empty shelf where the BBQ chips should be. Making the best of it, Jim places a refill order on an existing prescription at the grocery’s pharmacy counter. Back on the road, Jim finds a long line at the toll road because of drivers with incorrect change. Frustrated, he turns on the radio, dialing past the music of Bruce Springsteen and John (still Cougar back then) Mellencamp, only to miss important detour information. What Jim also does not know is that a very time-sensitive message is waiting for him on his desk. Once at work, Jim scrambles between meetings with colleagues and accessing and reviewing files on his new desktop computer with a massive 20 MB hard drive.

Fast forward twenty years. Again taking off without his BBQ chips, Jim’s wife alerts him via his smart phone. This time, he finds his BBQ chips in plentiful supply. Radio Frequency Identification (RFID) tracking at the pallet level helps the grocery store stay well-stocked and also ensures that Jim’s prescription does not contain counterfeit substances. Jim checks out quickly by waving his RFID payment key fob at the cashier counter. At a stoplight, Jim reads an urgent email on his smart phone. He then breezes past the toll booth in his silver Nissan 350Z Coupe without stopping. The toll booth’s RFID reader automatically scans an RFID-tagged sticker on Jim’s car and deducts the toll from his pre-paid account. Listening to Coldplay’s new single, Jim receives a traffic advisory from his on-board telematics system. On time to work because his on-board navigation system guided him through a detour, Jim powers up his wireless laptop with the needed files and conducts a meeting in a colleague’s office. Jim’s use of a smart phone, wireless network and laptop do not compromise sensitive state information because of good security and privacy protection measures and training the state provided to Jim and his colleagues about the responsible use of wireless technologies.”

Kids hack computers, go to jail?

This is nuts.  A dozen kids at Kutztown Area High School “hacked” into the school’s network.  Ok, it’s very wrong, but the clueless luddites at the high school are pressing felony charges.  

From an editorial in the local newspaper:

“…Nobody is accused of altering grades or stealing personal information. The school district likens the tampering to vandalism of school property, saying it had to spend time and money for its technicians (who seem to have been outwitted by the savvier students at every turn) to restore the altered software to its original state….Felony charges against the students also fail to reflect the school district’s culpability here. The district inadvertently gave out its password to students by taping it to the back of the laptops. No computer system is invulnerable, but the district’s firewalls have looked more like speedbumps.”

What these kids did is completely wrong and should be punished.  However, I think most techies can see themselves as bright, bored (and usually nerdy) teenagers having maybe done the same thing.  

What happened to the normal disciplinary actions like suspension, detention or God forbid, being forced to do extra PE? 

I know what I might do as principal: Have the kids make up the damage by working as sys admins for the school. 

But felony charges? Give me a break.

Feel free to comment.

Alex Eckelberry

Grokster madness continues!

After my last blog entry on Grokster, I got some interesting new things to look at.

Eric Howes emailed me with this snippet: “Just tested the Grokster install on a Win2K machine: this thing drops the .NET install bomb on computers without .NET already (which may be why you didn’t see this). No surprise, really, given that it installs BroadcastPC.tv, which was the culprit in the previous rounds. As with those previous installs, there is no notice whatsoever that .NET would be installed.”

So Grokster is installing a BIG FAT .NET PAYLOAD!!!  Sounds familiar…

Then Alex Morganis blogs that Grokster is installing a trojan.    Interestingly, he got the same results I did, but F-Secure is tagging one of the files as a trojan. It’s this nasty KVM thing, whose entire purpose in life is to bring down other adware (Eric’s seen it on other sites as well, such as 4w-wrestling(dot)com).

And now, for the final blow, Grokster hoodwinked someone at Download.com, who despite their laudable “Zero Tolerance No Adware” policy, has allowed Grokster to be downloaded again.

The download.com version is different from the one on the Grokster site, but pretty darned close.  It still installs Cydoor, which displays ads (within the Grokster app). It still pops you to http://client(dot)grokster(dot)com/us/start/?c=as&ver=265, which provides friendly adware installs.  And then on reboot it prompts the user to install BlueTide Software (Surf Sidekick), which displays pop-up ads on the user’s desktop in response to user web browsing.

This Grokster install at Download.com is the second piece of adware we’ve seen back on the download.com site. The other is Warez p2p, which does contextual advertising as well as installing new.net.  

One of our researchers reports that after allowing this Grokster installation to fester for a while, the installed software downloaded a raft of other software, including ABI/Aurora.

Madness.

Alex Eckelberry

Zotob? Relax, take the blue pill

Another example of how Microsoft can just make a blogger’s day.  

Microsoft issued a statement on Zotob last night.

“There are currently a number of press reports regarding an Internet worm called Zotob. News reports had indicated that there was potentially a new worm. We are not aware at this time of a new attack; instead our analysis has revealed that the reported worms are different variations of the existing attack called Zotob. Microsoft has reviewed the situation and continues to rate the issue as a low threat for customers…Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack.”

Windows uber-guru Paul Thurrott at Windows IT Pro lashes out: “This statement bears little comfort for companies such as ABC, Caterpillar Company, CNN, Daimler Chrysler, “The Financial Times,”  Kraft Foods, “The New York Times,” San Francisco International Airport, SBC Communications, United Parcel Service (UPS), and The Walt Disney Company, all of which suffered computer crashes, downtime, and repeated reboots because of the worm attacks. According to reports, at least six separate worms have exploited Microsoft’s recently revealed flaws.”

He goes on to make this point: “…Only Win2K, eh? According to AssetMatrix, Win2K is the most-often used Windows version in medium- and large-sized corporations, edging out XP 48 percent to 37 percent. Put another way, roughly half of all Windows installations in corporations are Win2K”

Zotob is not light stuff.  It is hitting companies.  While someone could say that system administrators out there should have taken steps to patch their systems earlier, many of these IT professionals are harried souls dealing with meager budgets and lack of resources. 

I respect Microsoft for having patched this thing, but judging from the current emotional level on the ‘net, the PR team at Wagged might put in a dash more compassion in Microsoft’s statements on Zotob.

Alex Eckelberry

Grokster is back with their ad-supported version

Grokster had pulled their adware-laden, advertising-supported version, offering only a paid-for version.  Now the advertising-supported version is back, offering loads of fun for all users.

I thought maybe Grokster got religion.  After all, they lost with the Supreme Court.  People have been upset about adware in Grokster for quite some time.

Wrong.

First, the text on the free download page is totally confusing.  It says: “In order to download the free version of Grokster, you must agree to install all of the adware listed below during the Grokster install” (it also classifies this adware as “valuable downloadable software”).

However, you can un-check the boxes, which gives you the impression that you can take these little adware components off.

[image: Grokclick]

Well, uncheck away, because it doesn’t seem to matter.  There’s this little thing at the end of the page:

[image: Grok4]

Now, here’s what’s odd.  It doesn’t seem to actually install these components, even though it tells you it will. You get other stuff though (like WinFixer), but not nearly as much as you see above.

Maybe they want to leave that as an option in the future.

At any rate, after the install you get presented with some pop-up about installing Crystal Palace. You also get directed to a start page (http://client(dot)grokster(dot)com/us/start/?c=af&ver=265), which instantly pops up an installer for another piece of adware.

[image: Kvm123]

Going back to that same page, you get an ActiveX prompt (which looks like this under XP SP2):

[image: Grok2]

Clearly, they have a bit of a ways to go…A lot of the problem seems to revolve around the client.grokster site.

Maybe it doesn’t matter, because the prominent images linking to Music pages go to Mediafeast, which is, well, out of business.

Alex  

HTTP request smuggling

“HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks – web cache poisoning, session hijacking, cross-site scripting and most importantly, the ability to bypass web application firewall protection.”

Link.
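The quoted description turns on one point: two devices in the path disagree about where a request ends. The check below is an added example, not code from the post or the linked paper. It is the kind of strict framing rule a front-end proxy or WAF can apply so that it never has to guess how the origin will parse the request: any request whose length could be read two ways is refused outright. The sample requests are constructed for the example.

```python
# Added example: a strict request-framing check of the kind a front-end proxy
# or WAF can apply so it never has to guess how the origin server will parse a
# request. Sample requests below are constructed for the example.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    headers is a list of (lowercased name, value) pairs in original order;
    duplicates are kept so the caller can see them.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLFCRLF")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        raw_name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without colon")
        name = raw_name.decode("latin-1")
        if name != name.strip():
            # "Transfer-Encoding : chunked" and obs-fold continuation lines are
            # exactly the shapes that different parsers treat differently
            raise ValueError("whitespace around header name")
        headers.append((name.lower(), value.decode("latin-1").strip()))
    return request_line, headers, body


def framing_verdict(raw: bytes) -> str:
    """Return 'ok' when the request length is unambiguous, else 'reject: <why>'."""
    try:
        _, headers, _ = parse_request(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]

    if content_lengths and transfer_encodings:
        # RFC 7230 says Transfer-Encoding wins, but devices disagree in
        # practice; refusing the combination removes the discrepancy
        return "reject: both Content-Length and Transfer-Encoding present"
    if len(set(content_lengths)) > 1:
        return "reject: conflicting Content-Length values"
    for value in content_lengths:
        if not value.isdigit():
            return "reject: non-numeric Content-Length"
    for value in transfer_encodings:
        if value.lower() != "chunked":
            return "reject: non-canonical Transfer-Encoding"
    return "ok"


# Constructed sample requests
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 11\r\n\r\nuser=alice&")
BOTH_HEADERS = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUPLICATE_CL = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nuser=alice&")
OBFUSCATED_TE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n")


def check_samples():
    """Run the verdict over the constructed samples, keyed by sample name."""
    samples = [("clean", CLEAN), ("both headers", BOTH_HEADERS),
               ("duplicate CL", DUPLICATE_CL), ("obfuscated TE", OBFUSCATED_TE)]
    return {name: framing_verdict(req) for name, req in samples}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:14s} {verdict}")
```

The design choice is to reject rather than normalise: a front end that rewrites a request into canonical form and forwards it is still guessing what the origin would have done with the original, whereas a refused request can only be one request.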

Ma, I’m not playing GTA, I’m playing Solitaire!

Off topic: A “PSP hacker by the name of Matan phoned in to let us know he ported Bochs (an open-source x86 emulator) to the PSP…” Link (thanks to BoingBoing and Wonderland)

So now you can run Windows 95 and Linux on your PSP!


Thankfully, there isn’t a whole lot of spyware that runs on Windows 95.

Alex Eckelberry

UK users apathetic about ID theft

Unisys UK proclaims UK users are apathetic about ID theft

To our neighbors (and erstwhile masters) across the pond, I’m happy to show you some examples of UK people who got nabbed in the recently discovered ID theft ring.

I don’t know if Unisys overstated the problem, but here is what they found:

  • 11% of UK consumers have been the victims of identity theft and fraud
  • 58% have no desire to be educated about fraud
  • 61% have no concerns about the safety of bank or building society accounts
    (only 9% worry a lot compared to almost twice that for U.S. consumers)
  • 73% of consumers have never been contacted by their banks to discuss potential fraud
  • 50% would not switch banks or building societies if offered better security protection

Unisys thinks it’s costing businesses 1.3 billion pounds a year. 

Alex Eckelberry

Vigilante group shuts down 15 banks

The LazyGenius writes about an article originally posted on CastleCops, on how Artists Against 419 have successfully shut down 15 banks through their vigilante activities. 

[image: Artists]

As you may know, the infamous “Nigerian” scams (also called 411 or 419 scams, after the section of the Nigerian penal code that deals with this type of fraud scheme) are those weird emails you get asking you to help some poor Nigerian diplomat get money out of his country.  There are many variations of these scams, as we’ve blogged on before.

Artists against 419 is a group of people who try to take down the bandwidth of scammer banks by linking to images on the fake bank’s websites. 

Alex Eckelberry

Does Government data mining violate the 4th amendment?

The Fourth Amendment of the Constitution protects against “unreasonable searches and seizures”.  (For the reasons why the Fourth was created, see this article).

Over 50 federal agencies are either currently or planning to perform data matching and mining, in some cases for anti-terrorism reasons.

So does this violate the Fourth?

According to an article in a forthcoming Georgia Law Review by Daniel Steinbock of the University of Toledo, it seems it might. To wit: “The most striking aspect of virtually all anti-terrorist data matching and data mining decisions is the absence of even the most rudimentary procedures for notice, hearing, or other opportunities for meaningful participation.”

Alex Eckelberry

Other Person Syndrome

Are friends, family and boyfriends the root of spyware infestations? Security researchers the world over have noticed a trend when it comes to spyware and virus infections–the Other Person Syndrome (OPS). 

Invariably, researchers who encounter a severely infested machine will notice that infection may not have necessarily come from the primary user. Instead, they come from a boyfriend, the babysitter, kids or a friend who “just used the computer for a bit”. 

The lesson here is obvious:  People bring their own bad habits into your computer and can wreak havoc.  

Of course, this is all anecdotal, but there’s a big fat grain of truth in there. A while back, I did some spyware de-infestations on a couple of neighbor’s systems.  One had a babysitter who would come over to sit their child, and the machine would start getting all funky with spyware.  Another had two teenage daughters, who were active on the ‘net (oh man, that was a bad infestation — really bad).  I believe that the kids and the sitter were responsible for the infestations.

Eric Howes, who gave me the idea for this blog entry, says more to support this position:

“I’ve cleaned a lot of my students’ PCs over the years. Most of them have been females. And every single one tells the same story: ‘My PC was running fine until my boyfriend visited this weekend. He used it for a few hours. And now my PC is deluged with porn pop-ups and something trying to dial out from my modem.’ It’s the same story every single time. And if the boyfriend happens to be under 25 years of age, you can be sure the PC is riddled with porn dialers.

He points out that “Caroline” is now telling that very story at BroadBandReports:  

The strange thing is that for the past 3 years I have not had a problem.  The occasional MyDoom was getting stopped by Norton Antivirus and the odd thing popped up here or there. It has been in the past few months I keep getting problems.

It came to a head when I was on holiday and my boyfriend was using my PC – and he said he got 6 consecutive alerts of viruses coming through email. All got stopped apart from SmitFraud. So when he could not eradicate it, he purchased XoftSpy and another program which he was told would get rid of it.

Since then, Norton rarely reports email alerts and NEVER reports anything on virus scans – I have always used liveupdate every day or so.

Now, We Know for A Fact That Men are Inherently Bad (an argument supported by empirical evidence).  But I think the problem is much larger than just men.  We see people getting infected in all kinds of places; you might find spyware on horoscope sites, lyric sites and wrestling sites.  Of course, playing on the dark edges of the internet (the two Ps — porn and piracy) certainly increases your chances of infecting your pristine machine, but there’s plenty of stuff out there for everyone—naughty or nice.  

What should you do apart from the normal type of security things?  Primary users on their computers should set up accounts with Restricted Access to avoid the dreaded OPS.  You as an administrator can control what’s installed, but when someone else wants to use your PC, put them on a Restricted Account.  Password protect your own Administrator account.

Heck, it IS your computer, after all.

Alex Eckelberry

Zotob

Contrary to your probable first impression, Zotob is NOT the third bastard child of Haruk the Klingon. 

In fact, it’s a nasty new worm that uses a vulnerability in Plug and Pray, allowing an attacker to take control of a Windows system remotely.

Windows 2000 systems are particularly at risk, although XP and Server 2003 systems also carry some risk of infection.

According to SANS:

“The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.

Important facts so far:
– Patch MS05-039 will protect you
– Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
– Blocking port 445 will protect you (but watch for internal infected systems)
– The FTP server does not run on port 21. It appears to pick a random high port.”

Patch those systems!

Note that in certain rare cases, Zotob can infect Windows XP and Windows Server 2003 systems if the computers were set up to enable Null sessions.  See the PC World article here.
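The SANS description gives a defender two things to look for on the network: a host sweeping 445/tcp, and a freshly hit host connecting back to its infector on a random high port to pull the payload over FTP. The following is an added example, not code from SANS or from this post, showing that detection logic run over a handful of constructed connection-log lines; the log format, addresses and timestamps are invented for the example.

```python
# Added example (not from the SANS note or the post): detection logic run over
# constructed connection-log lines, looking for the two behaviours the quote
# describes: a host sweeping 445/tcp, and a victim pulling the payload back
# from its infector over an ephemeral high port.
import re
from collections import defaultdict
from datetime import datetime

# constructed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> tcp <action>"
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([\d.]+):\d+ -> ([\d.]+):(\d+) tcp (\w+)$"
)


def parse_log(lines):
    """Return [(timestamp, src, dst, dport, action)] sorted by time; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    events.sort(key=lambda e: e[0])
    return events


def find_445_scanners(events, window_s=60, threshold=10):
    """Sources that touch >= threshold distinct hosts on 445/tcp inside any window_s span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if (ts - start).total_seconds() <= window_s}
            if len(targets) >= threshold:
                scanners.add(src)
                break
    return scanners


def find_payload_fetches(events, max_gap_s=120):
    """(victim, infector) pairs: an inbound 445 connection from infector to victim,
    followed within max_gap_s by the victim connecting back to the infector on a
    port >= 1024 (the worm's FTP pull from a random high port on the infecting host)."""
    last_445 = {}   # (victim, infector) -> time of the most recent 445 hit
    pairs = set()
    for ts, src, dst, dport, _ in events:
        if dport == 445:
            last_445[(dst, src)] = ts
        elif dport >= 1024 and (src, dst) in last_445:
            if (ts - last_445[(src, dst)]).total_seconds() <= max_gap_s:
                pairs.add((src, dst))
    return pairs


# constructed sample: 10.0.0.5 sweeps twelve hosts in eleven seconds; 10.0.1.7 pulls the payload back
SAMPLE_LOG = [
    f"2005-08-15 09:12:{i:02d} 10.0.0.5:{1034 + i} -> 10.0.1.{i + 1}:445 tcp allow"
    for i in range(12)
] + [
    "2005-08-15 09:12:09 10.0.1.7:1057 -> 10.0.0.5:33821 tcp allow",   # victim fetches payload
    "2005-08-15 09:30:00 10.0.0.9:1099 -> 10.0.0.20:445 tcp allow",    # one ordinary file-share open
    "2005-08-15 09:31:00 10.0.0.9:1100 -> 10.0.0.21:8080 tcp allow",   # high port, no prior 445: ignored
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("445 sweepers:", find_445_scanners(events))
    print("payload pulls (victim, infector):", find_payload_fetches(events))
```

The second rule is the more useful one on a network where 445 traffic is normal: a single file-share connection never trips the sweep threshold, but a host that was just touched on 445 and then opens a connection back to that same peer on an ephemeral port is doing something a Windows file-share client does not do.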

Alex Eckelberry 
(Tip ‘o the hat to Eric)

iDefense says identity theft ring not related to CWS

Oy vey, if people would only read this blog or contact us before jumping to conclusions.

iDefense, which was recently acquired by Verisign, has analyzed the code for the keylogger we reported on and has released a statement that they have determined “it’s not CoolWebSearch code”.

Of course it isn’t.

Hello, people, we never said it was CoolWebSearch. The call back to the remote server was found during a CoolWebSearch infestation.

Furthermore, when we finally got a hold of the keylogger, we clearly stated that the keylogger is a new variant of the Dumaru/Nibu trojan (and a nasty piece of work).

Also, all the infections we’ve found are on unpatched Windows systems. Link here.

Alex

NIST launches computer vulnerability database

Another website for security professionals to keep in their arsenal.

From the alert:

The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures.

Updated daily, NVD currently contains information on almost 12,000 vulnerabilities. It allows users to search by a variety of characteristics, including vulnerability type, severity and impact; software name and version number; and vendor name. NVD also can be used to research the vulnerability history of a product and view vulnerability statistics and trends.

Alex Eckelberry
Thanks to beSpacific

Webroot nabs McAfee bigwig

Word on the street: Webroot just snagged McAfee’s Senior VP of Corporate Development, Seksom Suriyapa, to become Sr. VP of Business Development over at Webroot.

Why interesting? It shows the continuing and growing legitimacy (and market share gains) of antispyware companies in a space that should be owned by the AV companies.  Replacing the AV companies’ hegemony in security is a new breed of innovative security companies like Webroot and PC Tools (and I daresay Sunbelt).

Mr. Buggy whip: Meet your friend, Mr. AV.

Alex Eckelberry

CoolWebSearch issues statement

Here is their statement from their website.

------------------------------------------------------------
News Update (2005-08-09):

As you may have heard, there is a new spyware identity theft ring out there:
http://news.yahoo.com/s/zd/20050808/tc_zd/157623
http://sunbeltblog.blogspot.com/

For some obscure reason, they keep claiming that it has something to do with coolwebsearch. It does not. We urge anyone who has any evidence on this actually being linked to us to come forward and let us know. If one of these people is actually working for us, we will contact the FBI and release his information immediately. In addition we will of course close his account and withhold his or her payment for violation of our rules, as we have done with all the so called “hijackers”.

Our lawyers are currently thinking of suing yahoo and all the other places who posted this article with “CoolWebSearch” in it as the name of the so called exploit for slander. Please get your facts straight before doing these things.

For reference purposes, this is how you find out whether or not a site is related to coolwebsearch: you click a link and you track where the redirections go. If it goes through the CWS ip, which is currently 66.250.74.152, or the domain coolwebsearch.com then it’s CWS, otherwise, IT’S NOT! There are dozens of hijacker outlets out there, and they are all called “CoolWebSearch” by those who do not bother to check their facts before posting articles on news sites.

------------------------------------------------------------

Please. Sunbelt has never said this keylogger was coming from CWS.  We said exactly the following: “This keylogger is not CoolWebSearch.  It was discovered during a CoolWebSearch (CWS) infestation, but it actually is its own sophisticated criminal little trojan that’s independent of CWS.”

Alex Eckelberry
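The CWS statement above spells out its own test for attribution: follow the redirect chain from a link and see whether any hop goes through 66.250.74.152 or coolwebsearch.com. The code below is an added example, not Sunbelt's tooling or anything CWS published, that applies exactly that test hop by hop. The IP and domain are the ones named in the statement; the HTTP responses, DNS answers and hostnames ending in .example are constructed stand-ins so the example runs offline.

```python
# Added example (not from the statement or the post): a hop-by-hop redirect
# tracer that applies the test CWS describes, checking each hop's host against
# the IP and domain named in the statement. The responses and DNS answers below
# are constructed stand-ins so the example runs offline.
import socket
from urllib.parse import urljoin, urlsplit

CWS_IPS = {"66.250.74.152"}          # the IP named in the CWS statement
CWS_DOMAINS = {"coolwebsearch.com"}  # the domain named in the CWS statement
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def trace_redirects(url, fetch, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.

    fetch(url) must return (status, location_header_or_None) WITHOUT following
    redirects itself, otherwise the intermediate hops are never seen.
    """
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return hops
        url = urljoin(url, location)   # Location may be relative to the current hop
        hops.append(url)
    raise RuntimeError(f"more than {max_hops} redirects, giving up")


def host_is_cws(host, resolve):
    """True if host is the CWS IP, the CWS domain (or a subdomain), or resolves to the CWS IP."""
    host = host.lower().rstrip(".")
    if host in CWS_IPS:
        return True
    if any(host == d or host.endswith("." + d) for d in CWS_DOMAINS):
        return True
    return bool(CWS_IPS & set(resolve(host)))


def cws_hops(hops, resolve):
    """The subset of hops that pass through the infrastructure named in the statement."""
    return [u for u in hops if host_is_cws(urlsplit(u).hostname or "", resolve)]


def dns_resolve(host):
    """Real resolver for live use; returns [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


# constructed offline stand-ins (hostnames invented for the example)
FAKE_RESPONSES = {
    "http://hijack-outlet.example/go": (302, "http://66.250.74.152/r?u=1"),
    "http://66.250.74.152/r?u=1": (302, "/final"),          # relative Location header
    "http://66.250.74.152/final": (302, "http://search-landing.example/"),
    "http://search-landing.example/": (200, None),
    "http://other-outlet.example/go": (302, "http://search-landing.example/"),
}
FAKE_DNS = {"search-landing.example": ["203.0.113.10"]}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for start in ("http://hijack-outlet.example/go", "http://other-outlet.example/go"):
        hops = trace_redirects(start, fake_fetch)
        verdict = "CWS" if cws_hops(hops, fake_resolve) else "not CWS"
        print(start, "->", verdict, hops)
```

For live use, swap in a fetch function built on http.client (which does not follow redirects on its own) and pass dns_resolve as the resolver; the point of tracing one hop at a time is that a client which auto-follows redirects reports only the final landing page, which is precisely the hop that tells you nothing about who sent you there.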