Another miscarriage of justice?

This is worrisome. Marist College Professor James D. Kent stands accused of having porn on his system.

I don’t know anything about the case, but this statement is flat-out false:

Under questioning by Kent’s attorney, D. James O’Neil, Investigator Barry Friedman said he had found evidence of some viruses, so-called “trojans” and other unwanted software on Kent’s computer when he analyzed its hard drive at the state police Forensic Investigation Center in Albany. The placement of a “trojan” on a computer makes it easier for other kinds of potentially harmful viruses to find ways to attach themselves to a computer, Friedman explained.

Under questioning by Senior Assistant District Attorney Marjorie Smith, however, Friedman said none of the viruses or “trojans” he found on Kent’s computer would have enabled someone to download, sort or file the more than 60,000 images of children in provocative poses discovered on the computer.

“No known virus is capable of doing those things,” Friedman testified. [emphasis mine]

That’s simply not true (assuming that Friedman’s use of the term “virus” is the common misuse, meaning any malware). I even posted a video on YouTube a while back showing a case where malware displayed porn on a user’s system automatically, with no action by the user.

Let’s hope this is not another miscarriage of justice.

Alex Eckelberry
(thanks to IDG’s Robert McMillan for sharing the link)

10/21/2010 Update here.

Please, the world is NOT ending on April 1

Some people are getting hysterical about Conficker’s “deadly payload” on April 1. The 60 Minutes special, which was effectively an infomercial for Symantec, didn’t help, either.

Relax.

Randy Abrams at ESET does a nice job of explaining the situation:

Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them, that they really meant to send the attachment, and that they also know what it is. These instructions are not specifically for Conficker; this is simply part of how you protect against all of the threats out there.

In other words, all that happens on April 1 is that Conficker’s next stage goes into place on already infected systems. This does not mean masses of new users will be infected. This seems to be the confusion.

As you know, the Conficker worm takes advantage of a vulnerability in Windows that Microsoft fixed in October of last year. If a machine is patched with this update from Microsoft, then that system cannot get infected by Conficker.

The reason some people are getting infected by Conficker is that their systems are unpatched. Or, they are patched, but are joined to a network that contains a computer that isn’t patched, in which case Conficker typically hops from a network share onto the local box when someone logs in with a domain admin account.

Nevertheless, Conficker is being hyped as something terrifying on April 1. It’s true that “something” will happen on April 1, but you need to be infected with the worm first for this event to affect you. If you’re not infected, nothing will happen. And as Joe Stewart says, if you’re reading his blog page, you’re probably not infected (because Conficker blocks infected machines from reaching his site).

So, just make sure your system is updated with the latest updates from Microsoft, and keep your antivirus software updated.

If you’re worried in general about vulnerabilities on your computer, you can always run the free inspection tool at Secunia.com. It will tell you which programs on your computer need to be updated.

You can also run the free Sunbelt Conficker scanning tool here.

Alex Eckelberry

Ghostnet

By now, most of you have read about the massive spy operation allegedly being run from China. Researchers from Cambridge and the University of Toronto worked jointly on the investigation, dubbing the spy operation “Ghostnet”.

It’s a big deal. Sadly, it’s not surprising.

I’ve posted the full, Cambridge-Toronto collaborative report here (pdf). Separately, Dr. Shishir Nagaraja and Ross Anderson at Cambridge have written a summary, available here.

Worth reading.

Alex Eckelberry
(Thanks to Les Bell and Paul Ferguson for hunting these down.)

The RealAge privacy issue

From the NY Times today:

“Americans yearn to be young. So it is little wonder that RealAge, which promises to help shave years off your age, has become one of the most popular tests on the Internet.

According to RealAge, more than 27 million people have taken the test, which asks 150 or so questions about lifestyle and family history to assign a “biological age,” how young or old your habits make you. Then, RealAge makes recommendations on how to get “younger,” like taking multivitamins, eating breakfast and flossing your teeth. Nine million of those people have signed up to become RealAge members.

But while RealAge promotes better living through nonmedical solutions, the site makes its money by selling better living through drugs.”

As Sunbelt’s Eric Howes says, “Not all online privacy threats come in the form of malware/adware/spyware. And it is still true that one of the easiest ways to get people to do things they would not normally do (e.g., cough up sensitive medical history data) is to construct an appeal to fear or vanity, or both.”

Alex Eckelberry

Doing a Thoreau — unplugging from the grid

Wayne Porter, a good friend and Microsoft Security MVP, decided to unplug for six months.

All experiments must come to an end, or so they say. I have spent the last six months on an interesting pilgrimage. During four of those six months I completely “unplugged” from the grid. No e-mail, no Web, no Net, no cell phone. Nothing… I explored nature, toured back-alley graffiti-covered alleys controlled by gangs, explored hollows, talked to a wide range of people and had a host of other adventures. Most of the time I simply thought about things. Exactly where am I going, and why?

Yikes. I could not survive that long without being connected.

Anyway, he’s back now, and is blogging again.

Alex Eckelberry

Nasty little Twitter hack

Something our friend Lance James came up with:

Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm on the microblogging service.

The attack, posted online Thursday by researchers at Secure Science, is an innocuous proof of concept that forces users to send out a predetermined Twitter message, but it could be repurposed into a very nasty worm, said Lance James, chief scientist with Secure Science.

“You can couple an attack with our code and it would just tear the crap out of Twitter,” he said.

Link here.

Alex Eckelberry

SMM exploit POC code published

As mentioned earlier today, Rafal Wojtczuk and Joanna Rutkowska have published a new paper on using cache poisoning to attack System Management Mode (SMM) on Intel 386 and later chipsets.

Some interesting snippets:

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of “Ring -2”, as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in “Ring -1”.

…Interestingly, the very same cache poisoning problem we abuse in our attack against SMM was identified a few years ago by Intel employees, who even decided to describe it in at least two different patent applications [3] [1]. We haven’t been aware of the patents before we discovered the attack — we never thought a vendor might describe weaknesses in its own products and apply for a patent on how to fix them, and still not implement those fixes for a few years… The patents turned out, however, to be easily “googlable” and it would be surprising that nobody else before us, and Loic Duflot, have created working exploits for this vulnerability.

…We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code.

and finally:

Intel has informed us that they have been working on a solution to prevent caching attacks on SMM memory for quite a while and have also engaged with OEMs/BIOS vendors to implement certain new mechanisms that are supposed to prevent the attack. According to Intel, many new systems are protected against the attack. We have found out, however, that some of Intel’s recent motherboards, like e.g. the popular DQ35, are still vulnerable to the attack. Additionally, the workarounds that Intel has mentioned to us are not yet officially documented, but Intel told us that they will be updating the CPU documentation shortly (in particular vol. 3a of [4]).

The paper is here (pdf).

Alex Eckelberry

Interesting Conficker C analysis published

The folks over at SRI have published interesting additional information on Conficker.C. Worth reading. Link here.

In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.

Alex Eckelberry

An alternative to “free” credit reports

For years, we’ve been hearing ads from freecreditreport.com. As you probably know, the name isn’t true — the service is not free.

The FTC has launched an educational campaign, pushing the actual free credit report service, AnnualCreditReport.com. I’ve used it a number of times myself and it’s a great (and free) site.

Ed Dickson has written much more on the subject here.

It’s important to keep up on your credit report, for obvious reasons. But you don’t need to pay. You also don’t need to pay for other services, like LifeLock, when you can easily do it yourself — for free.

Alex Eckelberry

Should be an interesting news day for security

Joanna claims she’ll be releasing exploit code later today (12 noon EDT, 16:00 UTC) for a nasty new rootkit that embeds itself into Intel chipsets through SMM (System Management Mode, a little-known feature that lets hardware vendors manage certain chip functions, such as power management, from software). James Heary has more here.

Then, I expect some more interesting new research to be published on Conficker later today, which I’ll be publishing on this here blog.

Alex Eckelberry

Symantec changes tack on Ask relationship

Following up on a prior post on the subject, Rowan Trollope, Symantec senior veep, has posted this:

Safe Search update

I’ve seen the negative feedback here in the forum regarding Norton Safe Search, and have been carefully listening over the last couple weeks, and working with my team on the best course of action.

While we believe Safe Search is a valuable feature, many of you were surprised by the addition of the search box to the Norton toolbar, and expressed concern over not being given the choice of whether or not to install it.

Given your response, we’ve taken immediate action. Moving forward, Norton Internet Security and Norton 360 will now ship with the search box disabled by default. Norton Safe Web site ratings will still be available to users. We are starting this process immediately and will be rolling out updates over the next few weeks.

Also, I want to clearly convey that this is not an Ask toolbar. It is part of the Norton browser integration and it is easily disabled. Also, to be clear, there is no Ask code running on your computer – it is all Norton code. There is no separate component to uninstall or remove. Once disabled, it is completely shut off and inactive. When enabled, the only information we are sending to Ask.com is the actual search query.

Customers who already have the search box enabled will not be affected, but still have the option to disable it manually via the Norton Toolbar menu.

My team and I have worked very hard to deliver security products with superior speed and performance, and I want every aspect of our customers’ experience to be positive. The last thing we want to do is cause any frustration with our loyal, technical users.

We want our customers to have an outstanding user experience and are revisiting Safe Search to determine how we might deliver this feature in a more positive way in the future. There are customers who are currently using and benefiting from this feature and ultimately, we do want to offer this, but make sure we do it in the right way.

Thanks, as always, for your candid feedback here in the forums.

Regards,
Rowan Trollope
Senior Vice President

Alex Eckelberry
(Via Donna)