A Week for Security
Purdue University in the United States has reported its third theft of electronic information this calendar year. In this case, 11,360 past and present employees may have had their records accessed. Although smaller than a number of other security breaches reported this year, it is the latest in a disturbing trend of university breaches. In an identity theft case which used employees instead of system breaches to steal identity data, New Jersey police are reporting that the largest breach of banking security in the United States has grown to encompass at least 676,000 individuals. In this case, it was employees of banks who manually copied out account information, which was then forwarded to a holding firm. Where a normal bank employee would perform 40 to 50 account searches per day, the accomplices were performing ten times that amount. The data was being sent to a company which then sold the information to legal firms, private detectives and other third parties. The key difference between this case and the ChoicePoint breach reported earlier is that ChoicePoint obtained the data legally and sold it to unknown parties.
A recent deconstruction of the Witty worm has revealed some interesting information about the possible source of the worm, which was one of the fastest spreading Internet worms to date. The Witty worm was targeted at systems that ran a specific firewall application from ISS, a security product vendor. Designed to disable the firewall, spread itself automatically, then overwrite sections of the local hard drive, the Witty worm was not only fast spreading, but actually possessed a malicious delivery payload. A flaw in the method used to generate new addresses to attack meant that 10% of the available Internet address space would never have been attacked, as those addresses would never appear. An IP address common to all samples of the worm, observed even after accounting for the random address generation, indicated that the infection originated from a client system in a large European ISP. In the initial attack spread, the worm targeted a number of systems at a US military base in Europe. The intentional targeting of systems at the US military base suggests that the creator of the worm had specific inside knowledge of the client list for ISS products. In addition, the use of an undisclosed vulnerability also suggests that the hacker had access to ISS, or to a security company such as eEye, and to the unpublished research into vulnerabilities for that application.
The uniqueness of the vulnerability, which effectively could not be scanned for without exploitation, indicates that the rapid spread of the worm was due to a priori knowledge of the install location for the affected ISS product, which would have been hardcoded into the worm. People claiming to be ISS company representatives, posting on various Internet forums, believe that the author was an insider, but have not been able to identify them. Witty was unique in its ability to fit inside a single UDP data packet without impeding its ability to spread, even with a malicious payload. For such a malicious, nasty worm it is quite a beautiful creation (in a horrid sort of way), and quite possibly indicates a new breed of malware creator: the talented, motivated malicious individual who is an expert at their skill set.
Continuing with the theme of the big bad Internet, an old extortion technique has resurfaced. A Trojan-downloading infection tool, known as download-aag or Pgpcoder, utilises known flaws in Microsoft Internet Explorer to retrieve the malicious content onto the local system. Once in place, the malicious tool actively searches the local system for files with certain file types (such as Word documents and Excel spreadsheets), encrypts them, deletes the originals, then leaves a message demanding $200 USD for a tool to decrypt the documents. This technique was originally tried as the payload of a virus several years ago, but the weak encryption implementation was easily bypassed, and the financial extortion led to a concerted effort to track down the originator. The original site that hosted the malicious downloader has since been taken offline, but, as with all things on the Internet, once the information is out there, it can never be removed. The other good news is that the distribution of victims has been small, and doesn't seem to be increasing significantly.
In online safety news, the Bank of America (BoA) has announced its new authentication technique, designed to reduce the effectiveness of phishing attacks against its customers. BoA is partnering with PassMark Security to provide this service to its customers. With more than 13 million customers accessing their BoA accounts via an online interface, the bank is claiming that the extra authentication methods are going to alleviate the risk of phishing attacks succeeding. The not-so-good news is that it only solves one class of phishing attack: the obviously fake site. It forces phishers to become more technical in their approach to phishing BoA customer data, making their sites more difficult to tell apart from the legitimate sites.
The name of the BoA solution is 'SiteKey', and it comprises a known password authentication, along with secondary authentication via a known secret, an image, or human voice contact. Once a computer has been used for authentication it will remain authenticated for future contact, presumably via a specially crafted Internet cookie. If a computer is stolen, this authentication mechanism would presumably not require re-authentication, allowing the thief to effectively bypass it. The additional system resources required for the storage of unique images for every customer would not be trivial, and the design forces users who browse without images, or visually impaired users, to use one of the remaining authentication methods, weakening the apparent strength of the design. If there are not unique images for every customer, there is a finite chance that a phishing site is going to be able to guess the image when trying to authenticate to victims (if it doesn't already pass it through from the real site).
One of the key claims from the BoA site is that the 'SiteKey' solution allows users to validate that the BoA site is the real site, and not something fraudulent. This claim is false. At best, it gives the customer a better feeling about what they do with their online banking information without actually increasing the security. In real terms, it may actually decrease the security as customers become used to entering their account data into web pages that appear to be correctly implementing the 'SiteKey' solution. Encryption and information security guru Bruce Schneier has opined that these sorts of attempts at improving security merely shift the problem to other areas, and can only serve to frustrate legitimate users. The analogy that he uses is motor vehicles. As cars have become more difficult to hotwire and include more anti-theft devices, criminals have been forced to move from theft when the owner is not present to theft when the owner is present and the anti-theft devices have been deactivated. Thus, partially solving the problem of car theft when no one is present has led to a significant increase in violent carjackings, as the thieves effectively bypass the anti-theft systems.
The Esperanto Security Suite, as discussed in last month's column on Knoppix CD usage in banking, neatly solves all of these problems, with a secure implementation of two-factor authentication which cannot be spoofed.
Another online safety story from the week is news that the founder of a site designed to assist consumers in avoiding CNP (card-not-present) credit card fraud has fallen victim to the very fraud that he is trying to raise awareness about. This does not mean that his efforts are worthless; instead, it highlights how easy it is for this type of fraud to be carried out without a lot of interaction from the victim. CNP fraud is carried out when there is no need for the physical presence of the customer to process a credit transaction. Online purchases, telephone payments, and a range of other transactions can be susceptible to this type of fraud since they do not require a physical presence to enact the transaction. The lack of a verifiable customer signature for these types of transaction removes one of the security measures that exists in face-to-face transactions.
Further to last week's report about the Australian Democrats' bill before Federal Parliament to introduce fines for unauthorised installation of software on a user's computer, the US House of Representatives has recently passed similar bills, the SPY Act and the I-SPY Act. While not yet passed into law, the I-SPY Act allows for jail terms of up to five years to be awarded as punishment for an unauthorised breach of a computer system which is then used to commit another US Federal crime.
While two wrongs do not make a right, sometimes watching natural justice take its course is quite pleasing. Website defacers have recently gone after phishing sites with greater effort. Although there have been examples from 2003 where defacers have targeted phishing sites, it seems that there is a growing trend where the defacers actively seek to exploit the phishing sites. On one level, this is a positive thing, as it could serve to warn phishing victims that they are not visiting the legitimate site that they think they are. Although the site defacements may be the result of good intentions, this activity remains illegal. Overall website defacement on the Internet is reported to have grown by 36 percent over the last 12 months, so the targeting of phishing sites could help divert the attention of those who deface websites away from valid sites. Simple advice, which is still the best way to avoid losing data through phishing attempts, is to never give out personal or sensitive data in response to an unsolicited email, even if it appears to be from a company that you do have dealings with.
A recent court case in the United States of America may have widespread consequences for the use of encryption software by consumers. The particular case involved a prosecution for child pornography images, where the suspect was using the PGP application to encrypt certain communication. The judge ruled that having encryption software on a system could be considered relevant to the prosecution's attempts to prove criminal intent. The use of encryption software and tools is recommended for all computer users, as it helps to keep private data safe from misuse in the case of unauthorised access to their systems. For most users, who will never be arrested, this is not a problem. However, for those users who might at some time be arrested for a computer-related crime, the presence of any encryption software may be ruled relevant to the prosecution case for establishing intent.
Also of interest in the last several days is reporting that the CIA is running a paper exercise in which terrorist attacks conducted by anti-American and anti-globalisation groups are channelled through the Internet. Dubbed 'Silent Horizon', the exercise is designed to identify and theorise how government agencies and industry bodies might respond to escalating attacks and disruptions over a period of many months. The exercise is based on theoretical events happening five years into the future, so the infrastructure and capabilities of the Internet should not be all that different from the current technologies. The concept of an unannounced major attack against a specific group of interests has been mentioned numerous times by various information security figures, and has been dubbed a digital Pearl Harbour. The concept of a digital Pearl Harbour is named after the surprise Japanese aerial attack which brought the USA into World War II. Essentially, a massive surprise network attack is launched and timed to use new vulnerabilities that have not been made public, with the goal of causing major havoc on a system or network. The digital Pearl Harbour concept has been considered extremely unlikely by a number of security researchers, and has not attracted a lot of mainstream attention as a result. Some forum commentators humorously opine that, while a digital Pearl Harbour might be nice, they are waiting for a digital Hiroshima.
In terms of overall threats, the threat of cyberterrorism is considered a lower threat than physical attacks against infrastructure. The unique nature of the Internet means that a 'cyberterrorism' attack could come from anyone from a dedicated hostile government to a group of bored teenagers, with the same results from either. The real threat posed to systems is a source of frequent discussion, with various known criminal interests, rumoured military hacker units in North Korea (and possibly other countries), hacker groups, and bored teenagers all posing real threats to current infrastructure.
Criticism targeted at the exercise was largely centred around a claimed lack of imagination by the organising agencies. Critics felt that the exercise was too limited in scope and did not necessarily reflect what the situation might be like in the case of an attack. They also claim that the agencies fail to recognise and adequately prepare for what is happening today. The recent Cisco network breach was estimated to have been the responsibility of a single individual, who then also managed to gain root-level access to more than half of the computers that they tried to penetrate in a two-day period. Root-level access allows them to do anything they want with a system, and once this is compromised, all assurances of data and system integrity are removed.
30 May 2005