Security Watch | Matt Hines » July 2007

July 31, 2007 | Comments: (0)

Robot Genius launches free anti-virus tool, RGguard

AV startup Robot Genius has launched RGguard, a free browser plug-in tool that claims to actively monitor Web site activity as end users surf the Internet and provide them with warnings about potentially dangerous URLs or downloads.

Promised as an effective system for unearthing spyware, adware, rootkits and other online malware in IE and Firefox, the plug-in promises to scan, identify and store the full path URL that points to each instance of malware on the entire Web -- a pretty tall task, but one that seems believable once you chat about it with Robot Genius Chairman Stephen Hsu.

Hsu and Robot Genius business partner James Hormuzdiar are best known for building SSL VPN provider SafeWeb which they sold to Symantec for $26 million in 2003.

"Rather than identifying threats by fuzzy keywords and links, RGguard attacks the most common vector for malware propagation: executable programs, the same '.EXE' files users have known for two and a half decades," Hsu said in his company's product release.

"Malware purveyors bundle harmful software with innocuous screensavers, toys, and games. These programs wait before causing trouble, making identifying the cause of the problem difficult," he said. "Using RGguard, surfers can see exactly what various scanners said about a program before downloading it, check the total installed size, or even whether it installed device drivers."

As part of the approach, RGguard provides users with a list of every executable available on a site, including details about what each piece of software actually does.

To determine just what executables are up to, the company's technology promises to recreate the human interaction needed to download and test every .EXE file it finds online, claiming the ability to understand and complete even the most complex end user license agreements (EULAs) to see what the programs behind them really entail.

The firm recommends using RGguard in concert with its desktop Spyberus agent -- also given away for download at no charge -- to garner the best results.

According to the RGguard launch materials:

"RGguard accesses data gathered by a sophisticated automated testbed that has examined virtually every executable on the Internet. This testbed couples traditional anti-virus scanning techniques with two-pronged heuristic analysis. The proprietary Spyberus technology establishes causality between source, executable and malware, and user interface automation allows the computers to test programs just as a user would - but without any human intervention."

In the RGguard Enterprise Edition, Robot Genius offers capabilities for IT administrators to centrally block users from downloading or browsing malware-laden URLs, including the option to do so remotely using a Java-based management server.

Robot Genius also offers its malware data directly to customers for use in cooperation with their firewalls and other desktop security products.

Posted by Matt Hines on July 31, 2007 08:50 AM


July 26, 2007 | Comments: (0)

IT pros fear iPod data theft

A quick look around the commuter bus or office space will give you a pretty good idea of just how ubiquitous Apple's iPod media players have become among the professional set, but the devices are also increasingly being viewed by many IT workers as a potential threat for data loss.

In a new study published by Credant, which specializes in tools used to encrypt or block data being saved onto mobile devices, the company found that 67 percent of the 323 IT workers it surveyed consider the iPod to be a potential data security risk.

However, short of some sort of major disaster that links the Apple devices to data leakage, 49 percent of those surveyed said they likely wouldn't do anything new to protect against misuse of the gadgets.

Some 46 percent said that their companies have already established policies dictating acceptable use of the media players.

Truthfully, the Credant survey highlights the continued disregard among companies in dictating the use of USB-capable storage devices in general, of which the iPod is clearly just one of the most popular.

When asked to rank which USB devices they considered to be most dangerous in terms of potential corporate data loss, a vast majority (86 percent) of respondents still ranked traditional handheld storage drives, and SD-card carrying smartphones (13 percent) ahead of the iPod (10 percent).

The fact that most commonly-used handheld USB storage drives max out at around 2GB of memory, and that the iPod can carry up to 80 GB, however, does make the devices ripe for use by those looking to carry out insider data theft schemes of some sort. But there are other less-popular multimedia devices that also offer similar storage capabilities.

(For those unaware of all the storage features of their iPods, try out a drag-and-drop document save exercise on your device, it works just as any other USB drive might.)

While the research probably isn't the type of marketing promotion that Apple had in mind for iPod, the Credant report also shines a light on just how plentiful the gizmos are in the workplace.

Of those surveyed, some 61 percent said that they use their iPod while traveling for business or at work.

Among people ages 18-40, get this, the number of iPod users jumped to 92 percent of those interviewed. Wow. That's a lot of iPods if you guess that the percentage extrapolates outside of those surveyed, although maybe IT pros are just more likely to be early adopters. (I own one too.)

Overall, 7 percent of those interviewed said they already use their iPod for storing corporate information.

Interestingly, despite the fact that 67 percent view the media player as a potential data threat, only 61 percent said that they had actually heard of "iPod slurping," or the practice of using the devices to secretly store sensitive data.

In general, some 40 percent of those surveyed by Credant said that they have no protection in place to stop the use of USB drives such as iPods to store business information at all.

That's the heart of the problem, less than anything related to the iPod itself, said Chris Burchett, chief technology officer and founder of Credant.

"Organizations and IT professionals are not taking the risk involved with allowing use of these USB storage devices as seriously as they should when it comes to the potential for data loss," said Burchett. "They want to allow them for appropriate use, but they don't have the controls in place to ensure that there isn't misuse."

Burchett suspects that many companies will avoid the problem until they are forced to address the USB security issue via compliance regulations or after a major security incident that illustrates the potential for abuse.

"It's just not intuitive to some people that the iPod is just another storage device, that it works outside of iTunes, music and video," he said. "I think that until we see an event such as the VA laptop theft or the TJX break-in that involves an iPod or portable media player specifically, many people will still fail to understand the related risks."

Posted by Matt Hines on July 26, 2007 12:22 PM


July 24, 2007 | Comments: (0)

Researchers outline LinkedIn exploit

Software vulnerability testing specialists VDA Labs have reported what they claim to be a significant flaw in the Toolbar application offered by LinkedIn - an online social networking system used by business executives and other professionals.

According to a post to VDA's site authored by company founder Jared DeMott and fellow researcher Justin Seitz, the LinkedIn Toolbar flaw can be used to serve up remote client side exploits to anyone using the application that can be lured into visiting a Web site crafted to deliver such an attack.

For its part Secunia is rating the issue as "extremely critical," its most serious vulnerability rating.

The toolbar application is meant for use by LinkedIn members -- of which the company currently claims 12 million -- to search for contacts or directly access the system from their browsers.

The exploit built by the VDA researchers specifically targets version 3.0.2.1098 of LinkedIn Browser Toolbar.

The researchers said that although their exploit remains merely a proof-of-concept at this point, someone could potentially run wild on any machine they successfully assault using the technique.

"If a user, with the LinkedIn toolbar installed, is tricked into browsing a Web site that contains the above code -- game over," the post reads.

In response to the VDA post, LinkedIn officials said that based on their tests, the service and its Toolbar app are "completely secure." In fact, the company said, the issue affects only users of the toolbar's Microsoft Internet Explorer version -- implying that the problem may lie with that product, not its own.

Secunia also put the blame on IE, reporting that people using the LinkedIn toolbar with Firefox and other browsers are not affected:

"The vulnerability is caused due to an error within the IEToolbar.IEContextMenu.1 (LinkedInIEToolbar.dll) when handling the “Search()” method, which takes in a VARIANT as the “varBrowser” argument. This can be exploited to execute arbitrary code when a user visits a malicious website. The vulnerability is confirmed in version 3.0.2.1098. Other versions may also be affected."

While LinkedIn doesn't likely contain a lot of people's sensitive data -- beyond their names, addresses and job titles -- cracking the system could provide an attacker with an interesting view into someone's business connections, which could conceivably be used to harass or attack them in many different ways.

For instance, if someone were to receive an e-mail attachment or Web link that appears to be sent by another LinkedIn user with whom they've connected and whom they trust, and the assailant knows where the targeted person works and what type of data they might have access to, you can imagine the possibilities for social networking gone awry.

Posted by Matt Hines on July 24, 2007 09:38 AM


July 18, 2007 | Comments: (0)

Google building apps fuzzing tool

When I recently interviewed Google CIO Douglas Merrill about a report being published this week by Ponemon Institute that touched on the search giant's expanding security implications, he repeatedly referenced ongoing efforts within the company to develop automated applications vulnerability testing tools.

Now the company has taken the wraps off of one of those homegrown technologies, a black box fuzzing application dubbed Lemon that has been built to help target potentially dangerous Web applications flaws that could lead to cross-site scripting attacks, among others.

In a post to the company's security blog -- another useful tool in aiding Google's efforts to engage with researchers and end users to foster stronger security, Merrill said -- Srinath Anantharaju, a member of the company's security team, explained the details of Lemon, which the expert characterized as "highly customized" for use with Google's apps.

As such, the company has no plans to release the tools to the public, Anantharaju reported.

Lemon is described by the security blogger as:

"A combination of scanning and an automated fuzzing tool, particularly to deal with the rising concerns of cross-site scripting (XSS)… that will work more than just a typical fuzz testing tool, it enumerates a Web application's URLs and corresponding input parameters, and then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses and ultimately, gets the bugs out of the Web app."

The expert said that the tool will work to ferret out both stored XSS and reflected XSS threats, the two common formats for the attacks.

Google was forced to fix a critical XSS flaw in its Desktop search product earlier this year, prompting the Ponemon report on people's feelings about the problem.

In the survey of just over 600 IT security specialists, 71 percent said that they believe that Desktop likely harbors additional security flaws, a data point that highlights growing fears of Google's looming security impact, report author Dr. Larry Ponemon said.

Elaborating on Lemon -- which was originally designed as an experiment -- and the process of fighting XSS further, Anantharaju writes:

"The general principle behind preventing XSS is the proper sanitization (via, for instance, escaping or filtering) of all untrusted data that is output by a web application. If untrusted data is output within an HTML document, the appropriate sanitization depends on the specific context in which the data is inserted into the HTML document. The context could be in the regular HTML body, tag attributes, URL attributes, URL query string attributes, style attributes, inside JavaScript, HTTP response headers, etc."

"Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters. It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities."

"Besides XSS, it finds other security problems such as response splitting attacks, cookie poisoning problems, stacktrace leaks, encoding issues and charset bugs. Since the tool is homegrown it is easy to integrate into our automated test environment and to extend based on specific needs. We are constantly in the process of adding new attack vectors to improve the tool against known security problems."
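The quoted principle is that the right encoding depends on where the untrusted data lands, and that a scanner finds bugs by feeding marked fault strings to each input and checking whether they come back unencoded. The following is an added example in that spirit; it is not Google's Lemon code, and the page template, the probe strings and the function names are constructed for illustration:

```python
"""Context-aware output encoding for untrusted data, beside a small
reflected-XSS probe. Added example; not Google's Lemon tool."""
import html
import json
from urllib.parse import quote


def escape_html_body(value: str) -> str:
    """Untrusted text placed in the HTML body: neutralise < > & " and '."""
    return html.escape(value, quote=True)


def escape_attr(value: str) -> str:
    """Untrusted text inside a quoted attribute; the quote character must be
    escaped so the data cannot break out and add attributes of its own."""
    return html.escape(value, quote=True)


def escape_url_param(value: str) -> str:
    """Untrusted text inside a URL query string: percent-encode everything."""
    return quote(value, safe="")


def escape_js_string(value: str) -> str:
    """Untrusted text inside a <script> block: emit a JSON string literal and
    also hex-escape < and > so '</script>' in the data cannot end the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_page(name: str, sanitize: bool) -> str:
    """Constructed page that reflects one input into four HTML contexts.
    sanitize=False is the vulnerable form, sanitize=True the hardened one."""
    if sanitize:
        body, attr, url, js = (escape_html_body(name), escape_attr(name),
                               escape_url_param(name), escape_js_string(name))
    else:
        body, attr, url, js = name, name, name, '"' + name + '"'
    return ("<html><body>"
            f"<h1>Hello, {body}</h1>"
            f'<input type="text" value="{attr}">'
            f'<a href="/search?q={url}">search again</a>'
            f"<script>var who = {js};</script>"
            "</body></html>")


# Harmless, constructed fault strings: each carries a marker plus the
# characters that would break out of one context (tag, quoted attribute,
# script block). A real scanner would carry many more per context.
PROBES = ["<probe1>", '"probe2="', "</script>probe3"]


def find_reflections(sanitize: bool) -> list:
    """Supply each fault string to the page and report those that come back
    byte-for-byte unencoded, which is the evidence a scanner looks for."""
    return [p for p in PROBES if p in render_page(p, sanitize)]


if __name__ == "__main__":
    print("vulnerable page reflects:", find_reflections(sanitize=False))
    print("hardened page reflects:  ", find_reflections(sanitize=True))
```

The same input needs a different encoder in each context; `html.escape` alone would leave the URL and script contexts exposed, which is why the hardened `render_page` picks the encoder per insertion point rather than once at the top.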

It should be interesting to see what Google can do with its recently acquired GreenBorder and Postini assets to continue to create new security tools.

One of the biggest questions about the search giant in regards to security is whether it plans to build a revenue-generating business in the area, or whether it is investing merely to protect its other applications.

Posted by Matt Hines on July 18, 2007 12:39 PM


July 17, 2007 | Comments: (0)

DNS attacks hitting home

Attacks on domain name servers remain a serious headache for many organizations, with related denial-of-service threats on the rise, according to a newly published research report.

Based on a survey of approximately 465 IT admins carried out by Mazerov Research & Consulting -- and being promoted by anti-malware applications vendor Secure64 -- almost half (44 percent) of all respondents admitted that their companies have recently experienced either a pharming or cache poisoning attack, with one-third (33 percent) reporting denial-of-service assaults.

According to the report, which was published on July 17, both external and internal DNS servers remain equally under attack, with the recent incidents experienced among the respondents split almost evenly between the two types of server platforms.

In a nod to the importance of DNS systems, Mazerov found that just over half (54 percent) of all respondents said that their organizations are either 'totally or extremely dependent' on uninterrupted Internet connectivity to do business. An additional 26 percent of respondents said they were "very dependent" on full time access to the Web.

"Growing business dependence on Internet connectivity is the very vulnerability that allows malware to attack DNS," Mazerov researchers said in a report summary.

Another problem revolving around the DNS attack issue is that many companies rely on the servers to help ward off malware and DoS attacks, including rootkits and the like, the researchers said.

Some 54 percent of respondents said that their companies depend on DNS filters to prevent rootkits and other viruses, with 52 percent using the systems to retain availability during DoS campaigns.

When questioned as to how long their organizations could withstand having their DNS servers taken offline, some 74 percent said that such an attack would lead to a direct loss of productivity within their operations, with 54 percent admitting that they would not be able to conduct even basic business functions.

Some 40 percent of those surveyed said that withstanding serious DNS attacks would lead to the loss of "significant revenue." Another 39 percent said they would expect related damage to their corporate brands and images if their sites are taken down.

When asked what the most catastrophic problem their organizations might experience in the event of a major Internet disruption would be, 37 percent indicated that they most feared losing e-mail services, while 47 percent said that the disruption of other Web-dependent services such as e-commerce, VoIP and customer support applications would hurt the most.

However, only 17 percent of respondents indicated that a failure of their DNS would be their worst nightmare.

That result puzzled the researchers and led them to conclude that many people fail to grasp the gravity of DNS threats.

"IT professionals are clearly facing a Sisyphean task when it comes to keeping their DNS secure," Bob Mazerov, founder and principal of the research company bearing his name, said in a synopsis of the report.

"What's particularly interesting is that most respondents perceived the loss of e-mail and other Web services as being a bigger problem than the loss of DNS," he said. "This suggests an enduring lack of focus, attention and awareness among IT and business professionals regarding the important and primary role DNS plays within the infrastructure of today's Internet-dependent enterprise."

Posted by Matt Hines on July 17, 2007 01:06 PM


July 16, 2007 | Comments: (0)

Researchers point to iPhone security risk

Security researchers with Web application testing specialists SPI Dynamics are drawing attention to a feature on Apple's hot new iPhone that they say could be subverted by hackers to attack users of the device and potentially monitor their phone calls.

In a blog post published on the security company's Web site on July 16, SPI security researcher Billy Hoffman proposes that a feature in the device's Safari browser that allows iPhone users to dial any phone number displayed in the browser by touching the digits on-screen could soon be subverted by hackers.

If they are capable of luring iPhone users to malware sites or to legitimate sites infected with cross-site scripting attacks, Hoffman said, attackers could infect the devices with spyware that could allow them to track calls, redirect calls placed by a user, place unauthorized calls from the browser, program the device to make repeated calls for an infinite amount of time, or prevent the phones from calling at all.

As an example of the manner in which schemers could make money off the ruse, Hoffman said that attackers could use the technique to place batches of calls to toll 900 numbers they control.

The researcher with SPI (which was recently acquired by HP) said that the issue was reported to Apple on July 6, however, the iPhone maker has yet to address the issue in any form of public statement.

Apple representatives didn't immediately respond to calls seeking comment on the issue.

"SPI Labs [is] working with Apple to remediate the problems. However, [we] recognize the unique urgency of these issues and the large number of people that could be affected," Hoffman wrote. "As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues."

Posted by Matt Hines on July 16, 2007 03:28 PM


July 13, 2007 | Comments: (0)

Malware's next big trends?

Always on the lookout for new and less-noticeable means for carrying out online fraud and other cyber-crimes, hackers are increasingly moving to adopt techniques including response splitting and cross-site forgery as they continue to mature their attacks, according to Web security and testing expert Jeremiah Grossman.

Grossman, founder and CTO of Web site vulnerability testing specialists WhiteHat Security, said that he has recently begun noticing more attacks in the wild that employ the two methods -- both of which have been understood for some time, but were thought to be avoided by most hackers based on their complexity and the availability of easier means to trick Web sites and end users.

While cross-site scripting (XSS) threats remain by far the most widespread method in use today by advanced hackers who seek to defraud online businesses and end users -- and Grossman expects that to be the case for the foreseeable future until more Web sites are secured from the technique -- the expert indicated that response splitting and cross-site forgery could represent the next big things in terms of vulnerability exploitation trends.

As defined by the Open Web Application Security Project (OWASP) -- which Grossman co-founded -- HTTP response splitting vulnerabilities occur when data enters a Web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a Web user without being validated for malicious characters.

Using the approach, an attacker feeds malicious data to a vulnerable application, which then includes that data in an HTTP response header.

To mount a successful exploit, OWASP says, the application must allow input that contains carriage return characters into the header. The characters in turn give attackers control of the remaining headers and body of the response the application intends to send, and allow them to create additional responses entirely under their control.

Using the technique, hackers are already creating a range of new attacks, including variants on the time-honored XSS theme, Grossman said.

In some cases, attackers use the approach to send requests to a Web server and get the server to respond twice. Most of the time the server lets the first request by and "chokes" on the second, said the expert. This allows the attacker to poison the cache on the server itself and gain control over whatever Web pages are supported by the server -- and insert XSS code.
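The mechanism described above, from the application's side, as an added example (constructed here, not code from OWASP or WhiteHat): a redirect that copies untrusted input straight into the `Location` header, beside a version that fails closed on carriage return, line feed and NUL before percent-encoding the value. The helper names and the sample inputs are assumptions made for this illustration.

```python
"""HTTP response splitting: vulnerable redirect beside a hardened one, with a
small parser that shows what a downstream proxy or browser would see.
Added example; constructed, not from OWASP or WhiteHat."""
import re
from urllib.parse import quote

# CR, LF and NUL are never legal inside a header field value (RFC 7230),
# so their presence in input destined for a header is an attack signal.
FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when untrusted input would alter the structure of the response."""


def build_redirect_unsafe(target: str) -> str:
    """Vulnerable form: the input is interpolated verbatim into the header."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def build_redirect_safe(target: str) -> str:
    """Hardened form: reject CR/LF/NUL outright, then percent-encode the rest.
    Rejecting (rather than silently stripping) also gives an event worth logging."""
    if FORBIDDEN.search(target):
        raise HeaderInjection("control character in redirect target")
    encoded = quote(target, safe="/?=&")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {encoded}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def parse_headers(raw: str) -> dict:
    """Parse the first header block the way a proxy or browser would."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # element 0 is the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def count_status_lines(raw: str) -> int:
    """Count responses embedded in one byte stream. More than one means the
    application lost control of its response, which is what lets a cache be
    poisoned with attacker-chosen content for a legitimate URL."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


if __name__ == "__main__":
    # Constructed inputs: the first adds a header the application never set,
    # the second terminates the headers and starts a whole second response.
    add_header = "/home\r\nSet-Cookie: injected=1"
    second_response = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    print(parse_headers(build_redirect_unsafe(add_header)))
    print(count_status_lines(build_redirect_unsafe(second_response)))
    try:
        build_redirect_safe(add_header)
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(parse_headers(build_redirect_safe("/home?q=a b")))
```

Frameworks that build headers for you generally already refuse control characters in header values; the check is shown explicitly here because the vulnerable pattern is hand-assembled headers, and because counting status lines in captured responses is a cheap way to confirm a finding during testing.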

"Response splitting has been discounted for years as too hard to execute, but as soon as we began adjusting our tests to look for it we started seeing it everywhere," Grossman said. "This is already a big problem and we continue to find more and more examples; admittedly we were in the dark about its prevalence too until we started educating ourselves about it using customers' Web sites."

Cross-Site Request Forgery (CSRF), as defined by OWASP, is an attack that attempts to fool end users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.

Using the technique, hackers try to misappropriate victims' identities and privileges to carry out activities such as changing their application passwords to gain entrance to banking sites, or to log into e-commerce sites to make fraudulent purchases in their names.

In some cases, the attacks are hidden on the vulnerable sites themselves.

CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding and Hostile Linking.

Grossman said that CSRF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts and the like. Utilizing the approach, hackers can essentially access prior Web browser sessions and remain logged in to any sites that have been accessed by an end user to carry out illicit activities.

Since the attackers log in using legitimate credentials, it may prove harder for those victimized by the threats to prove to their banks or e-commerce sites that they weren't responsible for any transactions that were carried out, the expert maintains.
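The defence that the CSRF description above implies is to stop accepting a logged-in session alone as proof of intent. The following is an added example, not OWASP's or WhiteHat's code: a per-session synchronizer token, bound to the session with an HMAC, checked on every state-changing request, with the browser's `Origin` header used as a second signal. The site origin, the request dictionary shape and the function names are assumptions made for this illustration.

```python
"""Synchronizer-token CSRF check bound to the session, plus an Origin check.
Added example; constructed, not OWASP's or WhiteHat's code."""
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # must never change state
TRUSTED_ORIGINS = {"https://bank.example"}          # assumed site origin


def issue_token(session_id: str, secret: bytes) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). The HMAC ties the token
    to one session, so a token seen in some other user's page cannot be
    replayed against this one, and the server need not store tokens."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str, secret: bytes) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def authorize(request: dict, session_id: str, secret: bytes) -> tuple:
    """Decide whether a request may act on the session's behalf.
    request is a constructed dict: {"method", "headers", "form"}.
    Returns (allowed, reason) so the reason can be logged on refusal."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    # A browser sends Origin on cross-site POSTs; a foreign origin is refused
    # before the token is even looked at. A missing Origin (older browsers,
    # some privacy settings) falls through to the token check.
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, f"cross-site origin {origin}"
    token = request["form"].get("csrf_token", "")
    if not verify_token(session_id, token, secret):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-server-secret"        # in practice: random, per deployment
    token = issue_token("sess-A", secret)
    legit = {"method": "POST",
             "headers": {"Origin": "https://bank.example"},
             "form": {"csrf_token": token, "amount": "100"}}
    forged = {"method": "POST",
              "headers": {"Origin": "https://other.example"},
              "form": {"amount": "100"}}          # a forged request cannot know the token
    print(authorize(legit, "sess-A", secret))
    print(authorize(forged, "sess-A", secret))
```

The token only helps if the page that carries it is itself free of XSS; as the post notes, script running in the victim's origin can read the token and submit the form, which is why the two bugs are found together.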

"Cross-site scripting and forgery are being used hand-in-hand, and almost everyone is vulnerable to forgery, it could become a massive problem," said Grossman, who will host an online seminar to discuss the topic on July 24.

"XSS will remain no. 1 in terms of attacks for a while, but cross-site request forgery is truly up-and-coming," he said.

Posted by Matt Hines on July 13, 2007 02:48 PM


July 10, 2007 | Comments: (0)

SEC charges stock spam botnet scammers

(Eds note: Apologies to loyal readers of the blog for the lapse in posts the last two weeks. One of the authors - Paul Roberts - has moved on from InfoWorld into the realm of industry analysts, while another, Matt Hines, was travelling and fighting laptop issues.)

The Securities and Exchange Commission has taken another step in its bid to eradicate online pump-and-dump schemes, filing securities fraud and money laundering charges against a pair of Texas men accused of running a sizeable campaign driven by the use of botnets.

Officials with the SEC announced that they have filed claims against Darrel Uselton, 40, and his uncle, Jack Uselton, 69 -- both of whom were labeled by the investment watchdog group as "recidivist securities law violators" -- for using a large network of zombie PCs to distribute spam e-mails that encouraged recipients to invest in penny stocks advertised in the messages.

The SEC claims that the defendants urged e-mail recipients to gobble up shares of 13 different companies over a 20 month period, resulting in over $4.6 million in gains for the accused, all of which was frozen in a bank account seized by law enforcement officials.

In a nod to old-world technology, the scammers also reportedly employed direct mailing tactics to push their efforts beyond the Internet.

As a result of the SEC charges, the Texas Attorney General's office and the state's Harris County District Attorney's office have indicted the accused for engaging in organized criminal activity and money laundering.

Botnets are increasingly being used as conduits for spam in order to help defeat the use of IP address blacklists aimed at stopping mass distributions of unwanted e-mail by identifying and blocking sources of the messages.

Pump-and-dump schemes -- which aim to line the pockets of their creators by pushing up the price of cheap stocks by touting some advantageous news or court ruling in the advertised company's favor -- have become one of the most common formats for message-based fraud over the last several years.

The Useltons' arrest follows other SEC efforts to crack down on the schemes, including the agency's move to freeze 35 penny stocks frequently advertised in pump-and-dump e-mails in March 2007.

"This latest step in the Commission's anti-spam initiative is intended to protect investors from fraud artists who would treat the investing public as their personal ATM machines," SEC Chairman Christopher Cox said in a statement. "The use of bots to spread investment spam at exponentially higher rates is making this type of fraud an even more virulent threat to ordinary investors."

Cox pointed out in his comments that the SEC is particularly focused on shutting down botnet-driven campaigns because they have proven so troublesome for investors and publicly-held companies whose stocks are targeted in the efforts.

"Not only are victims getting hit with get-rich-quick spam, but by turning the victims' computers into zombies, these fraudsters are sending out still more spam to others," he said. "Given estimates that up to one-quarter of all personal computers connected to the Internet are part of a botnet, and the thriving market in selling lists of compromised computers to hackers and spammers, the SEC is taking this very seriously. We remain aggressively committed to tracking down anyone attempting to use bots to prey on investors with false or misleading spam about securities."

The SEC's complaint, filed in U.S. District Court in Houston, claims that the men "orchestrated a series of spam email campaigns using an array of computer botnets to anonymously flood the inboxes of American investors with millions of spam emails touting near-worthless penny stocks with baseless price projections and other unfounded claims."

Each campaign, which advertised a single company in its messages, lasted from several days to several weeks in duration, the agency reported.

In a new twist that appears to point to some form of collusion between the businesses being touted in the e-mails and the scammers -- without disclosing whether or not the companies were aware that they would be used in the schemes -- the SEC complaint also contends that the Useltons "received unrestricted shares from penny stock companies for little or no money in return for purported financing or promotional activities."

The claims seek permanent injunctions and civil penalties against each of the individual defendants, as well as penny stock bars against the men.

The SEC said that Darrel Uselton was previously disciplined by the National Association of Securities Dealers (NASD) for misbehavior in 2004 and 2005, while Jack Uselton was permanently enjoined from trading by the SEC based on previous fraud violations as part of a 2002 settlement.

Of the companies whose stocks were involved, three were among the 35 whose shares were suspended in March, along with another whose shares were revoked by the SEC in 2005.

Posted by Matt Hines on July 10, 2007 01:18 PM

