Is your vote really yours? Diebold voting machines vulnerable

Electronic voting machines have had a less than stellar record regarding their security. Back in 2006 Diebold voting machines had an easily accessible memory card slot in the front that people could install viruses from. In 2008 it was demonstrated that Sequoia voting machines could easily have the front panel removed and the firmware chip swapped out for an illegitimate one. Now a recent exploit developed by the Vulnerability Assessment Team at Argonne National Laboratory has demonstrated the ability to hack the machine to change votes without leaving any trace behind, for only $26.

What the researchers did is use a man-in-the-middle style of attack: they created a small circuit board that carries code which can manipulate the input of the device. They then unplugged the connection between the touch screen and the rest of the hardware and plugged the chip in between the two. That way, when the touchscreen sends the data on what button was pressed, the circuit board can reinterpret it as something else before it gets stored on the device. They went on to demonstrate that they could easily affect the paper printout of the machine too, which Diebold added to prevent tampering with the readouts. So without opening the machine up and looking for the chip itself there would be no way to detect what was happening. As a little extra they added an RF device that could communicate with the chip, allowing them to remotely control what's happening from up to a mile away.

While this attack does require access to the internals of the machine, that's a relatively easy problem to overcome. Most voting stations are kept in low-security areas like churches and schools, so access wouldn't be the most difficult thing to gain.

You'd think that after the first couple of times it's been shown that voting machines are easily hackable we would have given up on them. Unfortunately that isn't the case, so we're either going to have to make their security foolproof or go to a different system.

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. The reason it's big news is that it's a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes and other system information. While the specific organisations that have been targeted haven't been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that they share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu's sophisticated nature and raise it above the level of ordinary malware. One is that it's able to communicate through server message blocks (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren't connected to the internet but were on a network with devices that were. On top of that it was able to receive and transmit messages from the C&C server by passing the data through a computer connected to the internet and then over SMB to the device on the network that didn't have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data, so the network traffic wouldn't show important data moving around, just JPEG files. After 30 days of running on the system Duqu deletes itself, hiding any way of detecting it had been there.

So what I think is most likely is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, probably a collaboration between the USA and Israel. As of right now Microsoft still hasn't fixed the vulnerability that allows it. For most users this isn't that big of a deal, because the exact method of the zero-day isn't known so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that's used by 14.7% of Alexa's top 1 million web pages, and it's of course the same tool we use to write these posts on. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for TimThumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it's an image file and thus ignore it. In reality it's a zip carrying malicious code. The attackers then obfuscate it further by encoding and compressing it multiple times so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because TimThumb is a common PHP script that's used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.
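Both the Duqu post above (stolen data hidden in 54×54 JPEG containers) and this TimThumb post (a zip wearing a fake GIF header) rely on a file that passes as an image on a shallow look. As an added example, not code from either article, here is a small triage script that looks past the magic bytes: it walks a JPEG's marker segments to find the real End-of-Image marker and counts what is appended after it, checks that a GIF has a real screen descriptor and block behind its signature, and flags zip or PHP signatures inside a supposed image. How Duqu actually packed its payload into the JPEGs is not stated in the post, so the appended-after-EOI layout and all sample files here are assumptions constructed for the example.

```python
import struct
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}            # baseline, extended and progressive frame headers
GIF_BLOCK_INTRODUCERS = {0x21, 0x2C, 0x3B}  # extension, image descriptor, trailer
PAYLOAD_SIGNATURES = {b"PK\x03\x04": "zip local file header", b"<?php": "PHP open tag"}

def inspect_jpeg(data):
    """Return (height, width, bytes_after_eoi) for a JPEG byte string."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos, dims = 2, None
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if marker in SOF_MARKERS:             # segment body: precision(1) height(2) width(2) ...
            dims = struct.unpack(">HH", data[pos + 5:pos + 9])
        if marker == 0xDA:                    # Start of Scan: entropy-coded data follows
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    else:
        raise ValueError("no Start-of-Scan segment")
    # Scan data stuffs every 0xFF as FF00 or uses FFD0..D7 restart markers, so the first FFD9
    # after SOS is the real End-of-Image rather than a byte inside an appended payload.
    eoi = data.find(JPEG_EOI, pos)
    if eoi < 0 or dims is None:
        raise ValueError("truncated JPEG")
    return dims[0], dims[1], len(data) - (eoi + 2)

def gif_structure_ok(data):
    """Look past the signature: logical screen descriptor, optional colour table, then a valid block."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return False
    flags = data[10]
    table = 3 * (2 << (flags & 0x07)) if flags & 0x80 else 0   # global colour table size in bytes
    first_block = 13 + table
    return first_block < len(data) and data[first_block] in GIF_BLOCK_INTRODUCERS

def triage_image(name, data, max_trailing=0):
    """List reasons the file deserves a closer look; an empty list means it looks like a plain image."""
    reasons = []
    if data.startswith(JPEG_SOI):
        height, width, trailing = inspect_jpeg(data)
        if trailing > max_trailing:
            reasons.append("%s: %d bytes appended after EOI of a %dx%d JPEG" % (name, trailing, width, height))
    elif data.startswith(b"GIF8") and not gif_structure_ok(data):
        reasons.append("%s: GIF signature with no valid GIF structure behind it" % name)
    for sig, label in PAYLOAD_SIGNATURES.items():   # these signatures have no place in an image
        if sig in data:
            reasons.append("%s: contains %s" % (name, label))
    return reasons

def make_jpeg(width, height, scan, extra=b""):
    """Constructed JPEG skeleton (SOF0 + SOS + scan bytes + EOI); not a decodable picture."""
    sof0 = b"\xff\xc0\x00\x0b" + struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + sof0 + sos + scan + JPEG_EOI + extra

# Constructed samples: a plain 54x54 JPEG, the same with a blob appended after EOI (Duqu-style
# container, layout assumed), and a "GIF" that is only the signature pasted over zip bytes (TimThumb-style).
CLEAN_JPEG = make_jpeg(54, 54, b"\x12\x34\x56")
CONTAINER_JPEG = make_jpeg(54, 54, b"\x12\x34", b"\x9e\x01" * 400)
FAKE_GIF = b"GIF89a" + b"PK\x03\x04" + b"\x14\x00" * 20
```

Run `triage_image("upload.jpg", data)` over files fetched or uploaded by an image-handling script; a non-empty list is a reason to quarantine the file rather than serve it.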

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

Government requests to Google for information on users has spiked.

The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months. Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was set up to provide people with protection and privacy against government intrusion but hasn't been updated since it was made to reflect new advances in technology. Because of this people are still massively vulnerable to government intrusion, since the government can get access to users' online information without having to go through a judge's approval like it would need to with a warrant. Google is just one of many high-tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn't the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have had no trouble with censoring or even monitoring and giving out information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Behavioral monitoring malware

Behavioral monitoring malware is a new class of malware that mines many of the social networking sites for behavioral patterns. What I mean by behavioral patterns is that it will monitor what kind of websites you like, who you associate with, and the kinds of things you buy. This kind of information is a goldmine for marketers. It allows them to build profiles of individuals beyond the basic scope of sex, age and location. Now they can know that you're friends with x, y and z or that you're a Chihuahua enthusiast who loves NASCAR. This kind of information can be more insidious than more conventional malware.

Through this information they could then target ads just for you or, extending beyond marketing, unique attacks. We've talked about phishing attempts before in class and how it's always a kind of broad message meant to reach as many people as possible. Thanks to behavioral pattern malware they can now easily tailor specific attacks just for you, even if you're some nobody. The usual malware targets things like credit cards or accounts and passwords. While these can cause trouble and be an inconvenience, you can at least cancel a credit card or change your password. But once they know who you are, you're in trouble. You can't just change everything about yourself. You're not going to get rid of your friends and family and stop liking the things you do.

One of the interesting technical aspects of this malware is that it's able to recognize who is on the fringe of social connections. That is, if I'm someone who posts prolifically on Twitter or Facebook and has lots of followers/friends, I'm going to stand out as a greater target compared to someone who has very few. Since I would have lots of connections I become a greater target, because through my connections it can move on to new targets. Another interesting thing is that it infects unconventionally compared to the usual malware. Most malware attempts to infect as many devices as fast as possible, while behavior pattern malware would want to take its time in order to go unnoticed and collect as much information as it could.

http://www.pcworld.com/article/207659/malware_aimed_at_social_networks_may_steal_your_reality.html

Tools to make your browser safer.

With the ever-growing complexity of modern web browsers come new and dangerous exploits for them. To get around this there exists a variety of plugins for the popular browsers. These plugins attempt to increase your security on the net, not only against malicious attacks but also against companies tracking your usage.

The first plugin is called NoScript, located at http://noscript.net/ . NoScript disables JavaScript, Java, Flash and other things that might run on websites. A bar pops up on the bottom of the screen notifying users that it's blocking scripts. From there you can choose to permanently enable them or just enable them for a session. Users might want to use a tool like this because exploits can be automatically loaded through things like JavaScript without any sort of user input. Plus it can also block trackers. Currently there is only a Firefox plugin, but supposedly they are working on a Chrome one.

Another useful tool is Ghostery, at http://www.ghostery.com/ . This program blocks most of the popular tracking methods that websites use to gather information, whether they be plugins, scripts or tracking bugs. The program notifies you when it's found something and pops up in the corner what they are. It allows you to then click on them to find out more about what that particular tracker is and what it does. This program has a lot of overlap with NoScript, in that usually NoScript blocks them before it does. Ghostery works with all of the popular browsers.

The last one is Priv3, at http://priv3.icsi.berkeley.edu/index.html . This disables all of the buttons for social network sites on other websites. These buttons enable the social network sites to track you on the internet even when you don't click on any of them. So if you're looking for more privacy this might be useful. Again, NoScript tends to block these already. Priv3 is currently only for Firefox.

Sinkholes can contain and prevent damage from botnets

Since botnets have grown to become one of the larger IT threats out there, researchers need to find ways to neutralize them once they're already active. One method they use to do this is the sinkhole.

A sinkhole is a computer that has all of the bots reporting back to it instead of to their original command and control server. In the case of the Kelihos botnet, researchers at Microsoft had to reverse engineer the bot malware so it would send out new peer addresses routed to the sinkhole instead of the C&C server. Since the bots didn't connect directly to the command and control server but through a series of router nodes, they were able to have the nodes start sending out the address of the sinkhole instead of the C&C server. Given enough time most of the bots were then passing around that address instead of the address of their original server. Once the majority of the bots are reporting to the sinkhole the researchers are able to analyze the data from the botnet and more or less shut it down. I say more or less because, while the botnet is now inactive, they still need to rely on the end user to remove the botnet malware from their computer. It will be interesting to see what methods malware developers come up with to counteract the sinkhole technique, since they always seem to find a way around them.

http://arstechnica.com/business/news/2011/09/sinkhole-contains-botnet-nuked-by-microsoft-and-kaspersky.ars

The Tor anonymity network

Tor stands for The Onion Router, a network consisting of relays and exit nodes that pass traffic along anonymously to hide the user. This allows the user to evade traffic analysis so people can't tell who the user is talking to. Traffic analysis is able to determine this information from packet headers, which tell where the data in the packet is being sent and who it's being sent from.

Tor works around traffic analysis like this: the user sends information to the first Tor relay node. That relay node then sends it to another one. While it's being sent from one relay node to another, the packet header will only carry the information for that hop, from one relay node to the next, thus obfuscating the sender of the information and the receiver. It then travels through several more relay nodes before finally reaching an exit node, where the information is sent on to where it needs to go. The path through the relay network is established by the client every time they transmit data and changes which relays are used about every 10 minutes.

The Tor network is maintained by anyone who wishes to set up a relay or exit node. For relay nodes there is no danger in running one, since the information from one node to another can't be tracked. There have, though, arisen issues dealing with the legality of running exit nodes, mainly whether the person running the exit node can be culpable for other users' illegal uses of the network. This issue is still up in the air.

Tor is used by people for a variety of reasons. It's used by law enforcement to visit pages they're investigating so they can monitor them without leaving behind traces of government IP addresses. It's also been in the news recently with regards to people in countries with strict censorship laws, allowing them to anonymously say things that could get them arrested. But people also use it for doing illegal things such as downloading warez or trading child porn.

Tor does have its weaknesses. People running the relay nodes and exit nodes might not be able to find out who sent data or where it's going, but they can view any unencrypted data themselves. Some websites use sign-in pages that aren't SSL secured and transmit their logins in such a way that they could be read by malicious node servers.
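The layered encryption the paragraphs above describe, as an added example that is not code from the Tor project: a toy onion with three relays, where each relay decrypts only its own layer and learns only the previous and next hop, and the exit node sees the plaintext request unless the application itself used SSL. The XOR stream cipher, the relay names, the per-hop keys and the login request are all constructed for illustration and stand in for Tor's real circuit setup and crypto.

```python
import hashlib

HOP_FIELD = 16  # fixed-width next-hop field, so a layer's size reveals nothing about the hop name

def toy_cipher(key, data):
    """Toy XOR stream cipher keyed with SHA-256 (illustration only, not Tor's real crypto).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def build_onion(relays, destination, payload):
    """Client side: wrap the payload in one layer per relay, innermost (exit) layer first.
    relays is a list of (name, key) in path order; each layer is next_hop || inner, encrypted for that relay."""
    next_hops = [name for name, _ in relays[1:]] + [destination]
    packet = payload
    for (_, key), hop in zip(reversed(relays), reversed(next_hops)):
        packet = toy_cipher(key, hop.ljust(HOP_FIELD, b"\x00") + packet)
    return packet

def relay_peel(key, packet):
    """Relay side: strip one layer and learn only where to forward the remainder."""
    plain = toy_cipher(key, packet)
    return plain[:HOP_FIELD].rstrip(b"\x00"), plain[HOP_FIELD:]

def run_circuit(relays, destination, payload):
    """Walk the packet client -> relays -> exit; return what each relay saw and what the exit forwards."""
    views, prev = [], b"client"
    packet = build_onion(relays, destination, payload)
    for name, key in relays:
        next_hop, packet = relay_peel(key, packet)
        views.append((name, prev, next_hop))  # everything this relay learns: previous and next hop
        prev = name
    return views, packet  # the exit forwards `packet` in the clear unless the application encrypted it

# Constructed circuit: three relays with per-hop keys (Tor negotiates these; here they are fixed bytes).
RELAYS = [(b"relay-A", b"key-A"), (b"relay-B", b"key-B"), (b"exit-C", b"key-C")]
DESTINATION, PAYLOAD = b"example.org", b"GET /login?user=alice&pw=hunter2"
```

The first hop sees the client but not the destination, the exit sees the destination and the full request but not the client, and the middle relay sees neither; an unencrypted login like the one in PAYLOAD is readable by whoever runs the exit.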

Overall Tor is a good beginning for making internet traffic anonymous in a world where people try to exploit any personal information at any given chance, whether they be people, corporations or governments. Hopefully the flaws in it can be worked out to make it even more secure than it is already.

Further reading:

http://www.eff.org/torchallenge

https://www.torproject.org/index.html.en

Trojan.Mebromi is able to infect the BIOS

Every day the threat posed by malware grows greater and greater. A recently discovered trojan known as Trojan.Mebromi is able to flash itself into the BIOS of infected computers. So far it can only infect Award BIOS systems. Malware similar to this has been developed before, called CIH, but it was last seen in the 1990s and it only corrupted the BIOS rather than hiding in it.

What happens is that when you turn on your computer the BIOS loads the operating system, among other things. What Mebromi does is alter the MBR (master boot record) of the system. This allows it to run its commands on startup before the OS. Upon booting the system it infects the system and downloads malicious files. This creates a big challenge for anti-virus developers, because even if their scanners find the virus and remove it, they don't detect the copy located in the BIOS. So when the user turns their computer on again, it re-installs itself onto the system.

So far the only way to remove it from your system is by flashing the BIOS. Flashing the BIOS is a very delicate procedure that could leave your system bricked in the worst case, so anti-virus developers are hesitant to do anything that could modify the BIOS in any way, preferring to leave it up to the developers of the BIOS.

For further reading:
http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/
http://www.symantec.com/connect/blogs/bios-threat-showing-again

The burgeoning threat of the Botnet

Every day botnets are growing larger with no end in sight. It's estimated that one fourth of personal computers connected to the internet are part of a botnet. This is a troubling statistic for anyone concerned with network security.

A botnet is a group of computers all infected with malicious software that allows the controller of the software to remotely manipulate the computers into doing a variety of tasks. These collections of computers usually number around 10,000 to 20,000 PCs, but larger botnets consisting of millions are known. The most prevalent botnet is Storm, with an estimated 1 to 25 million infected computers.

A user can be infected by a botnet through browser security exploits when visiting a webpage, through spam email or by downloading a trojan horse. A popular vehicle for the trojan horse is keygens for pirated programs, which antivirus programs tend to flag but other users reassure each other is due to the illegal nature of the program and not a trojan. Other novel ways of infecting computers are being discovered. Recently researchers from the Stevens Institute of Technology created a UAV* capable of flying around and accessing weakly secured or unsecured networks. That lack of security could open the floodgate for malicious software to be introduced into them.

Botnets are used for a variety of purposes such as DDoS attacks, spamming, traffic monitoring, key logging and phishing. One of the well-known phishing attacks, and one I've dealt with personally, mimics an antivirus program and "alerts" the user that they have many infected files. It then prompts the user into buying the program by entering identity and credit card information.

It's hard to say if there will be any way to stop the proliferation of the botnet. With state actors beginning to use botnets for cyberwarfare there will be less incentive for governments to stop them. With botnets like Storm having the ability to defend themselves from attacks by DDoSing the attacker, they are becoming harder and harder to defeat.

* http://nakedsecurity.sophos.com/2011/09/09/diy-drone-helicopter-wifi-attacks/