Researchers hack wired keyboards, hijack keystrokes

A team of Swiss researchers says there are several ways to recover keystrokes from wired keyboards simply by measuring the electromagnetic radiation emitted when keys are pressed.

In all, the team of researchers from the Security and Cryptography Laboratory in Lausanne, Switzerland, found four different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls.

A research paper on the discovery will be published after a peer-review process. Team members Martin Vuagnoux and Sylvain Pasini explain the findings:

To determine if wired keyboards generate compromising emanations, we measured the electromagnetic radiations emitted when keys are pressed. To analyze compromising radiations, we generally use a receiver tuned on a specific frequency. However, this method may not be optimal: the signal does not contain the maximal entropy since a significant amount of information is lost.

Our approach was to acquire the signal directly from the antenna and to work on the whole captured electromagnetic spectrum.

We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.

We conclude that wired computer keyboards sold in the stores generate compromising emanations (mainly because of the cost pressures in the design). Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively inexpensive equipment.

The team released two online videos demonstrating the research findings.

* Image source: DeclanTM’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Google readying fix for Chrome file download flaw

Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities (a flaw in Apple Safari's WebKit engine and a Java bug) to trick users into launching executables directly from the new browser. (His demo shows how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that then executes without warning.)

Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.

From the changelog:

  • This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
  • The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
  • If discarded the download is removed (and its file deleted). If saved, download goes as usual.
  • Dangerous downloads not confirmed by the user are deleted on shutdown.

[Source: zdnet]

MS ships emergency patch for Windows worm hole

Microsoft has released an out-of-band patch to fix an extremely critical worm hole that exposes Windows users to remote code execution attacks.

The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated “critical” on Windows 2000, Windows XP and Windows Server 2003.

On Windows Vista and Windows Server 2008, the flaw carries an “important” rating.

From Microsoft’s critical MS08-067 bulletin:

  • A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft said it was aware of “limited, targeted attacks attempting to exploit the vulnerability” but the company did not provide any clues about the origin of the attacks or the target that was hit. There are no signs yet of public proof-of-concept code.

According to the bulletin, there is a chance that the vulnerability could lead to a “wormable exploit.”

  • The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
  • Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

The vulnerable Windows Server service provides RPC support, file and print support, and named pipe sharing over the network. It is also used to allow the sharing of your local resources (such as disks and printers) so that other users on the network can access them.

This is the first out-of-cycle patch from Microsoft since the fix for the animated cursor vulnerability in April 2007. It is the 67th bulletin from Redmond this year.

[Source: zdnet]

Lack of phishing attacks data sharing puts $300M at stake annually

To share phishing URLs, or not to share? That’s a rhetorical question, since sharing ultimately serves the end customer and lowers the average time a phishing site stays online. In recently published research (The consequence of non-cooperation in the fight against phishing), Tyler Moore and Richard Clayton analyze the current state of delayed data sharing and argue that non-cooperation among vendors results in an estimated $326 million annual loss:

“The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days. Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed.”

Why wouldn’t “take-down companies” share their data so that more customers are protected because the phishing site they visit has already been shut down? Because the take-down process was commercialized long ago by vendors diversifying into fraud protection and brand reputation services. Such competition is supposed to deliver more value to end users, since a vendor trying to outperform its competitors will inevitably take down phishing sites more efficiently. However, as long as data is withheld so that a company can claim to take down phishing sites faster than its rivals, end users remain at risk.

In related research published by Symantec in 2007, the company analyzed the average online time of phishing sites and argued that the take-down process depends heavily on the country in which the site is hosted:

“Public phishing statistics often report the overall number of attacks hosted in a specific country, but this is not the only interesting detail: phishing attacks are more dangerous when they can “survive” online until the majority of potential victims open the phish email. Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia.”

Non-profit, community-driven projects such as Phishtank and StopBadware.org are good examples of how this sharing mentality protects most end users, so feeding these services with phishing and malware URLs, alongside making sure a phishing email never reaches an end user’s inbox in the first place, is the way to go. Moreover, phishing emails are only part of the problem: banker malware has become so efficient and sophisticated that I can easily argue more money is at stake from the growing number of people infected with banker malware than from those interacting with phishing emails, since the malware remains active long after the phishing site has been shut down. Competitive practices must be balanced with social responsibility, which is where data sharing comes into play.

[Source: zdnet]

On Opera patch day, a new zero-day flaw

On the same day Opera shipped a browser update with patches for three separate security vulnerabilities, hackers were openly discussing a new zero-day flaw that exposes Windows users to remote code execution attacks.

With Opera 9.61, the Norwegian browser maker corrects an issue where History Search could be used to reveal browser history (rated extremely severe); a Fast Forward bug that allows cross-site scripting (highly severe); and an information disclosure flaw in news feeds (also highly severe).

But even as Opera users were scrambling to apply the latest patches, a public discussion on the Full Disclosure mailing list exposed a zero-day vulnerability that could lead to cross-site scripting and even remote code execution attacks.

The discussion began with this Roberto Suggi advisory on the History Search bug fixed in Opera 9.61 but quickly expanded to raise the possibility of code execution attacks.

Within hours, researcher Aviv Raff found a way to execute code remotely and released a harmless proof-of-concept exploit that launches the Windows calculator.

I can confirm that a separate exploit exists that launches harmful code remotely against fully patched versions of the Opera browser.

Until Opera can fix this new issue, users are strongly urged to consider a different browser or avoid clicking on links on untrusted Web pages.

[Source: zdnet]

Latest MS vulnerability eerily similar to one from two years earlier

The recently discovered critical Windows vulnerability that necessitated an out-of-cycle patch is extremely similar to one that first appeared two years ago. The MS08-067 vulnerability, which was originally spotted by analyzing in-the-wild captures, is remarkably similar to the MS06-040 vulnerability that enabled the spread of a variant of the Mocbot trojan, leading security researchers to believe it will be used to revive an old worm. Both vulnerabilities existed in the same region of code, which handles parsing and routing of RPC messages. While some may ask why MS08-067 wasn’t spotted when the code was so heavily vetted after MS06-040 was discovered, I can assure you that finding vulnerabilities, even when they are staring you in the face and are vanilla stack overflows, is far harder than it sounds.

Good software architecture assumes that vulnerabilities may exist and, designing with “defense in depth” in mind, creates obstacles that slow down exploitation so as to give administrators time to apply a patch. For example, designers can randomize the memory layout of the application so that a remote exploit must make a vast number of attempts before it succeeds. To counter fast network connections, the application should also be designed to shut down when it detects something odd, before the remote attacker hits upon the specific memory layout. This design principle was used in Windows Vista, limiting the platform’s exposure to the latest attack.
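As an added illustration (not code from the article, from Microsoft or from ZDNet), the following Python models the two mechanisms just described: how many guesses a remote exploit needs against a randomized layout, with and without re-randomization after each crash, and, from the defender's side, how a burst of crashes of one service shows up in crash records. The function names, the entropy figures and the sample crash records are assumptions constructed for the example.

```python
# Added illustration of the two mechanisms in the paragraph above (not code from
# the article or from Microsoft; all sample data below is constructed).
import math
from datetime import datetime, timedelta


def success_bound(entropy_bits, attempts, rerandomize):
    """Probability that `attempts` guesses hit the right one of 2**entropy_bits
    layouts.  rerandomize=True: the service is re-randomized after each crash,
    so guesses are independent.  False: the layout is fixed across attempts
    (e.g. a forking server that never re-executes), so each wrong guess
    eliminates one layout and n guesses always succeed."""
    n = 1 << entropy_bits
    if rerandomize:
        return 1.0 - (1.0 - 1.0 / n) ** attempts
    return min(1.0, attempts / n)


def attempts_for_confidence(entropy_bits, target):
    """Guesses needed for success probability `target` against a re-randomizing
    service; a restart limit below this keeps the attacker under `target`."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    n = 1 << entropy_bits
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / n))


def crash_bursts(events, service, threshold, window):
    """Defender's view: timestamps at which `service` has crashed at least
    `threshold` times within a sliding `window`.  A burst of crashes of one
    network-facing service is what repeated layout guessing looks like.
    `events` is an iterable of (datetime, service_name) pairs."""
    times = sorted(t for t, s in events if s == service)
    alerts, start = [], 0
    for i, t in enumerate(times):
        while t - times[start] > window:  # drop crashes that left the window
            start += 1
        if i - start + 1 >= threshold:
            alerts.append(t)
    return alerts


WINDOW = timedelta(minutes=5)  # assumed alerting window

# Constructed crash records (time, service), not real Windows event-log entries.
SAMPLE_CRASHES = [
    (datetime(2008, 10, 23, 9, 0, 0), "Server"),
    (datetime(2008, 10, 23, 9, 0, 30), "Server"),
    (datetime(2008, 10, 23, 9, 1, 0), "Spooler"),
    (datetime(2008, 10, 23, 9, 1, 15), "Server"),
    (datetime(2008, 10, 23, 9, 40, 0), "Server"),
]
```

With 8 bits of entropy, 256 independent guesses against a re-randomizing service succeed only about 63% of the time, while the same 256 guesses against a fixed layout always succeed; the sample records raise one alert, at the third "Server" crash.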

Someone in Microsoft’s Security and QA group is most likely torturing themselves for not finding this vulnerability back in 2006. They should take some comfort that their latest architectures are tolerant of this mistake. After all, they are only human.

[Source: zdnet]

Google Android vulnerable to drive-by browser exploit

The Google Android operating system is affected by a serious security vulnerability that allows malicious hackers to launch drive-by browser attacks, according to an alert from a security research outfit.

Technical details of the vulnerability, which exists because Google Android ships an unpatched open-source software package, are being kept under wraps until a patch is available.


Google was notified of this issue on October 20th, 2008.

According to a warning from Independent Security Evaluators (the company that found the first iPhone code execution flaw), this particular security vulnerability “was known and fixed in the relevant software package,” but Google used an older, still vulnerable version.

The Google Android OS powers the T-Mobile G1 by HTC, a device that’s currently in stores in the United States.


  • A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes.

The researchers, however, acknowledged that the impact of this attack is “somewhat limited” because of the way Google Android is designed.

  • A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly.

[Source: zdnet]