Microsoft planning quiet Patch Tuesday (1 critical)

Microsoft plans to ship a solitary security bulletin next Tuesday with fixes for a serious security problem in its flagship Windows operating system.

The bulletin will carry a “critical” rating, which means that exploitation of the vulnerability could allow the propagation of an Internet worm without user action.

According to an advance notice issued by Redmond, the flaw is rated critical on Windows 2000, Windows XP and Windows Server 2003.

On Windows Vista and Windows Server 2008, the severity is downgraded to “moderate.”

Technical details on this issue will not be publicly available until Microsoft ships the patch on January 13, 2009.

[Source: zdnet]

Microsoft study debunks phishing profitability

Do phishers actually make money, or is phishing an unprofitable business into which scammers sink time and resources? Taking an economic approach to estimating how much money phishers make, a recently released study by Microsoft researchers Cormac Herley and Dinei Florencio (A Profitless Endeavor: Phishing as Tragedy of the Commons) states that phishing isn’t as profitable as originally thought.

Citing the 1968 article “Tragedy of the Commons”, the researchers argue that because so many phishers operate on the same scam scene, they earn less than they otherwise could. Moreover, according to the research, the enormous volume of phishing emails is in fact an indication of the failure of phishing. Naturally, there are many more factors to consider; in particular, are phishers in fact profit-maximizing machines, or are they willing to sacrifice potential profit for the sake of their own security? Is it all about making big money, or about breaking even in general?

“However, as we will show, the economics of phishing are far far worse than this. Rather than sharing a fixed pool of dollars phishing is subject to the tragedy of the commons; i.e. the pool of dollars shrinks as a result of the efforts of the phishers. A community (all phishers) share a finite resource (the pool of phishable dollars) that has limited ability to regenerate (dollars once phished are not available to other phishers). The tragedy of the commons is that the rational course of action for each individual (phisher) leads to over-exploitation and degradation of the resource (the phishable dollars).”

Using the Tragedy of the Commons analogy in this case makes it sound as if the disposable income of every phished person, to which phishers would eventually have access, is universally the same. Logically, that’s not the case, since a single phished person could prove a more profitable catch for a phisher than a hundred phished people, and the number of potentially phishable people is always increasing as more people go online.

Moreover, phishers, perhaps not so minded toward economic models, are constantly looking for ways to achieve better efficiency, lower costs, and ways to eat other phishers’ lunch by scamming their fellow colleagues. For instance, related research published in August 2008 found evidence that phishers are in fact backdooring phishing pages and then distributing them for free so that other phishers do the scam for them. The same backdooring process, even though not properly analyzed in a study, continues to take place at a more advanced and far more profitable level: backdooring web malware exploitation kits and botnet command and control interfaces. Therefore, of a hundred actively participating phishers, eighty could easily be phishing for the other twenty.

There are even more variables to consider. Take internal competition among different phishers. Just because a phisher has just sent a million phishing emails pretending to be from a leading German bank to a million Chinese users, perhaps not knowing that the spamming database he’s using belongs to Chinese citizens, doesn’t mean that the outcome of his campaign would be similar to that of a fellow phisher who has taken basic localization and targeting steps into account. With the localization of cybercrime taking place since early 2008, outsourcing the translation of a particular phishing campaign/email is opening up an entirely new space for phishers to target potential victims more effectively. The bottom line here is that the second phisher has a higher chance of success even though both are attempting to phish the same Chinese users, since he’d be impersonating a local bank and his phishing creatives would speak the native language.

This is where efficiency and scalability come into play, a situation pretty similar to that of spam. As long as even a small number of people out of a million phishing emails sent become victims, the phishers break even and thus continue expanding the number of emails sent. This shouldn’t be taken as a failure of phishing in general; instead, it should be considered a campaign optimization practice attempting to achieve better results by targeting a larger population.

Quality assurance is yet another differentiation factor distinguishing the sophisticated phisher from the novice one, who will never get close to the potential market share the sophisticated one is aiming at. Just because all phishers have access to the same quality fakes of legitimate banks, and to DIY phishing tools assisting them in redirecting accounting data to a single domain, doesn’t mean that all of them will make the same impact. The experienced ones achieve a higher average online time for their phishing domains, and apply better targeting and localization tactics, because spammers, phishers and malware authors are consolidating and vertically integrating to cut costs and achieve scalability. Phishing may be described as a low-skill, low-reward job in the study, but just like in every cybercrime practice, the “knowledge workers” in the phishing ecosystem are those getting most of the financial rewards, with the rest basically generating noise and in fact often getting busted due to their inexperience, acting as a human shield for the sophisticated phishers.

There’s another issue to consider: how much money is a phisher actually looking to make out of his phishing campaigns, and is there in fact a maximum or a minimum to his ambitions? Even once access to someone’s account is obtained, is the phisher actually able to withdraw the money from the account, or is he in fact going to make money from selling access to the phished account to someone who can, thus monetizing the accounting data instead of using it? Evidence gathered on this practice clearly indicates that novice phishers may in fact never obtain any of the money that they have access to, but again make money out of selling access to a particular account to those who can.

Phishers may not be making the money that they used to a couple of years ago, but then again phishing has long stopped being an exclusive cybercrime practice; it’s turned into a cybercrime practice “in between”, with the phishers breaking even given the lowering costs and entry barriers into the phishing space in general. And as long as they break even, millions of phishing emails will continue circulating, again “in between” the rest of their malicious activities.

[Source: zdnet]

Bogus LinkedIn profiles serving malware

A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered a valuable asset in the arsenal of the blackhat-SEO-savvy cybercriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and appear within the first 5 to 10 search results.

This is a proven tactic for acquiring search engine traffic, most recently used in the real-time syndication of hot Google Trends keywords as bogus content for automatically generated bogus profiles on Microsoft’s Live Spaces. Approximately 70 to 80 bogus LinkedIn profiles appear to have been created within the past 24 hours, with LinkedIn’s staff already removing some of them.

After several redirections, a malware dropper (TubePlayer.ver.6.20885.exe) is served, currently detected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance, if any, judging by the most abused infection vector of 2008.

[Source: zdnet]

Thousands of Israeli web sites under attack

In the wake of the escalating conflict between Israel and Hamas, it didn’t take long before pro-Hamas supporters organized themselves and started defacing thousands of pro-Israeli web sites in order to use them as vehicles for propaganda; Israel is meanwhile hijacking TV signals.

For the time being, pro-Israeli sites remain automatically probed for web application vulnerabilities through search engine reconnaissance of the Israeli web space by JURM-TEAM and TEAM-Evil, two groups working together and using identical templates for the defaced sites.

Compared to this group’s previous hacktivism (politically motivated hacking) activities, which consisted primarily of mass web site defacements through the exploitation of web application vulnerabilities, last week TEAM-Evil managed to hijack the DNS records of several hundred Israeli domains, redirecting their traffic to bestsecurity.jp, after compromising the administration panel of the domain registrar DomainTheNet.

Members of Team-Evil are no strangers to Israel. The group has been periodically attacking pro-Israeli web sites since 2006. Who are Team-Evil anyway?

Originally started as a Morocco-based group of Muslim hackers, today, thanks to the group’s popularity, they’ve managed not only to recruit more hackers/script kiddies, but also to gain the support of other Muslim hacking groups. The group’s efficient way of exploiting Israeli and pro-Israeli web sites, through commodity web site defacement tools that scan for and exploit known web application vulnerabilities, reached such a peak that a 17-year-old member of Team-Evil got busted. In the ongoing web site defacement attacks, several other well-known Muslim hacking groups appear to be cooperating directly with Team-Evil, such as:

  • JURM-TEAM - members include sql_master, Jurm, Dr.Noursoft, RedDoom, Lpooxd, Cyb3rt and Dr.win
  • Islamic Cr3w - members include Twister and AlH7N00TY
  • TEAM SPECIAL AGENT - members include PrOf-HaCkEr, Black^Monster, FREEM@N, and R00t-Os
  • Team-Evil themselves - members include Jurm, Cyber-terrorist, J3ibi9a, Scritpx, Fatna Bant Hmida

It’s important to point out that the massive web site defacements taking place are not rocket science; they are the low-hanging fruit made available for abuse by insecurely configured web servers. Interestingly, according to one of the messages left on the defaced sites, a separate campaign has been launched by the Hamas supporters in response to the June 2008 defacement of the arabs48.com portal by Israeli hackers.

Having monitored the demise of international cyber jihadist hacking teams (Osama Bin Laden’s Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR) that attacked primarily Western sites, by comparison Israel, Palestine and their supporters are not going to give up that easily the propaganda capabilities that they’ve been building since 2001 by means of web site defacements.

[Source: zdnet]

Real plugs critical holes in Helix Server

RealNetworks has shipped a new version of its Helix Server to plug at least four vulnerabilities that introduce code execution and denial-of-service risks.

The flaws affect Helix Server Version 11.x, Helix Server Version 12.x, Helix Mobile Server Version 11.x and Helix Mobile Server Version 12.x. Three of the four bugs are considered “highly critical” because of the risk of remote code execution attacks.

Technical details:

  • ZDI-CAN-293: RealNetworks Helix Server RTSP DESCRIBE Heap Overflow Vulnerability. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks Helix Server. User interaction is not required to exploit this vulnerability. Authentication is not required to exploit this vulnerability.
  • ZDI-CAN-323: Stack-based buffer overflow (denial of service) when parsing RTSP SETUP. Denial of service can be triggered by performing three consecutive crafted requests on port 554 (the default RTSP port) of the server.
  • ZDI-CAN-333: RealNetworks Helix Server DataConvertBuffer Heap Overflow Vulnerability. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks Helix Server. Authentication is not required to exploit this vulnerability.
  • ZDI-CAN-380: RealNetworks Helix Server NTLM Authentication Malformed Base64 Heap Overflow Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of RealNetworks Helix Server. Authentication is not required to exploit this vulnerability.

Information on patching these installations can be found in this RealNetworks advisory (.pdf).

[Source: zdnet]

Adobe Flash, Apple Safari fail privacy test

Third party plug-ins like Adobe Flash do a poor job of cleaning traces of your browser sessions, rendering private-browsing features somewhat useless, according to a new study by researcher Katherine McKinley.

McKinley, a researcher at iSec Partners, created a tool for testing the functionality of clearing private data after a browser session and browsing in private mode and found that some browsers — most notably Apple’s Safari for Windows — do a poor job of wiping traces of a browser session.

[ SEE: Microsoft confirms ‘InPrivate’ IE 8 ]

McKinley warns (.pdf):

Third party plug-ins like Adobe Flash, which is far more popular than any individual browser or platform, seem to undermine the data protection schemes offered by all common browsers, however. While browsers are introducing more features with privacy implications, such as persistent local storage, they have mostly integrated the management of this type of information into a single location. When users want to ensure their privacy with respect to information stored via the browser standard methods, they can go to a single location to clear the data, use a separate browser, or use a working private browsing mode, if available.

Plug-ins need to take extra steps to ensure the privacy of their users. The clear best practices in this area, as exemplified by Google’s Gears, prompts users before allowing a site to store data on their system, holds a per-browser data store, and integrates their management UI into the browser UI. Adobe Flash does none of these things, instead silently allowing web sites to store data, uses one global data store for all browsers, and uses a settings UI accessible only when the user is connected to the Internet.

[ SEE: Major Web browsers fail password protection tests ]

She called on browser vendors and plug-in vendors to cooperate to make their platforms more trustworthy:

A set of standard APIs to communicate the need for plug-ins to clear data for a particular origin, all sites, or even a date range needs to be developed, and its use required of all plugins. In the absence of these APIs, plugins which require use of any local system resources should prompt before allowing web sites to store data locally, and integrate the management of interface into the standard browser API.

In the study, McKinley tested the data storage on modern browsers, including HTTP cookies, HTML 5 session storage, Mozilla Firefox persistent storage, HTML 5 database storage, IE userData, Adobe Flash and Google Gears.

[ SEE: Firefox scrambles to add ‘private mode’ browsing ]

Apple’s Safari on Windows, which offers a “Private Browsing” option, did not fare well:

The HTML 5 Database store on Safari is not cleared when resetting the private data, the user must go to their preferences and select Security, then click the “Show Databases” button on that tab to review or delete databases. For IE 8 Beta 2, the browser must be closed to actually clear the data for the running instance. In each of these cases, it is necessary to perform additional actions to effectively clear this data.

And more:

Safari on Windows fared the worst of all in [tests] with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode. On OS X, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.
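One way to reproduce the kind of test McKinley ran, as an added example that is not her tool or code: plant a marker value in each storage mechanism, perform the "clear private data" step (or a private-browsing session), and audit which stores still return the marker afterwards. The adapter shape (write/read), the MemoryStorage class and demoAudit are assumptions of this example; cookieAdapter and webStorageAdapter wrap the real document.cookie and Web Storage APIs, while the demo drives the audit with constructed in-memory stand-ins so it runs outside a browser.

```javascript
// Added example, not McKinley's tool: a plant-and-audit persistence probe.
// Every store is wrapped in an adapter exposing write(key, value) and read(key).

const MARKER_KEY = "privacy_probe";

// Adapter for document.cookie (pass `document` in a browser).
function cookieAdapter(doc) {
  return {
    write: (key, value) => { doc.cookie = `${key}=${value}; path=/`; },
    read: (key) => {
      const hit = doc.cookie.split("; ").find((c) => c.startsWith(key + "="));
      return hit ? hit.slice(key.length + 1) : null;
    },
  };
}

// Adapter for anything with the Web Storage shape (localStorage, sessionStorage).
function webStorageAdapter(storage) {
  return {
    write: (key, value) => storage.setItem(key, value),
    read: (key) => storage.getItem(key),
  };
}

// Phase 1: before clearing, leave the same marker in every store.
function plantMarkers(adapters, value) {
  for (const adapter of Object.values(adapters)) adapter.write(MARKER_KEY, value);
}

// Phase 2: after clearing, return the names of stores where the marker survived.
function auditLeaks(adapters, value) {
  return Object.entries(adapters)
    .filter(([, adapter]) => adapter.read(MARKER_KEY) === value)
    .map(([name]) => name);
}

// Constructed in-memory stand-in for a Web Storage object (demo only).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  clear() { this.items.clear(); }
}

// Simulates a "clear private data" run. By default it wipes cookies and Web
// Storage but leaves the database store untouched, mirroring the Safari
// behaviour quoted above; pass { clearDatabase: true } for a complete clear.
function demoAudit({ clearDatabase = false } = {}) {
  const fakeDoc = { cookie: "" };            // constructed stand-in for document
  const local = new MemoryStorage();
  const html5db = new MemoryStorage();       // stands in for the HTML 5 database store
  const adapters = {
    cookie: cookieAdapter(fakeDoc),
    localStorage: webStorageAdapter(local),
    database: webStorageAdapter(html5db),
  };
  const marker = "session-" + Date.now();
  plantMarkers(adapters, marker);
  fakeDoc.cookie = "";
  local.clear();
  if (clearDatabase) html5db.clear();
  return auditLeaks(adapters, marker);
}

console.log("stores leaking after partial clear:", demoAudit());
console.log("stores leaking after full clear:", demoAudit({ clearDatabase: true }));
```

In a browser the same two phases are run as two page loads: one that calls plantMarkers with the real document and window.localStorage before the user clears data or enters private mode, and one that calls auditLeaks afterwards. Plug-in stores such as Flash local shared objects have no adapter here because, as the study notes, they are not reachable through the browser's standard APIs, which is exactly the gap McKinley describes.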

* Image source: 253C. Hat tip to NYT’s Brad Stone.

[Source: zdnet]

An easy fix ignored

In the wake of this morning’s 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I’ve read so far has focused on the technical details and real-world impact of their findings. Rightly so — their paper describing the attack is a fascinating read filled with enough gory details to make any security practitioner salivate.

To summarize, the crux of the attack was the fact that certain certificate authorities (CAs) still use the MD5 algorithm to sign SSL certificates. The researchers exploited this implementation by harnessing some existing academic research on MD5 chosen-prefix collisions and sprinkling in a few additional tricks.

The most frustrating part of this whole debacle is that it should have never happened.

Like any widely used cryptographic algorithm, MD5 has been scoured for weaknesses by cryptanalysts since its introduction in 1991. The first significant cracks in the surface appeared at the CRYPTO 2004 conference in August 2004, when Xiaoyun Wang presented a paper entitled Collisions for Hash Functions that described a method for producing MD5 collisions.

[ SEE: SSL broken! Hackers create rogue CA certificate using MD5 collisions ]

History has shown repeatedly that cryptanalysis is an evolutionary process. Each subsequent compromise builds on top of prior work, and each new attack is more practical than the last. The Wang presentation should have been a wake-up call that the clock was ticking on MD5. But, aside from the security community, nobody paid much attention.

At the time, I was employed as a security consultant for @stake, and I can remember revising all of our deliverable templates to remove any mention of MD5 from our best practices or boilerplate text. Even some of my own colleagues were split on whether that was necessary, since the attack didn’t have any practical implications yet. I agreed that we had no reason to act like the sky was falling, but it would only be a matter of time until a practical attack would be discovered. As such, our customers should be advised, at the very least, to eradicate MD5 from their code going forward.

But people tend to be lazy. The typical enterprise mindset can best be summarized as “if it can’t hurt me today, stop bothering me,” and that probably won’t change anytime soon. For an enterprise application, the risk is bounded. If you choose to use a weak hash algorithm in your custom web application, you only hurt yourself and your customers. Apparently, that is a risk people are willing to take, even though switching hash algorithms is a fairly trivial code modification.

A few years later, right on cue, Marc Stevens released a master’s thesis entitled On Collisions in MD5 (.pdf), detailing a chosen-prefix attack against MD5. This was a significant breakthrough and one crucial step closer to the practical, real-world attack revealed today in Berlin.

It’s an absolute travesty that the CAs failed to act not only on the Wang research, but on every other MD5 attack that has materialized since. Any organization that is in the business of selling trust should take all possible measures to be trustworthy, and the CAs failed miserably in that regard.
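The remediation the article calls for starts with knowing which certificates are still signed with MD5. The following is an added example, not code from the article, from any CA or from any browser vendor: it parses only the DER framing needed to read the outer signatureAlgorithm field of an X.509 certificate and flags the MD5-based signature OIDs (the OID values are from RFC 3279 and RFC 4055). The toy certificate built by makeToyCert is a constructed stand-in with real DER framing but a dummy TBS body; on a real certificate you would pass the DER bytes read from disk.

```javascript
// Added example: audit a DER-encoded X.509 certificate for an MD5-based
// signature algorithm. Only the outer Certificate SEQUENCE and the
// AlgorithmIdentifier inside it are parsed.

// Signature algorithm OIDs (RFC 3279 / RFC 4055).
const WEAK_SIGNATURE_OIDS = {
  "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
  "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
};
const KNOWN_SIGNATURE_OIDS = {
  ...WEAK_SIGNATURE_OIDS,
  "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
  "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
};

// Read one DER tag/length/value triple at pos; handles short and long-form lengths.
function readTlv(buf, pos) {
  const tag = buf[pos];
  let len = buf[pos + 1];
  pos += 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
    pos += n;
  }
  return { tag, value: buf.subarray(pos, pos + len), next: pos + len };
}

// Decode the content octets of an OBJECT IDENTIFIER into dotted form.
function decodeOid(value) {
  const arcs = [Math.floor(value[0] / 40), value[0] % 40];
  let acc = 0;
  for (const b of value.subarray(1)) {
    acc = acc * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(acc); acc = 0; }
  }
  return arcs.join(".");
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function signatureAlgorithmOid(certDer) {
  const cert = readTlv(certDer, 0);
  if (cert.tag !== 0x30) throw new Error("not a DER SEQUENCE");
  const tbs = readTlv(cert.value, 0);            // skipped: we only need what follows it
  const alg = readTlv(cert.value, tbs.next);     // AlgorithmIdentifier ::= SEQUENCE { OID, params }
  const oid = readTlv(alg.value, 0);
  if (alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error("malformed AlgorithmIdentifier");
  return decodeOid(oid.value);
}

function isWeakSignature(certDer) {
  return signatureAlgorithmOid(certDer) in WEAK_SIGNATURE_OIDS;
}

// --- DER encoding helpers, used only to build the constructed sample below ---
function tlv(tag, value) {
  const len = value.length;
  if (len < 0x80) return Uint8Array.from([tag, len, ...value]);
  const lenBytes = [];
  for (let n = len; n > 0; n = Math.floor(n / 256)) lenBytes.unshift(n % 256);
  return Uint8Array.from([tag, 0x80 | lenBytes.length, ...lenBytes, ...value]);
}

function encodeOid(dotted) {
  const arcs = dotted.split(".").map(Number);
  const out = [arcs[0] * 40 + arcs[1]];
  for (let arc of arcs.slice(2)) {
    const chunk = [arc & 0x7f];
    arc = Math.floor(arc / 128);
    while (arc > 0) { chunk.unshift(0x80 | (arc & 0x7f)); arc = Math.floor(arc / 128); }
    out.push(...chunk);
  }
  return Uint8Array.from(out);
}

// Constructed stand-in for a certificate: real DER framing, dummy TBS body
// (a serial number plus optional padding to exercise long-form lengths).
function makeToyCert(sigOid, tbsPadding = 0) {
  const tbsFields = [...tlv(0x02, Uint8Array.of(1))];
  if (tbsPadding > 0) tbsFields.push(...tlv(0x04, new Uint8Array(tbsPadding)));
  const tbs = tlv(0x30, Uint8Array.from(tbsFields));
  const alg = tlv(0x30, Uint8Array.from([...tlv(0x06, encodeOid(sigOid)), 0x05, 0x00])); // NULL params
  const sig = tlv(0x03, new Uint8Array(17));    // BIT STRING: 0 unused bits + 16 zero bytes
  return tlv(0x30, Uint8Array.from([...tbs, ...alg, ...sig]));
}

for (const oid of ["1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"]) {
  const cert = makeToyCert(oid);
  console.log(KNOWN_SIGNATURE_OIDS[signatureAlgorithmOid(cert)], isWeakSignature(cert) ? "WEAK" : "ok");
}
```

The check is only useful when applied to every certificate in a chain, not just the leaf: the rogue certificate described above was an intermediate CA, so a client that inspected the server certificate alone would have seen nothing wrong.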

* Chris Eng is senior director of security research at Veracode. He is currently removing root CAs from his web browser.

[Source: zdnet]