The Inquisitr » security

The Epic Wordpress + MediaTemple Failure

Kyle Brady — Sun, 15 Nov 2009 21:53:40 +0000

A week ago I, Kyle the Invincible!, was hit by an injection attack on the majority of my own sites, and it took a large handful of hours to even figure out what was wrong. Once I discovered that a file had been somehow uploaded to my server, which executed itself and inserted malicious code onto my site’s pages, I wrote about it – in fact, you can find the full technical details on my blog and some more details on the Wordpress bug ticket.

Everything seemed like it was OK afterwards, since MediaTemple (my host) had worked pretty heavily with me to find the problem and determine the solution – I even wrote about how I was happy with the interaction and name-dropped the techs who had helped me. But then when my post on the issue started getting popular, because this is apparently a common problem at the moment, they stopped talking to me, especially when I started pushing for more answers.

The key to all of this is that a file is somehow uploaded to the server, which I had initially thought might be a fault of my CMS. Wordpress claims it isn’t their fault, but they released a security update (2.8.6) pretty quickly after my security and bug reports on the issue. MediaTemple claims it’s not their fault either, because Wordpress is “notoriously insecure”. But when the same issue started appearing for other users that don’t even use Wordpress, I became concerned – even more so when I learned most, if not all, of them are MediaTemple (gridserver) customers.

I’ve been pressing them for answers for the last four days, since I decided it was a hosting security issue, and have been ignored pretty stoically. But imagine my surprise today when I notice that I’ve been hit by the exact same attack, just a week later, this time running Wordpress 2.8.6.

If there’s a security issue floating around, you’d imagine that those behind the problem would be extremely interested in fixing it as soon as possible… right? Well, apparently not. It seems to be more important for both Wordpress and MediaTemple to act more like the Camel Lights camel rather than Boris from Goldeneye, and this is absolutely unacceptable from a user standpoint. Any vulnerability that allows unauthorized access to data, breaks a site, makes a huge list of SPAM links to porn, and redirects links to a malware distribution site is entirely not something to laugh at.

This is not a chain mail letter you can ignore without repercussions – this could effect a very big swath of the Internet, no matter who has caused the security hole.

I’ve been relatively happy with the (gridserver) plan from MediaTemple, and I know most people have been too. If this keeps up, however, I’ll be leaving them for someone who’s more interested in my data security than they appear to be, especially since all evidence points to this being a server issue rather than that of public-level software.

MediaTemple: step up, and do what we pay you for. If not, there will be a user reckoning.

Wordpress: you need to make an announcement. If it’s not your fault, that’s fine – but recognize the issue publicly, publish steps to fix the issue, and make a definitive claim against MediaTemple; however, you better have concrete evidence that it isn’t your fault.

Kyle Brady is a contributing columnist for the Inquisitr, an entrepreneur, and has a future in science fiction. He can be found at his blog, via email, or on Twitter.

Chrome OS gets ‘mounting library’ but doesn’t change the fact a Web OS is dumb

Steven Hodson — Thu, 12 Nov 2009 23:35:08 +0000

I was reading Sarah Perez’s post at ReadWriteWeb about some clever folks at the DownloadSquad who have found some goodies in the Chrome OS code that seems to indicate that the new web-based operating system will be able to monitor for new devices attached to your system.

What does this mean?

Well it means that your web-browser – in this case Chrome I would imagine – suddenly becomes a file manager. This is nothing new really as typing (on a Windows machine) C:/ in the addressbar of both the newest version of Firefox and Chrome will display the folders and files on C drive. You can navigate your hard drives without any real problem. In IE 8 however it will launch Explorer which is a change from previous versions of IE.

As Sarah quite rightly points out though in her post this opens up a whole slew of security issues – this was the reason for the change in IE.

As exciting as that sounds, a commenter on the blog post points out that a browser that acts like this could mean serious security issues for the new operating system. Would a malicious web page be able to tap into this feature to wreak havoc on your system? We know that Google said security was one of the key aspects of the OS, but we also know that hackers are extremely crafty as well. No matter how good the security measures Google puts into place to limit this sort of access, there’s nothing that would provide 100% protection. And isn’t this the same sort of functionality that Microsoft ditched in Internet Explorer years ago with the launch of IE7 due to these very same security concerns?

All this aside the idea of a web-based operating system that you access through a browser still strikes me as one of the dumbest ideas around. Sure have your data in the cloud but to put the control of using even the most basic functions of your computers in the hands of a company that you can only access if you have an Internet connection is foolish.

Even if we were to consider this as as a possibility is it really a realistic use of hardware that continues to grow in power every year?

Here we have machines, even including laptops, that have more computing and graphics power in them than all the computers used to power the Apollo space program and we want to reduce them to running a bunch of javascript in a browser window.

What a waste.

Rogue group hijacks hundreds of Facebook groups for your own good

Kim LaCapria — Tue, 10 Nov 2009 21:50:11 +0000

Despite well-known privacy leaks and rampant availability of sensitive personal data, Facebook remains hugely popular.

Lulled into a precarious sense of security by friends locking accounts, most people feel fairly comfortable sharing information they might not otherwise like to see on the front page of The New York Times. (One of the litmus-tests for information sharing on the internet, that or “would you like to see it in your grandmother’s inbox?”) A common Facebook function for many users seems to be the practice of joining any and all groups that cross their news feeds, from “Celebrities I’d Like To Hit in the Face With a Bag of Doorknobs” to “I couldn’t give a flying f**k about what you’re up to on Farmville.”

Today, many users woke up to find the following message posted on the “walls” of groups taken over by Control Your Info, who state that the mass-hack was “strictly not for profit and done for a good cause.” (It did get their name in the news, though.)

Hello, we hereby announce that we have officially hijacked your Facebook group.

This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly.

For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:

Think about the safety in your social media life to the same extent you do in your real life. Watch the videoclip for more information or check out www.controlyour.info for more tips soon!

We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.

The loophole which allowed the group to gain administrative access to Facebook groups exists in groups in which the administrator has since jumped ship. Anyone belonging to a group without an admin can appoint themselves in charge of the group and then change the group name, contact members, and so on. While it’s unlikely to be the end of life as you know it, it’s certainly something to think about.

Facebook has commented on the matter and denied groups had been hijacked, asserting that no sensitive data had been compromised. The spokesman also addressed concerns with large groups and cleanup of the affected groups, many of which remain “hijacked”:

“The names of large groups cannot be changed, nor can anyone message all members,” he said. In cases where Facebook finds that a group name has been changed inappropriately, it will disable those groups, which is what it plans on doing in this case, he said.

CIA head nixed secret plan for assassination squad

Steven Hodson — Tue, 03 Nov 2009 22:02:19 +0000

According to a story in the Washington Post the CIA was in the process of developing teams of anti-terrorist assassination squads that ended up being shut down when CIA head Leon Panetta found out about them.

While there were apparently plans at the agency to develop these squads for a number of years with the idea of using them to hunt al-Qaeda leaders it wasn’t until recently that the plans were upgraded to a “somewhat more operational phase”.

Once he learned of the plans and shut them down Panetta appeared at Capital Hill to brief lawmakers about the whole deal since they had been kept in the dark about it.

The Obama administration’s top intelligence official, Director of National Intelligence Dennis C. Blair, yesterday defended Panetta’s decision to cancel the program, which he said had raised serious questions among intelligence officials about its “effectiveness, maturity and the level of control.”

But Blair broke with some Democrats in Congress by asserting that the CIA did not violate the law when it failed to inform lawmakers about the secret program until last month. Blair said agency officials may not have been required to notify Congress about the program, though he believes they should have done so.

Source: The Washington Post

The Democrat lawmakers however feel that the CIA intentionally misled Congress by failing to disclose the program. It was a program that came out of “presidential finding” signed by President George W. Bush shortly after September 11, 2001 that granted the agency broad authority to use deadly force when hunting down bin Laden and other high ranking al-Qaeda members.

Those deleted text messages? Maybe not so deleted after all

Steven Hodson — Tue, 27 Oct 2009 05:07:58 +0000

We live in an increasingly mobile computing world and as a result more and more of our daily affairs are ending up on things like our mobile phones. Everything from text messages to myriad bits of personal information.

Here’s the thing though – all those text messages you thought you deleted. Well they may not be as deleted as you might have thought and all that other private information – well it turns out it may not be as private as you thought. At least so say Kim Khor, director of Khor Willis & Associates an Australian mobile forensics company found on the speed dial of police departments and corporations.

Khor with the help of a device the shape of a hockey puck and costing $25,000 can retrieve those secret text messages that you thought you had deleted from your mobile phone even after five years.

Keen to find out more The Sunday Telegraph tested their abilities last week.

We provided Mr Coulthart with an old SIM card, found in the bottom of a friend’s drawer and an eight-month-old iPhone to discover what information they could find.

Start of sidebar. Skip to end of sidebar.

End of sidebar. Return to start of sidebar.

Mr Coulthart inserted the seven-year-old SIM card into his forensic device and was able to scroll through hundreds of messages, including a “Merry Christmas” from December 25, 2005.

“From this SIM card I can see messages, many deleted, back to July, 2005,” Mr Coulthart said.

He ascertained the owner’s date of birth, home address, brother’s name and high school attended _ all from deleted messages.

“Often when messages are deleted from the handset they are sent to the SIM card, and as long as there is space on the card they are still accessible to a hacker,” Mr Coulthart said.

With Bluetooth and infrared to access information from a mobile phone at a distance, the $25,000 forensic device is the law-enforcement tool of choice, he said.

The men then uploaded information from a newer iPhone, affording easy access to the contacts book, SMS messages and photos.

Mr Khor said: “We used an email address gathered from the phone to find a Facebook profile and confirm the `friends’ accounts, thereby finding, for example, a photo of the owner’s sister.

“In 10 minutes we found a fair amount of personal information about the family and the owner online.”

Source: The Daily Telegraph

Isn’t technology grand?

Comcast going proactive against PC infections

Steven Hodson — Thu, 08 Oct 2009 22:20:36 +0000

In a move that maybe should have been done years ago Comcast is testing out a new automated service in Denver called Comcast Constant Guard. The idea being that as the IPS they will be able to detect much easier unusual spikes in activities from particular IPs they can warn their customers of possible infections.

The alerts are triggered when computers on their networks are found to be doing activities that are commonly associated with botnet style activity. As well customers will be notified if their IP address is identified as the source of spam on an industry span list.

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don’t have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

Source: cnet News – Comcast pop-ups alert customers to PC infections

The new service will eventually be rolled out to the ret of the country and replace the current practice of contacting the user by phone.

Image: cnet News

Swarm intelligence for cutting edge cyber security

Steven Hodson — Mon, 28 Sep 2009 18:40:04 +0000

In the battle to keep computer networks safe we are use to using tools like resourcing hogging anti-virus and other malware scanning methods. The problem is that in many cases this is more like fighting a rear-guard action as malware creators change and adapt quicker than the tools we use to fight them.

This may change due to some new thinking and following one of nature’s scrappiest fighters – the common ant.

Using a concept called swarm intelligence security researchers are trying to create a digital version of those pesky little insects that have ruined more than one picnic.

“In nature, we know that ants defend against threats very successfully,” explains Professor of Computer Science Errin Fulp, an expert in security and computer networks. “They can ramp up their defense rapidly, and then resume routine behavior quickly after an intruder has been stopped. We were trying to achieve that same framework in a computer system.”

Source: Science Daily – Ants Vs. Worms: New Computer Security Mimics Nature

The project at Pacific Northwest National Laboratory (PNNL) has already successfully used this idea of digital ants to track down a worm that they let loose into a network of 64 computers. As a result the project has been extended and two of the researchers, Wes Featherstun and Brian Williams, will be incorporating their research into their master’s theses.

This type of security isn’t something that we will probably see anytime soon on our personal computers as it is more oriented to protecting large networks like the ones at universities, governments, and large corporations.

Visiting China? Throw away your mobile phone on returning

Steven Hodson — Wed, 16 Sep 2009 19:31:15 +0000

It appears that the US Government doesn’t think that it’s a good idea to use any of your electronic equipment like laptops and mobile phones after you return from a trip to China. In fact they suggest that you use separate equipment all together for your trip and then wipe it clean afterwards.

Such was the case when Mark Bregman, chief technology officer at Symantec, was advised by some “three-letter agencies in the US Government” to buy a mobile phone in the US and throw it away when he returned. This is on top of the fact that he already uses a separate MacBook Air for his trips to China – which the agencies also suggested he weight before leaving and again on returning – which he reimages every time he returns home.

Bregman said the US was also concerned about its companies employing Chinese coders, particularly in security.

He said the "software supply concern" was due to fears that Chinese developers would insert malicious code into software sold to American companies or the US government.

Source: CRN – Safety first for IT executives in China

Rogue ad battle at New York Times

Steven Hodson — Sun, 13 Sep 2009 21:22:01 +0000

According to Steven Musil at cnet Security The New York Times is in the midst of a battle to get rid of a what they are terming “an unauthorized advertisement”.

In typical fashion the ad warns readers that their computer could be infected with some sort of virus and then redirects the reader to a site offering “antivirus software”. The site readers are being redirected to is best-virus03.com and is a hijacking site that takes over your browser and will attempt to install software.

As one cnet reader told Musil

One CNET reader described how the pop-up ad essentially hijacked his browser, preventing him from navigating away from the site.

"They took me to an ‘antivirus site,’ which kept attempting to scan my computer and install software. Using the back button kept reloading the virus page," the reader said. "It was not possible to close the page, necessitating a force quit."

At this point other than a short blurb in the newspaper’s Media & Advertising section NYT isn’t saying a whole hellva lot.

Linux not so pure and safe after all

Steven Hodson — Sun, 13 Sep 2009 18:29:40 +0000

For almost as long as there has been OS wars the mantra of the penguin herders has been that the likelihood of Linux ever being vulnerable to tings like viruses and trojans was next to nil. This was something that they liked to hold over the heads of all us dumb Windows users – much like the Mac contingent does as well.

How many times have we heard the chant … “you want to be safe use Linux – Windoze is for losers” or some such similar childishness?

Well now Windows users can tell all those Linux lording geeks to stuff it because just as with any operating system there are weaknesses that can be exploited (usually the person behind the keyboard) and Linux is no different. Regardless of how the Tux lovers might pontificate about the security of Linux the fact is that Linux can be exploited which is exactly what a security researcher has found with the discovery of a cluster of Linux servers that is being used as a special ops kind of botnet. As well it is being used to distribute malware to unsuspecting web surfers.

Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they’ve also been hacked to run a second webserver known as nginx, which serves malware.

"What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution," Sinegubko wrote here. "To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s)."

Source: The Register – Linux webserver botnet pushes malware

While it is unclear how the infection began Sinegubko suggests that it may be because on nothing more than careless administrators who had their passwords sniffed – hence my comment about the biggest security weakness being from behind the keyboard regardless of operating system. Current the network consists of about 100 nodes running the Apache webserver on different distros of Linux.

Anonymous data not so anonymous after all

Kim LaCapria — Tue, 08 Sep 2009 21:26:34 +0000

Like Hansel and Gretel’s trail of breadcrumbs, we all leave a trail of personal information as we navigate the internet.

Your friend sent you a birthday drink! A post about taxes in your hamlet, another about your toddler’s eating habits, a flight or hotel reservation, your Netflix queue… I think every internet user has a bit of a creeping bit of nervousness about what the web collective “knows” about their lives.

Ars Technica has an interesting post on this very subject today, summed up in a slightly jarring quote here:

“For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical ‘database of ruin,’ the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Reidentification has formed the database of ruin and given access to it to our worst enemies.”

Luckily for all of us, we’re Joe Average. The majority of us will never run for office or be in the headlines, but woe betide those of us who do. Google knows who you are, and it doesn’t keep secrets. Everyone laughed at Caribou Barbie Sarah Palin when some enterprising /b/tards youths hacked her e-mail account. But how secure are your security questions?

We all think we’re careful, not spilling an awful lot in public space and hey, my Facebook profile is set to private! (But as the ACLU pointed out not too long ago, our random FB tidbits also leak out through the profiles of our friends, of which I have over 150. I haven’t even met 150 people, in my life.) The linked Ars Technica article points out that even the benign stuff is not necessarily benign, when combined with other data that’s readily available. For instance, 87% of Americans are identifiable by birth date, zip code, and gender alone. How many places on the internet is that information readily available about you?

Perhaps the most worrying part is that information leakage seems to be trending toward being perpetuated forward but becoming relevant backwards. Let me explain with another anecdote from the article. In the mid-90s, a grad student in Massachusetts took an admittedly dopey initiative to study “anonymized” medical records data for all state employees to try to identify one. She was quickly successful in finding and delivering the Governor’s personal data to him:

Only six people in Cambridge shared his birth date, only three of them men, and of them, only he lived in his ZIP code. In a theatrical flourish, Dr. Sweeney sent the Governor’s health records (which included diagnoses and prescriptions) to his office.

So while you may be anonymous for now, bear in mind that almost unlike the fairly recent past, most of the information you release is leaving a trail. Could a forum post made in haste about a chronic cough affect your health coverage in 15 years? Could an old Netflix queue be used against you in court?

Selling out your kids online chats

Steven Hodson — Tue, 08 Sep 2009 00:00:00 +0000

Parents generally try to do the right thing when it comes to the amount of time their children spend on the web. They do everything they can to try and make it a safe experience even when it means installing software to monitor their children’s actions while surfing and chatting.

Because of that concern there are many companies who market all kinds of software to concerned parents wit the promise that it will make them feel better about a child’s time spent online. Generally companies like Symantec, McAfee and others like CyberPatrol treat much of what they track as confidential information between them, their software and the parents who install it.

Unfortunately not all companies have the same moral and ethical foundation. Software sold under the Sentry and FamilySafe brands of software, have been discovered to have been selling collected data to businesses looking for ways to better tailor their sales pitches to children. They do this by monitoring the children’s private chats on service like Yahoo, MSN, AOL and other services for conversations about movies, music and games.

The software brands in question are developed by EchoMetrix Inc., a company based in Syosset, N.Y.

In June, EchoMetrix unveiled a separate data-mining service called Pulse that taps into the data gathered by Sentry software to give businesses a glimpse of youth chatter online. While other services read publicly available teen chatter, Pulse also can read private chats. It gathers information from instant messages, blogs, social networking sites, forums and chat rooms.

EchoMetrix CEO Jeff Greene said the company complies with U.S. privacy laws and does not collect any identifiable information.

"We never know the name of the kid — it’s bobby37 on the house computer," Greene said.

What Pulse will reveal is how "bobby37" and other teens feel about upcoming movies, computer games or clothing trends. Such information can help advertisers craft their marketing messages as buzz builds about a product.

Source: AP – Web-monitoring software gathers data on kid chats

Lure of technological convenience hides a nasty side

Steven Hodson — Wed, 02 Sep 2009 21:57:55 +0000

There is no denying the fact that we all love our tech toys. Apple’s iPhone continues to sell, smart phones in general grow in popularity, GPS-based apps are just handy to have. Things like electronic swipe cards for subways, toll booths and quick payment at stores make life easier – and quicker. God knows I wouldn’t know what to do without my debit card – I hardly ever carry cash anymore.

The dark side to this though is that every time we use those ‘conveniences’ that data is collected and kept somewhere. Under the guise of aggregated data used for everything from profit projections to traffic flows this data is amassed painting a picture of where you have been and what you have done.

This collection of data has many privacy experts concerned as we are seeing cases of this type of data turning up in courtrooms. Whether it be the police using cell phone records to track people to things like E-ZPasses to show people’s travel routes at the times when crimes have occurred. Google searches have shown up in more than a few high profile murder trials.

As Adam Cohen notes in an editorial post at The New York Times this isn’t just the prevue of the police and lawyers.

Corporations and the government can keep track of what political meetings people attend, what bars and clubs they go to, whose homes they visit. It is the fact that people’s locations are being recorded “pervasively, silently, and cheaply that we’re worried about,” the Electronic Frontier Foundation said in a recent report.

Sure we might realize empirically that we are probably being watched by an increasing number of CCTV cameras as we move around but in general people don’t realize the extent to which their everyday activity is recorded. People aren’t told that using that transportation card will also allow the transportation authority to track them (or that police have used those records in criminal investigations). Cell phone users aren’t told that even though they aren’t using the phone that if it is turned the companies can track their movements.

Not all of this information is being broadcasted and collected without our knowledge as the popularity of social media services like BrightKite which is a web service that let’s you broadcast your current location and the willingness of people to tell the world where and what they are doing. Sure the typical argument that advocates of these types of services, knowing or otherwise, is that if we have nothing to hide we shouldn’t be concerned about all this data collected.

Sorry but that’s a mug’s argument in my opinion. I can understand how some of this data can be helpful but in no way does it need any type of personal information attached to it. As Cohen points out in his editorial

As much as possible, location-specific information should not be collected in the first place, or not in personally identifiable form. There are many ways, as the Electronic Frontier Foundation notes, to use cryptography and anonymization to protect locational privacy. To tell you about nearby coffee shops, a cellphone application needs to know where you are. It does not need to know who you are.

When locational information is collected, people should be given advance notice and a chance to opt out. Data should be erased as soon as its main purpose is met. After you pay your E-ZPass bill, there is no reason for the government to keep records of your travel.

While the lure of convenience is making this kind of data collection palatable that doesn’t mean that it is a good thing or that it should be being done.

OS X’s changing security landscape

Steven Hodson — Fri, 28 Aug 2009 21:22:36 +0000

There’s a lot of talk going on in the tech blogosphere about the newest release of OS X, Snow Leopard, coming to market with a built-in malware scanner. Now that it has shipped we are seeing exactly what lies behind the real thing and it turns out to be not much more than an XML styled file called XProtect.plist that at this point only contains the signature information for two trojans.

Interestingly enough the files detailed are for trojans that hit the web earlier this year, there is nothing for more current exploits. While security experts may be divided on the actual usefulness of such a limited scanning the reality is that at this point in time the Mac doesn’t need the same type of malware definition file that Windows does. This is because for the most part Mac doesn’t share the same market share or interest for malware creators.

For much of the life of the Mac computers there has been no real need to worry about things like viruses, trojans, or other types of malware because the truth of the matter is that as a platform it held no attraction for those people who create malware. This unfortunately has given Mac users a deluded point of view that Mac’s are some how immune to malware. Many a flamewar has risen over this fact with people who try to point out that Mac’s real security has been one of market share rather than true security baked into the operating system.

It isn’t just Windows users who have been trying to say this in defense of their operating system of choice but is also coming from die-hard Apple fans who use Mac systems day in and day out. Such a person is Dino Dai Zovi who has been hacking Mac’s for almost as long as he has been using computers. The winner of the PWN2OWN hacking contest in 2007 said recently that “the Mac is not magically protected from malware”.

Charlie Miller, co-author of The Mac Hacker’s Handbook with Dai Zovi, who is a multi-year winner of the PWN2OWN hacking contests said in an interview

"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."

Even in light of what people like Miller and Dai Zovi are saying there is still a large contingent of Mac users who truly believe that they are invulnerable to malware by virtue of the Unix base that OS X is built on. It is also the same type of opinions held by the Linux community as well. As much as these people like to believe this they are ignoring a fundamental law of our world – whatever mankind creates someone will find some way to figure out how it works and then subvert it.

Pick any technology created by man at at some point some-one finds a way around it, a way through it or some way to break it. It is an inescapable law and just because Mac users would like to think that OS X is above all this they are living in a dream world.

Apple though may be coming out of their dream state fugue with Snow Leopard and the inclusion of a malware scanner. For Mac security experts like Dino Dai Zovi though this initial step may not go far, or deep, enough as he recently put forth his wish list when it comes to Snow Leopard

In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and Mandatory code signing for kernel extensions.

At this point Dai Zovi also adds Leopard has a security level akin to something between Windows XP Service Pack 2 and Vista and it still remains to be seen where Snow Leopard will fall.

Right now the Mac only has about 5 percent market share worldwide with half of that being US users but it is a share that is rising, from 3.73 percent to 4.86 percent in one year. With that rise though also comes the increased visibility of OS X as a target for malware creators so the dreamland that many Mac users live in when it comes to security is in danger of crashing down around them.

As Charlie Miller said

"No computer or operating system is more or less secure when it comes to users being tricked into downloading something,"

image courtesy of Mac Magazine Brazil

Snow Leopard ships with malware blocker (Wha??)

Steven Hodson — Wed, 26 Aug 2009 02:21:41 +0000

After years of lording over Windows the fact that Mac OS X doesn’t, or couldn’t get attacked by malware Apple’s next version of OS X, Snow Leopard, is being shipped with as malware blocker. Back in December of last year I got some flack over a post about OS X and how its days of not being a target for viruses, trojans, or other types of malware where numbered.

How things can change in almost a year eh. As many have always maintained Apple’s real security against these baddies was that the user base size of OS X didn’t make it worth malware developer’s time. Something must have changed if Apple has gotten to the point that they have incorporated a malware scanning engine as a part of Snow Leopard.

Ryan Narine at cnet Zero Day has this to say about the discovery

It is not yet clear how Apple is handling the package scans for signs of malicious software.

I have confirmed that Apple is not using the open-source ClamAV engine to handle these scans so it’s likely the company has entered into an agreement with a commercial anti-virus company.

This isn’t the first official acknowledgment from Apple that the Mac operating system may be susceptible to malware. This Web page on Mac OS X security actually recommends the use of third-party anti-virus software to get “additional protection.”

All I have to say is

It takes 1,000 cameras to solve only one crime

Steven Hodson — Tue, 25 Aug 2009 22:18:51 +0000

If there is one thing that England is known for it is it Big Brother attitude about watching every move made by its citizens. In London alone there are more than a million cameras that has cost the government £500 million.

So what are the results from all this surveillance?

Well according to Detective Chief Inspector Mick Neville, a senor Scotland Yard officer, in an internal report out of all the crimes committed in 2008 only 1,000 were solved with the help of CCTV camera. He also wrote that CCTV only played a role in capturing just eight out of 269 suspected robbers in one month. This would seem to match up with an early report form the Home Office that cameras have had only a “modest impact” on reducing crime.

David Davis, the former shadow home secretary said it is ”entirely unsurprising” that the report highlights some shortcomings of CCTV.

”It should provoke a major and long overdue rethink on where the Home Office crime prevention budget is being spent," he said.

”CCTV leads to massive expense and minimum effectiveness. It creates a huge intrusion on privacy, yet provides little or no improvement in security.

”The Metropolitan Police has been extraordinarily slow to act to deal with the ineffectiveness of CCTV, something true both in London and across the country.”

Source: Telegraph :: One crime solved for every 1,000 CCTV cameras, senior officer claims

It would be interesting to see if this kind of effectiveness, or lack of it, that CCTV has had in other countries employing them.

Malware served up based on operating system

Steven Hodson — Tue, 25 Aug 2009 13:10:00 +0000

While the stick yer head segment of Mac users will almost certainly find some reason to spout their typical rhetoric about Mac’s being impervious to viruses, trojans and other such evil goodies that isn’t stopping the malware writers from improving their odds of getting you to install their crap. One of the newest tricks apparently is for the website you are visiting to detect which operating system you are running and then serve you up a nasty package for that OS.

Ivan Macalintal from Trend Micro recently came across a new variant of the DNS changer trojan that checks for which operating system is behind the browser and then will offer up the appropriate Windows or Mac installer.

This follows a similar finding last month by McAfee, which spotted the same tactic being used at sites that try to trick the user into installing a browser plug-in supposedly needed to view online videos: The bogus plug-in was offered as a ".exe" file for Windows visitors, and a ".dmg" installer file for those who browsed the site with a Mac.

Meanwhile, Symantec warned last week that it had detected several blogs that were advertising free, streaming online copies of movies that were just released in the theaters. The lure is once again a fake video plug-in, followed by either a Mac- or Windows-based version of the DNS Changer Trojan.

Source: Security Fix :: Malware Writers: Will That Be OS X, or W?

Most of these new and more dangerous delivery systems are coming at us via blogs and websites that pander to those looking for video and software that they would normally have to pay for.

The reason for this is that by making the visitor think they need some new type of codec to view some questionable video it makes them more willing to install whatever is offered up to them. This is just taking the whole social engineering up a level or two.

image courtesy of Security Fix

AT&T says Mitnick is too hot for them

Steven Hodson — Thu, 20 Aug 2009 16:03:52 +0000

It sucks being a computer security guy at the best of times but it’s got to be doubly so if you are someone of Kevin Mitnick’s stature especially when not even your webhost or cellphone provider want anything to do with you. Granted one can get use to having one’s website being attacked on a regular basis or having one’s cellphone information show up in all different corners of the web but it seems the people providing those services can get tired of all of the attention.

For Mitnick everything it seems has come to a head in the past month as both his longtime webhost, HostedHere.net, and AT&T, his cell phone provider, has told him to take his business elsewhere. While the walking human honeypot suggests that companies need to take responsibility for a security system that still leaves ways into the networks the companies involved are just as happy to show him the door.

“Kevin is a high-profile target," said David Wykofka, IT director at HostedHere. "When vulnerabilities come out in third-party vendor software, he is one of the first targets on their list. This is just one of the perils of being Kevin Mitnick. If you’re Barack Obama, you don’t get webhosting at GoDaddy."

Source: The Register :: Besieged by attacks, AT&T dumps celebrity hacker

Okay I get that companies have every right to pick who they might want as their ideal ~~suckers~~ customers but isn’t just tossing someone like Kevin Mitnick to the curb like throwing the baby out with the bath water? After all what better way to have your systems constantly tested for free (you ever seen the prices that security pros charge for intrusion assessment?) than to have someone like Mitnick as a customer. Not to mention the free PR value of being able to say your network is secure enough to protect someone like Kevin.

This is just short-sighted and dumb.

BotNet command and control finds new home on Twitter

Steven Hodson — Fri, 14 Aug 2009 03:17:26 +0000

Twitter is being used for a lot of things these days but I bet one thing that the Twitter team never thought they would see their creation being used for the command and control of botnets but according to some investigation by Jose Nazario at Arbor Networks this is indeed the case. Jose also reports that the Twitter security team is already investigating the one known account being used for this type of thing.

Luckily the original bot in question (here’s the VirusTotal analysis) is detectable by 19 out 41 evaluated AV tools. Here is a short sample of what has been found so far

That second link yields a base64 encoded block of text. When we un-encode it using base64 we see a PKZIP archive (which we have dumped as “out.qqq” since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:
$ unzip out.qqq Archive: out.qqq inflating: gbpm.dll inflating: gbpm.exe $ openssl md5 gbpm.* MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4 MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

Source: Arbor Networks :: Twitter-based Botnet Command Channel

Like I said earlier this account is being examined and watched by Twitter but it appears to be one of more than a handful of botnet command and control accounts currently active on the service.

Bootkit – the next generation rootkit terror

Steven Hodson — Sun, 02 Aug 2009 03:40:19 +0000

I remember well the noise that was made when word of rootkits began to surface. They were nasty little suckers that threaten to by-pass your security programs and load all kinds of nasty bugger onto your computer. It was one of these rootkits that got SonyBMG into really big trouble in 2005 when it was discovered that their music CDs were installing them as part of their DRM effort.

Well it seems that the next generation of these horrors has now arrived on the scene and are going by the name of ‘bootkits’ and these bootkits make the rootkits look like boy scouts. Announced at the Black Hat conference where its creator, 18 year-old Peter Kleissner, showed how the bootkit, called Stoned, was capable of bypassing a TrueCrypt encrypted partition and system encryption.

Stoned, the bootkit, combines a rootkit with the ability to modify a PC’s Master Boot Record which enables malware to be activated even before the operating system is started. Kleissner’s bootkit is able to infect all available 32 bit varieties of Windows from Windows 2000 to Windows Vista along with the most current Release Candidate of Windows 7.

Stoned injects itself into the Master Boot Record (MBR), a record which remains unencrypted even if the hard disk itself is fully encrypted. During startup, the BIOS first calls the bootkit, which in turn starts the TrueCrypt boot loader. Kleissner says that he neither modified any hooks, nor the boot loader, itself to bypass the TrueCrypt encryption mechanism. The bootkit rather uses a "double forward" to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt. Kleissner tailored the bootkit for TrueCrypt using the freely available TrueCrypt source code.

Once the operating system has been loaded, Stoned can get to work and install malware, such as a banking trojan, in the system. Peter Kleissner, who is only 18 years old, has also included several plug-ins, for example a boot password cracker and a routine for infecting the BIOS. The framework layout of Stoned allows other programmers to develop their own plug-ins for the bootkit. Kleissner thinks that Stoned could also be of interest to investigation agencies, for example for developing a federal trojan.

Source: The H-Security :: Bootkit bypasses hard disk encryption

Interestingly enough the bootkit will not work under two conditions. The first being if the computer is using the successor to the BIOS – known as the Extensible Firmware Interface (EFI). The second is when the drive is encrypted using Windows own Bitlocker encryption mechanism.

For anyone old enough the use of Stoned as a name for this bootkit should bring back some memories as this was also the name of a silly but irritating virus back in the late 80’s which I do remember quite well even though I never got hit by it.