Rain Clouds

February 28, 2011

It appears that around half a million GMail accounts went offline yesterday – worse yet, some users lost the contents of their Google Apps accounts even when they were available again.

If you’re storing critical data “in the cloud”, scenarios like this are why a local backup is so critical.

Definition Monday: Exploits

February 28, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Exploits.

Many times, when reading security alerts on a mailing list like bugtraq, you will see the word “exploit”. What exactly is an exploit, and why is it important?

It’s important to remember that many of the security vulnerabilities that are discovered by third party researchers, particularly in the open source world, are theoretical. That is, a particular piece of code may appear to have a security hole because of the way that it is written, but that does not necessarily mean that the security hole can be taken advantage of by an adversary. If that piece of code is never exposed to the adversary, or if it has some other routine protecting it, or if the means of taking advantage of it cannot actually happen, then the hole remains theoretical.

For example, imagine a piece of software that controls an industrial metal router in a factory. It is entirely possible that the software requires an old version of Microsoft Windows, and that updating Windows will cause the metal router to stop working. That version of Windows may have a security vulnerability when exposed to a hostile network. But if the computer running the metal router is never attached to a network, then there is no way to take advantage of the vulnerability. It ceases to be a problem.

(I know that this sounds like some metaphysical tree-falling-in-the-forest stuff. Is a vulnerability that can’t be attacked still a vulnerability? I’ll leave that to the philosophers – I have enough on my plate worrying about the systems that are exposed to pontificate on those that aren’t.)

On the other hand, if a security vulnerability can be taken advantage of, and if it can be done in a reliable, repeatable fashion, then the code that attacks it is referred to as an “exploit”.

For example, take a look at this posting on the bugtraq list from two days ago. The poster has identified a Cross-Site Request Forgery (CSRF) vulnerability in a particular model of Linksys home router. In addition to discovering the flaw, he has also included exploit code in the form of an HTML snippet that takes advantage of the vulnerability – this can be used to add an administrative user to the Linksys router configuration, under certain conditions, without the user being aware of the addition. And since all of the traffic on a home or small business network passes through this router, it’s probably not a great place for your adversary to have administrative privileges.

So, to put it succinctly, an exploit is a piece of software or an explanation of how to take advantage of, or exploit, a security hole.
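To make the Linksys CSRF example concrete from the defender’s side, here is an added illustration (not code from the bugtraq posting or from any router firmware): a constructed model of an “add administrative user” endpoint, first checking only the session cookie, then requiring a per-session token and a matching Origin. The origin, cookie format and form field names are assumptions for the example.

```python
import hmac
import secrets


class RouterAdmin:
    """Constructed model of a router admin endpoint (hypothetical, not Linksys code).
    Sessions are keyed by cookie; each session may hold a CSRF token."""

    def __init__(self, own_origin="http://192.168.1.1"):
        self.own_origin = own_origin      # assumed management address
        self.users = {"admin"}
        self.sessions = {}                # cookie -> per-session CSRF token or None

    def login(self):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = None
        return cookie

    def render_form(self, cookie):
        """The legitimate admin page embeds a fresh per-session token."""
        token = secrets.token_hex(16)
        self.sessions[cookie] = token
        return token

    def add_user_vulnerable(self, cookie, form):
        # Only the cookie is checked. The browser attaches it to every request
        # for this host, so a form submitted from an unrelated page is accepted
        # too: this is the CSRF condition described in the post.
        if cookie not in self.sessions:
            return False
        self.users.add(form["username"])
        return True

    def add_user_hardened(self, cookie, form, origin):
        if cookie not in self.sessions:
            return False
        # A cross-site submission carries the submitting page's origin, not ours.
        if origin != self.own_origin:
            return False
        # The token is only present in the router's own page; another site
        # cannot read it, so a forged form cannot supply the right value.
        expected = self.sessions[cookie]
        supplied = form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return False
        self.users.add(form["username"])
        return True
```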

Other terms that you might run across:

Proof of Concept (PoC) Exploit – This is a crude exploit intended to demonstrate that a security vulnerability exists, but is not as reliable or as professionally produced as a normal exploit. You will often see these in environments like bugtraq, where the author doesn’t want to provide something that can be “weaponized” and used to attack systems but still wants to prove the existence of a bug.

Zero-Day Exploit – This is an exploit for a security vulnerability that the vendor has not yet released a patch for. A newly discovered hole in Microsoft Windows 7, which is still present even when all vendor patches are applied, would be a zero-day exploit. Here is an example of a zero-day in the Cisco Secure Desktop product.

Metasploit – The Metasploit Framework is a penetration testing tool that provides a plugin architecture for running multiple exploits. Generally speaking, each exploit is its own little program; with Metasploit, they are all launchable from a common command shell. This is a boon for both penetration testers and computer criminals, both of whom make a business of taking advantage of security vulnerabilities.

New Android Spyware

February 27, 2011

Two new pieces of spyware for the Android smartphone platform have shown up this week – unlike past threats, these are spreading in the US and not just in the Chinese market.

SW.SecurePhone looks especially nasty, recording both data within the phone and sounds in the physical environment and uploading them to a remote server every twenty minutes.

Calling Service Shut Down

February 27, 2011

The unique services of callservice.biz, which assisted thousands of identity thieves since the site’s founding in 2007, have been shut down.

The idea was simple: since many identity thieves are operating in non-English-speaking countries, they need people with believably American accents to talk to bankers. Callservice.biz supplied voice talent, in German or English, to use the data stolen by criminals to impersonate account holders and authorize things like wire transfers or withdrawals.

The owner of the site, Dmitry M. Naskovets, has pled guilty to wire fraud charges and is facing up to thirty-seven and a half years in prison.

Windows 7 SP1 Issues

February 24, 2011

Windows 7 Service Pack 1 has been released. And, as with every Service Pack, issues have been reported.

The short version: make sure that you are running the latest version of any security software, including HIDS and antivirus, to make sure that it can accommodate the new version of the OS. And if you’re in a large network environment, a gradual rollout with lots of testing might not be a bad idea. This SP doesn’t actually contain anything urgent, so it’s not necessary to rush the deployment.

Center for Password Sanity

February 24, 2011

The web page of Dr. Rick Smith features, among other things, The Center for Password Sanity. This is a set of essays, written while he was working on his book Authentication, all about passwords, their strengths, and their weaknesses. Definitely worth a read, and might even be worth passing along to managers who are still thinking that passwords should be handled the same way they were in 1988.

Back to Basics

February 24, 2011

An article on Threatpost makes a compelling point: despite the amount of press lavished upon attacks like Stuxnet or Aurora, most companies don’t need to be worried about the latest and greatest targeted attacks. They need to worry about the basics – SQL injection attacks, phishing, social engineering, and other “boring” threats.

For the vast majority of companies, especially ones outside of the Fortune 100, there is simply no present threat from something like Aurora. Complex, expensive security infrastructures aren’t what you need. You need properly hardened servers, trained employees, and developers who know how to write secure application code.

“Silent Fixes”

February 23, 2011

Every so often, Microsoft will issue security fixes that are not tied to a known vulnerability, and which are not intended as a response to a particular CVE bulletin. Many people refer to these as “silent updates”, since their purpose has not been publicly announced. Last week, an explanation of this phenomenon was posted on Technet.

Sanitizing SSDs

February 23, 2011

This paper (warning: PDF) from the Usenix FAST conference looks at an interesting question: with hard drives quickly giving way to solid-state drives (SSDs), how do we securely wipe data from workstations using the new technology?

From the paper:

Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs’ built-in sanitization commands by extracting raw data from the SSD’s flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on


February 22, 2011

A new trojan, named OddJob, has been discovered. It surreptitiously hijacks a web banking session, cutting off “logoff” attempts and allowing the criminals who operate the trojan remotely to access victims’ accounts.

This is a nasty one.