<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>Stupid Evil Bastard</title>
    <link>http://stupidevilbastard.com/index/seb/index/</link>
    <description>Sacred cows make the tastiest hamburgers.</description>
    <dc:language>en</dc:language>
    <dc:creator>les@stupidevilbastard.com</dc:creator>
    <dc:rights>Copyright 2008</dc:rights>
    <dc:date>2008-12-02T13:29:21-05:00</dc:date>
    <admin:generatorAgent rdf:resource="http://www.pmachine.com/" />
    

    <item>
      <title>[Guest Post by ingolfson] Has the web just gotten even less anonymous?</title>
      <link>http://stupidevilbastard.com/index/seb/comments/has_the_web_just_gotten_even_less_anonymous/</link>
      <description></description>
      <dc:subject>google, privacy, search engines, technology</dc:subject>
      <dc:creator>ingolfson</dc:creator>
      <content:encoded><![CDATA[<p>According to this <a href="http://cosmos.bcst.yahoo.com/up/player/popup/?rn=4226712&amp;cl=9963970&amp;src=" title="video">video</a> (and this <a href="http://wcbstv.com/watercooler/google.ziggs.boston.2.751804.html" title="article">article</a>), there are now services that can pinpoint exactly where a Google search is coming from, down to the exact address. While many of us have known that the search terms we enter in search engines aren&#8217;t exactly secret, there has always been the assumption (correctly?) that who is searching for something remains secret. Or at least wasn&#8217;t going to be shared with just anyone. Apparently, even that isn&#8217;t true anymore.</p>

<p>The ramifications are pretty significant. If you live in a house and not a big apartment building, your identity is pretty easy game with such a tool. Getting embarrassed by more or less targeted advertising (&#8220;We found from your searches that you are interested in naked teenagers wearing rabbit ears? Do WE have a deal for YOU!&#8221;) is almost the least worry (though if I got a call from the home business woman in the video clip, I&#8217;d be furious at having my privacy invaded, rather than show an interest in her stuff!) But there are even worse possibilities - what if somebody finds out that you are looking for legal advice, or something similarly crucial to be kept private? Information about an illness, or depression for example?</p>
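<p>What such a service actually has to work with is ordinary web server logs: when you click a search result, your browser sends the results page URL as the Referer header, query string included, so the site you land on records your address right next to your search terms. The script below is an added example written for this page, not code from the guest author or from the services in the clip. The log lines are constructed for the example, and the geolocation step those services layer on top of the address is not attempted here.</p>

```python
"""Added example: what a site operator (or a service they subscribe to) can
recover from ordinary web server logs when a visitor arrives from a search
engine. Log lines below are constructed for this example, not real traffic."""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format, as commonly configured (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search engines whose referer URL carried the query in a parameter
# (2008-era behaviour; parameter names are the ones those engines used then).
QUERY_PARAMS = {
    "google": "q",
    "yahoo": "p",
    "live": "q",
}

# Constructed sample traffic: two visitors, three search-engine referrals.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [01/Oct/2008:10:02:11 -0500] "GET /services.html HTTP/1.1" 200 5123 "http://www.google.com/search?hl=en&q=divorce+lawyer+ann+arbor&btnG=Search" "Mozilla/5.0"
198.51.100.23 - - [01/Oct/2008:10:03:40 -0500] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2008:10:05:02 -0500] "GET /contact.html HTTP/1.1" 200 1311 "http://www.google.com/search?q=custody+rights+michigan&ie=UTF-8" "Mozilla/5.0"
198.51.100.23 - - [01/Oct/2008:10:07:19 -0500] "GET /faq.html HTTP/1.1" 200 900 "http://search.yahoo.com/search?p=depression+treatment+cost&ei=UTF-8" "Mozilla/5.0"
"""


def search_engine_of(referer):
    """Return the engine name if the referer host belongs to a known engine."""
    host = urlparse(referer).hostname or ""
    labels = host.split(".")
    for engine in QUERY_PARAMS:
        if engine in labels:
            return engine
    return None


def extract_queries(log_text):
    """Return [(client_ip, engine, query)] for every hit that arrived from a
    search results page with the query still in the referer."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        engine = search_engine_of(m.group("referer"))
        if engine is None:
            continue
        params = parse_qs(urlparse(m.group("referer")).query)
        query = params.get(QUERY_PARAMS[engine])
        if query:
            found.append((m.group("ip"), engine, query[0]))
    return found


def queries_by_visitor(log_text):
    """Group recovered search terms by client address: the 'who searched for
    what' profile the post is worried about, before any geolocation step."""
    profile = {}
    for ip, engine, query in extract_queries(log_text):
        profile.setdefault(ip, []).append(query)
    return profile


if __name__ == "__main__":
    for ip, queries in queries_by_visitor(CONSTRUCTED_LOG).items():
        print(ip, "->", queries)
```

<p>Run against the constructed lines it pairs each address with the exact phrases typed into the search box; a house with one address on a home connection is then one reverse lookup or geolocation query away from a name, which is the step the services in the clip sell.</p>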

<p>At the moment, the searches seem to only allow tracking back from websites -> via search terms -> to the originator of the query. But how long until the direction is reversible? Do we all have to become hackers and hide behind sophisticated software just to browse in peace?</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/has_the_web_just_gotten_even_less_anonymous/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-10-01T10:14:31-05:00</dc:date>
    </item>

    <item>
      <title>Survey says 88% of IT workers would steal data if fired.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/survey_says_88_of_it_workers_would_steal_data_if_fired/</link>
      <description></description>
      <dc:subject>i.t., security, surveys, trust, work</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>I have to admit that this <a href="http://arstechnica.com/news.ars/post/20080902-the-bofh-lives-88-of-it-workers-would-steal-data-if-fired.html" title="The BOFH lives: 88% of IT workers would steal data if fired">ArsTechnica article surprises and angers me</a>:</p>

<blockquote><p>A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.</p>

<p>The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.</p>

<p>Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage. </p></blockquote>

<p>I have worked for two of the Big Three automotive companies (Ford and General Motors) as well as a number of other companies where I had access to all sorts of sensitive data and information and not once did I ever consider stealing any of it. Not because of any possible consequences of such an action, but because it would be wrong to do so. I&#8217;ve worked at the General Motors Design Center in Warren where I saw all manner of prototype vehicles that car magazines would love to get the details on ahead of time as well as the Milford Proving Grounds where the prototypes were put through their paces. I worked in the Alpha Building at Ford Motor Company where literally gigabytes of data on whole car lines were stored on various PCs and network shares. When I was laid off from Ford, twice, I was seriously upset, but not once did I consider the possibility of taking anything with me. </p>

<p>Sure both companies had policies in place meant to make such thefts harder - on certain workstations GM blocked writing to USB devices of any kind - but nothing that I didn&#8217;t have knowledge of how to circumvent and certainly nothing proactive enough to have stopped me had I wanted to take any data. I suppose I&#8217;m just too honest to think of such things. I have a sense of honor at the idea that I&#8217;m entrusted with the care and support of such data. It angers me that so many others would violate that trust because, at a minimum, it makes my job that much harder. Stupid and ineffective restrictions, like the blocking of USB devices, just end up getting in the way of fixing machines, and just the fact that so many others are untrustworthy means I&#8217;ll be looked at with suspicion by association. Hell, it means I&#8217;ll be looking at my fellow colleagues with suspicion as well and that&#8217;s just not the sort of work environment I want to be in.</p>

<p>The fact that this survey was done by a security company probably means it&#8217;s somewhat inflated, but if it&#8217;s even remotely close to the truth it&#8217;s very upsetting indeed.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/survey_says_88_of_it_workers_would_steal_data_if_fired/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-09-02T18:14:10-05:00</dc:date>
    </item>

    <item>
      <title>If you use Gmail you should enable the SSL feature right now.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/if_you_use_gmail_you_should_enable_the_ssl_feature_right_now/</link>
      <description></description>
      <dc:subject>computing, gmail, hacking, security</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>The folks over at Wired.com have an <a href="http://www.webmonkey.com/blog/Why_You_Should_Turn_Gmail_s_SSL_Feature_On_Now" title="Why You Should Turn Gmail s SSL Feature On Now - Webmonkey">entry up on how and why</a> you should enable Gmail&#8217;s SSL feature that is worth a read:</p>

<blockquote><p>Why? Because without it, anyone can easily hack someone&#8217;s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his <a href="http://www.hungry-hackers.com/2008/08/gmail-account-hacking-tool.html">Gmail Account Hacking Tool</a> to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here&#8217;s why.</p></blockquote>

<p>The reason why is pretty simple. Without the SSL feature turned on, Gmail uses a secure connection only for the initial login; everything after that, reading and writing mail included, goes back and forth over plain HTTP. The problem is that every one of those plaintext requests carries the session cookie that proves to Gmail you are already logged in, which defeats the point of encrypting the login in the first place. Someone sitting with a packet sniffer on the same network (an open wireless hotspot, say) can copy that cookie out of the data stream and present it as their own, giving them full access to your account and all the archived email without ever learning your password. By turning on the SSL feature the entire session is encrypted from beginning to end, so there is nothing for the sniffer to copy.</p>

<p>You can tell if your session is encrypted by looking at the address bar of your browser. If you see HTTPS: at the start of the address while reading your email then you&#8217;re encrypted. This feature is turned off by default so if you haven&#8217;t specifically turned it on then you&#8217;ll want to. You can do that by clicking on the SETTINGS link in the upper right corner of the Gmail screen and on the GENERAL tab (which should be the default that comes up) you scroll down to where it says BROWSER CONNECTION and click on the box for &#8220;Always use https.&#8221; Then just press Save Changes to update your account. You may need to quit and login to Gmail again to make sure it&#8217;s working.</p>

<p>You won&#8217;t notice anything different about how Gmail works from before, but you&#8217;ll be a little better protected. </p><br /><a href="http://stupidevilbastard.com/index/seb/comments/if_you_use_gmail_you_should_enable_the_ssl_feature_right_now/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-08-20T18:55:26-05:00</dc:date>
    </item>

    <item>
      <title>A new attack method may render Vista&#8217;s security useless. May also work on other platforms.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/a_new_attack_method_may_render_vistas_security_useless_may_also_work_on_oth/</link>
      <description></description>
      <dc:subject>computing, microsoft, security, vista</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>If this <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html" title="Windows Vista security 'rendered useless' by researchers - SearchSecurity.com ">article at SearchSecurity.com</a> is correct then Vista&#8217;s security system has been rendered moot for folks who insist on using Internet Explorer:</p>

<blockquote><p>In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they&#8217;ve found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.</p>

<p>By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user&#8217;s machine.</p>

<p>Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista&#8217;s fundamental architecture and the ways in which Microsoft chose to protect it.</p>

<p>&#8220;The genius of this is that it&#8217;s completely reusable,&#8221; said Dino Dai Zovi, a well-known security researcher and author. &#8220;They have attacks that let them load chosen content to a chosen location with chosen permissions. That&#8217;s completely game over. </p>

<p>&#8220;What this means is that almost any vulnerability in the browser is trivially exploitable,&#8221; Dai Zovi added. &#8220;A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks.&#8221;</p></blockquote>

<p>I doubt that there&#8217;s truly little Microsoft can do about the problem, but the solutions involved might be unpalatable to their business goals (e.g. drop ActiveX altogether). The attack appears to rely on Internet Explorer specifically so one possible solution for Vista users is to switch to a different browser such as Firefox or Safari. Which, really, they probably should do anyway.</p>
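<p>Whatever the exact mechanics turn out to be, ASLR and DEP on Vista are per-module opt-ins recorded in each module&#8217;s PE header, and the bypasses described above turn on getting code into the browser&#8217;s address space that never opted in. That much a defender can check for any plugin or control already installed. The parser below is an added example, not code from the talk or from Microsoft: it reads the DllCharacteristics field of a PE image and reports whether the module asked for ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The images it is run on are built in memory for the example and are not real plugins.</p>

```python
"""Added example: a local check for whether a Windows module (a browser plugin
DLL, say) opts in to ASLR and DEP. Both are per-module opt-ins recorded in the
PE optional header's DllCharacteristics field; a module without the ASLR flag is
mapped at its preferred base regardless of the system-wide setting. The PE
images below are built in memory for this example; they are not real plugins."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(image):
    """Return (magic, DllCharacteristics) from a PE image, or raise ValueError.
    Layout: 'MZ' header with e_lfanew at 0x3C, 'PE\\0\\0' signature, 20-byte
    COFF file header, then the optional header, whose DllCharacteristics field
    sits at offset 70 for both PE32 and PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", image, opt + 70)
    return magic, dll_chars


def mitigation_status(image):
    """Summarise the two opt-ins a browser plugin should carry."""
    _, dll_chars = read_dll_characteristics(image)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_characteristics, magic=PE32_MAGIC):
    """Construct just enough of a PE image for the parser above (constructed
    test data, not a loadable binary)."""
    e_lfanew = 0x80
    image = bytearray(b"MZ" + bytes(0x3C - 2))
    image += struct.pack("<I", e_lfanew)       # e_lfanew at offset 0x3C
    image += bytes(e_lfanew - len(image))      # pad up to the PE signature
    image += b"PE\0\0"
    image += bytes(20)                         # COFF file header, zeroed
    opt = bytearray(96)                        # optional header up to the data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    image += opt
    return bytes(image)


if __name__ == "__main__":
    legacy = build_minimal_pe(0)
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("legacy plugin  :", mitigation_status(legacy))
    print("hardened plugin:", mitigation_status(hardened))
```

<p>Pointed at a real file (<code>open(path, "rb").read()</code>) the same parser tells you which of the controls loaded into your browser were built without either flag, which is the inventory worth having before the paper is public.</p>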

<p>What&#8217;s more interesting is the conclusion of the article:</p>

<blockquote><p>Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.</p>

<p>&#8220;This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,&#8221; Dai Zovi said. &#8220;I definitely think this will get reused soon, sort of like heap spraying was.&#8221;</p></blockquote>

<p>Unless those other platforms are running Internet Explorer and ActiveX I&#8217;m not sure how they&#8217;d be vulnerable, but then the article doesn&#8217;t go into great detail on exactly what the hack involves. Microsoft has said they&#8217;re aware of the presentation and are interested in looking at it more closely once it&#8217;s made public.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/a_new_attack_method_may_render_vistas_security_useless_may_also_work_on_oth/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-08-08T16:33:43-05:00</dc:date>
    </item>

    <item>
      <title>Has Yahoo! been hacked?</title>
      <link>http://stupidevilbastard.com/index/seb/comments/has_yahoo_been_hacked/</link>
      <description></description>
      <dc:subject>anti&#45;virus, computing, hacking, malware, yahoo</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>Just got off the phone with my Dad after trying to diagnose a possible virus on his computer. Every time he starts up Firefox it goes nuts saying there&#8217;s a virus incoming and to abort the connection. We set up a Remote Assistance so I could see what was going on and indeed every time he tried to go to his homepage he got a virus warning. That homepage just happens to be Yahoo.com. Here&#8217;s the popup he was getting:</p>

<div align="center"><img src="http://stupidevilbastard.com/Images2/yahoovirus.jpg" border="0" hspace="6" width="400" height="311" /></div>

<p>Seeing that there was something being appended to the end, my first stop was to see what his homepage was configured for in his browser. Sometimes when you install malware on your system it&#8217;ll change the default webpage of your browser so it can install even more junk, but pulling up the options screen it was clear that last bit wasn&#8217;t part of the URL. That seemed odd so on a lark I tried to pull up Yahoo myself and, sure enough, my Avast went nuts warning me of a virus and showing the same URL. I&#8217;m pretty sure both our PCs aren&#8217;t unknowingly infected with the same virus so the only logical conclusion is that it must be coming from Yahoo! directly. Either they&#8217;re trying to pull something over on their users or their servers have been hacked. </p>

<p>Anyone else experiencing the same thing at the moment? Dad says it was fine earlier today and there&#8217;s nothing on any of the tech sites I frequent about it so it must be something that&#8217;s happened only recently. </p>

<p><b>Update:</b> It appears that it&#8217;s a false positive with Avast. Manually telling it to update the .dat files cleared up the issue.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/has_yahoo_been_hacked/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-06-23T00:15:00-05:00</dc:date>
    </item>

    <item>
      <title>New malware trojan tries to change your router settings.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/new_malware_trojan_tries_to_change_your_router_settings/</link>
      <description></description>
      <dc:subject>computing, malware, scary, security, trojans</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>If you&#8217;ve never gotten around to changing the default password on your home Internet router, and there&#8217;s a lot of you who haven&#8217;t, then you should go change it right now.&nbsp; There&#8217;s a new trojan making the rounds that&#8217;s <a href="http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html" title="Malware Silently Alters Wireless Router Settings - Security Fix">really bad news</a>:</p>

<blockquote><p>A new Trojan horse masquerading as a video &#8220;<a href="http://en.wikipedia.org/wiki/Codec">codec</a>&#8221; required to view content on certain Web sites tries to change key settings on the victim&#8217;s Internet router so that all of the victim&#8217;s Web traffic is routed through servers controlled by the attackers. </p>

<p>According to researchers contacted by <strong>Security Fix</strong>, recent versions of the ubiquitous &#8220;<a href="http://en.wikipedia.org/wiki/Zlob_trojan">Zlob</a>&#8221; Trojan (also known as <strong>DNSChanger</strong>) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting <a href="http://blog.washingtonpost.com/securityfix/zlobpass.txt">a built-in list</a> of <a href="http://www.routerpasswords.com/">default router username/password combinations</a>. If successful, the malware alters the victim&#8217;s domain name system (DNS) records so that all future traffic passes through the attacker&#8217;s network first. DNS can be thought of as the Internet&#8217;s phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.</p>

<p>[...] The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company&#8217;s malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.</p>

<p>The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer&#8217;s Internet connection is functioning fine. </p></blockquote>
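<p>The check the article says few technicians make can be done from any client on the LAN without logging in to the router, because the router hands out whatever DNS servers it has been configured with over DHCP and the clients faithfully record them. The script below is an added example, not from Security Fix or the researchers quoted: it parses a Windows <code>ipconfig /all</code> listing and flags resolvers that are neither the default gateway (a router forwarding DNS itself) nor the ISP resolvers the owner expects. The listing, the expected resolver addresses and the rogue ones are all constructed for the example.</p>

```python
"""Added example: the check the quoted article says few technicians think to
make. A DNSChanger-style infection changes the resolvers the router hands out
over DHCP, so every client on the LAN ends up with 'DNS Servers' entries that
are neither the router itself nor the ISP's resolvers. The ipconfig /all output
below is constructed for this example; all addresses are documentation ranges."""
import ipaddress
import re

# What the owner expects to see (assumption: resolvers taken from the ISP's
# setup sheet; the router's own LAN address is accepted separately below).
EXPECTED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# Constructed 'ipconfig /all' excerpt from a Windows client on an infected LAN:
# the gateway is the home router as usual, but the DNS servers are not.
CONSTRUCTED_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-3A-1B-7F
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.44
                                       203.0.113.45
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "Field name . . . : value" lines, and the deeply indented continuation lines
# ipconfig uses when a field such as DNS Servers has several values.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 \-/()]+?)[ .]*: ?(?P<value>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S.*)$")


def parse_ipconfig(text):
    """Return {field: [values]} for an adapter block."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m and m.group("name").strip():
            current = m.group("name").strip()
            value = m.group("value").strip()
            fields[current] = [value] if value else []
            continue
        m = CONT_RE.match(line)
        if m and current:
            fields[current].append(m.group("value").strip())
    return fields


def suspicious_resolvers(text, expected=EXPECTED_RESOLVERS):
    """DNS servers that are neither the default gateway nor in the owner's
    expected set. A non-empty result on a LAN that 'works fine' is the
    footprint the article describes."""
    fields = parse_ipconfig(text)
    gateway = {v for v in fields.get("Default Gateway", []) if v}
    flagged = []
    for raw in fields.get("DNS Servers", []):
        addr = raw.split("(")[0].strip()   # drop '(Preferred)' style suffixes
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if str(ip) in gateway or str(ip) in expected:
            continue
        flagged.append(str(ip))
    return flagged


if __name__ == "__main__":
    bad = suspicious_resolvers(CONSTRUCTED_IPCONFIG)
    print("unexpected DNS servers:", bad or "none")
```

<p>If this flags anything, the fix is on the router, not the PC: log in, put the DNS settings back, change the admin password away from the default, and only then hand the cleaned machine back, otherwise the next DHCP lease reinstalls the problem.</p>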

<p>Checking router settings is certainly not one of the things I think to do when cleaning up an infected machine as this is a first as far as anyone knows. You can bet it&#8217;ll be something I consider looking at from now on, especially if I know the user in question doesn&#8217;t know anything about DNS routing. You should always change the default password on your router along with, if possible, the username of the administrator account itself. Attackers don&#8217;t have to have physical access to your machine to attack your router any longer.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/new_malware_trojan_tries_to_change_your_router_settings/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-06-18T16:31:00-05:00</dc:date>
    </item>

    <item>
      <title>Trying to track down &#8220;Setsune&#8221; who once wrote about WinFixer 2005.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/trying_to_track_down_setsune_who_once_wrote_about_winfixer_2005/</link>
      <description></description>
      <dc:subject>fraud, pc, scammers, seb, security, software, winfixer 2005</dc:subject>
      <dc:creator>Les</dc:creator>
<content:encoded><![CDATA[<p>OK this is going to seem a bit odd, but I&#8217;ve been asked if I can track down someone who wrote an entry about the WinFixer 2005 Malware over at the <a href="http://www.bluetack.co.uk/forums/index.php?showtopic=11116" title="WinFixer 2005 - B.I.S.S. Forums">B.I.S.S. Forums</a> circa September of 2005 who posted it under the user name &#8220;Setsune.&#8221; In case you&#8217;re wondering why I&#8217;ve been asked if I can track them down it&#8217;s because Setsune had listed SEB as his favorite blog in his signature file so he may be a regular lurker around these parts. </p>

<p>I&#8217;ve been asked to do this by Joseph Bochner, a lawyer out of Menlo Park California, who&#8217;s been trying to bring the makers of WinFixer 2005 to justice for almost four years now. Joseph hasn&#8217;t said what he wants to talk to Setsune about, but I&#8217;m assuming it&#8217;s to find out how he managed to come by some of the information he had in that old forum posting. The folks at the <a href="http://www.mercurynews.com/portal/ci_8668679?nclick_check=1" title="Malware victim tries in vain to punish its source - Mercury News">Mercury News just did an article</a> on Joseph&#8217;s ongoing quest which gives some background on what he&#8217;s been through:</p>

<blockquote><p> Bochner, a Menlo Park lawyer who handled mostly real estate cases at the time, soon discovered that the PC was infected by malware, malicious software that attacks computers. The program had apparently infected the machine despite anti-virus protection and the latest virus definitions. It piqued Bochner&#8217;s interest. He sought to track down those responsible and stop the scam.</p>

<p>But over the past four years, Bochner has discovered that despite the enormous economic and social costs of online crime, there is no simple way to disrupt these schemes. His experience provides further evidence, on a personal level, of a key finding of the November Mercury News series &#8220;Ghosts in the Browser&#8221;: Shadowy con men, responsible for an explosion of illicit online activity, often find it all too easy to evade uninterested law enforcement agencies and out-staffed security experts.</p>

<p>Bochner tried federal agencies and state task force officials. He called on security software companies. He even filed his own class-action lawsuit, which he abandoned because, Bochner said, he lacked the resources and expertise to handle the case on his own.</p>

<p>&#8220;I am astounded at the inaction,&#8221; said Bochner, who has continued to search for help in reviving the case.</p>

<p>Filings in the lawsuit, as well as interviews and other public documents, provide details of what Bochner uncovered about &#8220;WinFixer,&#8221; the alleged conspiracy named for a variant of the malware that has gone by many names, including WinAntiVirus, Errorsafe and SystemDoctor.</p></blockquote>

<p>WinFixer, as you can probably already tell, is one of the many fake anti-virus apps out there that deliberately infect your PC and then tell you it&#8217;s infected as if the problem had been there all along. If you want to get rid of the viruses you have to purchase the program except that the program doesn&#8217;t actually remove the viruses because it&#8217;s what put them there in the first place. Joseph&#8217;s saga is illustrative of how hard it is to get law authorities to do anything about these scammers in part because they don&#8217;t see it as a big problem, in part because they lack the manpower, and in part because they don&#8217;t really understand what the problem is. This is one of the reasons you have to be very careful about what you install on your PC and consider carefully any pop up warnings from software you&#8217;ve never installed from companies you&#8217;ve never heard of. There&#8217;s a good chance that even if you do complain to someone nothing will be done:</p>

<blockquote><p>Bochner became convinced that the operators of the system should be prosecuted, and turned to the FBI. Agents from both Silicon Valley and southern Florida, where one potential defendant lived, investigated before deciding against seeking criminal charges.</p>

<p>&#8220;There was a lot of hoopla and there were complaints made, and (the WinFixer operation) was shady and backward,&#8221; San Francisco FBI Special Agent Joseph Schadler said in an interview.</p>

<p>But FBI agents, like officials from a series of other agencies, decided against pursuing a criminal case. Some questioned whether a crime had occurred; others said it would be too difficult to prove. One agent who turned Bochner down, Sacramento Valley High Tech Crimes Task Force commander Capt. Glenn Powell, told the Mercury News his unit didn&#8217;t have the personnel to pursue such computer fraud cases.</p></blockquote>

<p>Joseph hasn&#8217;t given up the fight, however, and he&#8217;s tracking down every lead he comes across. Which is how he came to send me an email. His last reply which just arrived in my inbox explains what he&#8217;s hoping to accomplish:</p>

<blockquote><p>Les,</p>

<p>Thanks much for the prompt reply.</p>

<p>The poster referred to your blog as his favorite&#8230;perhaps a request for help to your reader community might attract a response? Setsune said he had complained to Big Pipe; I&#8217;m looking for people who have submitted a complaint regarding WinFixer&#8230;to anyone!</p>

<p>Regarding &#8220;lack of concern or manpower,&#8221; I would add lack of understanding. Hence my efforts.</p>

<p>Thanks again and best wishes,</p>

<p>Joseph Bochner </p></blockquote>

<p>So Setsune, if you&#8217;re still reading SEB some three years later, Joseph would really appreciate it if he could contact you. Or if any of you regulars have had experiences with WinFixer 2005 and tried to complain to someone about it then Joseph would like to hear about that as well. Leave a comment here or drop me an email and I&#8217;ll get you in contact with Joseph and maybe he&#8217;ll be able to win at least one victory in the war against the scammers.</p>

<br /><a href="http://stupidevilbastard.com/index/seb/comments/trying_to_track_down_setsune_who_once_wrote_about_winfixer_2005/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-03-27T02:37:01-05:00</dc:date>
    </item>

    <item>
      <title>Chinese malware threat uses digital picture frames to hide.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/chinese_malware_threat_uses_digital_picture_frames_to_hide/</link>
      <description></description>
      <dc:subject>computing, malware, security, trojans</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>Once it became clear that there was big money to be made in malware it was only a matter of time before it started getting really sophisticated and some of the worst of the worst are being developed in China:</p>

<blockquote><p><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL&amp;tsp=1" title="Virus from China the gift that keeps on giving - sfgate.com">Virus from China the gift that keeps on giving - sfgate.com</a></p>

<p>An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games - and its designers might have larger targets in mind.</p>

<p>&#8220;It is a nasty worm that has a great deal of intelligence,&#8221; said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse. </p>

<p>The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from remote locations and hides files, which it names randomly, on any PC it infects, making itself very difficult to remove. <b>It spreads by hiding itself on photo frames and any other portable storage device that happens to be plugged into an infected PC</b>.</p>

<p>The authors of the new Trojan Horse are well-funded professionals whose malware has &#8220;specific designs to capture something and not leave traces,&#8221; Grayek said. &#8220;This would be a nuclear bomb&#8221; of malware.</p></blockquote>

<p>In fact quite a few people found themselves infected with this and several other trojans after plugging in digital picture frames they got for Christmas:</p>

<blockquote><p>The initial reports of infected frames came from people who had bought them over the holidays from Sam&#8217;s Club and Best Buy. New reports involve frames sold at Target and Costco, according to SANS, a group of security researchers in Bethesda, Md., who began asking for accounts of infected devices on Christmas Day. So far the group has collected more than a dozen complaints from people across the country.</p>

<p>The new Trojan isn&#8217;t the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets - networks of infected PCs that are remotely controlled by hackers. </p></blockquote>

<p>There&#8217;s at least one part of this article that I&#8217;m sure will delight owners of Macs and Linux based PCs:</p>

<blockquote><p>Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.</p></blockquote>

<p>Let the gloating begin.</p>

<p>Things are likely to get worse before they get better as the malware authors are pumping out new code at a pace fast enough that the anti-virus companies are having trouble keeping up. According to Prevx there are already 67,500 variants of the trojan talked about in the article. Right now it appears this trojan only steals passwords to some MMORPGs, but it&#8217;s thought that it&#8217;s a test run in preparation for something more insidious. </p><br /><a href="http://stupidevilbastard.com/index/seb/comments/chinese_malware_threat_uses_digital_picture_frames_to_hide/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-02-15T19:00:00-05:00</dc:date>
    </item>

    <item>
      <title>IBM Internet Security System&#8217;s X&#45;Force annual report is out.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/ibm_internet_security_systems_x_force_annual_report_is_out/</link>
      <description></description>
      <dc:subject>computing, internet, malware, security, software, spyware, trojans</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>The folks over at ArsTechnica.com have a summary of IBM&#8217;s latest annual report on the state of security and malware threats which you should read:</p>

<blockquote><p><a href="http://arstechnica.com/news.ars/post/20080214-annual-ibm-security-report-paints-worrisome-picture-for-2008.html" title="Annual IBM security report paints worrisome picture for 2008 - ArsTechnica.com">Annual IBM security report paints worrisome picture for 2008 - ArsTechnica.com</a></p>

<p>IBM Internet Security System&#8217;s X-Force has released its <a href="http://www.iss.net/documents/literature/x-force_2007_trend_statistics_report.pdf">annual report</a> (PDF) on malware trends and statistics from last year. 2007 saw some significant changes in malware distribution, and there&#8217;s reason to think that some of these shifts mark the beginning of new attack patterns rather than small abnormalities. The following are some of the highlights from the report:
</p><ul>
<li> Reported vulnerabilities in 2007 were down five percent compared to 2006, but the number of those vulnerabilities that were classified as severe rose by 28 percent.</li>
<li> Microsoft, Apple, Oracle, IBM, and Cisco reported the most vulnerabilities, but collectively account for only 13.6 percent of all reported vulnerabilities.</li>
<li> 90 percent of the 2007 vulnerabilities were exploitable from a remote location, up 1 percent from 2006.</li>
<li> Most in-the-wild exploits are being generated by web toolkits. Prevalence of these toolkits has risen dramatically since they appeared in 2006.</li></ul></blockquote>

<p>There are a couple of things in the report that stood out to me. The first is that, contrary to what most people seem to believe, Microsoft products aren&#8217;t miles away worse in terms of security than those of Apple, Oracle, IBM, and Cisco. Across those top 5 vendors a good 80% of the known vulnerabilities have been patched, and while that still leaves 20% of them unpatched, it&#8217;s a boatload better than the 50/50 ratio that everyone else tends to have.</p>

<p>The second thing that stood out is the fact that the percentage of exploits that could be accessed remotely jumped from 43.6 percent in 2000 to 89.4 percent this year. That&#8217;s huge and shows just how valuable taking over your PC has become to these people:</p>

<blockquote><p>Trojans were the overall darlings of the year, accounting for 26 percent of all malware distributed. Worms, adware, viruses, and downloaders also grabbed significant chunks of the pie, while keyloggers, rootkits, and spyware were all confined to small pieces of the market. Trojans were also responsible for the largest number of malcode additions in 2007&#8212;a total of 109,246 new Trojans were detected in 2007, compared to 64,173 worms, 55,873 adware programs, and 48,889 viruses.</p></blockquote>

<p>Those numbers are staggering, though it helps to keep in mind that a lot of these programs are variations on a theme, as each hacker modifies the code to try to avoid detection and/or adapt it to their specific goals. It all should act as a reminder of the need to keep your anti-virus software up to date, make use of a decent firewall, and be very careful about knowing exactly what you&#8217;re installing on your PC. Some of the more recent, but less successful, exploits have tried to spread themselves through PDF and MP3 files. Some of the most successful exploits, meanwhile, are the fake media codecs from sites that tempt you with some outrageous or titillating video that requires you to install a media codec you&#8217;ve never heard of before you can watch the clip. When you do, you&#8217;re suddenly infected with a malicious downloader or spyware.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/ibm_internet_security_systems_x_force_annual_report_is_out/#comments">Comments</a>]]></content:encoded>
      <dc:date>2008-02-14T16:28:01-05:00</dc:date>
    </item>

    <item>
      <title>Sony has another rootkit scandal on its hands.</title>
      <link>http://stupidevilbastard.com/index/seb/comments/sony_has_another_rootkit_scandal_on_its_hands/</link>
      <description></description>
      <dc:subject>computing, flash drives, rootkits, security, sony, usb</dc:subject>
      <dc:creator>Les</dc:creator>
      <content:encoded><![CDATA[<p>You&#8217;d think Sony would&#8217;ve learned from all the trouble they got in with their anti-CD copying rootkit awhile back, but the problem with being a huge conglomerate is it&#8217;s often difficult for The Powers That Be to know everything every branch of the company is up to. This time around it&#8217;s not a CD copy protection causing the problem, but rather a <a href="http://www.f-secure.com/weblog/archives/archive-082007.html#00001263" title="Double Whammy! Another Sony Case (And it's Not BioShock) - F-Secure : News from the Lab - August of 2007">biometric USB flash drive</a>:</p>

<blockquote><p>We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.</p>

<p>Many of our regular readers will remember the huge Sony BMG XCP DRM rootkit debacle of 2005. Back then malware with rootkits was not very common, but since then a lot of malware families have adopted rootkit cloaking techniques. It is unclear if the &#8220;rise of the rootkit&#8221; would have happened in this magnitude without the publicity of the Sony BMG case. In any case, a lot more people now know what a &#8220;rootkit&#8221; is than back then.</p>

<p>This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company &#8212; Sony Corporation.</p>

<p>The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under &#8220;c:\windows\&#8221;. So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) &#8212; depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.</p></blockquote>

<p>Oops. To their credit Sony does appear to have learned something from the previous debacle and they&#8217;re <a href="http://news.bbc.co.uk/2/hi/technology/6975838.stm" title="Sony confirms security problem - BBC News">admitting right up front that it&#8217;s an issue</a>:</p>

<blockquote><p>Electronics giant Sony has confirmed a recently discovered security flaw in some of its products that could leave PCs vulnerable to attack by hackers.</p>

<p>The firm said that the fault, which affected software packaged with memory sticks, was developed by a third-party.</p>

<p>Sony said it was conducting an internal investigation into the problem and would offer a fix &#8220;by mid-September&#8221;. </p></blockquote>

<p>That&#8217;s a big change from the last time, when the president of Sony BMG, Thomas Hesse, made the mistake of railing against angry consumers by declaring <i>&#8220;Most people, I think, don&#8217;t even know what a rootkit is, so why should they care about it?&#8221;</i> That did little to cool heads at the time.</p>

<p>So if you happen to be an owner of one of these Sony USB drives you should be aware that your desire for extra security may have made you less secure, but Sony&#8217;s working on a fix for you.</p><br /><a href="http://stupidevilbastard.com/index/seb/comments/sony_has_another_rootkit_scandal_on_its_hands/#comments">Comments</a>]]></content:encoded>
      <dc:date>2007-09-04T15:06:00-05:00</dc:date>
    </item>

    
    </channel>
</rss>