Security Response
Josh Harriman | 19 Nov 2007 08:00:00 GMT | 0 comments

I just wanted to make mention that a couple of my testing methodology conference papers have finally been uploaded to our whitepaper section here in Security Response. I say "finally" because I had to wait until after I presented my latest one at this year's Virus Bulletin conference held in Vienna. But I have no excuse for the other paper I presented at last year's EICAR conference in Hamburg, other than the fact that I thought it would be better to have both papers ready at the same time because they complement each other.

The first one—A Testing Methodology for...

Andrea DelMiglio | 05 Nov 2007 08:00:00 GMT | 0 comments

Anonymous proxy services are online applications that enable users to surf the Web with enhanced privacy. These applications act as an SSL proxy between the user and the Web site to be visited, thus masking the IP address and providing additional privacy features, such as referrer hiding, script removal, cookie removal, and URL encoding. Proxify is one provider of these services, but many more are available on the Internet.

Although we believe online privacy is something we always need to take care of, the use of these kinds of services...

Erik Kamerling | 02 Nov 2007 07:00:00 GMT | 0 comments

In the previous entries in this series (part 1, part 2) I discussed the different tricks and indicators of issues involving timestamping anomalies, specifically with Windows-based computers. Now, from a defense and detection standpoint it is relatively easy to detect such activities on the network using a tool like Wireshark or its command-line equivalent tshark.

In the example below we make two assumptions: 1) Windows clients on our network should not be using the timestamp option on outgoing SYN packets (this violates default configurations), and 2) a host on the outside of our network that receives a SYN with no timestamp set should not respond in turn with a timestamped SYN...

Erik Kamerling | 31 Oct 2007 07:00:00 GMT | 0 comments

Welcome back. In my previous blog I was telling you about Kohno et al. discovering how we can manipulate a Windows machine into starting to timestamp in the middle of a non-Tsopt-enabled flow. If we have control of a machine that a Windows client connects to, or we act in a man-in-the-middle (MiTM) capacity on a flow involving Windows hosts, we can perform a simple trick. The "attacker" must actively modify a TCP SYN/ACK packet halfway through the regular TCP handshake with a Windows host (server to client) to incorrectly contain Tsval, in violation of the timestamp standard. If RFC 1323 guidance was adhered to in this situation, a Windows system facing such an unexpected Tsopt in a SYN/ACK would not begin to timestamp its packets. However, it was discovered that if we introduce such a Tsopt-enabled SYN/ACK we can trick Windows systems into...

Erik Kamerling | 29 Oct 2007 07:00:00 GMT | 0 comments

Kohno, Broido, and Claffy introduced the seminal paper "Remote physical device fingerprinting" at the IEEE Symposium on Security and Privacy held May 8-11, 2005. In this paper they outlined for the first time how TCP timestamp values can be used to physically differentiate one Internet-connected host from another. Their work is based on the concept of "clock skew," which is the amount and rate at which a computer's clock uniquely deviates from a baseline. Every physical machine's internal clock components deviate from true time in a measurable and unique way. By measuring this drift pattern using linear regression/curve fitting (using the TCP timestamps option (Tsopt) value in normal TCP traffic) they were able to passively and semi-passively perform clock skew calculations on remote hosts that allowed them to accurately fingerprint individual computers. This cutting-edge methodology has subsequently enabled them to perform a myriad of brand new de-anonymization attacks.

Using TCP...

Andrea Lelli | 26 Oct 2007 07:00:00 GMT | 0 comments

A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.

We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! Why else would the miscreants otherwise make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?

This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your computer is in...

Ron Bowes | 25 Oct 2007 07:00:00 GMT | 0 comments

These days, many people take it for granted that their email is secure. People (and companies) send all kinds of critical information through email, expecting it to make it to the correct person and only that person.

That's a bad assumption.

Email is often used by Web applications to reset passwords, by financial sites to provide updates to profiles, and by friends and family with personal information. Any of this data, in the wrong hands, could be dangerous to a person. It could lead to all the usual problems: identity theft, information exposure, and the exposure of trade secrets.

Email passes through several servers in much the same way as traditional mail travels through several people. The sender sends an email directly to an SMTP (or similar) server, which is often run by the sender's Internet service provider (ISP). That server typically forwards the email to the recipient's mail server (which can be run by the recipient's ISP, the recipient's company, or...

Ron Bowes | 19 Oct 2007 07:00:00 GMT | 0 comments

Economy servers are typically IRC servers where criminals and so-called "black hats" congregate to sell their illegally obtained merchandise. They can be thought of much like a bazaar of old, where the sellers announce their wares and their prices in the hopes that buyers will choose them. These wares typically include stolen credit cards, identities, online gaming accounts, Web site logins (such as PayPal and eBay), and other illegal goods. Because these servers are frequently tracked by law enforcement, the people who do the trading have to be careful.

It has been observed that these servers rarely have a single fixed address. Commonly, the server migrates to a new address on a regular basis, as frequently as every week. Presumably there is some pre-arranged pattern or a central source that tells loyal users where the current server is. It's not uncommon for a researcher to connect to an active economy server only to find it completely empty. This forces law enforcement and...

Ben Nahorney | 18 Oct 2007 07:00:00 GMT | 0 comments

I was recently reminded of a childhood game my friends and I used to play in the forests near where I grew up. I'd stand near the edge of the tree line, holding a burlap sack, while my friends snuck into the underbrush looking for snipes. You had to be really quiet, see, because those critters would scare easily. You had to have patience too; sometimes you'd be standing there for hours in your snipe-catching crouch. On more than one occasion it seemed my friends got lost in their hunt, and as dusk turned into evening, I'd have to head home empty-handed, before my parents started wondering where I was.

I was a gullible kid.

In much the same way, many people these days are being misled by messages they receive about threats on their computer. But where the worst that came of our snipe-hunting adventures was wariness of what my friends would tell me, believing these messages can...

M.K. Low | 17 Oct 2007 07:00:00 GMT | 0 comments

Some people are very willing to give up personal information and most aren't aware how much they are revealing. From social networking sites to personal Web pages to email, strangers now have access to more personal information than ever before. Look at any person's page on a social networking site and you can see information ranging from first name, last name, address, email address, phone numbers, birthday, photos, employers, education, well, you get the point.

So why would letting the world know inconsequential information such as my dog's name be so dangerous? Most users have passwords taken from their personal lives such as educational institutions, favorite hockey team (Go Leafs Go), pets' names (Fluffy), or even family members' names. Or, when a user forgets the password to their email, the email program asks...