Security Response
Showing posts for October of 2007
Erik Kamerling | 31 Oct 2007 07:00:00 GMT | 0 comments

Welcome back. In my previous blog I was telling you about Kohno et al. discovering how we can manipulate a Windows machine into starting to timestamp in the middle of a flow that was not negotiated with Tsopt. If we have control of a machine that a Windows client connects to, or we act in a man-in-the-middle (MiTM) capacity on a flow involving Windows hosts, we can perform a simple trick. The "attacker" must actively modify the TCP SYN/ACK packet halfway through the regular TCP handshake with a Windows host (server to client) so that it incorrectly contains a Tsval, in violation of the timestamp standard. If RFC 1323 guidance were adhered to in this situation, a Windows system facing such an unexpected Tsopt in a SYN/ACK would not begin to timestamp its packets. However, it was discovered that if we introduce such a Tsopt-enabled SYN/ACK we can trick Windows systems into...
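The SYN/ACK manipulation described above, as an added Python example that is not part of the original post: a small TCP options parser, the attacker-side step of appending a TSopt to an options field that has none, and the defender-side check for the RFC 1323 violation the trick relies on (a SYN/ACK carrying TSopt when the SYN did not). The option bytes are constructed here for illustration, not captured traffic, and the function names are assumptions of this example.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_TIMESTAMP = 0, 1, 2, 8
MAX_TCP_OPTIONS_LEN = 40  # 4-bit data offset: 60-byte header minus the 20-byte fixed part


def parse_tcp_options(opts: bytes) -> dict:
    """Parse the variable-length TCP options field into {kind: payload}.

    EOL ends the list, NOP is a one-byte filler, every other option is
    kind/length/payload. Malformed lengths raise instead of being skipped.
    """
    parsed = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def timestamp_of(opts: bytes):
    """Return (TSval, TSecr) if the segment carries a TSopt, else None."""
    payload = parse_tcp_options(opts).get(TCPOPT_TIMESTAMP)
    if payload is None:
        return None
    if len(payload) != 8:
        raise ValueError("TSopt payload must be 8 bytes")
    return struct.unpack("!II", payload)


def inject_timestamp(opts: bytes, tsval: int, tsecr: int = 0) -> bytes:
    """The attacker's edit: append a TSopt (kind 8, length 10) to the options
    of a SYN/ACK whose SYN carried none. NOPs pad to a 32-bit boundary.

    A real MiTM would also have to fix the data offset and the TCP checksum;
    this function only builds the options field.
    """
    if timestamp_of(opts) is not None:
        return opts
    new = opts + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, tsval, tsecr)
    new += bytes([TCPOPT_NOP]) * ((-len(new)) % 4)
    if len(new) > MAX_TCP_OPTIONS_LEN:
        raise ValueError("options would exceed the 40-byte limit")
    return new


def synack_violates_rfc1323(syn_opts: bytes, synack_opts: bytes) -> bool:
    """RFC 1323 lets a responder put TSopt in the SYN/ACK only if the SYN had it.
    True means the handshake shows the injection described in the post."""
    return timestamp_of(syn_opts) is None and timestamp_of(synack_opts) is not None


# Constructed option fields (not captured traffic):
# a SYN with MSS 1460, two NOPs and SACK-permitted, and no timestamp
SYN_NO_TS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
# the same SYN with a TSopt (TSval=1000, TSecr=0) and two trailing NOPs
SYN_WITH_TS = SYN_NO_TS + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, 1000, 0) + b"\x01\x01"
```

Run against a packet capture, `synack_violates_rfc1323` is the check a defender would apply per connection: a SYN/ACK that introduces TSopt after a timestamp-less SYN is exactly the middlebox behaviour the post describes.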

Andrea DelMiglio | 30 Oct 2007 07:00:00 GMT | 0 comments

As anticipated in my first blog post, email service providers play a central role in the battle against online fraud. This is because they are often the only organizations that hold the data needed to support financial institutions and law enforcement agencies in prosecuting criminals.

Most phishing sites are hosted on compromised Web servers, and in the past stolen credentials were stored in local log files that phishers saved under rather standard filenames (like "data.log" or "cc.txt," where "cc" obviously stands for credit card). Web servers with directory listing enabled, together with phishing kit analysis, quickly made this simple technique ineffective, because financial institutions were able to read those files as well. They were therefore able to block stolen Internet banking accounts and credit cards, thus preventing further...

Erik Kamerling | 29 Oct 2007 07:00:00 GMT | 0 comments

Kohno, Broido, and claffy introduced the seminal paper "Remote physical device fingerprinting" at the IEEE Symposium on Security and Privacy held May 8-11, 2005. In this paper they outlined for the first time how TCP timestamp values can be used to physically differentiate one Internet-connected host from another. Their work is based on the concept of "clock skew," which is the amount and rate at which a computer's clock deviates from a baseline. Every physical machine's internal clock components deviate from true time in a measurable and characteristic way. By measuring this drift pattern with linear regression/curve fitting over the TCP timestamps option (Tsopt) values carried in normal TCP traffic, they were able to passively and semi-passively calculate the clock skew of remote hosts, which allowed them to accurately fingerprint individual computers. This cutting-edge methodology has subsequently enabled them to perform a myriad of brand new de-anonymization attacks.

Using TCP...
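The skew calculation the post refers to, as an added Python example that is neither the paper's code nor the original post's: the observer records the arrival time of each segment on its own clock together with the remote TSval, fits the TSval against time to recover the remote tick rate, and then fits the resulting clock offsets against time; the slope of that second fit is the skew. Kohno et al. also used a linear-programming (lower hull) fit; ordinary least squares is used here for simplicity. The hosts are simulated with constructed tick rates and drifts, and the list of common tick rates and all names are assumptions of this example.

```python
"""Clock-skew estimation from TCP timestamps, in the style of Kohno et al."""

# Tick rates commonly seen driving TSval (assumed list used to snap the fitted rate)
COMMON_HZ = (2, 10, 100, 250, 1000)


def least_squares_slope(xs, ys):
    """Slope of the ordinary least-squares line through (xs, ys)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def estimate_hz(arrivals, tsvals):
    """TSval grows linearly with time, so its slope against our arrival
    clock is the remote tick rate; snap it to the nearest common rate."""
    slope = least_squares_slope(arrivals, tsvals)
    return min(COMMON_HZ, key=lambda hz: abs(hz - slope))


def estimate_skew_ppm(arrivals, tsvals, hz):
    """Offsets y_i = (v_i - v_0)/hz - (t_i - t_0): how far ahead, in seconds,
    the remote clock has run compared to ours. Their slope against t_i - t_0
    is the skew, a dimensionless s/s ratio, returned in parts per million."""
    t0, v0 = arrivals[0], tsvals[0]
    xs = [t - t0 for t in arrivals]
    ys = [(v - v0) / hz - x for v, x in zip(tsvals, xs)]
    return least_squares_slope(xs, ys) * 1e6


def fingerprint(arrivals, tsvals):
    """Return (hz, skew_ppm) for one observed host."""
    hz = estimate_hz(arrivals, tsvals)
    return hz, estimate_skew_ppm(arrivals, tsvals, hz)


def same_device(fp_a, fp_b, tolerance_ppm=10.0):
    """Two flows plausibly come from the same physical clock if the tick
    rates match and the skews agree within the measurement tolerance."""
    return fp_a[0] == fp_b[0] and abs(fp_a[1] - fp_b[1]) <= tolerance_ppm


def simulate_tsvals(true_hz, skew_ppm, arrivals):
    """Constructed sample (not captured traffic): the TSval a host with this
    tick rate and drift would emit at each arrival time, including the integer
    truncation a real tick counter has."""
    return [int(true_hz * t * (1 + skew_ppm * 1e-6)) for t in arrivals]


ARRIVALS = [float(i) for i in range(1000)]      # one segment per second on our clock
HOST_A = simulate_tsvals(100, 50, ARRIVALS)      # 100 Hz clock running 50 ppm fast
HOST_B = simulate_tsvals(100, -120, ARRIVALS)    # 100 Hz clock running 120 ppm slow
HOST_C = simulate_tsvals(1000, 50, ARRIVALS)     # 1000 Hz clock, same drift as A
ARRIVALS_2 = [0.7 * i for i in range(1500)]      # host A seen again, different pacing
HOST_A_AGAIN = simulate_tsvals(100, 50, ARRIVALS_2)

if __name__ == "__main__":
    for name, t, v in (("A", ARRIVALS, HOST_A), ("B", ARRIVALS, HOST_B),
                       ("C", ARRIVALS, HOST_C), ("A again", ARRIVALS_2, HOST_A_AGAIN)):
        print(name, fingerprint(t, v))
```

Note that the skew estimate is biased slightly by the integer tick counter (a few percent with only a handful of tick boundaries crossed); longer observations and the hull-based fit from the paper reduce that. Host C shows why the tick rate is part of the fingerprint: it has the same drift as host A but a different clock.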

Andrea Lelli | 26 Oct 2007 07:00:00 GMT | 0 comments

A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.

We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! Why else would the miscreants make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?

This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your computer is in...

Ron Bowes | 25 Oct 2007 07:00:00 GMT | 0 comments

These days, many people take it for granted that their email is secure. People (and companies) send all kinds of critical information through email, expecting it to make it to the correct person and only that person.

That's a bad assumption.

Email is often used by Web applications to reset passwords, by financial sites to provide updates to profiles, and by friends and family to share personal information. Any of this data, in the wrong hands, could be dangerous to a person. It could lead to all the usual problems: identity theft, information exposure, and the exposure of trade secrets.

Email passes through several servers in much the same way as traditional mail travels through several people. The sender sends an email directly to an SMTP (or similar) server, which is often run by the sender's Internet service provider (ISP). That server typically forwards the email to the recipient's mail server (which can be run by the recipient's ISP, the recipient's company, or...

Scott Roberts | 24 Oct 2007 07:00:00 GMT | 0 comments

On the day I got my iPhone I submitted a bug report to Apple. It wasn’t truly a bug, but I didn’t know of a better way to express my disappointment involving the absence of a software development kit for the iPhone. It just seemed like too unique of a device to not be able to create applications for it. Perhaps a bug report was a bit of a low blow, but I never expected I'd hear anything back. However, the day after Apple announced they were going to release an iPhone dev kit in February of '08, I got an email in response to my "bug." Now, this email was identical to what Apple posted in the "Hot News" portion of their Web site and while I'd seen it before on many of the Apple news sites, this time I actually read it. One big section stood out in particular:

“It will take until February to release an SDK because we’re trying to do two diametrically...

Parveen Vashishtha | 23 Oct 2007 07:00:00 GMT | 0 comments

A new type of vulnerability is becoming more popular these days. It is an arbitrary file overwrite/delete vulnerability that can be exploited by attackers to overwrite or delete arbitrary files on an affected computer. These vulnerabilities exist particularly because a registered ActiveX control fails to restrict which domains may load the control for execution. An attack exploiting this vulnerability can lead to arbitrary code execution by a remote attacker.

Successful exploitation of this vulnerability allows attackers to create, or append to, arbitrary files. An attacker can write to a startup folder to execute arbitrary code during the next reboot or logon session. A user will not be required to authorize the object instantiation, since the object is within a signed ActiveX control. A typical exploitation scenario would require an attacker to convince a targeted user to visit a malicious website.

We have come across approximately 40 issues...

Hon Lau | 23 Oct 2007 07:00:00 GMT | 0 comments

Some months ago I reported on a cross-site scripting vulnerability relating to PDF files and browser handling of them. As it turned out, the vulnerability was not used in the wild much at all. Fast forward to October 2007, where we now have a new Adobe PDF vulnerability on our hands. First disclosed on September 20, 2007 by "pdp" on the Gnucitizen Web site, it was subsequently patched by Adobe yesterday.

One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business...

Anthony Roe | 22 Oct 2007 07:00:00 GMT | 0 comments

A bot network tends to fluctuate such that the number of members of the network waxes and wanes over time. I base this understanding on my regular observation of modern botnets and the observations of my peers (please see pg. 41 of ISTR Volume X). In the past, IRC protocol-based botnets fell victim to an "Achilles' heel" situation: if the single central server being used to control the network was taken down, the network without a controller would fall apart.

The miscreants that choose to build and control these bot networks began to develop innovative methods that could bolster their reliability. With this goal, fast-flux DNS tactics were employed to provide redundancy so that these networks were more difficult to take down. Trojan.Peacomm (also known as "Storm Worm") employed the Overnet protocol, a robust,...

Masaki Suenaga | 19 Oct 2007 07:00:00 GMT | 0 comments

Yesterday we became aware of in-the-wild exploitation of a previously unknown RealPlayer vulnerability. This unpatched vulnerability affects the latest versions of RealPlayer and the RealPlayer 11 BETA distributed on their site. The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.

This DLL has been exploited in the past, although only a remote denial of service was achieved at the time. It appears that the miscreants have refined their technique to achieve code execution. The parameter passed to the vulnerable method of the ActiveX control appears to accept only character strings, which is most likely why the shellcode is made up of only English letters (A-Z) and digits (0-9). Those bytes are themselves valid Intel IA-32 instructions, so the payload can run directly and rewrite its own machine code on the fly into the instructions it actually needs.