Virtual Steganographic Laboratory

Posted in Education and Training, Privacy, Security, Tools and Utilities by Dragan Pleskonjic @ Jul 3, 2009

Michal Wegrzyn informed me about a new and interesting project at http://vsl.sourceforge.net/: a new steganographic tool named Virtual Steganographic Laboratory (VSL). It is a graphical block diagramming tool that allows complex use, testing and adjustment of methods for both image steganography and steganalysis. VSL provides a friendly GUI along with a modular, plug-in architecture. The tool is very similar to CrypTool, which has been described on this blog here.

VSL screenshot

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. It is a form of “security through obscurity”. The word steganography is of Greek origin and means “concealed writing”. Generally, messages will appear to be something else: images, articles, or some other covertext. It may be thought of as a kind of invisible ink between the visible lines of a private letter.

The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both the message and the communicating parties.
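As an added illustration (not part of the original post and not VSL's own code), here is the simplest image steganography method such a laboratory lets you experiment with, LSB replacement, side by side with the pairs-of-values chi-square steganalysis that detects it. The cover "image" is a constructed list of 8-bit grayscale samples with a skewed LSB distribution, standing in for real pixel data.

```python
import random

def embed_lsb(cover, bits):
    """Replace the LSB of each sample with one message bit (LSB replacement)."""
    if len(bits) > len(cover):
        raise ValueError("message exceeds cover capacity")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def extract_lsb(stego, n_bits):
    return [s & 1 for s in stego[:n_bits]]

def bytes_to_bits(data):
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]
def bits_to_bytes(bits):
    return bytes(sum(bit << (7 - k) for k, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def chi_square_lsb(samples):
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzmann): LSB replacement
    with random-looking data equalises the counts of 2k and 2k+1, so it collapses."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi += 2 * (hist[k] - expected) ** 2 / expected
    return chi

def make_cover(n=4096, seed=1):
    """Constructed cover: 8-bit samples with even values favoured 3:1, mimicking
    the uneven value-pair histogram of a natural image (not a real picture)."""
    rng = random.Random(seed)
    return [rng.randrange(0, 256, 2) + int(rng.random() < 0.25) for _ in range(n)]

def demo(cover_len=4096):
    cover = make_cover(cover_len)
    secret = b"meet at noon"  # constructed payload
    # Round trip: hide the message bits, then read them back.
    stego = embed_lsb(cover, bytes_to_bits(secret))
    recovered = bits_to_bytes(extract_lsb(stego, len(secret) * 8))
    # Steganalysis: a full-capacity random payload (stand-in for ciphertext) flattens
    # every value pair, and the statistic drops by roughly an order of magnitude.
    rng = random.Random(7)
    full = embed_lsb(cover, [rng.randrange(2) for _ in range(cover_len)])
    return recovered, chi_square_lsb(cover), chi_square_lsb(full)
```

A real steganalysis run would slide this statistic over the image in chunks to estimate how much of the cover was used; here one global value on cover versus stego suffices to show the effect.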

Virtual Steganographic Laboratory (VSL) is simple, easy to use software for steganography, steganalysis and watermarking. It gives scientists and students a powerful tool for conducting a wide range of experiments involving different types of message embedding, diverse attacks (employing image processing algorithms) and steganalysis with popular methods. Because it uses generics (and a few other features), it requires at least Java 1.5 (5.0).

The primary interface of VSL is a graphical block diagramming tool with a customizable set of block modules. VSL uses dynamic invocation, so new modules can be created, added and used without recompiling the application. Many steganographic applications are command-line tools or very simple GUIs built around a single method. VSL provides a framework for complex yet simple to arrange experiments and method testing. It can use many methods simultaneously, and anyone can add a new one.

I see this as a very promising project and will continue to watch its progress.

Intesa Bank POS Terminals Insecure

Posted in Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jun 13, 2009

Payment with credit or debit cards at some Intesa bank owned POS terminals, at least in Serbia, is NOT secure: they print the full card number on the paper slip.

I recognized this issue many months ago after a purchase in one shop. By accident, I looked carefully at the slip issued after the purchase and found that the full card number was clearly printed on it: no stars (*) or other wildcards in place of the eight middle digits of the card number, as is usual. This creates a possibility of misuse and is not in compliance with the standards which credit card companies require of banks and processors. If you use your credit cards in these shops you may be at serious risk!
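As an added example (mine, not the bank's or any card scheme's code), here is the kind of check a merchant or acquirer could run over receipt text to catch exactly the defect described above: a Luhn-valid 16-digit run printed in the clear, together with the masked form that should have appeared instead. The slip texts and the card number are constructed; 4111 1111 1111 1111 is a public test number, not a real account.

```python
import re

def luhn_valid(digits):
    """Luhn check (ISO/IEC 7812) separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Masking the post expects on a slip: first four and last four digits kept,
    the eight in the middle replaced by '*'."""
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]

# 16 digits, optionally grouped by spaces or dashes (the usual 4-4-4-4 slip layout).
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def find_unmasked_pans(text):
    """Return every Luhn-valid 16-digit run; a compliant slip returns an empty list."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

# Constructed sample slips (generic terminal text, not a real receipt format).
BAD_SLIP = "POS TERMINAL 001\nVISA 4111 1111 1111 1111\nAMOUNT 1250.00 RSD\n"
GOOD_SLIP = "POS TERMINAL 001\nVISA 4111 **** **** 1111\nAMOUNT 1250.00 RSD\n"

def audit_slips(slips):
    """Map each slip name to (clear PAN, masked form) pairs; empty means compliant."""
    return {name: [(pan, mask_pan(pan)) for pan in find_unmasked_pans(text)]
            for name, text in slips.items()}

if __name__ == "__main__":
    for name, hits in audit_slips({"bad": BAD_SLIP, "good": GOOD_SLIP}).items():
        print(name, hits or "OK")
```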

After a complaint to my bank (which is not Intesa), it was passed to Visa and their official called me by phone. He explained that this issue had been noticed earlier by their audit and the bank had been requested to sort it out in the short term.

Unfortunately, months after this complaint and the promise that things would be sorted out shortly, I had the same case today. One of the shops in Serbia that uses an Intesa POS terminal issued a slip with my full card number.

Now I feel free to report this publicly, as I hope this will help banks, credit card companies and shops to sort out this problem and mitigate the risk to which we as customers are exposed.

My recommendation to all credit card owners is to look carefully, ask shop staff, and avoid paying by card in shops which use this type of POS terminal. If you have already done so, report the issue to your bank, credit card issuer or Intesa officials.

Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I’m considering continuing that work. In the past I did research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of a system and products. This possible “reactivation” of the work is particularly driven by the recent increased interest of companies, organizations and institutions, including commercial, government etc., who contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, that area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented to the use of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference (ACSAC, December 8-12, 2003, Las Vegas, Nevada, USA) I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but it is very common for commercially available IDS/IPS to suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is so-called “zero-day” attacks, which pass the majority of today’s IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. Software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, drawing conclusions, and denying them. It protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. It is deployed on Personal Computers (PC), including Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. An appliance which sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them. It alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. It is deployed in the area of the wireless computer network.

• WIDS / WIPS Server. Corporate software which integrates the functions of the previous two components and has additional mechanisms such as collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and giving support to the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies. It is responsible for cooperation with other security software or devices (antivirus software, firewalls, …). The Server collects information about WLAN security, events, incidents and performance from the WIDS Sensors deployed throughout a WLAN, and delivers it to the WIDS Console in a format that helps network administrators immediately identify problems. It is deployed in the corporate network, or remotely for several mutually linked networks.

• WIDS / WIPS Console & Management, Reporting Tools. A set of utilities intended to provide monitoring, management, tuning, and preparation of various reports about the activity of WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Individual utilities can reside on Agent and Sensor devices, and they provide remote access and configuration capability too.

This is just a brief description. If you are interested in more details, or want to consider contributing to or investing in this development, send me an e-mail.

Nokia 1100 Used in Online Banking Hack

Posted in Security by Dragan Pleskonjic @ May 23, 2009

Interesting article: Investigators replicate Nokia 1100 online banking hack – Network World. It says:

Versions of the 1100 have firmware that can be modified in order to intercept SMSes, including one-time banking passwords.

and

An Ultrascan informant sold one of the devices recently in Tangiers, Morocco, for €5,500 (US$7,567), Engelsman said. Ultrascan previously confirmed data earlier this year that one Nokia 1100 sold for €25,000.

If you can’t remember what the Nokia 1100 looks like, see the article on Wikipedia. You can also see details about this model on Nokia’s web site.

Is it just the Nokia 1100, or is this possible with some other models too?

Which Antivirus Software Do You Use?

Posted in Malicious Software, Polls, Security, Tools and Utilities by Dragan Pleskonjic @ Apr 21, 2009

There is a new poll on this blog. The question is “Which antivirus software do you use?” and the possible answers are:

  • Symantec
  • McAfee
  • Kaspersky
  • F-Secure
  • AVG
  • Avast
  • Trend Micro
  • NOD32
  • Other
  • None

Thank you for voting.

Conficker – Check to See If You Are Infected

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 8, 2009

Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced on November 21st, 2008, with Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.

To check simply whether you are infected, you can use the Conficker Eye Chart developed by the Conficker Working Group.

If you can see all six images in both rows of the top table on the Conficker Eye Chart, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

Whom to Believe: Google or McAfee?

Posted in Internet Security by Dragan Pleskonjic @ Apr 2, 2009

I use the McAfee suite on one of my computers. It includes McAfee SiteAdvisor, which should help with knowing which Web sites are safe and which are risky or dangerous. Today (April 2, 2009) I was surprised when McAfee warned me, on an attempt to access some of Google’s services, with a red mark and the message:

74.125.77.132 may try to steal your information.

Why were you redirected to this page? When we visited this site, we found it may be designed to trick you into submitting your financial or personal information to online scammers. This is a serious security threat which could lead to identity theft, financial losses or other dissemination of personal information.

I checked and found that this IP address belongs to Google.

Whom to believe: Google or McAfee? An interesting question, isn’t it?

The Sky Has Fallen!?

Not many people seem to have noticed that the Invisible Things team has reported the third attack against SMM (Attacking SMM Memory via Intel® CPU Cache Poisoning) that they have found in the last 10 months. Joanna Rutkowska, founder and CEO of Invisible Things Lab, reported it on her blog and also on the company’s web site.

Here is a citation of one interesting opinion:

But anyway, does the fact we can easily compromise the SMM today, and write SMM-based malware, does that mean the sky is falling for the average computer user?

No! The sky has actually fallen many years ago… Default users with admin privileges, monolithic kernels everywhere, most software unsigned and downloadable over plaintext HTTP — these are the main reasons we cannot trust our systems today. And those pathetic attempts to fix it, e.g. via restricting admin users on Vista, but still requiring full admin rights to install any piece of stupid software. Or selling people illusion of security via A/V programs, that cannot even protect themselves properly…

One of the attacks was shown at the recent CanSecWest Applied Security Conference in Vancouver: Getting into the SMRAM: SMM Reloaded – Loïc Duflot.

Looking into these reports and the state of current security, it seems that there is both room for and a necessity of important changes in this area.

What Can Adware Do?

Read this interview and you will probably be scared. It is an interview with Matt Knox, who talks about his early days designing and writing adware for Direct Revenue.

He says:

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.

and:

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

The question is: who owns “your” computer?

Thanks to Aleck for pointing me to this scary interview.

Bruce Schneier in Reason Magazine

Posted in General, Security by Dragan Pleskonjic @ Jan 25, 2009

Interesting interview: Safe, But Also Sorry: Security expert Bruce Schneier talks about privacy and property in the information state – Reason Magazine.

Citation:

Reason: In Schneier on Security, you emphasize that technology isn’t the only (or even the most important part) of a security solution. Why do people tend to systematically discount cultural and economic factors in considering questions of security?

Schneier: We live in a technological world, and it’s common for us to believe that technology can solve our security problems. It solves so many of our other problems, so it’s a plausible belief. It’s also easier to believe that a shiny new piece of technology—a new ID card, a new airport scanner, a new face-recognition system—can solve our problems than boring old concepts like culture and economics. Admitting that technology isn’t the answer is admitting that there isn’t an answer that will solve the problem, and many people can’t do that yet. We’ve forgotten that risk is an inherent part of life.