McAfee List of Security Predictions for 2007
McAfee published 10 security predictions for next year. This is the list:
- The number of password-stealing websites will increase using fake sign-in pages for popular online services such as eBay.
- The volume of spam, particularly bandwidth-eating image spam, will continue to increase.
- The popularity of video sharing on the web makes it inevitable that hackers will target MPEG files as a means to distribute malicious code.
- Mobile phone attacks will become more prevalent as mobile devices become 'smarter' and more connected.
- Adware will go mainstream following the increase in commercial Potentially Unwanted Programs.
- Identity theft and data loss will continue to be a public issue – at the root of these crimes is often computer theft, loss of back-ups and compromised information systems.
- The use of bots, computer programs that perform automated tasks, will increase as a tool favoured by hackers.
- Parasitic malware, or viruses that modify existing files on a disk, will make a comeback.
- The number of rootkits on 32-bit platforms will increase, but protection and remediation capabilities will increase as well.
- Vulnerabilities will continue to cause concern fuelled by the underground market for vulnerabilities.
You can find the podcast here.
(IN)SECURE Magazine is Very Good and Free
(IN)SECURE Magazine issue 9 has been released and is available for free download (here). Many thanks to the publisher and authors for their good work and for providing us with a free magazine.
New DMCA Exemptions Granted
The U.S. Copyright Office released its list of DMCA exemptions for the next three years. You may read it here. It is also well covered on various blogs and in the press. You can read about it on Freedom to Tinker and Derek Slater’s blog. This comment is interesting:
The DMCA exemptions were surprising and fortunate, but, as always, disappointing.
SMiShing - What is that?
You are probably overwhelmed by the many new words and acronyms that you hear or read everywhere. Here is one more: SMiShing. The McAfee Avert Labs Blog, in its post (I saw this word for the first time there), considers SMiShing an emerging threat vector. Some cell phone users have started receiving SMS messages that call on them to visit various web sites or that are fake confirmations of signing up for various online services.
This is a version of phishing by SMS and yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams. SMiShing will certainly require more attention in the future.
You Know What Phishing Is, But What About Pharming?
A couple of words to remember about phishing: Phishing attacks use both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.
Pharming is an attack in which a user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. It is different from phishing in that the attacker does not have to rely on having the user click a link in an email to deceive the user; even if the user correctly enters a URL (web address) into a browser’s address bar, the attacker can still redirect the user to a malicious web site.
The threat due to pharming is not new, and has been known to security experts under the more technical term DNS cache poisoning. However, due to the increasing use of the Internet to conduct financial transactions, criminals are now using DNS cache poisoning for profit. The name pharming was coined after a significant DNS cache poisoning attack in March 2005 due to its loose similarity to phishing attacks that were common at the time.
An interesting article about pharming can be found here. Also visit Symantec’s web site, where you can find some details and guidelines on how to be more secure against phishing and pharming attacks (here). A web site dedicated to pharming is here and a web page dedicated to anti-phishing is here.
RSA Crypto Attack Poses Threat to DRM
In a recent post on this blog, I mentioned attacks on the RSA algorithm, so-called “side-channel” attacks on secure systems. If these types of attacks prove successful, they can pose a significant threat to DRM (Digital Rights Management). See more about DRM in the Wikipedia article (here). It is also interesting to see what the EFF (Electronic Frontier Foundation) site has to say about DRM (here).
Security researchers have developed a new approach to breaking the RSA algorithm that creates new problems for the development of effective rights management software.
Cryptanalysts already know that the time taken to make different calculations using the same encryption key might, in theory at least, give attackers code-breaking clues in much the same way electro-magnetic leakage or power fluctuations can be used in so-called “side-channel” attacks on secure systems. The new so-called Branch Prediction Analysis (BPA) attack is a refinement on this approach that makes code breaking feasible on commodity PCs instead of expensive high-performance kit.
A carefully written spy-process, running alongside the RSA-process, is able to collect almost all the secret bits used in an RSA signing operation by monitoring the states of a CPU. The approach yields far quicker results than statistical analysis, cryptography researchers say.
“The successful extraction of almost all secret key bits by our SBPA attack against an openSSL RSA implementation proves that the often recommended blinding or so called randomization techniques to protect RSA against side-channel attacks are, in the context of SBPA attacks, totally useless,” researchers Onur Aciicmez, Cetin Kaya Koc and Jean-Pierre Seifert report in their paper.
“Despite sophisticated hardware-assisted partitioning methods such as memory protection, sandboxing or even virtualisation, SBPA attacks empower an unprivileged process to successfully attack other processes running in parallel on the same processor.”
The approach frustrates existing countermeasures according to crypto guru Bruce Schneier, who writes that the approach would be particularly potent if directed against Digital Rights Management (DRM) implementations.
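The kind of key-dependent branch that branch prediction analysis exploits appears in textbook square-and-multiply exponentiation. The following added example (not code from the paper, from OpenSSL or from the cited articles) models that branch with a toy 16-bit exponent and puts a branch-free variant beside it. The key (n = 3233, e = 17, d = 2753), the function names and the trace buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sizes: 16-bit exponent, modulus below 2^32 so a*b fits in uint64_t. */
#define BITS 16
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

/* Left-to-right square-and-multiply with a branch on each secret bit.
 * trace[] records whether the multiply ran ('M') or was skipped ('-'),
 * standing in for what an observer of branch behaviour learns. */
uint64_t modexp_branchy(uint64_t base, uint32_t d, uint64_t n, char *trace) {
    uint64_t r = 1;
    for (int i = BITS - 1; i >= 0; i--) {
        int bit = (d >> i) & 1;
        r = mulmod(r, r, n);
        if (bit)                        /* secret-dependent branch: the leak */
            r = mulmod(r, base, n);
        *trace++ = bit ? 'M' : '-';
    }
    *trace = '\0';
    return r;
}

/* Rebuild an exponent from an operation trace alone. */
uint32_t exponent_from_trace(const char *trace) {
    uint32_t d = 0;
    for (; *trace; trace++) d = (d << 1) | (uint32_t)(*trace == 'M');
    return d;
}

/* Hardened form: multiply every round, then keep or discard the product
 * with a mask, so the operation sequence is the same for every exponent. */
uint64_t modexp_branchfree(uint64_t base, uint32_t d, uint64_t n, char *trace) {
    uint64_t r = 1;
    for (int i = BITS - 1; i >= 0; i--) {
        uint64_t mask = 0 - (uint64_t)((d >> i) & 1);   /* all ones or zero */
        r = mulmod(r, r, n);
        uint64_t m = mulmod(r, base, n);
        r = (m & mask) | (r & ~mask);
        *trace++ = 'M';
    }
    *trace = '\0';
    return r;
}

int main(void) {
    char t[BITS + 1];
    uint64_t s = modexp_branchy(42, 2753, 3233, t);   /* constructed toy key */
    printf("sig=%llu trace=%s d=%u\n", (unsigned long long)s, t, exponent_from_trace(t));
    return 0;
}
```

Base blinding changes `base` on every call but not the first trace, because that trace depends only on the exponent bits. Production code should rely on a vetted constant-time big-number library rather than a hand-written loop like this one.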
Sources: The Register, Bruce Schneier’s blog, IACR (International Association for Cryptologic Research).
Stealth Malware Taxonomy
A very interesting paper written by Joanna Rutkowska titled “Introducing Stealth Malware Taxonomy” proposes a simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system.
Read this paper here.
My paper: A Development Environment for Generating SUNC
It has been ten years since my paper, written for the IEEE Technical Applications Conference Northcon 96 and titled “A Development Environment for Generating System for Universal Network Connecting”, was published. The conference was held November 4-6, 1996, in Seattle, Washington, USA.
You can find that paper here. Note: an IEEE subscription is required to download the full paper.