Intesa Bank POS Terminals Insecure

Posted in Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jun 13, 2009

Payment with credit or debit cards, at least in Serbia, at some POS terminals owned by Intesa bank is NOT secure: they print the full card number on the paper slip.

I noticed this issue many months ago after a purchase in one shop. By chance I looked carefully at the slip issued after the purchase and found that the full card number was printed on it in clear. No stars (*) or other wildcards replaced the eight middle digits of the card number, as is usual. This opens the door to misuse and is not in compliance with the standards that credit card companies require banks and processors to follow. If you use your credit card in these shops, you may be at serious risk!

After I complained to my bank (which is not Intesa), the complaint was passed to Visa and one of their officials called me. He explained that their audit had already noticed this issue and that the bank had been asked to fix it within a short time.

Unfortunately, months after that complaint and the promise that things would be sorted out shortly, I had the same experience today: a shop in Serbia that uses an Intesa POS terminal issued a slip with my full card number.

Now I feel free to report this publicly, as I hope it will help banks, credit card companies and shops to fix the problem and mitigate the risk to which we as customers are exposed.

My recommendation to all card holders is to look carefully at the slip, ask the shop staff, and avoid paying by card in shops that use this type of POS terminal. If you have already done so, report the issue to your bank, your card issuer or Intesa.
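As an added illustration (not part of the original post), here is how a merchant or acquirer could mask a PAN before printing and how a compliance check could scan printed slip text for card numbers left in full. The masking keeps the first four and last four digits, hiding the eight middle digits as the post describes; PCI DSS requirement 3.3 allows at most the first six and last four digits to be displayed, and the function refuses anything more permissive. The slip text, terminal id and amount below are constructed sample data; the card number is the well-known Visa test PAN, not a real card.

```python
import re
from typing import List


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check: every issued PAN passes it, so a 13-19 digit run
    that passes Luhn on a receipt is very likely an unmasked card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 4, keep_suffix: int = 4) -> str:
    """Replace the middle digits of a PAN with '*'.

    The defaults keep four leading and four trailing digits, so the eight
    middle digits are hidden (the slip format the post calls usual).
    PCI DSS 3.3 permits at most the first six and last four digits to be
    shown, so more permissive settings are rejected."""
    digits = re.sub(r"[^0-9]", "", pan)
    if not 13 <= len(digits) <= 19 or keep_prefix > 6 or keep_suffix > 4:
        raise ValueError("not a PAN, or masking exceeds PCI DSS display limits")
    hidden = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + "*" * hidden + digits[-keep_suffix:]


# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def find_unmasked_pans(slip_text: str) -> List[str]:
    """Return every Luhn-valid card number printed in full on a slip."""
    found = []
    for m in _PAN_RE.finditer(slip_text):
        digits = re.sub(r"[^0-9]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed sample slips (not real receipts). 4111 1111 1111 1111 is the
# well-known Visa test PAN; terminal id, amount and auth code are made up.
BAD_SLIP = """POS TERMINAL 0001234
13.06.2009 14:07
CARD: 4111 1111 1111 1111
AMOUNT: 1250.00 RSD
AUTH: 004512
"""

GOOD_SLIP = BAD_SLIP.replace("4111 1111 1111 1111", "4111 **** **** 1111")

if __name__ == "__main__":
    print("unmasked PANs on bad slip :", find_unmasked_pans(BAD_SLIP))
    print("unmasked PANs on good slip:", find_unmasked_pans(GOOD_SLIP))
    print("masked form               :", mask_pan("4111 1111 1111 1111"))
```

The Luhn filter is what keeps the scanner from flagging every long number on a slip (terminal ids, auth codes, dates); running it over a sample of printed slips from a terminal model is a cheap way for an acquirer to verify that the masking the card schemes require is actually in place.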


Conficker – Check to See If You Are Infected

Posted in Malicious Software, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 8, 2009

Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced November 21st, 2008 with Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.

For a simple check of whether you are infected, you can use the Conficker Eye Chart developed by the Conficker Working Group.

If you can see all six images in both rows of the top table on the Conficker Eye Chart, you are either not infected by Conficker, or you are using a proxy server, in which case this test cannot give an accurate result, since Conficker will be unable to block you from viewing the AV/security sites.


The Sky Has Fallen!?

Not many people seem to have noticed that the Invisible Things Lab team has reported the third attack against SMM (Attacking SMM Memory via Intel® CPU Cache Poisoning) that they have found in the last 10 months. Joanna Rutkowska, founder and CEO of Invisible Things Lab, reported it on her blog and on the company’s web site.

Here is a citation of one interesting opinion:

But anyway, does the fact we can easily compromise the SMM today, and write SMM-based malware, does that mean the sky is falling for the average computer user?

No! The sky has actually fallen many years ago… Default users with admin privileges, monolithic kernels everywhere, most software unsigned and downloadable over plaintext HTTP — these are the main reasons we cannot trust our systems today. And those pathetic attempts to fix it, e.g. via restricting admin users on Vista, but still requiring full admin rights to install any piece of stupid software. Or selling people illusion of security via A/V programs, that cannot even protect themselves properly…

One of the attacks was shown at the recent CanSecWest Applied Security Conference in Vancouver: Getting into the SMRAM: SMM Reloaded, by Loïc Duflot.

Looking at these reports and the current state of security, there seems to be both room and need for important changes in this area.


What Adware Can Do?

Read this interview and you will probably be scared. It is an interview with Matt Knox, who talks about his early days designing and writing adware for Direct Revenue.

He says:

It would have been fairly trivial for me to go spelunking for people’s credit card information or whatever. I had four million nodes. I could have done it without anybody at the company even noticing.

and:

Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.

The question is: who owns “your” computer?

Thanks to Aleck for pointing me to this scary interview.


Will machine intelligence be used for attacks as well?

Posted in Security, Security Research, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Oct 26, 2008

I have worked for some time on the use of artificial intelligence (AI) for protecting computer/information systems and networks. My work is primarily in the area of intrusion detection and prevention systems (IDS and IPS). Some of this work and papers in this area have been published in journals and at technical conferences. I also believe that much more is yet to come.

But there is another angle to AI utilization: the approach that considers the use of machine intelligence for attacking systems’ security. An interesting article in IEEE Security and Privacy Magazine, by Carl E. Landwehr of the University of Maryland, discusses these topics and says:

Ray Kurzweil predicts that by 2040 or 2050, machine intelligence will exceed human intelligence – an event he and others have dubbed the “singularity”. Will such intelligent machines be better able to defend themselves than today’s relatively unsophisticated ones? Will their intelligence be used for attacks as well??

It is possible that, in the future, we will see artificial intelligence systems that are able to fight each other: on one side AI systems that attack, and on the other AI-supported systems in a protective role, providing security.

Full citation of the article: Carl E. Landwehr, “Cybersecurity and Artificial Intelligence: From Fixing the Plumbing to Smart Water,” IEEE Security and Privacy, vol. 6, no. 5, pp. 3-4, Sep/Oct, 2008.

Note: The article is available with a subscription or can be bought as a PDF.


MD5 Collisions

It seems that bad days have come for MD5 and for those who based their hashes on it. It is possible to create two executable programs with different functionality but an identical MD5 hash. Therefore, it is possible to create a malicious executable that has the same MD5 hash as a legitimate program, using only publicly available information and tools from the Internet.

Here is a short story and a list of resources that you may be interested in trying.

In March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published the paper “How to Break MD5 and Other Hash Functions”, in which they described an algorithm that can find two different sequences of 128 bytes with the same MD5 hash. The article was originally here, but it seems it is no longer available there. You can buy it from SpringerLink (here) for $25, or download it with a subscription. There is a free PowerPoint presentation here.

The abstract of the paper “How to Break MD5 and Other Hash Functions” says:

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

In the meantime, Peter Selinger from the Department of Mathematics and Statistics, Dalhousie University, has published the tool that he used to create MD5-colliding executable files; it can be downloaded for free. He calls it the “evilize” library. This software is based on Patrick Stach’s implementation of Wang and Yu’s algorithm. You can find his original implementation here.

Eduardo Diaz has described a scheme by which two programs can be packed into two archives with an identical MD5 hash. A special “extractor” program turns one archive into a “good” program and the other into an “evil” one.
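Why does a single 128-byte collision block let Selinger’s “evilize” and Diaz’s extractor scheme produce two complete, colliding programs? Because MD5 is a Merkle–Damgård hash: once two equal-length inputs reach the same internal state, appending the same bytes to both keeps the hashes equal. The added example below (my code, not Selinger’s or Diaz’s, and not the Wang–Yu attack) demonstrates that property on a deliberately tiny toy hash whose 16-bit state makes collisions findable by brute force; the block size, state size and mixing constants are arbitrary choices for the demonstration. The same extension property holds for real MD5, which is why verifying downloads with SHA-256 in addition to (or instead of) MD5 is the practical defence.

```python
import hashlib
import struct

BLOCK = 4          # toy block size in bytes (MD5 uses 64)
IV = 0x1234        # toy initial state, 16 bits (MD5 has 128); arbitrary value
MASK = 0xFFFF


def toy_compress(state: int, block: bytes) -> int:
    """Toy compression function: mixes a 16-bit state with one 4-byte block.
    Deliberately weak so that collisions can be found by brute force."""
    x = (state * 0x9E37 + int.from_bytes(block, "big") * 0x1F3) & MASK
    x ^= x >> 7
    x = (x * 0x5BD1) & MASK
    x ^= x >> 9
    return x & MASK


def toy_pad(data: bytes) -> bytes:
    """Merkle-Damgard style padding: 0x80, zeros up to the block boundary,
    then the message length as one final block (MD5 does the same shape)."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK)
    return padded + struct.pack(">I", len(data))


def toy_hash(data: bytes) -> int:
    """Iterate the compression function over the padded blocks."""
    state = IV
    padded = toy_pad(data)
    for i in range(0, len(padded), BLOCK):
        state = toy_compress(state, padded[i:i + BLOCK])
    return state


def find_single_block_collision():
    """Birthday-style search: two distinct 4-byte blocks that leave the
    compression function in the same state (the toy analogue of the
    128-byte colliding blocks Wang and Yu's algorithm produces)."""
    seen = {}
    for i in range(1 << 20):
        block = i.to_bytes(4, "big")
        s = toy_compress(IV, block)
        if s in seen:
            return seen[s], block
        seen[s] = block
    raise RuntimeError("no collision found")


def collision_survives_suffix(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard extension property: if two equal-length messages
    collide, appending the same suffix (e.g. the rest of a program) to
    both keeps them colliding. This is what lets one colliding block pair
    be turned into two full colliding executables."""
    return (m1 != m2
            and len(m1) == len(m2)
            and toy_hash(m1) == toy_hash(m2)
            and toy_hash(m1 + suffix) == toy_hash(m2 + suffix))


def sha256_differs(a: bytes, b: bytes) -> bool:
    """The defender's check: a second, unbroken hash separates the pair."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest()


if __name__ == "__main__":
    m1, m2 = find_single_block_collision()
    body = b"...same program body appended to both..."
    print("colliding blocks:", m1.hex(), m2.hex())
    print("toy hash equal after suffix:", collision_survives_suffix(m1, m2, body))
    print("sha256 differs:", sha256_differs(m1 + body, m2 + body))
```

The brute-force search stands in for the differential attack only in the sense of producing a colliding block pair; the point of the example is the second half, where the same suffix is appended to both and the collision persists, exactly the step that turns a 128-byte collision into two different programs with one MD5 digest.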

Almost three years ago I published a blog post on MD5 Online Cracking. I have also written about NIST’s new hash competition here and here.

[Thanks to Zeljko for pointing me to this implementation of the tool.]


Cell Phone Spying and How to Protect Yourself

Posted in Threats, Vulnerabilities, Attacks, Wireless Security by Dragan Pleskonjic @ May 11, 2008

Do you own a cell phone? Yes, of course. Then read this: Cell Phone Spying: Is Your Life Being Monitored?

It says:

It connects you to the world, but your cell phone could also be giving anyone from your boss to your wife a window into your every move.  The same technology that lets you stay in touch on-the-go can now let others tap into your private world — without you ever even suspecting something is awry.

and

You don’t have to plant a CIA-style bug to conduct surveillance any more.  A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

Also:

Dozens of programs are available that’ll turn any cell phone into a high-tech, long-range listening device.  And the scariest part?  They run virtually undetectable to the average eye.

Take, for example, Flexispy.  The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.”  Its tools use a phone’s microphone to let you hear essentially any conversations within earshot.  Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on.  The phone won’t even ring, and its owner will have no idea you are virtually there at his side.

Is that legal?

You won’t find it on the flashy front page, but buried a bit further in the site, the company says you’re fine to use their program only “on a phone that you own, for protecting your children,” or for purposes like “archiving data.”  It’s a bit of a contrast from the bold suggestions of “uncover[ing] employee espionage,” “catch[ing] cheating husbands,” and “bug[ging] meeting rooms” that fill the company’s materials.  After a little more explanation, their answer as to the legality of the service ends with a broad statement: “Please consult a qualified lawyer in your country for the correct answer to this question.”

Let me make it easier for you: Once you get into listening in to private conversations without either party’s consent, you’re treading rough water that could sweep you straight into jail.  Whether it’s an employee or a spouse on the receiving end of your mission, neither federal nor state privacy laws take violations lightly in America.  Getting caught could cost you several years behind bars, among other serious penalties.

And can it be detected?

Finding spyware on your phone isn’t easy.  There are dozens of bug detectors available from surveillance companies, but the only true fix is taking your phone to your provider and having them wipe it out altogether.  That will restore the factory settings and clear out any hidden software that’s running on your phone.

Scary, isn’t it? I would strongly suggest keeping your hands far away from this.

But I would also suggest using security software for your cell phone. For example, there is F-Secure Mobile, and I have been using it for some time. Two products can be very helpful: F-Secure Mobile Anti-Virus(TM) and F-Secure Mobile Security(TM). Here are some details:

F-Secure Mobile Anti-Virus(TM)

  • F-Secure Mobile Anti-Virus(TM) is easy to use and does not require excess device resources or unnecessary user interaction.
  • It automatically scans all files in the background, both in the device and on the memory cards.
  • When an infected file is detected it is immediately quarantined to protect all other data in the system.
  • The antivirus database is updated invisibly in the background when a data connection is used for emails, web browsing etc.

F-Secure Mobile Security(TM)

  • F-Secure Mobile Security enables secure mobile computing by combining an integrated antivirus and firewall.
  • Device-resident protection safeguards the mobile device from any type of attack, from intrusion attempts to malware.
  • The solution delivers invisible and automated safety through real-time, on-device protection with easy to use firewall rule sets and automatic over-the-air antivirus updates.
  • F-Secure Mobile Security scans both incoming and outgoing internet/network data packets. It stops malicious, unwanted, harmful, or possibly dangerous packets.
  • F-Secure Mobile Security is designed to be easy to use and delivers protection without need for unnecessary user intervention.

We can expect much more to come soon.


Poll Results: Hacking Motives

Posted in Polls, Security, Security Research, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 2, 2008

The poll “Primary motives for hacking are”, which was open on this blog from December 21, 2007 to March 31, 2008, is now closed. Based on the answers of the visitors who took the opportunity to vote, the main reason why (malicious) hackers attack is that they see it as an intellectual challenge. The next reason is money, and so on.

Here is a summary of the results.

As was said in the introductory post for the poll, it is based on the classification of the Australian Government’s Institute of Criminology, i.e. its High Tech Crime Centre. You can see the paper (also linked in that blog post) here.

There was some polemic about the definition of hackers and whether it is correct to say that hackers are malicious. Many people think that the definition of hacker means they “wear a white hat”, i.e. hackers are not driven by malicious motives, while crackers are the ones who “wear a black hat”, i.e. are supposed to be malicious, according to that opinion. Also, some people mentioned that the poll lacks a precise definition of hacking and a description of the hacker/cracker difference for the sake of this poll.

This poll is about public opinion – what people think about hackers and their motives – so it was left to everyone’s own opinions and thoughts and was (intentionally) a little imprecise. :)

You can look at Merriam-Webster’s dictionary definition of hacker – it may be interesting.


Cold Boot Attacks on Encryption Keys

Posted in Cryptography, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Apr 2, 2008

If you thought your data was secure on an encrypted hard disk, read: Lest We Remember: Cold Boot Attacks on Encryption Keys. Researchers at Princeton University and the Electronic Frontier Foundation (EFF) have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer – say in the case of a stolen laptop, or a computer left unattended on a desk in sleep mode or while displaying a password prompt. The attack takes only a few minutes to carry out and uses the disk encryption key that is stored in the computer’s RAM.

There is also a full research paper and a YouTube video about this attack.

The abstract says:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
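The abstract mentions “new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay”. The idea behind key finding is that an AES key never sits alone in RAM: the cipher keeps its expanded key schedule next to it, and the schedule is a deterministic function of the key. A forensic scanner can therefore treat every 16-byte window of a memory image as a candidate key, expand it with the standard AES-128 key expansion, and accept the candidate when the bytes that follow match the expansion, tolerating a few flipped bits to allow for decay. The example below is added here to show that technique on a constructed 2 KiB “memory image”; it is my code, not the Princeton/EFF tool, and the decay model (a handful of random bit flips) is a simplification of what the paper characterizes. The key used is the FIPS-197 example key, which makes the expansion checkable against the standard.

```python
import random
from typing import List, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox() -> List[int]:
    """Build the AES S-box from its definition: multiplicative inverse in
    GF(2^8), then the affine transformation (avoids a 256-entry table)."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv, base, e = 1, x, 254          # x^-1 == x^254 in GF(2^8)
            while e:
                if e & 1:
                    inv = gf_mul(inv, base)
                base = gf_mul(base, base)
                e >>= 1
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _make_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule
    (the key itself followed by ten 16-byte round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotWord
            temp = [SBOX[b] for b in temp]           # SubWord
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return b"".join(bytes(word) for word in w)


def bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> List[Tuple[int, bytes, int]]:
    """Scan a memory image for AES-128 key schedules.

    Every 16-byte window is a candidate key; it is accepted when the 160
    bytes after it match the candidate's expansion within max_bit_errors
    flipped bits. Returns (offset, key, bit_errors) for each hit."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        sched = expand_key(cand)
        errs = bit_errors(sched[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


# Constructed sample: 2 KiB of pseudo-random bytes standing in for a memory
# dump, with the schedule of the FIPS-197 example key planted at offset 700.
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 700


def build_sample_image(flip_bits: int = 0, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(TEST_KEY)
    # Simplified stand-in for bit decay: flip a few bits inside the round
    # keys (the paper's decay model is more structured than this).
    for _ in range(flip_bits):
        pos = KEY_OFFSET + 16 + rng.randrange(160)
        image[pos] ^= 1 << rng.randrange(8)
    return bytes(image)


if __name__ == "__main__":
    print("clean image  :", find_aes128_keys(build_sample_image()))
    print("decayed image:", find_aes128_keys(build_sample_image(flip_bits=5), max_bit_errors=8))
```

Two things the example makes concrete: a key is recoverable from its schedule even when the scanner has no idea where in the dump it lives, and a small error budget is enough to survive a few decayed bits, which is why the mitigation has to be to keep keys out of RAM (or scrub them on suspend and shutdown) rather than to hope the dump is too noisy.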


[Thanks to colleague Sanida O. for bringing this to my attention].


StumbleUpon Privacy Risks

Posted in Internet Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 8, 2008

Be careful, be very careful when you use social networking sites! Some social networking sites, and some sites that pretend to be social networking sites but are really marketing profiling sites, may pose a huge privacy risk. I will talk here about the very popular StumbleUpon, which shouldn’t pose such a risk, but actually does.

When you sign up for StumbleUpon, you are offered the possibility to email everyone on your mailing lists, including MSN/Hotmail, Yahoo Mail, Gmail, AOL, Facebook, Outlook, Outlook Express etc., and invite them to join your friends list. It is offered through a very simple user interface in the browser.

Stumble Upon Import Your Contacts

If you choose to use this possibility, you will need to provide your user name and password for MSN/Hotmail, Yahoo Mail or Gmail! Looks like a password scam, doesn’t it?

Even more, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbleUpon Contact Import. I hope that you have a proper security level set in your Internet Explorer; otherwise you will hand them the list of all your Outlook contacts with just one (even accidental) click.

Stumble Upon Contact Import Add-On

If you click on the image above, you’ll see a larger version and can read the message that says “Don’t worry, it’s safe :)”. The message ends with a smiley, yes… Funny! Reading StumbleUpon’s terms and privacy policy, you will probably not find many details about this. It looks like the usual benign privacy policy, without any mention of the high privacy risks to which you are exposed by using this social networking site.

After I sent a question to support using the Web-based contact form, an automated response arrived, which I answered with an additional e-mail question stating the urgency of a response. There is no answer to these questions yet.

There are also other privacy risks of this social networking site, including the list of friends being visible to everyone, visited (stumbled) Web sites, contacts, preferences, messages etc. StumbleUpon also offers its toolbar, which some antispyware scanners consider spyware.

There is also a post on Steve Riley’s blog that talks about FanBox. When you sign up for FanBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems).

My recommendation is to avoid clicking on anything suspicious, especially anything that will talk to your mail clients, Web-based mail and your contacts there. Or to put it more strongly: never, ever click on anything like this!

There is also an earlier post on this blog, “The Privacy Risks of Social Networking Sites”.

Note: StumbleUpon has sent many visitors to my blog and it seems that some stumblers like it – thanks to all of them. But I have to be honest – StumbleUpon poses a privacy risk.
