There has been wide coverage of the naming and shaming of the supposed perpetrators behind the Koobface botnet, which has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then Facebook’s security team threatened to, and did, reveal the gang’s real identity; the New York Times even ran an article on it, and finally Sophos published another in-depth look at how they too discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appears to have worked in this instance, as the botnet Command & Control centre has been turned off, and it also appears they named the right people; but what if all those blogs/researchers had made a mistake!? It would have been nothing more than a smear campaign that could have affected the lives of some innocent internet users.

This tactic is used by the police in some countries so they can catch “real” criminals on the run. They name and shame, appealing for help from the public and thus making it more difficult for the criminals to carry on with their illegal activities.
By “real” I mean criminals in the traditional sense of the term, who have broken the law physically as opposed to virtually. But as our lives become more and more entangled with the virtual world, criminal activities “there” can and do have an impact “here”.

Where I think there is a difference is that the police conduct a thorough investigation before naming and shaming; more importantly, they follow an established, documented and legally sound process to conduct such an investigation. Although those security researchers are experts in their own right (pun intended), it is a dangerous game to become a vigilante…

To conclude, I am not fundamentally against this practice, but I am concerned it could spiral out of control. It also highlights how difficult it is to get hackers to stop their activities, as this is some kind of last-resort solution.

 

By websites, I should really have said Web Applications, but the end result is the same: a server serving pages on the Internet could see its CPU usage rise to a level that makes it unusable for a few minutes or more, all from a relatively small, specially crafted malicious HTTP request.

This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!

Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and how the different web application languages were affected.

The core of the issue is the way hash lists have been implemented in those languages. “Hash” here refers both to a specific type of data structure and to the hash function used to build it. A hash list is a type of data structure that is very popular because it stores and accesses data in a list very quickly. Before an object is inserted into a hash list, it is first hashed using a hash function to provide a “unique” hash reference, which is then used to store and access the object in the list. To simplify, it replaces the usual [i] of a standard list with a [hash reference] (“i” being an integer).

In reality those hash references are not so unique and collisions do occur. When that happens, the objects with the same hash reference are daisy-chained. The longer the chain, the less efficient the hash list becomes. Under normal operation this does not happen often and is not a problem.

But as first highlighted by Scott Crosby and Dan Wallach in 2003, the data/objects stored in a hash list can be manipulated so that collisions happen much more often. So much more, in fact, that the hash list degenerates, sending the server’s CPU into overdrive and bringing the server to its knees in the process.

Alexander and Julian explained at 28c3, as shown in this video, that for Perl the issue was located in how the DJBX33A (PHP5) and DJBX33X (PHP4) functions generate hashes. Other languages were also vulnerable because they use very similar functions to generate their hashes.
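To make the degeneration concrete, here is an added example (not code from the talk, the paper, or any affected runtime): DJBX33A as named above, a small chained hash list that counts key comparisons as a stand-in for CPU time, and two hypothetical defences, a fail-closed chain-length guard in the spirit of the parameter limit mentioned further down, and a per-process keyed hash. The 32-bit mask, the choice of keyed BLAKE2b, and all class and function names are my assumptions.

```python
import hashlib
import itertools
import os

def djbx33a(s: str) -> int:
    """DJBX33A, the PHP5-style string hash the talk discusses: h = h*33 + c (masked to 32 bits here)."""
    h = 5381
    for c in s.encode():
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

def colliding_keys(n_pieces: int) -> list:
    """'Ez' and 'FY' hash alike (69*33+122 == 70*33+89); because the hash is a
    multiply-add chain, every concatenation of such pieces collides as well."""
    return ["".join(p) for p in itertools.product(("Ez", "FY"), repeat=n_pieces)]

KEY = os.urandom(16)  # per-process secret for the hypothetical hardened hash below
def keyed_hash(s: str) -> int:
    """Keyed BLAKE2b: a client that does not know KEY cannot precompute collisions."""
    return int.from_bytes(hashlib.blake2b(s.encode(), key=KEY, digest_size=8).digest(), "big")

class ChainedTable:
    """Minimal hash list with separate chaining. max_chain is a fail-closed
    guard in the spirit of the parameter-count limit mentioned in the post."""
    def __init__(self, hash_fn, nbuckets=1024, max_chain=None):
        self.hash_fn, self.max_chain = hash_fn, max_chain
        self.buckets = [[] for _ in range(nbuckets)]
        self.compares = 0  # key comparisons performed: a proxy for CPU time

    def insert(self, key, value) -> bool:
        """Store key; returns False (key dropped) when the chain guard rejects it."""
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):  # walk the daisy chain
            self.compares += 1
            if k == key:
                chain[i] = (key, value)
                return True
        if self.max_chain is not None and len(chain) >= self.max_chain:
            return False  # fail closed: reject instead of growing the chain
        chain.append((key, value))
        return True

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)

def fill(table: ChainedTable, keys) -> int:
    """Insert all keys; returns how many the table accepted."""
    return sum(table.insert(k, i) for i, k in enumerate(keys))
```

Inserting the 1024 keys from colliding_keys(10) into ChainedTable(djbx33a) produces a single chain of 1024 entries and 523776 comparisons, while the same keys under keyed_hash spread across buckets with only a few comparisons each.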

With the help of CERT, they communicated an advance advisory to the relevant vendors and organisations in early November 2011, after they had successfully implemented an attack for most of the languages used by Web Applications. They received different responses, some more satisfactory than others…

Ruby reacted very quickly and has a patch ready, Microsoft has issued a temporary workaround for ASP.Net by limiting the number of parameters, PHP and Python need more time, and Oracle, although they have provided a patch for Tomcat and will do the same for Glassfish in the near future, stated that it isn’t an issue for Java. If you watch the 28c3 video you can easily understand that they are wrong (clue for Oracle: go to the 32nd minute or so). Therefore we should expect a Java patch for the HashTable and HashMap classes soon, albeit too late.

To conclude, this is a serious issue that now has a practical and known way to exploit it, with global scope and a high performance impact. Microsoft, in a TechNet article, has provided a Snort signature to detect this type of attack against ASP.Net; it should be fairly easy to adapt it for other languages.

The recommendation is both to monitor for a patch for your web application languages (and implement it quickly when available) and to monitor your network for such attacks (and try to block the source IP if it is not a distributed attack). You should be reviewing which versions of the languages your Internet-facing web applications use, and probably also ask your third-party partners what they plan to do about it!

A nice summary is also available on Ars Technica.

PS: Thanks to Thierry for pointing me to the story in the first place!

 

OpenDNS has just released beta software to encrypt DNS queries, called DNSCrypt.

Not encrypting DNS queries exposes you to two main types of attack, as described by OpenDNS:
First, it prevents man-in-the-middle attacks which can cause malicious DNS responses to be used to trick you into visiting a dangerous website or send traffic to an unintended third party. Second, it prevents snooping by your ISP or any other intermediary who might want to sniff your DNS traffic to see what domains you are resolving.

DNSCrypt can significantly increase a user’s web security, as until now there was no way to encrypt DNS queries. As stated by OpenDNS, DNSCrypt should be seen as complementary to Domain Name System Security Extensions (DNSSEC), because the latter is not used to encrypt DNS queries but to provide authentication and a chain of trust.

DNSCrypt is not the answer to every DNS-related threat, though: OpenDNS still acts as a relay to the real IP of the website to be accessed, and if the DNS servers it got some of its information from are compromised, OpenDNS will still serve you the compromised IP. Also, one of the great advantages of OpenDNS is its ease of use, the fact that you just have to point your router to their DNS servers; with DNSCrypt you need software installed on each machine you want to protect. It would be great to see future routers support or integrate DNSCrypt so that it is seamless and also protects any device connected to that router, including smartphones, tablets, etc.

Nonetheless, this is definitely a step in the right direction! And although it is only available as a Mac beta, a PC version should be coming soon. Whether it will stay a free service also remains to be seen…

 

Twitter has just announced they will be opening up the technology from Whisper Systems, which they recently acquired. This is good news for Android users, and for Google. The technology allows text messages to be encrypted as well as providing full disk encryption; the latter will only be made available, well, later!

This has the potential to bring security enhancements to the Android masses.

The source code is now available here: GitHub

 

If you ever wanted to work for GCHQ, the UK secret intelligence organisation, they are running a contest until the 11th of December where you need to decipher some code to get a password. Once submitted, that password will redirect you to their recruitment website.

The password is probably “ifyoudon’twanttoworkforuswewillfindyou”…

If you fancy your chances, here is the site: http://www.canyoucrackit.co.uk/

 

There is a good article on TechNet on Next Generation Firewalls (NGF) and the fact that most, if not all, companies allow port 80 in/out, meaning traditional firewalls are less and less effective against malware that uses this port as a means to call home or get in.

The article nicely summarises the need to look beyond IP/port/protocol to the type of payload going through.

Although not a new technology, the evolution of malware is a growing issue that makes this technology more and more relevant.

 

Two vulnerabilities in iOS 5 have recently been discovered: one affects the iPad 2 and the other the new iPhone 4S. In both cases anyone can bypass the lock/passcode to gain unauthorised access to the device.

1) iPad 2 + iOS 5 + Smart Cover = anyone can unlock your iPad
This only affects the iPad 2 with iOS 5 and the Smart Cover set to automatically lock the device.
With a locked iPad 2, keep pressing the power button until you see the screen telling you to swipe to turn off, close the Smart Cover, reopen it and push the CANCEL button.
This will give you access to the last application that was used. It means that if you were on the application listing screen you will be able to see all the applications installed on the iPad, but you will not be able to open any other application. This is because you are in the “Finder”/“Explorer” application.
But it also means that if, before you closed your Smart Cover to lock your device, you were in the Mail application, using this technique would give you full access to the Mail app and your emails.

To fix the issue, disable the Smart Cover auto-lock feature until Apple fixes this bug.

2) iPhone 4S + Siri
With Siri enabled, even if you have locked your phone with a passcode, you can hold the Home button and Siri will be activated, allowing you to speak commands such as calling someone, sending a text or an email, etc.
Although you cannot open applications this way, you can still perform unauthorised actions, as mentioned above.

To fix this issue, disable Siri until Apple fixes this bug.

What is somewhat surprising is that it is taking Apple so long to fix these issues; they have been known for more than a week…

 

The Inquirer recently ran a story about a group targeting Facebook and its use of your personal information. This group, called “Europe Vs Facebook”, claims that Facebook not only stores information about you even after you have deleted it (in other words, it never really gets deleted) but also creates ghost profiles of users who opted not to be on Facebook in the first place.

I find this very interesting because technically it is quite possible… Even if someone is not on Facebook, their photo can be uploaded and their name tagged to it. It would require much more intelligence to correlate information about that person discussed in Facebook mails/messages, but it is in theory possible.

Although many people have warned in the past about Facebook’s big-brother attitude, its deletion policy emphasises that they were right!

The Europe Vs Facebook website explains how to request from Facebook all the data they hold on you.

The best advice regarding Facebook is to consider all the information in it public, even if you are restricting it to a select few friends. Once you have told a story or shared a photo online, you no longer control it.

Now the question really is, what about other social media sites? Twitter and co?

 

 

This is a bit of an unusual post for this site because it is not directly related to IT Security, but I recently watched a video of a lecture by Rearden CEO Steve Perlman that I found truly inspiring!

Steve Perlman is the Steve Jobs of Engineering.

He has participated in, invented or funded many different cutting-edge technologies and gave an overview of three of them in his lecture. What strikes me is how all those technologies are linked together, even if it isn’t necessarily obvious. It would be tempting to say it is all driven by his apparent interest in gaming, but that would be too simplistic; it is driven by a desire to invent new technologies and not being afraid of rewriting the rules!

1. The first technology he spoke about is MOVA, which apparently rewrote the rules on how computer-generated 3D characters are made (and more, if you look at his last example about Batman). It is impressive to see the list of films now using that technology, from “The Curious Case of Benjamin Button” to the latest “Pirates of the Caribbean”. I actually thought they used real actors and a mask for Benjamin Button…
It was also interesting to see that studies show the human brain doesn’t like “almost perfect” images of humans. In fact, we prefer a cartoon face to a very good but still not quite real 3D face. Something I believe we all sensed when watching some animated movies a few years ago which, although technically impressive, were just not quite right.

2. Then he spoke about OnLive, a technology primarily aimed at streaming HD, power-hungry gaming experiences to terminals such as TVs, tablets, phones, etc…
Basically this is gaming in the cloud, but really, it is so much more!
I liked his analogy that today’s cloud solutions are more hybrids than complete solutions: you have a range of applications hosted in different “clouds” and some online storage in some other “clouds”, etc.

What they have designed is a hugely powerful backend that “just” streams video/audio to a terminal.
But for this to be usable they invented a new video compression technology which performs very well. Apparently the requirements are 3 to 5 Mb/s (soon to be 2 Mb/s) for HD video and 0.5 to 2 Mb/s for phone/tablet quality, which can be obtained on 3G!
You also need to be within 1,000 miles of one of their datacenters: 3 in the USA and only 1 in Europe (Autumn 2011).

Not only is their gaming offering already impressive and has been running for a year in the USA, but he also demonstrated the use of Maya directly from an iPad.
So you could always question how useful it is to use such a complex application on such a small device, which does not necessarily have the right human interface to interact efficiently… but that technology also works on Mac or PC, and not everyone has a computer fast enough to handle that type of application.

The great thing about their technology is that you do not need to upgrade your device to keep up with the latest CPU or GPU requirements of future applications.

It would be interesting to find out more about how they handle file sharing among applications and what security they can offer to protect your hosted data.

3. Finally, he presented a new wireless technology which sounds pretty impressive. One that apparently breaks Shannon’s law with regard to shared spectrum capacity, as it could offer 10x to 1000x what is available today. Furthermore, it has wider coverage than TV, at least 30 miles. It is also much faster than 4G with much lower latency, consumes less power, costs less, etc…

It does sound too good to be true, but with Steve Perlman’s track record I am happy to believe him.
This is apparently possible because we should not consider airwaves like strings or wireless telephone lines; he made an analogy with a cell bubble around a telephone which I didn’t really understand, but then I don’t think anyone in the audience did! There is a white paper HERE.
It is called DIDO, for Distributed Input Distributed Output.

According to Steve this is a completely new way to look (I should really say listen ;) at airwave propagation, and if you were to look for DIDO traffic with standard radio equipment you would see nothing but noise.

This got me thinking: if this technology is so new, has such a huge and yet unknown coverage, and cannot be detected with today’s radio technology… shouldn’t someone speak to SETI so they can listen for this “advanced” communication method ;)

Seriously though, this is all very impressive. It is a long video, about 1h30, but as I said at the start of this post, Steve is an amazing source of inspiration. What a great attitude and what great achievements!

He created a technology to produce lifelike animations, a technology to deliver those graphics and more to everyone, and finally a transport medium which could deliver all this almost anywhere in the world. This may be a loose link between all those inventions, but a link nonetheless!

I am looking forward to seeing those new technologies blossom, and to his future inventions!



© 2011 Encryptsolutions Suffusion theme by Sayontan Sinha