Current events: Adobe Reader Vulnerability

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system. “In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution,” blogged McAfee researcher Geok Meng Ong.

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date. “While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

Adobe acknowledged the zero-day in an advisory to customers calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Posted in Current Events | 7 Comments

XSS in the Wild (Updated)

When I recently tried to look up some information about the song L’America by The Doors, I stumbled upon the site songfacts.com (http://www.songfacts.com/detail.php?id=278). At the site, I was immediately greeted by a popup box cheerfully proclaiming “HAI2U”. After having dealt with this extensively in lab 2, I immediately recognized this as an XSS vulnerability that someone had taken advantage of. Looking into the source code, I saw that the JavaScript alert was the only thing that had been done, luckily not too malicious. Unfortunately, the code was also in a permanent comment on the site, so that any visitor to the site is subjected to the attack rather than having to follow a special link. The attack was done with a simple script tag, so obviously little or no filtering is being done. I sent an email off to the site telling them about their vulnerability, what a malicious user could use it for, and how to fix it with a PHP filter, along with a link to a suitable filter. Although part of me wanted to play around with the security hole a little more (perhaps a real-life version of lab 2?), I thought it would be better to try to have them fix the site. I like songfacts because there are some interesting things there, so I would rather they fix it than have someone else break the site with redirects, cookie stealing, or other similar (or even more malicious) things. I just wanted to let everyone know that what we did in lab 2 is most definitely applicable to real life, and XSS vulnerabilities are still out there on many different sites.

One other thing I wanted to ask others about is how you would deal with this situation of finding a vulnerability in a website. Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi-malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?

As a side note, please don’t exploit this because the vulnerability is still there on that site. Remember, you signed legally binding and restricting ethics forms!

Update:

After I emailed the website, they took out the offending post and also asked me for more information on fixing this problem. I wrote some more information for them and tried to help clear up this security vulnerability as well as others that may arise from the same issue of user input sanitization. The admin was very glad to have help and offered to send me a t-shirt in return. It looks like being good and helpful paid off.

On another note, I have found XSS vulnerabilities to be way too common on the web. As dangerous as these can be, it seems like site administrators are not well informed about these problems. While just going about normal business on the web, I also found an XSS vulnerability in the Windermere real estate pages. I have emailed that webmaster as well so hopefully they are as receptive to the problems as the first site owner was.
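The stored-comment problem described in this post, as an added example that is not code from the original post or from songfacts.com: the first renderer concatenates the stored text straight into the page (what a site with "little or no filtering" does), the second applies HTML output encoding, which also neutralizes payloads that are already sitting in the database. The sample comment is constructed.

```javascript
// Constructed sample: a stored comment of the kind the post describes.
// Every visitor who loads the page receives this string from the database.
const STORED_COMMENT = 'Great song! <script>alert("HAI2U")</script>';

// Vulnerable: the comment text becomes part of the HTML unchanged, so the
// browser parses the <script> tag and runs it for every visitor (stored XSS).
function renderCommentVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened: encode the five characters that carry meaning in HTML text and
// attribute contexts. This mirrors PHP's htmlspecialchars() with ENT_QUOTES,
// the kind of filter the post refers to, but done at output time.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Different contexts need different encoders: a value placed in a URL query
// gets percent-encoding, the same value in an attribute or text gets HTML
// encoding. Mixing them up is a common way to leave a hole open.
function renderAuthorLink(name) {
  return '<a href="/user?name=' + encodeURIComponent(name) + '" title="' +
    escapeHtml(name) + '">' + escapeHtml(name) + '</a>';
}

// Quick review helper: true when a rendered fragment still contains an
// executable script tag (useful for auditing templates, not as a filter).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding on output, rather than filtering on input, is the part that matters here: the offending comment the post mentions would have been rendered harmless by the safe renderer even before the admin deleted it.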

Posted in Miscellaneous | 8 Comments

Security Review: Self-scanning Checkout

Self-scanning checkout, also called “self-checkout”, is an automated process that enables shoppers to scan, bag, and pay for their purchases without human assistance. A typical self-scanning checkout lane looks like a traditional checkout lane except that the shopper interacts with a computer’s user interface (UI) instead of with a store employee. On-screen instructions guide shoppers through the checkout process. Typically, the customer scans each item or manually enters its identification code and then bags it. The weight observed in the bagging area is verified against previously stored information to ensure that the correct item is bagged, allowing the customer to proceed only if the observed and expected weights match. After scanning and bagging, the customer may choose a method of payment: debit card, credit card, or cash. There is normally an attendant watching over several self-checkout machines to provide assistance, prevent theft through exploitation of the machines’ weaknesses, and enforce payment. Attendant assistance is also required for the purchase of age-restricted items.


Posted in Security Reviews | 3 Comments

State of Utah Fleeced for $2.5 Million

Over $2.5 million was stolen from the State of Utah’s Treasury, according to a recent article in the Salt Lake Tribune. According to the article, an attacker obtained a vendor number for the University of Utah’s construction department, then submitted paperwork with a forged signature from the director changing the department’s bank account to a new Bank of America account located in Texas (the article uses the word “signature” but I can’t seem to find whether it was digital or hand-written; I am assuming hand-written given the context). The attacker apparently set up this account using intermediaries who may not have known its purpose. With the account in place and the paperwork filed, the attacker began submitting invoices on the State of Utah’s website on behalf of the University department, such that deposits summing to nearly $2.5 million were made into the fraudulent account. Fortunately the account was frozen before $1.8 million was transferred, resulting in a net loss of $700,000.

Posted in Current Events | Comments Off on State of Utah Fleeced for $2.5 Million

Current Event: YoBusted.com, busted?

According to a recent article from Business Week, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The “busted” friend can remove the photos, but only after paying a fee to become a member of the YoBusted site. According to the article, at least four people found photos on the site that had been taken from their Facebook profiles and posted on YoBusted without their permission and inaccurately tagged with their names (thus wrongly accusing them of participating in the activities depicted in the photos). Facebook has alerted the FBI against this site claiming that posting the pictures was a violation of Facebook’s terms of service and that the site is unlawfully requiring payment for picture removal. YoBusted claims that it provides many services (not just removing pictures) that justify charging a fee to use their site and that in order to maintain the attractiveness of the site, will remove photos under their discretion without charging a fee.

Besides the obvious personal security concerns of having embarrassing photos posted online without the individual’s permission, there are larger issues here: anyone can make a website that can provide almost any service they want. YoBusted is an incorporated company using a legally registered domain to provide a service that allows anyone to be the paparazzi and everyone to be the next big tabloid story. This site is the incarnation of a common public desire, gossip, only people are taking it more personally when it’s their face plastered all over a website instead of some big movie star or politician. Quite frankly, I think this site is teaching users a valuable lesson: don’t put embarrassing photos of yourself on the internet, and increase the privacy settings on your social networking sites.

I think another big issue highlighted by this controversy is that individuals are no longer in control of their online reputations. It seems that even a person who has never accessed the internet can’t escape some amount of information about themselves being somewhere online. The underlying question is how can people combat something they can’t even detect? Are internet users (and non-internet users for that matter) really expected to constantly surf the web to ensure no one has posted something about them without their permission?

People will most likely react to this site’s attempt to provide a “valuable” service with concern and fear, which will hopefully encourage them to take down embarrassing photos of themselves and increase their privacy settings online. In the broader social context, maybe this issue will make people think twice before they do something stupid. I doubt it, but for humanity’s sake, I can at least give them the benefit of the doubt.

Note: YoBusted.com is currently “Under Construction”. I’d be interested to know if this is a direct result of Facebook’s accusations and/or other political/social influences.

Posted in Current Events, Ethics | 2 Comments

Security Review: Automobiles

In the United States, automobiles are everywhere. Most middle-income families own more than one vehicle, and chances are that everybody knows of at least one person whose vehicle has been broken into or stolen. Cars, trucks, and SUVs are very expensive and contain many assets that would interest adversaries. As technology improves, the ways vehicles are secured continually get better, but thieves also get smarter. There will never be a completely secure vehicle.


Posted in Security Reviews | 2 Comments

Weak Password

According to a Yahoo! News story posted on physorg.com, statistics on 28,000 passwords recently stolen from a popular US website show that “16 percent took a first name as a password … 14 percent relied on the easiest keyboard combinations to remember such as ‘1234’ ….” People tend to use passwords that are easy to remember, such as names, their favorite words, etc. Since most people have many accounts, in order to manage their login passwords they tend to choose easy-to-remember ones.

One way to prevent people from using weak passwords is to provide a built-in password checker when users register a new account or want to change their passwords (like the one posted here). There should be a requirement for password length and composition. A secure password has to be at least 8 characters long and it “should include a combination of uppercase and lowercase letters, numbers, and symbols.” Moreover, it would be helpful to show a short side note on how to create a secure password.
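The registration-time checker described above, as an added example that is not code from the original post or from the page it links to. It applies the stated rules (at least 8 characters, with uppercase, lowercase, digits and symbols) and additionally rejects the two patterns the quoted statistics single out, bare first names and keyboard runs; the name and keyboard-run lists are constructed samples, not real data.

```javascript
// Constructed sample lists. A real deployment would load far larger ones
// (a names list and a breached-password blocklist) from a file.
const COMMON_FIRST_NAMES = ['michael', 'jennifer', 'david', 'sarah', 'james'];
const KEYBOARD_RUNS = ['1234', 'qwerty', 'asdf', 'zxcv', 'abcd', '0000', '1111'];

// Returns a list of human-readable problems; an empty list means the
// password is accepted. Returning all problems at once lets the UI show
// the user everything to fix, which is the "side note" the post asks for.
function checkPassword(password) {
  const problems = [];
  if (password.length < 8) problems.push('shorter than 8 characters');
  if (!/[A-Z]/.test(password)) problems.push('no uppercase letter');
  if (!/[a-z]/.test(password)) problems.push('no lowercase letter');
  if (!/[0-9]/.test(password)) problems.push('no digit');
  if (!/[^A-Za-z0-9]/.test(password)) problems.push('no symbol');

  const lower = password.toLowerCase();
  // Strip trailing digits/symbols so "Michael1!" is still recognised as a
  // first name with the minimum decoration added to pass the class rules.
  const core = lower.replace(/[^a-z]+$/, '');
  if (COMMON_FIRST_NAMES.includes(core)) problems.push('based on a common first name');
  if (KEYBOARD_RUNS.some((run) => lower.includes(run))) {
    problems.push('contains a keyboard sequence');
  }
  return problems;
}

function isAcceptable(password) {
  return checkPassword(password).length === 0;
}
```

Composition rules like these were the standard advice when the post was written; checking candidates against a large list of passwords exposed in earlier breaches catches far more weak choices than the character-class rules alone.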

An attacker can compromise people’s accounts by guessing these easy-to-remember passwords, with about a 40 percent chance of getting them correct. Other than that, users tend to write their passwords down on notes or on their PC. If attackers get access to those users’ computers, they can easily find the passwords.

If people think that their account for a website is not that important to them, they won’t even bother to change their passwords to stronger ones. They believe that even though they have weak passwords, their accounts won’t be attacked. On the other hand, people would probably change their weak passwords to more complex ones for financial accounts such as bank accounts or private accounts like Gmail.

Posted in Current Events, Ethics | 4 Comments

Current events: Microsoft offers money for catching Conficker virus creator

I didn’t pay much attention to the event mentioned earlier about the Conficker virus until this new event related to it arose; after all, being infected by a virus is hardly a rare occasion.
To remind you, it is estimated that there were over 10 million computers infected with the worm, which utilized a bug in the Windows OS to infect unprotected computers, including those in government and military organizations. Its creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer a $250k reward for information on the authors of the Conficker virus. Since this is one of those rare occasions on which Microsoft has offered a reward, it convinced me of the severity of the problem.
These rewards have been shown to work in the past, one of the most famous cases being the sentencing of the writer of Sasser in Germany. Microsoft happens to strike a good balance between stick-and-carrot politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing the BlueHat conference for outside security professionals, for example).
Although there is a trend in countries such as, say, Russia to implement harsher sentencing for cybercrimes, in many countries the complexities associated with getting the reward, or reaching a sentence, remain a big obstacle to those willing to turn in the creators of viruses.
Looking at the bigger picture, offering bounties exploits the trust of a hacker who shared his adventures with his colleagues, hoping they would keep it secret. But it seems there could be an inverse relation: the more bounties are given out, the less effective they become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically, but fail to realize the severity of the risk of the human factor from their standpoint. Let’s see whether it works this time.

Posted in Current Events, Miscellaneous | 3 Comments

Security Review: HomeLink Universal Transceiver

The HomeLink Universal Transceiver is a device that, like a universal remote, can record the output of a wide variety of garage door openers and home automation control systems and emulate the output for future use. When used as advertised, the HomeLink system simply replays signals that you could have produced anyway, but from a central source. However, since the HomeLink device basically allows replay attacks, there are security implications if the device is to be used by someone with sinister intentions.

Community gate openers and garage door openers are, by their very design, long-range communication devices. If the signal the opener emits cannot be detected a good distance away, the device is not doing its job. Therefore, it follows that the HomeLink device could record garage door opener signals while passing by a car that is using a garage door opener. With access to many types of garage doors after being in the proximity of the door opening, a world of possibilities opens up.


Posted in Physical Security, Security Reviews | Comments Off on Security Review: HomeLink Universal Transceiver

Security Review : Add-ons

An add-on is a simple plugin that you use, say for Firefox, to let you do your work more easily. This also lets you customize the browser in ways that do not affect the productivity of other people. Add-ons are becoming a major part of browser functionality, but without the scrutiny that goes into developing a browser.

Assets and Security Goal:

* Assets: Your browser, everything that you use it for, your cookies (uh, not the ones you eat), and your privacy.
* Security Goal: Protect your privacy at all costs, along with your cookies and your intimate browsing secrets!

Adversaries and Threats:

* Unauthorized publishers: This is the dreaded group of publishers who are able to make an add-on for your browser and pass it off as legitimate and harmless. This is much easier than you think, since most add-ons are unverified, or rather community-verified, and it might take a while for someone to find the exploit.

Weaknesses:

* Counterfeit add-ons are the biggest risk: a majority of the add-ons come from unverified authors.
* Deception by community rating. Since the rating for the plugins is done by the community, an obscure or malicious add-on can easily be made to look legitimate by a community of attackers, or by one attacker with a community of profiles.
* Unauthorized plugins from third-party websites.

Defenses:

* Other legitimate users: These are probably the best and most formidable defense when it comes to validating add-ons. However, this is also a delayed defense, since ‘enough’ users will have had to use the add-on for someone to finally detect a malicious exploit.
* Firewall: Your firewall is also your second line of defense in preventing backdoor access through a malicious add-on.
* Antivirus software: An up-to-date virus definition file should help the software detect a malicious plugin. However, this also assumes that the attacker used a known exploit, trojan, or virus to inject into the add-on.
* Security updates from the browser and OS: These can help patch the exploits that are currently in place.

Risks:
The risk of being duped is the loss of a significant amount of the personal information that is stored in the browser. With the shift of browsers towards acting like an OS, with features to save passwords, sessions, etc., there is an unbelievable amount of personal information that can be stolen through a malicious add-on. The add-on can also redirect to malicious websites that involve elaborate phishing scams, leading to the loss of information and money. Such attacks give the hacker complete control of your online portfolio, which can be held for ransom and also misused, causing personal damage.

Conclusion:
Overall, although there are inherent risks to open source projects like a community browser, a large part of the attacks are easily mitigated due to the sheer number of users that pass through such an add-on. There also seems to be a significant, active, and unofficial community that monitors the plugins for malicious intent. One way to decrease the probability of such an attack would be to let a significant time pass between the release of a plugin and its installation, so that it can be tested by active community members. Filtering the installation of add-ons also becomes an important but often impossible task in a corporate environment, where the risks are especially high. Unsigned add-ons are definitely a double-edged sword that needs to be handled with care.

Posted in Policy, Security Reviews | 1 Comment