Friday, February 12, 2010

China shuts down cracker website

The Chinese authorities have shut down what they describe as the biggest training website for hackers in China. The China Daily newspaper on Monday reported that three of the people behind the "Black Hawk Safety Net" site have been arrested. The group is said to have offered software and assistance for cracker attacks over the web. Since 2005, the website has acquired 12,000 members, taking in 7 million yuan (approximately £650,000) in membership fees. According to China Daily, 170,000 users were registered with the site.

The police began investigating the site in 2007, when a number of Black Hawk members were connected to an attack on the municipality of Macheng in Hubei province. News of the shutdown comes against the backdrop of a dispute with the USA over an attack on US internet giant Google. Google claims that the attacks originated in China. The Beijing government has rejected the allegations, stating that it is itself the biggest victim of online attacks and takes stern measures against crackers.

China Daily quotes a 23-year old Black Hawk member as saying, "I could download trojan programs from the site which allowed me to control other people's computers." Courses cost between 100 and 2000 yuan (approximately £9 and £187). "I did this just for fun but I also know that many other members could make a fortune by attacking other people's accounts." In Chinese press reports the talk has largely been of attacks on private access data for games and other entertainment websites and on e-mail and chat rooms. A 20-year old student told China Daily, "Basically students were told how to steal accounts and use trojan programs."

Hacker extracts crypto key from TPM chip


An American hacker has, with a great deal of effort, managed to crack a Trusted Platform Module (TPM) made by Infineon. He was able to read the data stored on the TPM chip, for instance cryptographic keys (RSA, DES) such as those also used by Microsoft's BitLocker on appropriate motherboards.

TPM hardware incorporates various levels of logical as well as physical measures designed to counter a range of attacks, such as differential electromagnetic analyses (DEMA) and even physical intrusions. Once the keys are retrieved, however, an attacker can read the encrypted data stored on a hard disk without needing a password.

Previously known as the smart card hacker, Christopher Tarnovsky of Flylogic Engineering has presented his work at the Black Hat DC security conference. He apparently managed to suss out a processor in the "SLE 66CLX360PE" family used in the TPM. For this purpose, he extracted the actual chip from the housing in his special lab using various procedures that involved liquids and gases (a video about this is available online).
He then worked his way through the different layers of the chip using, for instance, a Focused Ion Beam microscope and Photoshop to figure out the chip's structure and find a way into the heart of the TPM.
Subsequently, he analysed the on-chip signalling pathways to obtain access to the processor's data bus. This took Tarnovsky the better part of six months and numerous TPM chips. However, retrieving the license key of an XBox 360, which also contains Infineon's TPM, apparently only required an additional six hours.
While Tarnovsky says that Infineon has so far said such attacks just weren't feasible, Peter Laackmann, Infineon's Senior Principal for Chip Cards & Product Security, in an interview with The H's associates at heise Security, denied this is the case.
The executive said that Infineon does not rule out the possibility of successful attacks. Laackmann said that TPM chips are not uncrackable and are not advertised as such. The potential for such an attack was already evident in an earlier evaluation phase and had apparently been carried out successfully by company researchers, quite some time ago.
However, one mustn't neglect the effort involved in such an attack, said Laackmann, adding that even Tarnovsky himself admits that the necessary steps aren't easy to reproduce and require a considerable amount of special equipment. According to Tarnovsky, the required lab equipment represents an investment of about $200,000.
Laackmann also said that the product family has become obsolete, and that the cracked processor was only intended for smart cards. There is a new generation of TPM chips based on the SLE78 family, which apparently offers not only further physical anti-intrusion measures, but also additional cryptographic features. In these chips, recording data bus traffic after breaking into the housing is said to be ineffective because the data is encrypted. Infineon's Integrity Guard concept is designed to avoid the transmission and processing of plain text data altogether. However, so far, few devices incorporate these new chips.

The hack's potential consequences for the many TPM-protected systems in corporate environments, for instance, are difficult to predict. One can hardly assume that criminals will reproduce such attacks on a practical level in the medium term. However, intelligence agencies could use the technology in targeted attacks – perhaps they are doing so already. Tarnovsky does not intend to publish the details of his approach – but he is also a businessman. He plans to test the security of other vendors' TPMs in the near future.

Friday, February 5, 2010

David Litchfield



David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt für Sicherheit in der Informationstechnik in Germany. David is a CHECK team leader and holds SC clearance.
In 2003 David was voted "Best Bug Hunter" by Information Security Magazine. He has found and helped to fix 24 security flaws in SQL Server, including the vulnerability that was exploited by Slammer, 17 in IBM's DB2, 22 in Informix and over 100 in Oracle. In February 2008 David discovered a new class of vulnerability in Oracle that can lead to "Lateral SQL Injection" and, in November 2006, another new class of vulnerability in the same RDBMS that can lead to "cursor snarfing" attacks. Both are general programming flaws that can lead to data compromise. David pioneered major advancements in Oracle forensics and has authored 6 technical papers since March 2007 on the topic.


David is Chief Research Scientist at NGSSoftware, a UK computer security services and software company he founded in 2001. NGSSoftware was acquired by NCC Group in November 2008. In 2007 NGSSoftware was awarded the Queen's Award for Enterprise, and was listed as one of the UK's fastest growing tech companies by both Deloitte and the Sunday Times. NGSSoftware was winner in the Best Security Company category in the 2008 European SC Magazine Awards and runner up in 2007. Previously David was Director of Research at @stake after his first company, Cerberus Information Security, was acquired in July 2000.
In May, David was named the "Entrepreneur of the Year" at the South London Business Awards 2008.
Prior to starting a career in computer security David competed as a track and field athlete for Scotland. He was the Scottish Under 20 Champion for both the long jump and decathlon and is the holder of the Scottish Schools Indoor record for long jump.
Source: http://www.davidlitchfield.com

Thursday, February 4, 2010

Report: Google to work with NSA over cyberattacks


According to a report from The Washington Post, following the recent massive cyber attacks originating in China, Google will be working with the United States National Security Agency (NSA). Under the agreement, which has yet to be finalised, the NSA will help Google analyse the information gathered from the recent attacks and will help to investigate and defend against future attacks on the company's networks. The report goes on to say that "the deal does not mean the NSA will be viewing users' searches or e-mail accounts, or that Google will be sharing proprietary data". Neither Google nor the NSA has confirmed the Washington Post report.

Google had announced in mid-January that hackers based in China had attempted to gain access to the email accounts of several Chinese human rights activists and had stolen important source code that could potentially allow access to other data. Following the attacks, the company said that it was no longer prepared to bow to Chinese censorship, that it is considering withdrawal from the world's largest and fastest-growing internet market and closing down Google.cn and its Chinese office. Google has already received the backing of the US government, however, China has denied any involvement in the attacks.

Created by President Truman in November of 1952, the NSA is the largest intelligence service in the US. Approximately 120,000 soldiers and civilians from around the world work for the agency. In 2005, it was revealed that the NSA had been tapping the telephones of its own citizens.

Microsoft confirms new vulnerability in Internet Explorer



Microsoft has confirmed the existence of a security vulnerability revealed at the Black Hat DC security conference on Tuesday and itself issued a warning. The vulnerability allows a crafted website to access and read the content of arbitrary files on a PC. Although an attacker needs to know the specific path and file name, for a standard Windows installation these are usually known default paths.
All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access. For Internet Explorer 7 and 8 running under Windows 7, Vista or Server 2003/2008, the vulnerability cannot be exploited as long as protected mode is activated in the browser (as it is by default).
Microsoft has said that it is looking into how it can solve the problem. However, solving it is not going to be straightforward, as Jorge Luis Alvarez Medina of Core Security Technologies, who discovered the vulnerability, has repeatedly stressed. The crux of the problem is that security zone settings in Internet Explorer do not always bite if a path is entered in the browser in UNC (Uniform Naming Convention) format (e.g. file://127.0.0.1/C$/.../index.dat). This means that under specific conditions JavaScript from the Internet Zone can access (and render) local files, despite the zone model being intended to prevent this.
Core Security reported two similar cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. However, until now, Microsoft has always merely patched things up, without addressing the actual core problem. As a result Medina has been able to discover a new means of reading local files. To overcome the hurdles set up by Microsoft, he takes advantage of a bug in the way the MIME type of local files is determined and a weakness when processing OBJECT tags.


As an interim solution, Microsoft has released a downloadable fix-it tool which disables the Internet Explorer file protocol. This could, however, cause problems for some other applications.

Tuesday, February 2, 2010

China: We are biggest victim of hacking

China has denied any role in alleged cyberattacks on Indian government offices, calling China itself the biggest victim of hackers.
When asked about Google's allegation that cyberattacks launched from China hit the US search giant, foreign ministry spokesman Ma Zhaoxu said Chinese companies were also often hit by cyberattacks.
"China is the biggest victim of hacking attacks," Ma said, citing the example of top Chinese search engine Baidu.com being hacked last week.


Google last week said it might exit China after being hit by recent hacking attempts largely aimed at accessing the Gmail accounts of Chinese human rights activists. It also said it planned to hold talks with Chinese authorities about whether it could offer an uncensored version of its local search engine.
Ma said he did not know if Chinese authorities had started talks with Google. A Google spokeswoman did not confirm a Bloomberg news report that Google and China had already started the talks. "That's not what we've been saying," she said in an email.
An Indian official has reportedly said local government offices including that of India's National Security Advisor were also targeted last month by hackers believed to be from China.

Google invites attacks on Chrome


Google has launched an experimental programme to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation's 2004 Security Bug Bounty Program, $500 will be awarded for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337 – however, this reward is only for vulnerabilities which are particularly critical, or particularly smart reports on vulnerabilities and their exploitation.
According to Google, it doesn't matter whether the vulnerability is in the open source Chromium version or the binary Chrome version. The two differ only marginally anyway – Chrome additionally contains GoogleUpdater and sends an RLZ parameter which is forwarded to Google when a search term is entered in the Chrome address bar. The company will not be offering rewards for reports of bugs in third-party plug-ins.

Google is hoping that this will improve the security of its browser and therefore security for its users. Any bug found can be reported via the bug tracking system. Further information and a list of Q&As can be found in Google's blog entry announcing the programme.

Windows hole discovered after 17 years

Microsoft isn't having an easy time of it these days. In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

The workaround requires users to start the group policy editor and enable the "Prevent access to 16-bit applications" option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don't cause any major compatibility problems for most users while no 16-bit applications are being used.

Update - The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat with a DWORD value VDMDisallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).
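For administrators who want to verify the workaround across many machines rather than double-click a .reg file on each, the following PowerShell script is an added example (not from the original article or from heise Security): it reports whether the VDMDisallowed policy value from the article is set to 1 and, only when run with the script's own -Apply switch (an assumption of this example), writes that value. Key path, value name and the meaning of 1 come from the article; the 64-bit check relies on the fact that NTVDM only exists on 32-bit Windows.

```powershell
# Added example: audit (and optionally apply) the "Prevent access to 16-bit
# applications" mitigation. Run from an elevated PowerShell session.
param([switch]$Apply)   # -Apply is this example's own flag, not a Windows setting

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmPolicyState {
    # 'Blocked' when the policy DWORD equals 1; 'Allowed' when the key or value
    # is missing or holds any other number (the NTVDM stays reachable then).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows ships no NTVDM, so the vulnerable component is not present.
    Write-Output "$env:COMPUTERNAME runs 64-bit Windows: no Virtual DOS Machine, nothing to block."
    return
}

$before = Get-VdmPolicyState
Write-Output "16-bit application access on $env:COMPUTERNAME is currently: $before"

if ($before -eq 'Blocked') {
    Write-Output 'Mitigation already in place.'
}
elseif ($Apply) {
    # Create the policy key if Group Policy never wrote it, then set the same
    # DWORD the article's vdmdisallow.reg file sets. HKLM needs admin rights.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "Applied VDMDisallowed=1; 16-bit access is now: $(Get-VdmPolicyState)"
}
else {
    Write-Output 'Mitigation not in place. Re-run with -Apply to set VDMDisallowed=1.'
}
```

Without -Apply the script only reads the registry, so it is safe to push through a login script or remote session purely as an inventory check before deciding whether any remaining 16-bit applications rule out the workaround.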