[tags]phishing, web redirection[/tags]
Jim Horning suggested a topic to me a few weeks ago as a result of some email I sent him.

First, as background, consider that phishing and related frauds are increasingly frequent criminal activities on the WWW.  The basic mechanism is to fool someone into visiting a WWW page that looks like it belongs to a legitimate organization with which the user does business.  The page has fields requesting sensitive information from the user, which is then used by the criminals to commit credit card fraud, bank fraud or identity theft.

Increasingly, we have seen that phishing email and sites are also set up to insert malware into susceptible hosts.  IE on Windows is the prime target, but attacks are out there for many different browsers and systems.  The malware that is dropped can be bot clients, screen scrapers (to capture keystrokes at legitimate pages), and html injectors (to modify legitimate pages to ask for additional information).  It is important to try to keep from getting any of this malware onto your system.  One aspect of this is to be careful clicking on URLs in your email, even if they seem to come from trusted sources because email can be spoofed, and mail can be sent by bots on known machines.

How do you check a URL?  Well, there are some programs that help, but the low-tech way is to look at the raw text of a URL before you visit it, to ensure that it references the site and domain you expected.

But consider the case of short-cut URLs.  There are many sites out there offering variations on this concept, with the two I have seen used most often being “TinyURL” and “SnipURL”.  The idea is that if you have a very long URL that may get broken when sent in email, or that is simply too difficult to remember, you submit it to one of these services and you get a shortened URL back.  With some services, you can even suggest a nickname.  So, for example, short links to the top level of my blog are <http://tinyurl.com/2geym5>, <http://snipurl.com/1ms17> and <http://snurl.com/spafblog>.

So far, this is really helpful.  As someone who has had URLs mangled in email, I like this functionality.

But now, let’s look at the dark side.  If Jim gets email that looks like it is from me, with a message that says “Hey Jim, get a load of this!” with one of these short URLs, he cannot tell by looking at the URL whether it points somewhere safe or not.  If he visits it, it could be a site that is dangerous to visit (Well, most URLs I send out are dangerous in one way or another, but I mean dangerous to his computer. :-)).  The folks at TinyURL have tried to address this by adding a feature so that if you visit <http://preview.tinyurl.com/2geym5> you will get a preview of what the URL resolves to; you can set this (with cookies) as your default.  That helps some.

But now step deeper into paranoia.  Suppose one of these sites was founded by fraudsters with the intent of luring people into using it.  Or the site gets acquired by fraudsters, or hijacked.  The code could be changed so that every time someone visits one of these URLs, some code at the redirect site determines the requesting browser, captures some information about the end system, then injects some malicious javacode or ActiveX before passing the connection to the “real” site.  Done correctly, this would result in largely transparent compromise of the user system.  According to the SnipURL statistics page, as of midnight on May 30th there have been nearly a billion clicks on their shortened URLs.  That’s a lot of potential compromises!

Of course, one of the factors to make this kind of attack work is for the victim to be running a vulnerable browser.  Unfortunately, there have been many vulnerabilities found for both IE and Firefox, as well as some of the less well-known browsers.  With users seeking more functionality in their browsers, and web designers seeking more latitude in what they deliver, we are likely to continue to see browser exploits.  Thus, there is likely to be enough of a vulnerable population to make this worthwhile.  (And what browser are you using to read this with?)

I should make it clear that I am not suggesting that any of these services really are being used maliciously or for purposes of fraud.  I am a happy and frequent user of both TinyURL and SnipURL myself.  I have no reason to suspect anything untoward from those sites, and I certainly don’t mean to suggest anything sinister.  (But note that neither can I offer any assurances about their motives, coding, or conduct.)  Caveat emptor.

This post is simply intended as commentary on security practices.  Thinking about security means looking more deeply into possible attack vectors.  And one of the best ways to commit such attacks is to habituate people into believing something is safe, then exploiting that implicit trust relationship for bad purposes. 

Hmm, reminds me of a woman I used to date.  She wasn’t what she appeared, either….  But that’s a story for a different post. 

[posted with ecto]

[tags]viruses,OpenOffice,Word,Microsoft,Office,Powerpoint,Excel[/tags]
In my last post, I ranted about a government site making documents available only in Word.  A few people have said to me “Get over it—use OpenOffice instead of the Microsoft products.”  The problem is that those are potentially dangerous too—there is too much functionality (some of it may be undocumented, too) in Word (and Office) documents.

Now, we have a virus specific to OpenOffice.  We’ve had viruses that run in emulators, too.  Trying to be compatible with something fundamentally flawed is not a security solution.  That’s also my objection to virtualization as a “solution” to malware.

I don’t mean to be unduly pejorative, but as the saying goes, even if you put lipstick on a pig, it is still a pig.

Word and the other Office components are useful programs, but if MS really cared about security, they would include a transport encoding that didn’t include macros and potentially executable attachments—and encourage its use!  RTF is probably that encoding for text documents, but it is not obvious to the average user that it should be used instead of .doc format for exchanging files.  And what is there for Excel, Powerpoint, etc?

[tags]DHS,MS Word,threats[/tags]
Earlier, I wrote about the security risks of using Microsoft Word documents as a presentation and encoding format for sending files via email (see posts here and here).  Files in “.doc” format contain macros, among other things, that could be executable.  They also have metadata fields that might give away sensitive information, and a lot of undocumented cruft that may be used in the process of exploiting security.  It is no wonder that exotic exploits are showing up for Word documents.  And only today it was revealed that the latest version of Office 2007 may not have even gotten the most recent patch set.

Want to find some vulnerabilities in Word?  Then take a look at the list of US-CERT alerts on that software; my search returns almost 400 hits.  Some of these are not yet patched, and there are likely many as-yet unpatched flaws still in there.

Clearly, the use of Word as a document exchange medium is Bad (that’s with a definite capital B).  People who understand good security practices do not exchange Word files unless they are doing collaborative editing, and even then it is better to use RTF (if one continues to be beholden to Microsoft formats).  Good security hygiene means warning others, and setting a good example.

Now, consider that DHS has released BAA07-09 to solicit research and prototypes to get fixes for current cyber infrastructure vulnerabilities.  I could rant about how they claim it is for R&D but is really a BAA for further product development for fundamentally flawed software that cannot be fixed.  But that isn’t the worst part.  No, the BAA is only available as Word documents!

Can you say “irony”?  This is the agency charged with helping guide us to a more secure infrastructure?  If so, electronically KYAG.

Update: A response from Dr. Douglas Maughn at DHS points out that the site I indicated for the BAA is actually FedBizOps rather than DHS.  The DHS posting site actually has it in PDF…although the FedBizOps link is the one I’ve seen in several articles (and in a posting in SANS NewsBites).

Of course, it would be great if DHS could get the folks at FedBizOps to clean up their act, but at least in this case, DHS—or rather, DHSARPA—got it right.  I stand corrected.

[tags]biometrics,USB,encryption,hacking[/tags]
One of our students who works in biometrics passed along two interesting article links.  This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked.  This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented.  (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete.  The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.

We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about.  Security is about reducing risk of untoward events in a given system.  To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses.  Securing one component against obvious attacks is not sufficient.  Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside is certainly not a restricted “black art.”  Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.

Good security takes into account people, events, environment, and the physical world.  Poor security is usually easy to circumvent by attacking one of those avenues.  Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!

[posted with ecto]

[tags]Google, spam, 419[/tags]

I recently blogged about some unsolicited email I received from a recruiter at Google.  Much to my surprised, I was shortly thereafter contacted by two senior executives at Google (both of whom I know).  Each apologized for the contact I had received; one assured me he would put in a positive recommendation if I wanted that sys admin position. :-)

I have been assured that there will be some re-examination made of how these contacts are made.  So, score one for my blog changing the world!  Or something like it.

[posted with ecto]