unixronin: A somewhat Borg-ish high-tech avatar (Techno/geekdom)
Friday, October 1st, 2010 07:26 am

Sergei Shevchenko decodes a multilayered, multi-version matryoshka trojan hidden in a Flash video.

When this master exploit encounters one of these twelve combinations [of platform and Windows version number], it will unpack the string by interpreting it as a hex-encoded byte sequence, and then reload this code as a Flash file via loader.loadBytes().  I don't believe it:  A Flash file which is decoded dynamically and then loaded proceeds to load another dynamically created Flash file from a repertoire of twelve strings.  But it's true.  When I copy the first string into my hex editor, I can clearly detect the structure of a, this time uncompressed, Flash file.

That's what I call professional!  The various versions of the Flash environment differ to such a degree that exploits which rely on specific addresses only cause the Player to crash, which doesn't serve the attackers.  Therefore, they either have to write very generic shell code – which is quite difficult, or they arm themselves with an arsenal of very specific exploits and then choose the one that fits the respective Flash Player.  Quite obviously, our little criminal has chosen the easier way and is carrying a whole arsenal of weapons.


And that malware authors now use the obfuscation strategies already known from conventional Win32 malware in virtual environments such as Flash is bad news for the anti-virus vendors.  Because it ultimately means that AV vendors will from now on also need to emulate the run-time environments of JavaScript, the .NET framework and Adobe Action Script to reliably detect malware.

This is a very clever exploit.  And I seem to find myself saying that altogether too frequently of late.

The first generation of malware was one-off exploits, frequently fairly simple, put together usually by single individuals who launched them themselves for the notoriety, for extortion, or just to see what they could wreck.  The second generation was the polymorphic virus development toolkits that let basically any black-hat wanna-be build a virus with a handy point-and-drool interface, and fast-spreading blitz worms like Code Red.  And the third generation...

Well, the third is sophisticated, professionally-crafted attacks like this, like Stuxnet, like Conficker.

The world has changed.  Again.  And not for the better.

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Friday, March 26th, 2010 05:39 pm

Security researchers point out that SSL (Secure Sockets Layer) is vulnerable to what they call the compelled certificate creation attack, in which a government agency (say, the NSA) or operative thereof coerces a certificate issuer (such as Verisign) to issue a falsified SSL certificate, which the agency can then use with certificate renegotiation to perform a transparent man-in-the-middle attack against SSL.

unixronin: Rodin's Thinker (Thinker)
Saturday, February 27th, 2010 02:24 pm

I pay attention to numbers.  It's one of those Aspie traits.  In particular, something has struck me about credit and debit card numbers.

You see, those numbers are all 16-digit numbers that appear on the card in groups of four.  Some of those digits are coded; for instance, the first digit is always 5 for a Mastercard, 4 for a VISA.  In general, the first four digits identify the card issuer and the type of card, as I understand it.  But one would then expect a high degree of randomness in the remaining 12 digits, or at least a lack of visible correlation between the remaining 12 digits and the identity of the cardholder.

This does not, in fact, appear to be the case.  I have observed over a period of quite a few years now that there is a strong tendency for a comparatively small number of groups to appear again and again in the numbers of cards issued to the same individual, even from different issuers.  There also appears to be some tendency for CVV numbers to repeat.

This makes me wonder whether it might in fact be possible to predict, with a reasonable success rate, the numbers of cards issued to a particular individual, if you know the numbers of cards issued to that individual in the past.  If so, and if you can do this for a number of different cardholders, I further wonder whether it might be possible to take the identifying information for an arbitrary individual and predict (again, with a reasonable success rate) the numbers and CVVs of cards likely to have been issued to that individual.
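As an added example (my own code, not anything from the post), a small data-loss-prevention style scanner built around the card-number structure described above: it finds 16-digit numbers written in groups of four, keeps only those whose last digit passes the Luhn check that real card numbers carry, classifies them by the leading digit the post mentions, and masks them for logging. The Luhn step also shows that one of the "remaining 12 digits" is not free at all; it is fixed by the others. The sample text is constructed; the two valid numbers in it are the publicly documented Visa and Mastercard test numbers.

```python
import re

# 16 digits in groups of four, separated by spaces, dashes or nothing.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Leading digit to network, as the post states it (4 = VISA, 5 = Mastercard).
NETWORKS = {"4": "visa", "5": "mastercard"}


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check. The final digit is a checksum over the others,
    so it is fixed by the preceding digits rather than chosen freely."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9        # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the issuer prefix and last four digits; hide the rest for logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_numbers(text: str) -> list:
    """Return (masked number, network) for each Luhn-valid candidate in text.
    Candidates that fail Luhn (phone numbers, order ids) are dropped."""
    found = []
    for m in CARD_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan):
            found.append((mask(pan), NETWORKS.get(pan[0], "unknown")))
    return found


# Constructed sample text. The first two numbers are the standard publicly
# documented Visa/Mastercard test numbers; the last two are not valid cards.
SAMPLE = (
    "paid with 4111 1111 1111 1111, backup card 5555-5555-5555-4444; "
    "typo 4111 1111 1111 1112; tracking id 1234 5678 9012 3456"
)

if __name__ == "__main__":
    for masked, network in find_card_numbers(SAMPLE):
        print(masked, network)
```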

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Thursday, December 17th, 2009 10:56 am

Robert Cringely talks about gag orders from Apple, and the day AT&T learned about Moore's Law.  A short but interesting read, in several ways.  (Ever heard of the PortalPlayer iPod?  ...No, I didn't think so.)

In other news, SecurityWire reports that despite a lack of visible activity, Conficker is still quietly out there doing its thing.  The Conficker botnet is currently estimated at around 7 million machines.  Mikko Hyppönen of F-Secure Corp says that due to the botnet's size and the way it is being monitored, "it would be difficult for anyone to use it to make money or break it up and rent portions out without being detected".

"Conficker was unique in many ways and the biggest mystery around Conficker is why?" Hyppönen said.  "The most logical explanation is that Conficker got too big and too noisy.  It attracted too much attention."

Botnet monitoring organization The ShadowServer Foundation reported that "Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now", but its creators — despite suspicions — have still not been positively identified.

And while I'm at it, the Wall Street Journal reports that insurgents in Iraq and Afghanistan are using off-the-shelf software such as SkyGrabber, purchased off the Internet, to snoop unsecured communication links on US Predator drones and see what the drone's operator is seeing, enabling them to know what roads and buildings are under drone surveillance.  The Pentagon has known about the vulnerability since the Bosnia campaign in the 1990s, but hadn't done anything about it until now because they didn't think any adversary would possess the know-how to exploit it.  The newer, uprated Reaper drone has the same vulnerability, despite the fact that the vulnerability was already known when General Atomics began designing the Reaper.

Personally, I'm boggled that it didn't occur to General Atomics to encrypt drone downlinks in the first place.  It seems like a no-brainer.

unixronin: Closed double loop of rotating gears (Gearhead)
Tuesday, July 24th, 2007 02:36 pm

Medeco locks are immune to bumping, right?

Well ... actually, now that you mention it, not so much.  Marc Tobias reports on a successful compromise of a Medeco M3 lock mechanism using a dummy key blank and a paper clip.

To make matters worse, we were able to create a bump key with our simulated blank, that would open an m3, (although bumping is, in fact, much more difficult in this scenario).  This capability may raise serious security concerns, especially in commercial and government installations where master keying may not be allowed.

Medeco lock bumping video here.

unixronin: Closed double loop of rotating gears (Gearhead)
Thursday, May 31st, 2007 08:18 am

Bruce Schneier makes some interesting comments about patterns of behavior and tactics.  In particular, the key point is the following:  If you have an attacker who has a consistent pattern of not attacking you the same way twice, it's not only ineffective to put in place massive preparations against a repeat of each new one-off attack, it's stupid, because it diverts resources from emergency preparedness measures that you could use to respond to ANY attack or disaster.

Al-Qaida terrorism is different yet again.  The goal is to terrorize.  It doesn't care about the target, but it doesn't have any pattern of tactic, either.  Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response.  And to refuse to be terrorized.

These measures are effective because they don't assume any particular tactic, and they don't assume any particular target.  We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don't stare them down).  Otherwise, general countermeasures are far more effective a defense.

There's only just so many one-off attacks that even the US can afford to put billion-dollar infrastructures in place to defend against a repeat of.  And every time we do, every time we overreact, every time Congress wets its pants and hides in the corner, every time we return an airline flight to the airport because a passenger had hand cream in her carry-on — every time we throw the baby out with the bathwater — we hand the terrorists a victory.  The way to win against terrorists is to deliver a swift and deadly beatdown whenever we're sure of the right target to respond against, and otherwise refuse to allow them to change how we live our lives.  Deny them the terror.

unixronin: Closed double loop of rotating gears (Gearhead)
Tuesday, January 30th, 2007 11:19 am

There's a growing trend in web e-commerce sites to "improve" site security by adding a "secret question" to the identifying information for the user.  It's well-intentioned, usually.  But it's almost invariably poorly implemented.

You want me to be able to prove my identity by answering a "secret" question to which only I would know the answer?  OK, fine.  Then let me pick the question.

But this isn't what most sites do.  They typically let you pick one question from a list of three to five.  Sometimes, they pre-pick the question; you don't get a choice at all.  ING Direct goes slightly better than the usual run of this; they provide a list of eight possible questions, from which you must pick and answer five.  When called for, they will use one randomly-selected question from the five you chose.

The problem is that, invariably, most — if not all — of the questions offered for your selection are questions to which the truthful answer is a matter of public record.  Your city of birth, for example, or that old standby beloved of banks and credit-card companies, your mother's maiden name.  What's worse, in many cases, if you forget your password, you can gain access to your account by answering the secret question instead.  So anyone who wishes to gain access to your account need only research the answers to those four or five most common "secret" questions — a much easier task than cracking or otherwise compromising your password, since the vast majority of users will answer those questions with the correct answer.  The slightly more sophisticated user recognizes that to answer these non-secret "secret" questions with a truthful answer which can be readily found in public records is a security weakness, not a security measure, and so will provide false answers to the questions; but then there's the problem of remembering which false answer you supplied to which question on which site.  And that means that either you develop a system of some kind (which could be as simple as, say, answering every "secret" question with "Madagascar"), or you write your answers down somewhere accessible.  It's not hard to come up with a system.  But the honest fact is, most security-unaware average users aren't going to even realize they need to do it.

The upshot of it is, the "secret question" tactic, as commonly implemented by 90% of web sites, does not improve security; it weakens it, sometimes drastically.

As noted above, there's an astoundingly simple measure for making the "secret question" gambit an actual, real security improvement:  Let the user pick the question, as well as the answer, and disallow questions to which the answer is likely to be trivially available from public records.

So why don't more sites use it?
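The fix proposed above, as an added example of my own (not code from the post or from any site it names): the user writes the question, the site rejects wordings whose truthful answer is usually a matter of public record, and, because the answer is accepted in place of the password on many sites, it is stored as a salted slow hash rather than in the clear. The pattern list beyond the post's two examples (maiden name, city of birth), the PBKDF2 work factor and the normalization rules are my assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Question wordings whose truthful answer is usually a matter of public record.
# "maiden name" and "city of birth" are the post's examples; the others are my
# assumptions about questions commonly offered in the same fixed lists.
PUBLIC_RECORD_PATTERNS = [
    r"maiden\s+name",
    r"(city|town|place)\s+(of|where)\b.*\bbirth|\bborn\b",
    r"high\s+school",
    r"first\s+(car|employer|school)",
    r"date\s+of\s+birth|birthday",
    r"street\b.*\bgrew\s+up",
]

ITERATIONS = 200_000   # PBKDF2 work factor; an assumption, tune for your platform


def question_allowed(question: str):
    """Accept a user-written question unless it matches a public-record pattern."""
    q = question.lower()
    for pat in PUBLIC_RECORD_PATTERNS:
        if re.search(pat, q):
            return False, "answer is likely in public records (matched %r)" % pat
    if len(q.split()) < 3:
        return False, "question too short to be meaningful"
    return True, "ok"


def normalize(answer: str) -> str:
    """Case-, accent- and whitespace-insensitive form, so 'Madagascar' enrolled
    today still verifies against ' madagascar ' typed next year."""
    plain = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(plain.lower().split())


def enroll(answer: str):
    """Store a salted slow hash of the answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for q in ("What is your mother's maiden name?",
              "What nickname did your college roommate give your bicycle?"):
        print(q, "->", question_allowed(q))
    salt, digest = enroll("Madagascar")
    print(verify("  madagascar ", salt, digest), verify("Mozambique", salt, digest))
```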

unixronin: Closed double loop of rotating gears (Gearhead)
Friday, July 28th, 2006 09:48 pm

Aircraft hijackings are really pretty rare these days, right?  But as Schneier reports, the European Commission, Airbus, Siemens and the Technical University of Munich are spending 36 million Euros to develop a system whereby in the event of an actual or suspected hijacking, controllers on the ground can remotely take control of the aircraft, fly it to the nearest airport and land it, with no intervention necessary or possible from the pilots.

I've actually been aware of this project for some time now, and Schneier's reaction now is the same as mine was when I learned about it:  This is a really bad idea.  The situation in which it's intended to be used is so uncommon the benefit is probably minimal, but it opens up a whole new vulnerability -- because you KNOW that once a system like this goes into service, the protocols will sooner or later become public, the equipment specs will be leaked, the encryption protocols protecting it (pray there IS encryption) will be cracked, and once that happens, it will no longer be necessary for hijackers to get on -- or even near -- the airplane at all.  They'll be able to hijack any airliner so equipped, from the ground, and presumably fly it wherever they want by passing control to successive previously-placed ground stations.  Had this technology been in place and already cracked on 9/11, the hijackers could have gotten all four aircraft to their targets instead of just three, and none of them would even have had to die.

This is one of the most stupid and ill-thought-out flight-safety ideas I've ever heard of.  As pointed out in the comment thread in Schneier's post, there is one perfectly simple way to prevent 100% of hijackings:  Physically isolate the cockpit on all airliners from the passenger cabin with an unbroken bulkhead, give the flight crew their own separate entry, their own lavatory, and their own refrigerator and microwave for their in-flight meals.

Of course, would-be hijackers could take the flight attendants and passengers hostage, and threaten to kill them if the pilots don't comply with their instructions.  But that's fixable, too, by allowing passengers with legitimate CCW permits to fly armed.  Hell, offer discounted fares for passengers willing to fly armed and intervene in the event of a hijack attempt.

There's one thing I think Schneier missed, though.  Even if the system isn't cracked, this would open up a whole new ability for terrorists to DOS the entire commercial air fleet and ground all commercial travel world-wide.

You see, they don't have to actually crack the system.  All they have to do is convince the world that they probably have cracked it.  Every nation would have to order its commercial air fleets grounded until they could be certain the system had been resecured.  They would have no choice.  Can you think of the consequences for any government if a terrorist group announced that it had acquired the ability to subvert this system and take over control of any airliner from the ground, and that government alone decided that the terrorists were bluffing and did not ground its commercial fleet -- and subsequent events proved them wrong?

unixronin: A somewhat Borg-ish high-tech avatar (Techno/geekdom)
Tuesday, March 28th, 2006 04:46 pm

Citizens Bank just sent us both updated debit cards.  The new card proudly proclaims that it is PayPass enabled.  I'm not familiar with PayPass, but from the minimal information included with the new card and data I've found online, it's a short-range RFID technology.  I find my attention particularly called to this bit (emphasis mine):

"Its built-in technology lets you just tap your card on the PayPass reader at participating locations and your transaction is complete.  No need to swipe or give your card to cashiers.  Smaller purchases [which turns out to be up to $25] may not require a signature or PIN."

This seems to imply to me that someone who can get their hands on a PayPass-enabled card can use it freely without needing to know a PIN, as long as they keep their purchases small.  The convenience of not needing to swipe, with the touted feature of "Your card never leaves your hand", is undeniably going to be attractive for many people, but I find the security implications disturbing.

On the other hand,

"All transactions are protected with the Zero Liability Policy for any unauthorized purchases."

The press releases I've found claim that the read range of the PayPass RFID chip is restricted to about 4cm, which - if true - is promising from the viewpoint of remote scanning risks.  (I've had difficulty finding much in the way of solid information.  Most of the technical data is restricted to licensees.  If anyone knows of any accessible useful documentation on the security features, pointers would be welcome.)  Interestingly, Motorola has been field-testing PayPass-enabled phone handsets for about 18 months now;

"Motorola is excited to be working with MasterCard to create a phone that has the potential to be lifestyle changing, and offers a convenient, fast, and secure method of payment.  In essence your phone will become your wallet, key chain and your ID," said Ron Hamma, vice president and director of enterprise business development, Motorola, Inc.  "Fully integrating MasterCard PayPass technology in our phones is a natural fit and major benefit to the consumer."

unixronin: A somewhat Borg-ish high-tech avatar (Techno/geekdom)
Friday, January 27th, 2006 02:09 pm

sierra_nevada found this Inquirer article, which claims that the popular ZoneAlarm personal firewall secretly sends data to Israeli parent company CheckPoint.

This, of course, leads me to wonder whether Checkpoint Firewall-1 has ever been audited for any malicious behavior....

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Saturday, October 29th, 2005 07:31 pm

So now cymrullewes has got the "We advise you to change your password now!" message I got the other day.  Seems like a hell of a LOT of people are getting it.

This leads me to wonder:  Is there something we should know, that LiveJournal isn't telling us...?  Did their registration database maybe get hacked, or something like that?

unixronin: Pissed-off avatar (Pissed off)
Wednesday, September 21st, 2005 08:45 am

There's a new eBay phishing spoof in the wild.  It's not too badly done, and quite convincing at first glance; I'm guessing they're relying on you thinking "This is bullshit!  This idiot hasn't bought anything from me!" and clicking the "Respond" link before you think to actually examine it and see if it's legit.  Social engineering.  If you do stop to examine it, there's several flaws.

  • "Your registered name is included to show this message originated from eBay."  Well, actually, now that you mention it ... no, it isn't.  Not anywhere in the message.  "Oops."
  • That "Respond" button doesn't go to an eBay URL.  As a matter of fact, it goes to vds-381430.amen-pro.com, registered in Paris, France.
  • Oh, and all the links in the right-side sidebars, and the "learn more" link?  They aren't.  Links, that is.  They're faked and don't connect to anything.  There's no anchor tag.  Mouse over them and see.
  • And did you notice that the "Thank you for using eBay" URL is to ebay.com, but all the other eBay links on the page are ebay.co.uk links?  A little bit inconsistent there, neh?
  • And of course, there's the minor problem that it doesn't come from an eBay address, and isn't even convincingly spoofed.  Mine came from "eBay <qezzobvasze@pisem.net>".  The X-mailer header is oddly curious, too:  "pig pen 3095 guardian angels"
  • And then there's the actual, non-HTML message body:  "When over marzipan takes a coffee break, cough syrup related to parking lot starts reminiscing about lost glory.When behind ski lodge procrastinates, from movie theater gets stinking drunk.toothaches remain nearest.pocket living with graduated cylinder reads a magazine, but bubble bath from short order cook learn a hard lesson from about pine cone."  Whoa!  Lay off the glue, dude.
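Three of the checks in the list above (sender domain not matching the "eBay" display name, the call-to-action link pointing off-brand, and links mixing ebay.com with ebay.co.uk), written up as a small mail-filter routine. This is an added example of my own, not code from the post; the sample message is constructed to mirror the quoted phish (sender address, X-mailer string and the amen-pro.com host are the ones the post reports, the HTML around them is mine), and the set of legitimate brand domains is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the impersonated brand actually uses (assumption: the two seen in the mail).
BRAND_DOMAINS = ("ebay.com", "ebay.co.uk")


def brand_domain(host: str):
    """Return the brand domain `host` belongs to, or None if it is off-brand."""
    host = host.lower()
    for d in BRAND_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def phishing_indicators(raw_message: str) -> list:
    """Run the three checks against a raw RFC 822 message and list the findings."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1]
    if "ebay" in name.lower() and brand_domain(sender_host) is None:
        findings.append(f"From display name '{name}' but sender domain is {sender_host}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())      # single-part text/html body
    brand_used = set()
    for href, text in collector.links:
        host = urlparse(href).netloc
        d = brand_domain(host)
        if d is None:
            findings.append(f"link '{text}' points to off-brand host {host}")
        else:
            brand_used.add(d)
    if len(brand_used) > 1:
        findings.append("links mix brand domains: " + ", ".join(sorted(brand_used)))
    return findings


# Constructed sample modelled on the message quoted in the post.
SAMPLE = """From: eBay <qezzobvasze@pisem.net>
Subject: Question from eBay Member -- Respond Now
X-Mailer: pig pen 3095 guardian angels
Content-Type: text/html

<p>eBay sent this message to you.</p>
<a href="http://vds-381430.amen-pro.com/">Respond Now</a>
<a href="http://pages.ebay.co.uk/help/policies/privacy-policy.html">Privacy Policy</a>
<a href="http://www.ebay.com/">Thank you for using eBay</a>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```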

Here it is, in all its phishy stench:

eBay sent this message to you.
Your registered name is included to show this message originated from eBay. Learn more.
Question from eBay Member -- Respond Now eBay
eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).
 Question from jell

    I have not received any item from you, what happend, I've sent you the money, now were is my item ? If you don't Respond Now I will contact ebay and I will report you, I will also go to the police !Lett me know, I am not a fool ! 

Thank you !

Respond to this question in My Messages.
Respond Now
Thank you for using eBay
Marketplace Safety Tip Marketplace Safety Tip
If this message is an offer to sell an item without winning it on the eBay Web site (including Second Chance Offers sent through My Messages) please do not respond to the sender. These external transactions are unsafe and not covered by eBay purchase protection programmes.

Never pay for your eBay item through instant wire transfer services such as Western Union or MoneyGram. These payment methods are unsafe when paying someone you do not know.
Is this email inappropriate? Does it breach eBay policy? Help protect the community by reporting it.
Learn how you can protect yourself from spoof (fake) emails at:
This eBay notice was sent to you on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your notification preferences.
See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.
Privacy Policy: http://pages.ebay.co.uk/help/policies/privacy-policy.html
User Agreement: http://pages.ebay.co.uk/help/policies/user-agreement.html
Copyright © 2005 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.