UK-Specific Zeus 2.0 Botnet
Frustrating though it may be, in addition to providing all of my other security details, to have to remember a long customer reference code each time I visit the site; nevertheless, I can honestly say I've never been tempted to automate my online banking login with a GreaseMonkey script. And today, upon reading the comments of Rapport supplier Trusteer's CEO Mickey Boodaei and CTO Amit Klein, on the discovery of a pure "very focused" Zeus 2.0 Botnet, 100,000-PC strong, specifically targeted at UK banks and the private data of their customers, I'm quite glad that for once, I have managed to keep the lid on a particular source of curiosity.
Going beyond the usual haul of user IDs and passwords, this particular bundle of fun snags client-side resources such as your certificates and cookies (including those of social networking sites), harvesting these for banking site login information, credit and debit card details, bank statements, FTP credentials, and sundry personal data, such as your date of birth, workplace and job, which might be used as a basis for security questions.
With its friendly and readily searchable "Google-like" front end, this was the first pure example of the emerging Zeus 2.0 to be found "in the wild"; but apparently there are others around, too. One rather important fact to keep in mind is that "Zbot" often changes its form or "fingerprint" in order to avoid detection by your anti-malware.
2G GSM Broken, Pope Catholic
The DefCon® hackers' meet (Las Vegas, July 30 - August 1) provided a number of high profile scoops, some preannounced, some out of the
- Set up your base station with a good strong signal. Advertise it as belonging to a compatible operator.
- When a handset is enticed to connect to you, connect to the real network. Begin relaying authentication tokens transparently.
- Handset authenticates with network, which does not reciprocate (a known 2G vulnerability).
- Network tells handset not to encrypt (e.g. because strong encryption is disallowed in your country).
- Handset complies without displaying the mandated warning, because manufacturer has deemed this too annoying.
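The weak link in the steps above is that the handset has no way to tell whether the "don't encrypt" instruction came from its real operator, and no policy of objecting when it is told to use no cipher (A5/0). The toy model below is an added example, not code from the post or from the DefCon talk: it imitates a handset's decision under the 2G rules (no network authentication, silent compliance) and under a hardened policy in which the cipher-mode instruction must carry a tag under the session key (the approach later generations take with an integrity-protected security mode command) and A5/0 triggers a warning or refusal. The key derivation and tagging use HMAC-SHA256 as stand-ins for the real GSM algorithms, and the party in the middle is represented only by an untagged, rewritten instruction.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def derive_session_key(subscriber_key: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's session-key derivation (constructed; real GSM uses A3/A8)."""
    return hmac.new(subscriber_key, rand, hashlib.sha256).digest()


def authenticate_cipher_mode(session_key: bytes, mode: str) -> bytes:
    """Tag a cipher-mode instruction so the handset can check it came from the real network.

    GSM does not do this; it is the hardened behaviour the model compares against."""
    return hmac.new(session_key, mode.encode(), hashlib.sha256).digest()


def handset_decides(mode: str, tag: Optional[bytes], session_key: bytes, *,
                    require_network_auth: bool, refuse_no_cipher: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for a cipher-mode instruction under the given handset policy."""
    if require_network_auth:
        expected = authenticate_cipher_mode(session_key, mode)
        if tag is None or not hmac.compare_digest(tag, expected):
            return False, "cipher-mode instruction not authenticated by the network"
    if mode == "A5/0":
        if refuse_no_cipher:
            return False, "network asked for no encryption: warn the user and refuse"
        return True, "proceeding with no encryption (no warning shown)"
    return True, f"encrypting with {mode}"


def run_scenario(require_network_auth: bool, refuse_no_cipher: bool) -> Tuple[bool, str]:
    """Deliver a rewritten 'use A5/0' instruction to a handset with the given policy."""
    subscriber_key = secrets.token_bytes(16)   # known only to the SIM and the home network
    rand = secrets.token_bytes(16)
    session_key = derive_session_key(subscriber_key, rand)
    # Whoever rewrote the instruction does not hold subscriber_key, so it carries no valid tag.
    rewritten_mode, rewritten_tag = "A5/0", None
    return handset_decides(rewritten_mode, rewritten_tag, session_key,
                           require_network_auth=require_network_auth,
                           refuse_no_cipher=refuse_no_cipher)


if __name__ == "__main__":
    print("2G handset, silent compliance:", run_scenario(False, False))
    print("2G handset, warns on A5/0:    ", run_scenario(False, True))
    print("mutual auth + warns on A5/0:  ", run_scenario(True, True))
```

Only the first configuration accepts the downgrade; a handset that merely shows the mandated warning already closes the silent path, and one that demands an authenticated instruction rejects it before the cipher choice is even considered.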
Wiretap Kiddies & Black Hat Redux
Poor beleaguered old GSM was also a big target of attack at the Black Hat® Technical Security Conference briefings earlier in the week (also in Las Vegas, July 28-29). Visit Dan Goodin at The Register to hear about "a comprehensive set of tools" aimed at eavesdropping even on encrypted calls over GSM networks.
Famous DVD-CSS cracker Frank A. Stevenson from Oslo developed one of these tools: Kraken, which attacks GSM's A5/1 algorithm using a 1.7TB lorryload of rainbow tables. According to the project's cryptographer Karsten Nohl (of Security Research Labs, Berlin), GSM hacking has reached the level that Wi-Fi hacking reached a couple of years ago: script-kiddies cracking their neighbour's Wi-Fi, and forcing the widespread adoption of WPA/TKIP over WEP.
Black Hat was a furiously busy time for Microsoft's SDL team. Bryan Sullivan presented a hot topic talk on Cryptographic Agility, or the ability to inject alternative cryptographic algorithms or implementations into apps without source code changes. Adam Shostack reprised his brilliantly conceived card game, "Elevation of Privilege: The Easy Way to Threat Model." Finally, several SDL team members also took part in Grant Bugher's (of SAFECode) brainstorming panel, gathering "vision and approaches on improving software assurance" from the security community; the results should be up on the SAFECode blog any day now... oh, here's an SD Times article on it.
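As an added illustration of the cryptographic agility idea (my own code, not material from Bryan Sullivan's talk or from the SDL), the snippet below keeps the algorithm choice in a configuration table and tags every stored digest with the suite that produced it. Moving from the constructed "v1" suite (PBKDF2 over SHA-1) to "v2" (PBKDF2 over SHA-256, more iterations) is a one-line configuration change: existing values still verify, and the verifier reports which of them should be re-hashed under the current suite. The suite names, parameters and the `$`-separated storage format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Algorithm suites live in configuration, not in the call sites (constructed example).
SUITES = {
    "v1": {"hash": "sha1",   "iterations": 1_000},     # legacy suite, kept so old values verify
    "v2": {"hash": "sha256", "iterations": 100_000},   # current suite
}

CONFIG = {"current_suite": "v2"}   # changing this value migrates the app; no code edits


def hash_secret(secret: str, suite: Optional[str] = None, salt: Optional[bytes] = None) -> str:
    """Derive a salted digest under the chosen (default: current) suite.

    The result is self-describing: "<suite>$<salt hex>$<digest hex>"."""
    suite = suite or CONFIG["current_suite"]
    params = SUITES[suite]
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(params["hash"], secret.encode(), salt, params["iterations"])
    return f"{suite}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_upgrade).

    The suite is read from the stored value, so values produced under any
    configured suite verify; needs_upgrade is True when a match was made
    under a suite other than the current one and the value should be re-hashed."""
    suite, salt_hex, digest_hex = stored.split("$")
    params = SUITES[suite]
    digest = hashlib.pbkdf2_hmac(params["hash"], secret.encode(),
                                 bytes.fromhex(salt_hex), params["iterations"])
    matches = hmac.compare_digest(digest.hex(), digest_hex)
    return matches, matches and suite != CONFIG["current_suite"]


def verify_and_migrate(secret: str, stored: str) -> Tuple[bool, str]:
    """Verify, and if the value is from an older suite, return a fresh one under the current suite."""
    matches, needs_upgrade = verify_secret(secret, stored)
    if matches and needs_upgrade:
        return True, hash_secret(secret)
    return matches, stored


if __name__ == "__main__":
    legacy = hash_secret("correct horse", suite="v1")   # produced before the config change
    print("legacy verifies:", verify_secret("correct horse", legacy))
    ok, migrated = verify_and_migrate("correct horse", legacy)
    print("migrated suite: ", migrated.split("$")[0])
```

The crucial property is that callers never name an algorithm: they call `hash_secret` and `verify_secret`, and the suite identifier travels with the data. Retiring "v1" for new values is a configuration change, and once every stored value has been re-hashed on verification the legacy entry can be dropped from `SUITES`.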
Please remember: don't have nightmares, do sleep well.