Wednesday, 4 August 2010

Security Digest #11

This month: Black Hat, leaky phones, scary botnets...

UK-Specific Zeus 2.0 Botnet

Frustrating it may be, in addition to providing all of my other security details, to have to remember a long customer reference code each time I visit the site; nevertheless, I can honestly say I've never been tempted to automate my online banking login with a GreaseMonkey script. And today, upon reading the comments of Rapport supplier Trusteer's CEO Mickey Boodaei and CTO Amit Klein, on the discovery of a pure "very focused" Zeus 2.0 Botnet, 100,000-PC strong, specifically targeted at UK banks and the private data of their customers, I'm quite glad that for once, I have managed to keep the lid on a particular source of curiosity.

Going beyond the usual haul of user IDs and passwords, this particular bundle of fun snags client-side resources such as your certificates and cookies (including those of social networking sites), harvesting these for banking site login information, credit and debit card details, bank statements, FTP credentials, and sundry personal data, such as your date of birth, workplace and job, which might be used as a basis for security questions.

With its friendly and readily searchable "Google-like" front end, this was the first pure example of the emerging Zeus 2.0 to be found "in the wild"; but apparently there are others around, too. One rather important fact to keep in mind is that "Zbot" often changes its form or "fingerprint" in order to avoid detection by your anti-malware.

2G GSM Broken, Pope Catholic

The DefCon® hackers' meet (Las Vegas, July 30 - August 1) provided a number of high profile scoops, some preannounced, some out of the blue black. Judged most newspaper-worthy was Chris Paget's $1500 GSM cellular network base station spoof, which allows anyone with an interest to intercept and eavesdrop on 2G conversations. The mechanics of the trick were already well known:
  • Set up your base station with a good strong signal. Advertise it as belonging to a compatible operator.
  • When a handset is enticed to connect to you, connect to the real network. Begin relaying authentication tokens transparently.
  • Handset authenticates with network, which does not reciprocate (a known 2G vulnerability).
  • Network tells handset not to encrypt (e.g. because strong encryption is disallowed in your country).
  • Handset complies without displaying the mandated warning, because manufacturer has deemed this too annoying.
The real story is that a well-known vulnerability gets somewhat cheaper to exploit each year, but that 3G tech, particularly when applied at 2G frequencies to mitigate against the blocking vector, will soon put paid to its shenanigans.

Wiretap Kiddies & Black Hat Redux

Poor beleaguered old GSM was also a big target of attack at the Black Hat® Technical Security Conference briefings earlier in the week (also in Las Vegas, July 28-29). Visit Dan Goodin at The Register, to hear about "a comprehensive set of tools" aimed at eavesdropping even on encrypted calls over GSM networks.

Famous DVD-CSS cracker Frank A. Stevenson from Oslo developed one of these tools: Kraken, which attacks GSM's A5/1 algorithm using a 1.7TB lorryload of rainbow tables. According to the project's cryptographer Karsten Nohl (of Security Research Labs, Berlin), GSM hacking has reached the level that Wi-Fi hacking reached a couple years ago: script-kiddies cracking their neighbor's Wi-Fi, and forcing the widespread adoption of WPA/TKIP over WEP.

Black Hat was a furiously busy time for Microsoft's SDL team. Bryan Sullivan presented a hot topic talk on Cryptographic Agility, or the ability to inject alternative cryptographic algorithms or implementations into apps without source code changes. Adam Shostack reprised his brilliantly conceived card game, “Elevation of Privilege: The Easy Way to Threat Model.” Finally there was also a multiple SDL presence at (SAFECode's) Grant Bugher's brainstorming panel, gathering "vision and approaches on improving software assurance" from the security community; the results of which should be up on the SAFECode blog any day now... oh, here's an SD Times article on it.

Please remember: don't have nightmares, do sleep well.

No comments:

Post a Comment