Modernizing Authentication — What It Takes to Transform Secure Access
Malware creators are devising increasingly sophisticated ways of compromising their targets, as illustrated by the devilishly clever Stuxnet worm, which has been wreaking havoc in Iraq's nuclear facilities over the past few months.
But malware doesn't have to be complex, as victims of the recent spate of "boy in the browser" (BitB) attacks have discovered. Dubbed BitB attacks because they are far less sophisticated and mature than full-blown "man in the browser" (MitB) Trojans, they work using the old trick of modifying the victim machine's hosts file. Adding a single line to this file can reroute traffic for a specific Web address usually a bank to a replica site hosted on a machine controlled by the malware author. "BitB is suitable for a quick, low cost sting operation while MitB is suitable for long lasting complex and high budget operations," says Rob Rachwald, a director at security outfit Imperva.
For hackers, the beauty of BitB attacks is that they are simple to write no complex hooking or device driver code is required and they can easily be modified to avoid anti-virus signatures. The BitB malware can also delete itself after modifying the hosts file, so it can't be detected later by a virus scan with a matching signature. Once gone, the only way to detect that the malware has infected a machine is to examine its hosts file: on most systems it should be empty, but if it includes the domain name of a bank, preceded by an IP address in somewhere like Russia, China or Romania, then it's a get bet that you've had a visit from a malicious young man.
An even simpler way for hackers to access confidential data is to buy second-hand hard drives or retrieve them from the trash to see if any information has been left on them. Many people are wise to this, and before disposing of their drives they either overwrite their data multiple times (using software such as Darik's Boot and Nuke) or use degaussing machines to render the drives useless by subjecting them to a strong fluctuating magnetic field, which effectively demagnetize the disks, erasing all traces of the data.
But if your computer uses a solid state drive (SSD) then you could be heading for trouble. Researchers at the University of California in San Diego found that securely removing data from SSDs turns out to be very hard indeed. That's because ATA and SCSI commands for destroying SSD data rarely work, and degaussing has no effect on the data at all. Multiple overwriting is effective, but because of the way that SSDs work this is too time consuming to be practical.
The researchers conclude that the only way to be certain that your data is secure when you dispose of an SSD is to ensure that you only store encrypted data on it. Smashing the drive up with a hammer is probably also quite effective.
Facebook and Google Tighten Up their Acts
Two bits of security good news in the last month: In response to Firesheep, the session hijacking tool that made it trivial to access the Facebook accounts over open, unsecured Wi-Fi connections, the company has now made it possible to use Facebook entirely over a secure HTTPS connection, thus thwarting Firesheep. The plan is to make this the default connection type at some point in the future. The sooner the better, frankly.
Google introduced HTTPS by default for Gmail service way back at the beginning of 2010, but the company has beefed up email security still further with the introduction of two-factor authentication for Gmail. Once you sign up for "2 step verification," Google will call or SMS you with a one-time code that has to be entered with your username and password when you log on. There are also apps for Android, Blackberry and iPhone devices that generate onetime codes, which is handy if you plan on checking your email when there's no cell phone coverage.
Mobile OSes Coming in to the Firing Line
And good news of sorts for beleaguered Windows users, who saw over two million new pieces of malware appear in 2010. According to Kaspersky Lab's Cybercrime Outlook 2020, "the defining feature of the next decade will be the end of Windows' domination of user operating systems." And that means that malware writers will be spending more time attacking mobile platforms such as Android and iOS, and less time hammering on Windows.
There's certainly the potential to create pernicious mobile malware, as security company Websense reported. A game developer was offered a deal to embed an application inside his Android game, Tank Hero, to "measure customer experience by collecting data in the background." Whatever that means.
This embedded app required permission, which the Android OS requests from users, to:
- Call phone numbers without user intervention
- Record audio
- Read SMS or MMS messages
- Connect to the Internet
- Access the phone's GPS
Sounds suspicious? The author, Abayas, and his colleague thought so. "Obviously we would both rather be unemployed than embed spyware in our app. I would also love to see your reactions to the next update if Tank Hero requested all these new permissions," he commented.
He is assuming, of course, that Android users read permissions requests before installing apps. Those that don't could soon be heading for trouble.
Researchers Pwn iPhone in Six Minutes
Apple's curated App Store is supposed to ensure that malicious apps can't be embedded in games, but before iPhone users get too smug it's worth mentioning that some appalling security flaws have been discovered in the device. Researchers at the Fraunhofer Institute for Secure Information Technology announced this month that they have figured out how to get their hands on encrypted passwords stored on an iPhone's supposedly secure keychain in just six minutes, even when the device is locked using a long passcode. What they discovered is that there's no need to bruteforce the keychain's 256-bit crypto key to get at the passwords, because it can be deduced from other data stored in the device. And to cap it all it turns out that this data can be accessed even when the phone is locked, so there's need to bruteforce the device's passcode either.
The Fraunhofer hack gives access to all sorts of encrypted keychain passwords such as passwords for email, LDAP accounts, corporate VPN passwords, and even WIFI passphrases. "As soon as attackers are in the possession of an iPhone or iPad and have removed the device's SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well," said the researchers in a statement. "Control of an e-mail account allows the attacker to acquire even more additional passwords: for many web services such as social networks the attacker only has to request a password reset."
So much for Apple's cell phones being enterprise ready.
Sony Pwns Itself
Finally, the self-inflicted security fail of the month goes to Sony for sending out its PlayStation 3 master signing key in a jokey tweet. The metldr root key is supposed to be a closely guarded secret, which is why the company's legal people are currently busy trying to prevent hackers from revealing the very same key.
The tweet came from a Sony Twitter account belonging to fictional PS3 vice president Kevin Butler, and was in response to a tweet containing the key and the challenge to "Come at me." Whoever it is at Sony (or one of its agencies) that writes the fictional character's tweets apparently though the key was part of some game instead of a top secret corporate asset, and blithely retweeted it to the world with the message "Lemme guess you sank my Battleship?"
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.