SilentBanker: Stealing Money While You Wait

April 7, 2008

Online banking is a precarious thing. While it’s great to avoid the line at the bank, the security risks that come with this convenience are immense. Online banking has broken down the geographic and physical limitations that previously prevented fraudsters from thinking global.

To get to the point, there are some really powerful, cleverly designed trojans in the wild, designed to steal hard-earned cash from under our noses.

One that’s had a lot of attention over the last couple of months is SilentBanker. While other banking trojans indiscriminately log keystrokes, take screenshots and/or redirect you to phishing sites, SilentBanker takes a much more tactful and targeted approach.

SilentBanker’s evil genius lies in its ability to dynamically adapt attacks based on which banking site you use. The administrators of this trojan continually create profiles for new banks and, once a bank is profiled, SilentBanker can then perform a host of tricks to swipe cash from unsuspecting users. The most worrying are HTML code injection to prompt users for extra credentials, and the ability to dynamically modify the destination account numbers during live transactions, sending funds to a hacker’s account rather than the intended recipient. In the case of the latter, the user is not presented with any evidence of the fraudulent transaction. Confirmation pages are presented with the original, user-submitted details.

While other attacks will often spike a user’s attention when thousands of dollars go missing from an account, trojans like SilentBanker are much less likely to draw such attention, because they only withdraw the amounts which users themselves specify. There is nothing unexpected, unless the intended recipients of the transactions start asking about the whereabouts of their payments.

The best ways to protect against trojans like this are up-to-date antivirus, a firewall with application control and being alert to any change in the authentication process for your online account.

Symantec has rated SilentBanker as a low risk threat, largely due to its limited distribution, so it’s a case of be alert, not alarmed. However, more will follow.

Symantec have done a good technical write-up:

And Sophos have a write-up on a similar trojan called Zbot:

Hack a Mac: PWN2OWN at CanSecWest

April 1, 2008

A security researcher at a Canadian security conference won over $10,000 in prize money for attacking a completely patched OSX system.

Hackers in the “PWN2OWN” competition at CanSecWest were given the choice of attacking Vista SP1, OSX 10.5.2 or Ubuntu 7.10. The winner of the competition, Charlie Miller, chose OSX as his platform, explaining “it was the easiest one of the three”. He exploited a Safari vulnerability and compromised the system within the space of two minutes.

This doesn’t mean that there will suddenly be a deluge of OSX attacks. Windows is, without doubt, the platform of choice to exploit. Just a heads up for all those Mac users out there.

m0n0wall: DIY Firewall

March 29, 2008

If you have an old PC lying around that you were too lazy to throw out, don’t change your ways in a hurry. It may come in handy. If you have the need, you can turn it into a first-rate NAT firewall router.

Why? Well, sure, you can buy a router for $80 and, to be honest, a cheap D-Link or Linksys router is all you need most of the time. But if that kicks the bucket and you need a replacement, or if you take a look at the m0n0wall GUI and fall in love, you may find this great little firewall is the perfect way to get your Pentium II back in the game.

The reason old machines are perfect for DIY appliances (like m0n0wall) is that, while you won’t have much luck running XP (and Vista, you’d be dreaming) on them, they have ample grunt to run a stripped down Linux/BSD operating system.

m0n0wall is a FreeBSD-based system with a bit of a difference. Its entire boot-time command sequence is done in PHP and all system configuration is stored in an XML file, making it ridiculously resource efficient. Not only that, but the whole install image manages to squeeze in under 6MB. That said, every megabyte sure packs a punch. It does stateful packet filtering, NAT, DHCP, SNMP, IPsec and PPTP VPN, DynDNS, Wake-on-LAN, captive portal and traffic shaping. It also has a great SVG-based traffic grapher and one of the best web GUIs around.

So how do you get it up and running? If you just want to try it or you’re not bothered to do a hard drive install, you can download the CD-ROM image and run it straight from the CD. You can even do this on your primary machine (although not recommended) without it messing with Windows. Just pop a floppy or USB stick in to store the config file.

If you’re using it long term, grab the Generic-PC image. If you need a hand with setup, take a look here.

Bottom line, this product is amazing… and secure… and open source… and free. Give it a try.


ShieldsUP!: Scan Your System

March 22, 2008

This certainly isn’t anything new, but more a reminder to check your router’s security settings.

If you haven’t used it before, ShieldsUP! is a site which will scan some or all of the ports on your internet-facing device and tell you if they are visible to the world. Ideally you want everything “stealth”. If it isn’t and you don’t know why, have a look at your router. The port settings will usually be found under “Firewall”, “Packet Filter” or “Security Rules”.
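The three states ShieldsUP! reports map directly onto how a TCP port answers a connection attempt: a completed handshake means open, a reset means closed, and silence means the router dropped the probe, which is “stealth”. The script below is an added example (not ShieldsUP!’s own code) that makes the same classification with an ordinary TCP connect rather than a raw SYN probe. To get the same view ShieldsUP! has, run it from a machine outside your network against your own router’s public address; the loopback demo at the end only exercises the open and closed cases, because the local kernel always answers.

```python
"""Classify how TCP ports on a host of yours look from the outside.

Added example: a connect()-based version of the open / closed / stealth
check a service like ShieldsUP! performs. Host and ports are whatever
you pass in; nothing here is specific to a particular router.
"""
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe(host, port, timeout=2.0):
    """OPEN: handshake completed (something is listening and reachable).
    CLOSED: the host answered with a reset (reachable, nothing listening).
    STEALTH: no answer within the timeout (the packet was dropped by a filter).
    UNREACHABLE: the network told us the host can't be reached at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return STEALTH
    except OSError:
        return UNREACHABLE
    finally:
        s.close()


def check_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}.

    Anything that is not STEALTH is worth a look at the router's rules:
    OPEN means the world can talk to a service behind that port."""
    return {p: probe(host, p, timeout) for p in ports}


def loopback_demo():
    """Constructed local demo: listen on a random 127.0.0.1 port, probe it
    while it is open, close it, and probe again. Returns the two states seen."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    while_closed = probe("127.0.0.1", port)
    return while_open, while_closed


if __name__ == "__main__":
    print(loopback_demo())
    # Real use, from outside your LAN:  check_ports("<your public IP>", [21, 22, 23, 80, 443, 3389])
```

Because a dropped probe only shows up as a timeout, give the timeout a couple of seconds; a shorter one makes a slow but reachable host look “stealth”.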

UPnP is often the culprit for “unstealthing” ports. UPnP (Universal Plug and Play) is a protocol which lets programs manipulate the router so you don’t have to configure it to work with, say, bittorrent. You rarely need to allow inbound traffic though and, even if you do, it should be configured manually. Once you work out what inbound traffic is/isn’t allowed, you should turn UPnP off.
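Before turning UPnP off, it helps to see what it has already opened. The script below is an added example, not code from any router vendor or from ShieldsUP!: it speaks the standard UPnP Internet Gateway Device protocol (SSDP discovery, then the WANIPConnection or WANPPPConnection service’s GetGenericPortMappingEntry action) to list every inbound mapping the router currently holds. It assumes a gateway that implements IGD version 1 on the LAN; the three XML samples at the bottom are constructed replies used to exercise the parsers offline.

```python
"""List the port mappings a UPnP Internet Gateway Device currently holds.

Flow: an SSDP M-SEARCH (UDP multicast) returns the gateway's description URL;
the description names the WAN connection service's control URL; then
GetGenericPortMappingEntry is called with index 0, 1, 2, ... until the gateway
answers with a SOAP fault (error 713, SpecifiedArrayIndexInvalid = end of table).
"""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")


def _local(tag):
    """Strip an XML namespace: '{urn:...}service' -> 'service'."""
    return tag.rsplit("}", 1)[-1]


def discover_gateway(timeout=2.0):
    """Return the LOCATION (description URL) of the first IGD that answers, or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\n'
           f"ST: {IGD_ST}\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            while True:
                data, _ = s.recvfrom(4096)
                m = re.search(rb"(?im)^LOCATION:\s*(\S+)", data)
                if m:
                    return m.group(1).decode()
        except socket.timeout:
            return None


def find_control_url(description_xml, base_url):
    """Return (serviceType, absolute controlURL) for the WAN connection service, or None."""
    root = ET.fromstring(description_xml)
    for svc in root.iter():
        if _local(svc.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in svc}
        if fields.get("serviceType") in WAN_SERVICES:
            return fields["serviceType"], urljoin(base_url, fields["controlURL"])
    return None


def _soap(control_url, service_type, action, args):
    """POST one SOAP action. A fault arrives as HTTP 500; its body is what tells us why."""
    body = "".join(f"<New{k}>{v}</New{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                f'<u:{action} xmlns:u="{service_type}">{body}</u:{action}></s:Body></s:Envelope>')
    req = urllib.request.Request(control_url, data=envelope.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{action}"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def parse_mapping_response(xml_text):
    """Mapping fields (ExternalPort, Protocol, InternalClient, ...) or None on a SOAP fault."""
    root = ET.fromstring(xml_text)
    if any(_local(e.tag) == "Fault" for e in root.iter()):
        return None
    return {_local(e.tag)[3:]: (e.text or "").strip()
            for e in root.iter() if _local(e.tag).startswith("New")}


def list_port_mappings(control_url, service_type, limit=256):
    """Walk the mapping table by index until the gateway reports the end (fault 713)."""
    mappings = []
    for index in range(limit):
        entry = parse_mapping_response(_soap(control_url, service_type,
                                             "GetGenericPortMappingEntry", {"PortMappingIndex": index}))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


# Constructed samples of gateway replies, so the parsers can be exercised without a router.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<deviceList><device><deviceList><device><serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/ctl/IPConn</controlURL></service></serviceList>
</device></deviceList></device></deviceList></device></root>"""

SAMPLE_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>bittorrent</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>
</detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    location = discover_gateway()
    found = None
    if location:
        desc = urllib.request.urlopen(location, timeout=5).read().decode()
        found = find_control_url(desc, location)
    if not found:
        print("no UPnP gateway answered (fine, if you meant to turn it off)")
    else:
        for m in list_port_mappings(found[1], found[0]):
            print(f"{m['Protocol']} {m['ExternalPort']} -> {m['InternalClient']}:{m['InternalPort']} "
                  f"({m['PortMappingDescription']})")
```

Every line this prints is an inbound hole some program asked the router to open. If the list is empty and the router still shows open ports, the rules were added by hand and live under the firewall or port forwarding page instead.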



March 20, 2008

I can’t understand why Windows has so little control over itself. Specifically, I take issue with the fact that it periodically refuses to terminate processes on demand, usually saying something like:

Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.

Sorry to bother you Windows. How inconsiderate of me.

Unlocker is a tool you can use to get around Windows’ incompetence. It’s a lightweight app that adds a context menu allowing you to unbind files, folders and USB devices from any process or user.

Along with being just plain useful day to day, there’s also a security tie-in. A lot of malware will use this inadequacy in Windows to prevent you or your anti-malware program from removing files. With Unlocker on hand, you can delete or move whatever you like, when you like, without having to boot to Safe Mode or a Linux live CD.


TrueCrypt 5.1a

March 17, 2008

The TrueCrypt team are working overtime adding improvements and bug fixes.

This time they’ve increased boot speed (for system encrypted drives) by ~10% and fixed some system incompatibility issues which could lead to the hibernation file being left unencrypted on particular setups. Good to see them dealing with these issues so quickly, yet another reason TrueCrypt’s such a great product.

TrueCrypt 5.1

March 14, 2008

A few days ago, the TrueCrypt guys released version 5.1 of their stunningly secure and free data encryption utility. The release of TrueCrypt 5.0 added support for system partition encryption, i.e. encrypting every byte on your OS partition, so you have to enter a password before Windows/OSX/Linux boots. 5.1 added hibernation support for this sort of encryption.

Whole disk encryption isn’t a do-or-die for everyone, so here’s my two cents on using TrueCrypt.

USB Sticks: They’re just asking to be lost. If they are, any old sideshow could read through your resume, work documents, love letters and whatever else you keep on it. TrueCrypt has a ‘Traveller Disk’ tool which lets you encrypt some or all of your USB stick. Making a small encrypted file container (an encrypted file which you mount as a drive letter; mine’s 100MB) will give you enough space to lock up your important files, while leaving your videos and mp3s alone. TrueCrypt throws a portable version of the software on your USB stick so you always have it on hand.

External Hard Drives: From a security point of view, these are similar to USB Sticks. They’re small, light and easily stolen/lost. However, you’re likely to store a lot more data on them and the data’s likely to be more important. It’s best to encrypt the whole disk. A couple of caveats though. Unlike system partition encryption, you can’t just click “decrypt disk” to get rid of the encryption. You have to copy the data off the disk, reformat, then copy it back on. Another issue is that if you use your disk on other people’s systems, you’ll have to install TrueCrypt first. If either will cause problems, figure out what needs to be secured and create an encrypted file container.

Laptops: There are a lot of news articles about laptop theft. Because they are so tempting to thieves, it’s probably best to encrypt your whole disk. You could just create an encrypted file container or encrypt your data partition (if you have one), but it’s better to do the whole lot, just in case you have some financial papers or embarrassing photos stored somewhere you’ve forgotten about.

Desktops: The risk of these being lost/stolen is significantly less than laptops or USB sticks, but it still happens. Encrypting your whole disk doesn’t hurt. In fact, according to tests by Steve Gibson, it actually makes your drive run faster in some situations. That said, even though TrueCrypt is phenomenally reliable, encrypting your drive could make it more difficult to recover data from if there is a problem. It’s probably better to create an encrypted file container and mount that. If you have a separate HDD or partition for your data (which is recommended, as it reduces system file fragmentation), you can encrypt the whole thing and have TrueCrypt auto-mount and prompt for a password when you boot up your OS.

Then again, if you don’t store anything private on your computer, don’t bother. But chances are you have at least a few files which are worth the small inconvenience of using TrueCrypt. I highly recommend giving it a try.


Some RFID Cards Cracked

March 11, 2008

I don’t understand why people develop proprietary encryption. Seems like a lot of effort for no gain. AES is rock solid and there are a number of secure hashing standards… and they’re free to use.

Here’s the reason this issue has come up. NXP Semiconductors, an RFID access card manufacturer, have sold over a billion of their ‘Mifare Classic’ RFID cards. Recently, some University of Virginia researchers physically opened one of these cards and, using a microscope to analyse the physical logic gates, worked out the proprietary algorithm. It’s called ‘Crypto1’.

Turns out Crypto1 is a dud. It produces cryptographically weak output, allowing an attacker to guess the key in a matter of minutes. Because it’s RFID, an attacker doesn’t even need physical access to the card. Seeing as these cards are potentially used as access tokens for buildings around the world, this could be a threat to your company’s security. We may never know how big this issue becomes, seeing as it would be unwise to publicly announce that you use a broken security technology.

The point here is that companies shouldn’t use proprietary security. They should use open standards like AES, which has been pounded on, without fault, for years. Security through obscurity is a poor practice.

To the credit of NXP, they have now released the ‘Mifare Plus’, which is backwards-compatible with the ‘Classic’ system, and supports AES. It ain’t a free upgrade though.

Browser Vulnerabilities

March 8, 2008

I just checked some browser security stats on Secunia. Not surprisingly, Internet Explorer 7 holds the crown for the most unpatched vulnerabilities at the moment. At the time of writing, it has 7 unpatched out of the 22 which have been made public since its release. Firefox 2 comes in second, with 4 unpatched out of 21 public vulnerabilities.

My favourite browser, Opera 9, has zero unpatched flaws, and has only had 14 known flaws since release.




More details here: IE7 , Firefox 2, Opera 9

Frozen Memory Hack

March 5, 2008

A bunch of Princeton researchers figured out that your RAM actually keeps data, once the power’s cut, for a lot longer than commonly thought. They also worked out that if you flip a compressed air can and spray it on the RAM chip, it will retain data for an even longer period of time. They then developed a tool that can boot from a USB device and steal encryption keys (which are stored in RAM) for whole disk encryption tools like TrueCrypt, Windows BitLocker and Mac FileVault.

Should we be concerned? Not really.

For one, a hacker needs physical access to your computer, and, unless you’ve got something super valuable on your computer (that someone else knows about), no one is going to bother going to all the effort. In any case, if your computer was on, surely they’d just access the data on the spot… or steal the whole thing. The other thing is, after about a minute, the data is as good as gone from your RAM, so if anyone’s concerned about it, the problem can be solved by just hanging around for a minute or two after you switch your machine off. Furthermore, this only really affects whole disk or system partition encryption. If you store your really important files in an encrypted volume file (with TrueCrypt), the encryption key will be securely erased when you unmount. Hence, this attack wouldn’t work.
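The reason a file container sidesteps the cold boot attack is a discipline, not magic: the volume key is derived when you mount, lives in RAM only while the volume is mounted, and is overwritten in place when you unmount, so there is nothing left for a memory dump to find. The toy below is an added illustration of that discipline, not TrueCrypt’s code. It stands in HMAC-SHA256 in counter mode for the real cipher (so it needs only the standard library; a real volume uses AES in XTS mode, which also avoids the keystream reuse this toy has when a sector is rewritten), and the password and salt are constructed values. One honest caveat, stated in the code too: Python cannot promise that no transient copy of the key exists elsewhere (the bytes the KDF returns, for instance); the wipe covers the buffer the container controls.

```python
"""Toy file container: the key is in RAM only between mount() and unmount().

Added example, not TrueCrypt code. HMAC-SHA256 in counter mode stands in for
the real block cipher so the whole thing runs on the standard library.
"""
import ctypes
import hashlib
import hmac

SECTOR_SIZE = 512


def wipe(buf):
    """Zero a bytearray in place through libc memset.

    Caveat: this only erases the buffer we own. Python may hold other transient
    copies of key material (e.g. the immutable bytes a KDF returned), so treat
    this as the policy a real volume implements in C, not as a guarantee here."""
    view = (ctypes.c_char * len(buf)).from_buffer(buf)  # shares memory with buf
    ctypes.memset(view, 0, len(buf))
    del view  # release the buffer export so buf is resizable again


class FileContainer:
    def __init__(self, password, salt, sectors=8):
        self._password = password
        self.salt = salt
        self.key = None          # bytearray while mounted, None when not
        self.key_buffer = None   # last key buffer, kept so the wipe can be verified
        self.sectors = [bytes(SECTOR_SIZE)] * sectors   # ciphertext on "disk"

    def mount(self):
        """Derive the volume key from the password into a buffer we can later wipe."""
        derived = hashlib.pbkdf2_hmac("sha256", self._password.encode(), self.salt, 200_000)
        self.key = bytearray(derived)   # mutable copy: this is what unmount() zeroes
        self.key_buffer = self.key
        del derived

    def unmount(self):
        """Forget the key: overwrite it in RAM, then drop the reference."""
        if self.key is not None:
            wipe(self.key)
            self.key = None

    def _keystream(self, sector):
        if self.key is None:
            raise RuntimeError("volume is not mounted: no key in memory")
        out = bytearray()
        counter = 0
        while len(out) < SECTOR_SIZE:
            msg = sector.to_bytes(8, "big") + counter.to_bytes(8, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()   # bytearray key, no copy made here
            counter += 1
        return bytes(out[:SECTOR_SIZE])

    def write_sector(self, sector, plaintext):
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("sector must be exactly SECTOR_SIZE bytes")
        ks = self._keystream(sector)
        self.sectors[sector] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read_sector(self, sector):
        ks = self._keystream(sector)
        return bytes(a ^ b for a, b in zip(self.sectors[sector], ks))


def key_is_wiped(container):
    """True when the container holds no key and its old key buffer reads as all zeros."""
    return (container.key is None and container.key_buffer is not None
            and all(b == 0 for b in container.key_buffer))


if __name__ == "__main__":
    c = FileContainer("correct horse battery", b"constructed-salt")   # constructed values
    c.mount()
    c.write_sector(0, b"tax return 2007".ljust(SECTOR_SIZE, b"\x00"))
    c.unmount()
    print("key wiped after unmount:", key_is_wiped(c))
    c.mount()
    print("data still readable after remount:", c.read_sector(0)[:15])
```

Mounting again re-derives the same key from the password, so the ciphertext written earlier decrypts fine; between unmount and remount the key simply isn’t anywhere in RAM to be frozen.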

The only everyday situation where I could see this being a problem is if you have particularly untrustworthy co-workers. They could perform this hack while you take a toilet break and then, with knowledge of the key, access your computer at a later date. They could also use Winlockpwn to bypass your Windows password.

To sum up, it’s annoying that this is possible, but it won’t really affect most people. Congrats to the Princeton guys though. This is some very clever engineering.