Archive

Archive for the ‘Security’ Category

Massive International Computer Spying Operation Uncovered

March 30th, 2009 Dave W No comments

Researchers have found a huge electronic spying operation that has infiltrated computers and stolen documents from government and private offices around the world, including those of the Dalai Lama.

In a report provided to the New York Times, a team from the Munk Centre for International Studies in Toronto said at least 1,295 computers in 103 countries had been breached in less than two years by the spy system, which has been dubbed “GhostNet”.

Embassies, foreign ministries, government offices and the Dalai Lama’s Tibetan exile centres in India, Brussels, London and New York were among those infiltrated, said the researchers, who have detected computer espionage in the past.

The researchers came to the conclusion that computers based almost exclusively in China were responsible for the intrusions, although they stopped short of saying the Chinese Government was involved in the system, which they said was still active.

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald Deibert, a member of the research group. “This could well be the CIA or the Russians. It’s a murky realm that we’re lifting the lid on.”

A spokesman for the Chinese Consulate in New York dismissed the idea China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, told the Times. “The Chinese Government is opposed to and strictly forbids any cybercrime.”

The researchers began investigating after a request from the office of the Dalai Lama, the exiled Tibetan spiritual leader, to examine its computers for signs of malicious software, or malware.

The network they found possessed remarkable “Big Brother-style” capabilities, allowing it, among other things, to turn on the camera and audio-recording functions of infected computers for potential in-room monitoring, the report said.

The system was focused on the governments of South Asian and Southeast Asian nations and the Dalai Lama, while computers at the Indian Embassy in Washington were infiltrated and a NATO computer was also being monitored.

Categories: News, Security Tags:

Chrome tarnished by early flaws

September 7th, 2008 Dave W 1 comment

Just a few days after its public release, vulnerabilities in Google’s Chrome browser have already been publicised. The consequences of an attack could range from an application crash to remote malware installation.

The first vulnerability was found on Wednesday by researcher Aviv Raff, who discovered that the browser was open to a highly-publicised ‘carpet bombing’ attack first found in Safari. The Safari hole was patched earlier this year, but because Chrome uses Apple’s WebKit software, the flaw has reappeared in the Google browser.

A proof of concept page was published demonstrating how an attacker could embed malicious code on a web page and then use it to conduct a remote malware installation with a separate specially-crafted Java applet.

Then researchers Rishi Narang and Jan de Mooij posted separate reports of a vulnerability in the browser’s chromium.dll component that was exposed through the browser’s URL bar. The flaw can be made to cause an application crash, though neither report mentioned the possibility of remote code execution.

Categories: Google, Internet, Security Tags:

Deny User Access to a Website Using Squid

August 31st, 2008 Dave W 4 comments

There is often a requirement to block or deny user access to certain websites, and this post shows how administrators can use Squid to achieve this:

Squid is a popular open source web proxy and web caching server. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other network lookups for groups of people sharing network resources, and (of most interest for the purposes of this post) enforcing an access policy by filtering traffic. It was originally intended for Unix/Linux but has been ported to a number of platforms.

Squid has a powerful ACL (access control list) system. Its primary use is to implement access control, and that is what we use here to deny users access to a particular site.

To do this we edit the Squid configuration file, e.g.:

# vi /etc/squid/squid.conf

Find the ‘Access Controls’ section and add the following lines (in this example we are blocking access to ‘nastysite.com’). The leading dot in the dstdomain value makes the ACL match nastysite.com and every subdomain of it; without the dot only that exact hostname matches. The deny line must come before any http_access allow line that would otherwise match your clients (such as the stock rule allowing your local network), because Squid applies the first http_access line that matches a request and ignores the rest:
acl badsite dstdomain .nastysite.com
http_access deny badsite

Save and close the file, and then restart Squid:
# /etc/init.d/squid restart

If required, you can list more than one domain in the same ACL:
acl badsite dstdomain .nastysite.com  .anothernastysite.com
http_access deny badsite

You can also use regular expressions to block access to a group of sites. For example, to deny access to any URL that contains the string “twitter” (the -i makes the match case-insensitive), use the following ACL lines:
acl badsitegroup url_regex -i twitter
http_access deny badsitegroup

Note that url_regex is applied to the whole URL, not just the hostname, so a loose pattern like this also blocks pages on unrelated sites whose path merely contains the word. For HTTPS the proxy only sees the CONNECT request’s host and port, so only the hostname can be matched. Finally, the filter is only effective for clients that actually go through the proxy: direct outbound HTTP/HTTPS from the workstations should be blocked at the firewall.
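To see how these rules behave before putting them on a live proxy, here is an added example (not code from this post or from Squid) that simulates Squid’s http_access evaluation in Python for the src, dstdomain and url_regex ACL types, using Squid’s documented semantics: first matching line wins, a dstdomain value with a leading dot covers the domain and its subdomains, and url_regex runs over the whole URL. The config fragments, the hostnames and the 10.0.0.0/8 “localnet” range are constructed for the demo; it shows the deny rules working when placed before the allow line, the same block silently failing when appended after it, and the difference between .nastysite.com and an exact hostname.

```python
"""Offline simulation of Squid http_access evaluation (added example,
not Squid's own code) for the 'src', 'dstdomain' and 'url_regex' ACL types."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed config: deny rules placed BEFORE the general allow, as they must be.
# 'localnet' stands in for the allow rule found in a stock squid.conf.
SQUID_CONF = """
acl localnet src 10.0.0.0/8
acl badsite dstdomain .nastysite.com .anothernastysite.com
acl exacthost dstdomain badhost.example
acl badsitegroup url_regex -i twitter
http_access deny badsite
http_access deny exacthost
http_access deny badsitegroup
http_access allow localnet
http_access deny all
"""

# Same rules with the deny lines appended AFTER 'allow localnet': for a LAN
# client the allow line matches first and the blocks never fire.
SQUID_CONF_WRONG_ORDER = """
acl localnet src 10.0.0.0/8
acl badsite dstdomain .nastysite.com
http_access allow localnet
http_access deny badsite
http_access deny all
"""


def parse_conf(text):
    """Collect 'acl' definitions and 'http_access' lines, in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            flags = [v for v in values if v.startswith("-")]
            values = [v for v in values if not v.startswith("-")]
            acls.setdefault(name, []).append((kind, flags, values))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def dstdomain_match(pattern, host):
    """Leading dot: the domain and all its subdomains; otherwise exact host."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, name, client_ip, url):
    if name == "all":                       # Squid's built-in 'all' ACL
        return True
    host = urlsplit(url).hostname or ""
    for kind, flags, values in acls[name]:
        if kind == "dstdomain" and any(dstdomain_match(v, host) for v in values):
            return True
        if kind == "url_regex":             # applied to the whole URL
            re_flags = re.IGNORECASE if "-i" in flags else 0
            if any(re.search(v, url, re_flags) for v in values):
                return True
        if kind == "src":
            ip = ipaddress.ip_address(client_ip)
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
    return False


def http_access(conf_text, client_ip, url):
    """Return 'allow' or 'deny' for one request; first matching line wins."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        # Every ACL on a line must match (AND); a leading '!' negates an ACL.
        if all(acl_matches(acls, n.lstrip("!"), client_ip, url) != n.startswith("!")
               for n in names):
            return action
    # No line matched: Squid uses the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    lan = "10.1.2.3"
    for url in ("http://www.nastysite.com/", "http://notnastysite.com/",
                "http://www.badhost.example/", "http://example.com/twitter-button.js"):
        print(f"{url:45} -> {http_access(SQUID_CONF, lan, url)}")
    print("misordered:", http_access(SQUID_CONF_WRONG_ORDER, lan, "http://www.nastysite.com/"))
```

On the real proxy, check the edited file with squid -k parse, reload it with squid -k reconfigure (or the restart above), and confirm from a client with curl -x http://proxy:3128 http://www.nastysite.com/ (substitute your proxy’s address), which should come back with Squid’s 403 ‘Access Denied’ page.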

More information on Squid commands can be found at: http://wiki.squid-cache.org/FrontPage


Vista Security exploit – without the hype

August 18th, 2008 Dave W No comments

There’s been some wild and panicky stuff in some of the Tech press lately about a potential exploit that could bypass Vista’s security model. It all sounds pretty drastic but please bear in mind that most reports have been pretty sensationalist about it.

A ZDNet blog post contains a bit more ‘measured’ information about it along with responses from one of the guys who reported the exploit.


Microsoft August update contains several critical fixes

August 11th, 2008 Dave W No comments

The August update from Microsoft is likely to contain a number of critical and major fixes.

The update will include seven items rated as ‘critical’, the highest of Microsoft’s security alert levels. All of these will address issues that may allow an attacker to remotely execute code on a targeted system.

Four of the critical fixes relate to Office issues, one addresses critical flaws in Windows 2000, XP and Server 2003, another fixes a critical issue in Windows Media Player while the last addresses a critical vulnerability in Internet Explorer.

Also planned are five fixes rated as ‘important’. The patches include two remote code execution flaws in Windows and one in Office. The other two updates address information disclosure vulnerabilities found in Windows Messenger, Outlook Express and Windows itself.

The company plans to release the update on Tuesday 12th August. The release will also include non-security updates for the Windows Malicious Software Removal Tool and the Windows Update, Microsoft Update and Software Update Services


DNS cache poisoning exploit released

July 25th, 2008 Dave W No comments

A quick note to warn you that the first exploit code for the recently announced DNS cache poisoning vulnerability has been released. While most users will be relying on their ISP etc. to patch their resolvers, you should also make sure that you have applied any required OS patches/updates (e.g. Windows Security Bulletin MS08-037).

Also note that while attackers may be able to redirect you to a bogus IP address, they cannot obtain a certificate for the bank’s hostname from a certificate authority your browser trusts. So if you go to your online banking site and find yourself on an ‘http’ page, or you get the IE7 warning page about an untrusted or mismatched certificate, you should be careful. Many sites use shared certificates that do not match their hostname, so the warning is quite common elsewhere, but you should never expect to see it when using online banking or similar.


Categories: Internet, News, Security Tags:

Blackberry security flaw

July 16th, 2008 Dave W No comments

Research in Motion, makers of the Blackberry, has warned businesses to disable the function which allows a BlackBerry to read PDF files, after a security flaw was found in the software.

A “high” severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF files may be used to compromise a network. RIM disclosed the flaw last week but is yet to issue a patch, stating that no timeframe for a fix was available.

Until then, customers are advised to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw lies in how the service processes PDF files, and can be exploited via a maliciously crafted PDF.

Vulnerable systems are BES software versions 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5).

“If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer,” RIM states on its advisory.

According to Sense of Security’s principal consultant, Jason Edelstein, this means that corporate networks are at risk from the flaw. Most organisations place the BES on key internal networks, alongside systems such as email servers, giving it privileged access to other computers on that network.

“Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM’s servers based in Canada,” he said.

“If someone loses their device and it’s not locked in some way, you could browse internally to that company’s Web-based resources,” he said.

“The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources — if it comes up on the BlackBerry and you know it’s not published on the internet, that should raise alarm bells.”

Blackberry/RIM Knowledgebase article


Kaspersky Seeking Security & Cryptography Experts to Crack 1024 bit Encryption Key

June 11th, 2008 Dave W No comments

Security research firm Kaspersky Lab is calling on security and cryptography experts to join forces in an effort to crack a blackmailing virus that employs a currently unbreakable 1024-bit encryption key.

The virus, which has been dubbed ‘Gpcode’, infiltrates a user’s computer via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1024 bit key and then demands money from the user to obtain the decryption key.

The malware is a revision of a previous virus, thought to be from the same author, which appeared two years ago but only used a 660 bit key.

Categories: News, Security Tags:

Ransomware Virus Uses 1024-bit Key

June 7th, 2008 Dave W No comments

Security specialists are warning of a new virus that encrypts data on infected machines and demands money for the decryption key.

‘Gpcode’ is thought to access PCs via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1024-bit key.

Once all the files have been encrypted a ReadMe file is left on the machine giving an email address to send money in order to get the decryption key.

Categories: News, Security Tags:

Government Launches Free Subscription Based Security Alert Service

June 6th, 2008 Dave W No comments

The Federal Government kicked off National E-security Week today with the launch of a new security alert service for internet users and small businesses.

The National E-security Awareness Week is a Government initiative aimed at boosting awareness of e-security risks.

The alert service, announced today, is a free subscription-based service that provides vulnerability and threat information while advising users how to manage outbreaks.

“I am pleased to announce the new Stay Smart Online Alert Service with up-to-date advice on the latest e-security risks tailored for Australian internet users,” said Communications Minister Stephen Conroy.

Categories: News, Security Tags:

WebMarshall Gateway Solution Upgraded to Version 6.1

May 30th, 2008 Dave W No comments

Email and web gateway security provider Marshal has updated its WebMarshal gateway solution.

WebMarshal 6.1, announced today, enables granular policy control and HTTPS content scanning, and includes new tools designed to make it easy to block web staples such as streaming videos and chat.

“Not only does WebMarshal 6.1 add HTTPS content scanning, closing a potential loophole for viruses to enter and confidential information to leave an organisation,” said Bradley Anstis, Vice President of Products at Marshal, “but it also provides greater control over employee use of instant messaging and streaming media, which can be a serious drain on both productivity and bandwidth”.

The firm also cited improved integration with Microsoft Internet Security and Acceleration Server, which it said will make deployment easier.

Categories: News, Security Tags:

Panda Security Upgraded to Version 2.0

May 30th, 2008 Dave W No comments

Panda Security has upgraded its online malware scanner, ActiveScan to version 2.0. Panda said the upgrade was a response to “the growing complexity of modular-built intelligent malware, such as rootkits.”

ActiveScan 2.0 draws on Panda’s flagship ‘Collective Intelligence’ infrastructure, which takes security and malware information directly from its user community.

In this upgrade ActiveScan stores “collected behavioural patterns of programs, file traces, and any new malware samples gathered globally, which are then automatically analysed, classified and correlated with PandaLabs’ malware knowledge base.”

When new malware is found, Panda’s system generates ‘vaccines’ to disinfect affected machines. To try out the system users are directed to the Panda URL, www.infectedornot.com. The site allows single PCs, and even entire company networks, to be scanned for malware.

Panda added that ActiveScan 2.0 “is compatible with all antivirus programs in the AV market,” and can use both Internet Explorer and Firefox web browsers.

Categories: News, Security Tags:

BitDefender issues fix for IE7 printing bug

May 26th, 2008 Dave W No comments

Security firm BitDefender claims to be the first to issue an update to protect against a new vulnerability in Microsoft’s Internet Explorer 7.

Researchers issued a signature update to protect users against a flaw in the way IE7 parses web pages in preparation for printing.

The bug could allow a remote attacker to execute arbitrary code on a victim’s machine if the victim prints a specially-crafted web page with the ‘Print table of links’ option enabled.

The vulnerability was discovered by independent security researcher Aviv Raff, who also released proof-of-concept code.

Categories: News, Security Tags:

Debian, Ubuntu Flawed For Two Years

May 21st, 2008 Dave W No comments

A research posting to the Debian security list last week has led to the confirmation of a serious hole in two flavours of the open source Linux operating system.

Frederick Lee, a researcher at security company Fortify, said that the flaw, which affects Ubuntu as well as Debian, had been “seriously underestimated” as it makes the Secure Sockets Layer (SSL) implementation of the two Linux systems vulnerable to malicious attack.

“We’re calling this vulnerability ‘insecure randomness’ since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions,” he said.

Lee reckons that the flaw, a change to the distributions’ OpenSSL package that crippled the random number generator used when keys are generated (leaving the process ID as almost the only varying input, so that every key made on an affected system comes from a small, enumerable set), could be used to intercept traffic between a user and a supposedly secure site such as an online banking site.
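As an added illustration (not code from the article, from Fortify or from OpenSSL), the toy model below shows why a key generator whose only entropy is the process ID is fatal: with at most 32768 PIDs (an assumption matching the traditional Linux range) an attacker can precompute every key pair the generator can ever produce and recover a private key from its public half, and a defender can turn the same enumeration into a blacklist of fingerprints to reject. The keys are SHA-256 stand-ins rather than RSA keys; the enumeration, not the key format, is the point.

```python
"""Toy model of the Debian/Ubuntu OpenSSL 'insecure randomness' flaw
(added example, not code from the article or from OpenSSL)."""
import hashlib
import os

PID_MAX = 32768  # assumption: traditional Linux pid range 0..32767


def weak_keygen(pid):
    """Key generation with the PID as the only entropy source (the flaw's model).

    Returns (private_key, public_key) as hex strings. Keys are SHA-256
    stand-ins, not RSA; what matters is that only PID_MAX pairs can exist.
    """
    priv = hashlib.sha256(b"priv" + pid.to_bytes(4, "big")).digest()
    pub = hashlib.sha256(b"pub" + priv).digest()
    return priv.hex(), pub.hex()


def strong_keygen():
    """The correct construction: seed from the OS CSPRNG instead of the PID."""
    priv = hashlib.sha256(b"priv" + os.urandom(32)).digest()
    pub = hashlib.sha256(b"pub" + priv).digest()
    return priv.hex(), pub.hex()


def fingerprint(pub_hex):
    """Short fingerprint of a public key, as a blacklist would store it."""
    return hashlib.sha256(bytes.fromhex(pub_hex)).hexdigest()[:20]


def build_blacklist():
    """Fingerprint -> pid for every key the weak generator can produce.

    This is the whole attack surface: PID_MAX hashes, computed once.
    """
    return {fingerprint(weak_keygen(pid)[1]): pid for pid in range(PID_MAX)}


def recover_private_key(pub_hex, blacklist):
    """Attacker's side: given only a public key, look up which PID produced it
    and regenerate the private key. Returns None if the key is not weak."""
    pid = blacklist.get(fingerprint(pub_hex))
    return None if pid is None else weak_keygen(pid)[0]


def is_weak(pub_hex, blacklist):
    """Defender's side: reject any key that appears in the precomputed set."""
    return fingerprint(pub_hex) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    priv, pub = weak_keygen(4242)   # a server that generated its key on a flawed box
    print("weak private key recovered:", recover_private_key(pub, bl) == priv)
    _, good_pub = strong_keygen()
    print("properly generated key flagged:", is_weak(good_pub, bl))
```

The real-world equivalents of build_blacklist and is_weak were the openssl-blacklist packages and key checkers the distributions shipped after the disclosure: because the weak keyspace is small enough to enumerate, every affected key can be listed and refused, which is why regenerating all keys and certificates made on affected systems was the only complete fix.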

Categories: Debian, Linux, News, Security, Ubuntu Tags:

Aussie Bank Account Details Stolen and Sold

May 16th, 2008 Dave W 1 comment

Cybercriminals are stealing bank login details from Australian online bankers and selling the data on European black markets for as much as €550 ($913).

A bundle package that includes personal information and personal bank details from Commonwealth Bank, ANZ, Suncorp and Bank West account holders is going for €550, according to McAfee Avert Labs’ research.

Prices depend on what’s on offer such as available balance, bank organisation and country. And as in the legitimate world, quality costs more.

“My investigations led me to visit a site proposing top-quality data for a higher price than usual,” wrote researcher Francois Paget, in the Avert Labs blog.

Categories: News, Security Tags: