Tech News Weekly: Edition 12-09

[Ehtyar]

The Weekly Tech News

Hi all. Sorry for the short one this week folks, there just wasn't enough stuff to fill the usual 10 slots but I hope you like the choices this week As usual, you can find last week's news here.

1. New DNS Trojan Taints Entire LAN from Single Box

Spoiler

http://www.theregister.co.uk/2009/03/16/dns_hijacking_trojan/
http://arstechnica.com/security/news/2009/03/new-version-of-dns-server-trojan-flushm-spotted-in-the-pipe.ars
Not entirely new per-se, but certainly improved. A recently discovered variant of Trojan.Flush.M is running amok, poisoning the DNS of machines connected over LAN via establishment of a rogue DNS server.

Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems.

Once activated, the trojan sets up a rogue DHCP, or dynamic host configuration protocol, server on the host machine. From there, other devices using the same LAN are tricked into using a malicious domain name system server, instead of the one set up by the network administrator. The rogue DNS server sends the devices to fraudulent websites that in many cases can be hard to identify as impostors.

2. Air France Trials Biometric Boarding Cards

Spoiler

http://www.theregister.co.uk/2009/03/19/france_fingerprint_cards/
Airline Air France is trialling a new boarding pass system that uses RFID coupled with fingerprint ID to permit automated boarding of aircraft.

Air France has started trialling RFID-equipped smartcards which store passenger fingerprints to allow automated boarding.

The card contains an encrypted version of forefinger and thumb prints. It can be used at a dedicated gate, which checks the card, compares it to the passenger's finger or thumb print and, assuming the dabs match, opens the gate.

3.  Intel CPU-level Exploit Could Be Tempest in a Teapot

Spoiler

http://arstechnica.com/security/news/2009/03/storm-over-intel-cpu-security-could-be-tempest-in-a-teapot.ars
http://www.theregister.co.uk/2009/03/19/intel_chip_vuln/
http://www.internetnews.com/hardware/article.php/3811311/Researchers+Warn+on+Security+Flaw+in+x86+Chips.htm
A flaw in Intel's recent CPU designs could allow code to be executed with System Management Mode privileges, which would make it practically undetectable by any current form of antivirus scanning.

Johanna Rutkowska of Invisible Things Lab has been making headlines ever since she announced her development of a seemingly undetectable rootkit she dubbed "Blue Pill." While that project is now defunct, Rutkowska has continued her research into hardware virtualization technology. Her more recent efforts have focused on Intel platforms and the company's Trusted Execution Technology; Intel released a BIOS update to fix several security vulnerabilities Invisible Things Lab discovered back in August of 2008. On Thursday, March 19, Rutkowska and fellow team member Rafal Wojtczuk released details of yet another Intel-focused exploit—is the CPU manufacturer's security sandbox not up to snuff?

Before we discuss the flaw in particular, let's take a quick moment and review the ring security model. The term "ring" refers to protective rings that encircle the OS kernel. Ring 3 (defined as "Applications" in the diagram below) is where users and programs should spend the vast majority of their time. Applications should never need access to Ring 0 or kernel mode, as it amounts to writing the application a literal carte blanche to modify, change, or delete anything it wants. One of the features Intel's Vanderpool (VT) technology offers is the ability to virtualize an OS starting from what we might call "Ring -1." An OS launched from Ring -1 can therefore run its own Ring 0 operations and is more effectively sandboxed from the host operating system.

4. EFF Shines Sunlight On Docs It Has "pried" from the Feds

Spoiler

http://arstechnica.com/tech-policy/news/2009/03/its-sunshine-week-a-nonpartisan.ars
The Electronic Frontier Foundation has scanned and made available online all documents it has retried through FOI requests from the government as a part of Sunshine Week 2009, a call for greater government transparency.

It's Sunshine Week, a nonpartisan celebration of (and request for) government transparency. Most of transparency concerns aren't technical in nature—open meetings and open records law are two of the biggies—but the Electronic Frontier Foundation's contribution to Sunshine Week looks to be a boon to tech journalists and advocacy groups.

The EFF has put its entire archive of government documents online. These have been "pried loose from secretive government agencies" through Freedom of Information Act requests and lawsuits over the years, but EFF has scanned and indexed all of them, then created a custom search engine to make browsing or digging much easier.

5. First Rule of Internet Censorship: Hide the Block List

Spoiler

http://arstechnica.com/tech-policy/news/2009/03/first-rule-of-internet-censorship-hide-the-block-list.ars
Discussion started by Ehtyar: https://www.donationcoder.com/forum/index.php?topic=17511.0
A list of soon-to-be-blocked websites for Australian Internet users has been leaked to the public by an insider from the Australian Communications and Media Authority.

Australia's telecom regulator, the Australian Communications and Media Authority (ACMA), has the authority to blacklist Internet sites, authority used almost exclusively to address childhood sex pictures (children's rights groups don't like the "child porn" label, which suggests a degree of agency that children involved in the practice don't have). But it also came to light recently that ACMA is willing to blacklist pages that simply list the censored websites, even though they contain no offensive images.

The Sydney Morning Herald noted today that ACMA's blacklist even includes certain Wikileaks pages, including a list of Denmark's censored websites (3,863 blocked). The page is apparently included on the theory that a massive list of sites with "lolita" and "youngyoung" in the their domain names is basically an invitation to Australians who might not otherwise know where to go to get an underage fix.

6. Browsers Bashed First in Hacking Contest

Spoiler

http://www.securityfocus.com/news/11549
Most of the major browsers were first to fall in the Pwn2Own hacking contest, with Google Chrome the last man standing after the first day of hacking.

Miller — a principal analyst at Independent Security Evaluators — found two flaws in Apple's Safari Web browser more than a year ago and prepped the easier-to-exploit issue for last year's competition, he said. Following an announcement that this year's contest would focus on browsers as well as mobile devices, Miller more fully researched the leftover security flaw and found that it remained exploitable.

"I found this bug ... last year, but like all good researchers, I sat on the issue," he said after being declared the first winner.

Following Miller's reprise, a computer-science student from Oldenburg University in Germany captured a pint-sized Sony Vaio computer and his own $5,000 by exploiting a previously unreported vulnerability in Internet Explorer 8. The student, who would only give his first name "Nils," declined requests for an interview until he also had a chance to attack the other browsers as well.

7. What IBM Might Gain by Buying Sun Microsystems (Thanks 40hz)

Spoiler

http://arstechnica.com/business/news/2009/03/report-ibm-eyes-sun.ars
http://www.linuxinsider.com/story/Sun-IBM-Deal-Just-Doesnt-Add-Up-66534.html
It appears Sun Microsystems has been looking to sell up with their books in poor shape, and IBM has apparently taken an interest. Hopefully 40hz will weigh in with his opinion, as he has an interesting opinion on the subject.

A report in today's Wall Street Journal claims that Sun's execs have been shopping the company around recently and that IBM is an interested party. The report indicates that if the talks between the two companies go well, a deal could be announced fairly soon. The number allegedly being floated by IBM is $10 to $11 per share for Sun, which would put the total size of the deal at $8 billion.

Assuming that IBM is actually interested in buying Sun, the obvious question is "why?" There is a ton of overlap between the two companies' product lines, so it's hard to see a lot of complementarity there. In fact, such a deal would seem overwhelmingly to be about one thing for IBM: shrinking the competition. Suns execs would pocket fat bonuses, and the former Silicon Valley high-flyer would be chopped up and absorbed into the belly of the Big Blue beast. Parts of Sun's business with no volume and hence no real future in the present market (things like the SPARC processor family) would be end-of-lifed, while some software assets and other IP could be picked up and used by IBM.

8. Boffins Sniff Keystrokes With Lasers, Oscilloscopes

Spoiler

http://www.theregister.co.uk/2009/03/19/keyboard_sniffing_demo/
Security researchers continue to develop less obtrusive methods of keylogging. One method uses a laser microphone, the other reads electrical pattern changes effected by keystrokes.

CanSecWest Researchers have devised two novel ways to eavesdrop on people as they enter passwords, emails, and other sensitive information into computers, even when they're not connected to the internet or other networks.

Exploiting vibrational patterns and electromagnetic pulses that emanate with every character entered, the Italian researchers are able to remotely sniff keystrokes from significant distances. The techniques use inexpensive equipment and can be hard for targets to detect, making them ideal for snooping on unsuspecting people in the office or building next door.

Ehtyar.

[f0dder]

#3 is interesting - theoretically, being able to run your code in SMM means you have 100% control over the machine; one of the interesting features of SMM is that you can trap port I/O... so, basically, if you could inject malware into the flash BIOS and use this SMM hack, you could trap the port I/O necessary to reflash the BIOS, and thus make the malware resilient to removal. This would be coupled with a custom hypervisor to avoid detection, and *b00m* - game over.

In practice, though, there's so much machine-specific stuff needed that this won't be a general threat. And it's not exactly a simple task being undetectable, even when you have a hypervisor... there's so many possible detection vectors.

[tomos]

thanks Ethyar

a good few interesting reads this week, even for non-techies like me (2,3,5,6,8)
Laugh of the week supplied by the title "First Rule of Internet Censorship: Hide the Block List"

[allen]

I was just about to post a thread on #6, glad I ran a search for pwn2own -- saved me from redundancy.

I was surprised Chrome survived while Safari did not -- I was honestly starting to wonder if there was that much difference under the hood between the two.  Guess so?

A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browser are susceptible to security bugs despite the vigilance and engineering prowess of their creators. Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google’s Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.
Source: ars technica

[Lashiec]

I'm very worried about the direction Pwn2Own took this year, with statements like this:

These contests contribute to the growing culture of commercialism that surrounds the art of exploitation. In an interview with ZDNet, Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year. This is part of his new philosophy, he says, which is that bugs shouldn't be disclosed to vendors for free.

"I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."

Be glad nobody found a way to exploit the vulnerability during a whole year

[allen]

That is a bit disconcerting.  I'd lump it in with taking performance enhancing drugs, 'morally'.

I've never considered bug reports to be donating anything to the company -- if it gets fixed, then I benefit.  And the rest of the end users do, too.  Of course, I've never been sitting on a bug I could call a real gold winner.  I might sit on that, too

[ewemoa]

Thanks again, Ehtyar

Re: 1  Sigh...

Re: 6  Good point Lashiec.

Re: 7  s/IMB/IBM/ ?

Re: 8  Memories of Sun Sparc Station 20s with microphones and eavesdropping...

[Ehtyar]

Woohoo, retardedness on the roll. Thanks again ewe.

Ehtyar.