Re: Flame: Massive cyber-attack discovered, researchers say
It seems it would take a lot, mostly ignorance, to allow the installation of this in the first place. Depending on where you look around the Internet, some people are "buying into" this hype like it's the second coming of the computer-infesting antichri$t. BTW, looking at all those .ocx files it loads, AppLocker with DLL restrictions enforced should stop it cold.
The new standard in software development now is: who cares about computer security when there are a lot of resources available in the latest computers for disposal? Just take it all, or as much as you can.
That's true not only in the desktop world but in the embedded world as well.
About 10 years ago I was working for a company that used an 8051-based microcontroller (God, I hate them!) with 16KB (16,384 bytes) of (EP)ROM and 1KB (1,024 bytes) of RAM. We were interviewing candidates for an embedded firmware developer position, and this one guy asked why we weren't writing our code in Java! Needless to say, he didn't get the job.
These days we have GB of RAM and TB of HD, yet it still manages to be eaten up. I swear that many developers have stock in semiconductor/disk manufacturers.
Might as well have run a headline saying it's tied to HP, Dell or Apple since it's more than likely that the code was written using one of their products.
I am thinking the makers of WD-40 might be at the bottom of this whole thing.
Funnily enough, because I don't want to sound paranoid: when I first came here asking and pushing till WCB got sick of me, I found then, on Win XP SP1 and dial-up, that there seemed to be something running on the computer, because the web site history did not match where I went; there were some shocking links I would not want to reproduce here or anywhere. Fast forward: the Windows Update redirection sounds familiar, because whatever happened, it seemed like every update it was staying ahead of the patches.
I just can't believe how some of this behavior sounds so similar to what was happening then. Maybe some malware just proxies Windows Update etc. for its own purposes; is it a platform standard?
All the reading up just takes me back to then... The funny thing, though: if then was a baby brother to what is here of late, the time frame they are referencing at present for the history of file date stamping would double. Scary thought.
Excellent article... not only about how it came down, but also who was at risk, and better yet who might be at risk in the future and why.
Flames and collisions. Posted on Jun 7, 2012 by Jeff
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened." Mikko Hypponen
Unless you are a system administrator for a government institution in or around the Middle East, you do not need to worry about Flame infecting your computer. Flame (also known as Flamer and skywiper) itself is not a security concern except to a very narrow, targeted group. Quite simply, you don't need to worry about being infected by Flame, and antivirus vendors who suggest otherwise may be engaging in fearmongering.
With so few people in danger from Flame, why am I writing about it? Good question. I'm writing about it because one of the methods used in Flame has the potential to undermine a crucial part of computer security. The authors of Flame have the ability to subvert the Windows Update process. Whatever Flame itself does or doesn't do, the fact that its authors acquired the capability to distribute fake updates to Microsoft Windows is cause for serious concern.
Software updates and chains of trust
I have previously written about how an important part of computer security is ensuring that your software updates come from the right place. You don't want someone who pretends to be AgileBits giving you malicious updates to 1Password. And you don't want someone who pretends to be Microsoft giving you malicious Windows Updates. The methods used for digitally signing downloads and updates involve some mathematical magic and a Chain of Trust. In the summer of 2011, we saw, in the example of DigiNotar, what can happen when someone finds a way to insert themselves into the chain of trust.
These two articles, Who do you trust to tell you who to trust? and A peek over the Gatekeeper, explain the security infrastructure I'll be writing about here. You will see terms like Certificate Authority or Man-in-the-Middle attack in this post, but they are more fully explained and illustrated in those other posts.
quote: What we do know is that the bogus certificates for signing Windows Updates were created, and we know what Microsoft has said about it. We know that CAs using MD5 in their digital signatures are vulnerable in the way discussed, and we know that the bogus certificates were signed by those weak CAs.
Also
quote: The cryptanalytic technique used to create the MD5 collision is new. It isn't radically different from previously known techniques, but this is using a technique that would have taken a great deal of expertise to develop.
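The MD5 weakness the quoted post leans on, shown concretely. This is an added example, not code from the quoted blog post or from anyone in this thread. The two 128-byte blocks are the published identical-prefix collision pair from Wang and Yu (2004); the functions around them are mine and demonstrate the property that makes a hash collision usable against certificates: once two inputs collide, any identical suffix appended to both keeps the digests equal, so a CA that signs MD5(tbsCertificate) for one body has signed the other too. The `forged_pair` model and its "common fields" bytes are a simplification I constructed, not the real chosen-prefix construction used against CAs.

```python
import hashlib

# Published MD5-colliding blocks (Wang & Yu, 2004): 128 bytes each, differing
# in six bytes, sharing the digest 79054025255fb1a26e4bc422aef54eb4. They
# collide only from MD5's standard initial state, i.e. with nothing before them.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes):
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collide_after_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard property: once the internal state is identical after a
    and b, appending the same suffix to both keeps the digests identical."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def forged_pair(common_fields: bytes):
    """Model of the certificate attack (my simplification, not the real
    chosen-prefix construction): the colliding blocks stand in for the part of
    two tbsCertificate bodies the attacker controls, common_fields for the
    identical remainder. Returns (body_a, body_b, same_md5, same_sha256)."""
    body_a, body_b = BLOCK_A + common_fields, BLOCK_B + common_fields
    return (body_a, body_b,
            md5_hex(body_a) == md5_hex(body_b),
            sha256_hex(body_a) == sha256_hex(body_b))


if __name__ == "__main__":
    print("md5(A) =", md5_hex(BLOCK_A))
    print("md5(B) =", md5_hex(BLOCK_B))
    print("bytes that differ:", differing_offsets(BLOCK_A, BLOCK_B))
    fields = b"identical issuer, validity and extensions (constructed)"
    _, _, same_md5, same_sha = forged_pair(fields)
    print("same MD5 with common suffix:", same_md5, "| same SHA-256:", same_sha)
    print("still collide with a prefix in front?",
          md5_hex(b"x" + BLOCK_A) == md5_hex(b"x" + BLOCK_B))
```

A signature scheme such as RSA PKCS#1 v1.5 sees only the digest, so a CA signing `body_a` above has issued a signature that verifies for `body_b` as well; SHA-256 tells the two apart. This published pair needs an empty prefix and differs only in six bytes of junk; the rogue-CA work of 2008 and the certificate the quoted post discusses used chosen-prefix collisions, which let the two bodies differ in meaningful fields, but the suffix property they exploit is the one shown here.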
Hmmmmmmm... Flame uses a somewhat similar method to Agent.BTZ to extract stolen info from offline networks via hidden USB files, and there might not have been a mole but rather an unsuspecting party... the whole article is a good technical read.
FLAME: The Story of Leaked Data Carried by Human Vector
Another important aspect is the fact that we assumed that both computers are infected with Flame. This is not necessarily a prerequisite, because Flamer can use its worm capabilities against the targeted system in order to infect a PC with internet access when the memory stick is plugged into it. However, it appears that this worm capability is inactive. This is somehow obvious, because Flame has to control the spreading mechanism for this espionage machinery and ensure that it remains hidden. Given the complexity of this e-threat, an attacker would not want to lose control of the situation. So, how is the memory stick carried between the two systems? Well, here is where the human factor kicks in. So it's amazing how two instances of Flame communicate with one another using a memory stick and a human as a channel. A private channel is created between two machines, and the person carrying the memory stick has no idea that he/she is actually contributing to the data leak. Of course, this operation could also be achieved by a man inside, a mole, who intentionally carries the stick from the restricted network that is being spied on to a system with internet access.
A sneaker-net, just as it's always been, remains a network... primitive or simplistic or slow as that might be. And if one of the sneaker-netted computers is connected to the Internet, then all the sneaker-netted computers are connected to the Internet - only over very slow, erratic links. It's all so 1990 retro... only now we use terms like "human vectors," and USB flashdrives are the data containers instead of 5-1/4 or 3-1/2 inch floppies.
edited to add: A long time ago (in computer years), a pretty smart coworker once told me that computers are like hospital patients, and you have to apply infection controls as if they were. Anything you stick into one patient, you don't just stick into another patient without disinfecting it first... you assume it's contaminated, unless absolutely proven otherwise.
That's why smart organizations once clamped down, HARD, on sneaker-nets... and banned ANY "outside" media from being brought into their facilities and put into their systems. It wasn't perfect, but it helped contain plagues. Now we're in the era of the employee laptop, the micro-Flashdrive, and all the rest. And, because of the twin attractions of 'user convenience' and having 24/7 employees available via "outside" lappies, many organizations have apparently regressed to the olden days, back before "infection control" and the cross-contamination prohibitions. And obviously, some spook agencies out there in this cold, cruel world have taken notice... as well as exploitive action.
So true. I'm on the road now, fly fishing for trout 20 feet from where I sit now, between doing these posts at the forum for the last month on a creek in PA. Had to get some scripts at the pharmacy for the wife and saw a coupon on the net from the manufacturer for $15 off each fill for a year. So, no printer here, just the lappy, and I put the coupon on a flash drive in PDF. They of course need a hard copy.
None of the pharmacies around here would touch the flash drive with a ten-foot pole, and I figured they would not.
So I started out at the Office Depot and found they had closed up for good, so I sweet-talked a gal at the travel agency here into giving it a try, but even though her PC had a port, it would not recognize the flash. In the end, since her PC was on the internet, she just went to the link and copied it to paper. All is well.
Just for laughs, I stopped by the Walley World instant photo place with the machine that takes USB and other media devices a few days after that and asked them: if the coupon was in JPG or other, would they make a photo of it next time if I needed something like that? Word is no deal, photos only, since they are not allowed to do coupons; something about most always stating they cannot be reproduced, so they don't touch any of them.
I am not disappointed. I am happy most of these places would not touch an unknown quantity like this; it says a lot for security.
Yes, I have done stuff like this by just having someone look at the screen of my smartphone and give the OK for many things out there, just in case someone suggests that next time.
There's a new threat that spreads via USB storage devices, by exploiting a previously unknown flaw in Windows shortcuts.
This did not use autorun, rather, just viewing the LNK file on the USB drive triggered the vulnerability in Windows Shell.
The rootkit components are digitally signed, and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed, while the trojan-dropper itself only attempted to copy the digital signature.
Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation:
It's Signed, therefore it's Clean, right?
So, I asked this System Administrator if such an attack could be successful on his network. He replied, "No, because we have configured a Group Policy that prohibits executables from being launched from USB."
You see, once the basics are understood of how the different attack vectors work, proper policies and procedures (proactive responses) protect the system from exploitation, no matter the vulnerability.
So, Conficker, Stuxnet, Flame --- all exploit different vulnerabilities but use the same attack vector. All are thus thwarted from being successful, as will be the next one that comes along using an executable on a USB drive.
Note that AV or a patch (reactive responses) are not required.
Two weeks ago, when we announced the discovery of the Flame malware, we said that we saw no strong similarity between its code and programming style and that of the Tilded platform which Stuxnet and Duqu are based on. Flame and Tilded are completely different projects based on different architectures, each with their own distinct characteristics. For instance, Flame never uses system drivers, while Stuxnet and Duqu's main method of loading modules for execution is via a kernel driver. But it turns out we were wrong. Wrong, in that we believed Flame and Stuxnet were two unrelated projects. Our research unearthed some previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame.
The Flame inside Stuxnet
During the 1970s about 2,000 Wang 2200T computers were shipped to the USSR. Due to the Afghan war in the 1980s, US and COCOM export restrictions ended the shipment of Wang computers. The Soviets were in great need of computers. In 1981 Russian engineers at Minpribor's Schetmash factory in Kursk reverse engineered the Wang 2200T and created a computer they named the Iskra 226. The "COCOM restrictions" theory, though, while popular in the West, is challenged by some Russian computer historians on the basis of the fact that development of the Iskra-226 started in 1978, two years before the Afghan war. One possible reason for this might be a Soviet fear of backdoors in Western hardware. It also differs significantly from the Wang 2200 in its internals, being more inspired by it than a direct clone.
I guess they were right. Who would trust a government which is now in the business of spreading computer viruses? That's the cost of a small triumph, which could be a brief delay in running some equipment in Iran, vs. losing credibility among all other countries in the world. And that's what distinguishes wise diplomacy from a political campaign to get re-elected...
That's one of the normal reactions when a mighty continent no longer sees the rest of the world kung-fu fighting but actually outgrowing them in online and other technologies.
Nothing special; we'll get more of these in the years to come.
SSL security flaw with MD5 certificates announced today. The problem is that many sites like banks, brokerages, credit card companies, and major online web sellers are all using MD5 certificates. I checked, and my credit card company, my bank, and Google Gmail are all still using MD5 certificates.
news.cnet.com/8301-1009_3-101296···1_3-0-20
A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers plans to announce Tuesday.
They plan to demonstrate how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.
Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://".
The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.
When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.
"The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)
Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."
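A practitioner's check for the claim above that a large share of chains carry an MD5 signature somewhere, written here as an added example (not code from CNET, the researchers, or anyone in this thread): a minimal DER walker that pulls the signatureAlgorithm OID out of each certificate in a PEM bundle and flags the MD5 (and MD2) variants. The three certificates it audits are synthetic, constructed by the block itself with placeholder contents so that it runs offline; only the OID table comes from the RFCs, and the parser works unchanged on real DER certificates because it reads only the outer `Certificate` SEQUENCE.

```python
import base64

# Signature-algorithm OIDs (RFC 3279, RFC 4055). MD2 and MD5 variants are weak.
SIG_OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    returns the dotted OID found in the outer signatureAlgorithm."""
    tag, body, _ = der_read(cert_der, 0)
    _, _tbs, pos = der_read(body, 0)          # skip tbsCertificate as one TLV
    tag_alg, alg, _ = der_read(body, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag_oid, oid, _ = der_read(alg, 0)
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate structure")
    return decode_oid(oid)


def pem_chain_to_der(pem_text: str):
    certs, cur = [], None
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            cur = []
        elif line.startswith("-----END CERTIFICATE-----"):
            certs.append(base64.b64decode("".join(cur)))
            cur = None
        elif cur is not None:
            cur.append(line.strip())
    return certs


def audit_chain(pem_text: str):
    """(index, oid, name, weak) for every certificate in a PEM bundle."""
    rows = []
    for i, der in enumerate(pem_chain_to_der(pem_text)):
        oid = signature_algorithm(der)
        rows.append((i, oid, SIG_OID_NAMES.get(oid, "unknown"), oid in WEAK_SIG_OIDS))
    return rows


# ---- constructed sample data: synthetic certificates, not real CA material ----
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            chunks.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunks)
    return bytes(out)


def fake_cert(sig_oid: str) -> bytes:
    """Placeholder tbsCertificate and junk signature; only signatureAlgorithm is real."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x13, b"constructed sample"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(16)))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Leaf signed with SHA-256, intermediate signed with MD5, root signed with SHA-1.
SAMPLE_CHAIN = "".join(to_pem(fake_cert(o)) for o in (
    "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for i, oid, name, weak in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{i}] {name:24} {oid:22} {'WEAK' if weak else 'ok'}")
```

To audit a live chain, feed `audit_chain` the PEM bundle printed by `openssl s_client -showcerts`. The field that matters is the issuer's signature algorithm on each certificate, not the certificate's own key type, and the self-signed root's signature can be ignored since roots are trusted by identity rather than by signature; the dangerous case is an intermediate or leaf that a CA signed with MD5, because that is the signature a collision lets an attacker reuse.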
We seem to be a dumb, useless bunch of people if this has been going on for so long... MD5 SSL certs being affected and exploited this much further into the future, and by the owner of the operating software, to say the least. I think we might need to wonder beyond 'Flame'.