Re: Flame: Massive cyber-attack discovered, researchers say
What I got out of the article.
quote:What we do know is the bogus certificates for signing Windows Updates were created, and we know what Microsoft has said about it. We know that CAs using MD5 in their digital signatures are vulnerable in the way discussed, and we know that the bogus certificates were signed by those weak CAs.
Also
quote:The cryptanalytic technique used to create the MD5 collision is new. It isn't radically different from previously known techniques, but this is using a technique that would have taken a great deal of expertise to develop.
Hmmmmmmm...Flame uses a somewhat similar method to Agent.BTZ to extract stolen info from offline networks via hidden USB files and there might not have been a mole but rather an unsuspecting party...the whole article is a good technical read.
FLAME The Story of Leaked Data Carried by Human Vector
Another important aspect is the fact that we assumed that both computers are infected with Flame. This is not necessarily a prerequisite, because Flamer can use its worm capabilities against the targeted system, in order to infect a PC with internet access when the memory stick is plugged into it. However, it appears that this worm capability is inactive. This is somehow obvious because Flame has to control the spreading mechanism for this espionage machinery and ensure that it remains hidden. Given the complexity of this e-threat, an attacker would not want to lose control of the situation. So, how is the memory stick carried between the two systems? Well, here is where the human factor kicks in. So it's amazing how two instances of Flame communicate with one another using a memory stick and a human as a channel. A private channel is created between two machines and the person carrying the memory stick has no idea that he/she is actually contributing to the data leak. Of course this operation could also be achieved by a man inside, a mole, who intentionally carries the stick from the restricted network that is being spied on to a system with internet access.
... there might not have been a mole but rather an unsuspecting party...the whole article is a good technical read.
FLAME The Story of Leaked Data Carried by Human Vector
... So, how is the memory stick carried between the two systems? Well, here is where the human factor kicks in. So it's amazing how two instances of Flame communicate with one another using a memory stick and a human as a channel. A private channel is created between two machines and the person carrying the memory stick has no idea that he/she is actually contributing to the data leak. Of course this operation could also be achieved by a man inside, a mole, who intentionally carries the stick from the restricted network that is being spied on to a system with internet access.
A sneaker-net, just as it's always been, remains a network... primitive or simplistic or slow as that might be. And if one of the sneaker-netted computers is connected to the Internet, then all the sneaker-netted computers are connected to the Internet - only over very slow, erratic links. It's all so 1990 retro... only now we use terms like "human vectors," and USB flashdrives are the data containers instead of 5-1/4 or 3-1/2 inch floppies.
edited to add: A long time ago (in computer years), a pretty smart coworker once told me that computers are like hospital patients, and you have to apply infection controls as if they were. Anything you stick into one patient, you don't just stick into another patient without disinfecting it first... you assume it's contaminated, unless absolutely proven otherwise.
That's why smart organizations once clamped down, HARD, on sneaker-nets... and banned ANY "outside" media from being brought into their facilities and put into their systems. It wasn't perfect, but it helped contain plagues. Now we're in the era of the employee laptop, the micro-Flashdrive, and all the rest. And, because of the twin attractions of 'user convenience' and having 24/7 employees available via "outside" lappies, many organizations have apparently regressed to the olden days, back before "infection control" and the cross-contamination prohibitions. And obviously, some spook agencies out there in this cold, cruel world have taken notice... as well as exploitive action.
So true. I've been on the road for the last month, fly fishing for trout on a creek in PA, 20 feet from where I sit now between doing these posts at the forum. I had to get some scripts at the pharmacy for the wife and saw a coupon on the net from the manufacturer for $15 off each fill for a year. No printer here, just the lappy, so I put the coupon on a flash drive as a PDF. They of course need a hard copy.
None of the pharmacies around here would touch the flash drive with a ten-foot pole, and I figured they would not.
So I started out at the Office Depot and found they had closed up for good, so I sweet-talked a gal at the travel agency here into giving it a try. But even though her PC had a port, it would not recognize the flash drive. In the end, since her PC was on the internet, she just went to the link and copied it to paper. All is well.
Just for laughs, I stopped by the Walley World instant photo place with the machine that takes USB and other media devices a few days after that and asked them, if the coupon was in JPG or another format, would they make a photo of it next time if I needed something like that. Word is no deal, photos only, since they are not allowed to do coupons; something about most of them always stating they cannot be reproduced, so they don't touch any of them.
I am not disappointed. I am happy most of these places would not touch an unknown quantity like this. It says a lot for security.
Yes, I have done stuff like this by just having someone look at the screen of my smart phone and give the OK for many things out there, just in case someone suggests that next time.
There's a new threat that spreads via USB storage devices, by exploiting a previously unknown flaw in Windows shortcuts.
This did not use autorun, rather, just viewing the LNK file on the USB drive triggered the vulnerability in Windows Shell.
The rootkit components are digitally signed and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed, while the trojan-dropper itself only attempted to copy the digital signature.
Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation:
It's Signed, therefore it's Clean, right?
So, I asked this System Administrator if such an attack could be successful on his network. He replied, "No, because we have configured a Group Policy that prohibits executables from being launched from USB."
You see, once the basics are understood of how the different attack vectors work, proper policies and procedures (proactive responses) protect the system from exploitation, no matter the vulnerability.
So, Conficker, Stuxnet, Flame --- all exploit different vulnerabilities but use the same attack vector. All are thus thwarted from being successful, as will be the next one that comes along using an executable on a USB drive.
Note that AV or a patch (reactive responses) are not required.
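The Group Policy the administrator mentions is not shown in the post. As an added example (not that administrator's GPO and not any vendor's published configuration), here is one way to express the same restriction with AppLocker from PowerShell, with a dry run against sample paths before it is applied. Assumptions: E:\ is a USB drive letter used only for the dry run, the rule GUIDs are generated on the spot, and the machine is Windows 7 / Server 2008 R2 or later with the Application Identity service available. The DLL collection is included because the Windows Shell shortcut flaw quoted earlier in the thread loaded a DLL rather than an EXE, so an executable-only rule set would not have covered that path; enabling DLL rules costs some performance.

```powershell
# Added example (not the poster's GPO): AppLocker policy that denies EXE and
# DLL execution from hot-pluggable (USB) and removable media, dry-run first.
# Assumptions: E:\ is a USB drive used only for the test; rule GUIDs are
# generated here; requires Windows 7 / 2008 R2+ and the AppIDSvc service.

function New-PathRule {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow', 'Deny')][string]$Action,
        [string]$Sid = 'S-1-1-0'          # Everyone; S-1-5-32-544 = Administrators
    )
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-RuleCollection {
    param([ValidateSet('Exe', 'Dll')][string]$Type)
    # Deny rules win over Allow rules. Once a collection is enforced, anything
    # not matched by an Allow rule is blocked as well, so the Windows and
    # Program Files allow rules (AppLocker's own defaults) are not optional.
    $rules = @(
        New-PathRule 'Deny hot-pluggable media (USB)' '%HOT%\*'          'Deny'
        New-PathRule 'Deny removable media (CD/DVD)'  '%REMOVABLE%\*'    'Deny'
        New-PathRule 'Allow Windows'                  '%WINDIR%\*'       'Allow'
        New-PathRule 'Allow Program Files'            '%PROGRAMFILES%\*' 'Allow'
        New-PathRule 'Allow Administrators anywhere'  '*'                'Allow' 'S-1-5-32-544'
    ) -join "`n"
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">`n$rules`n  </RuleCollection>"
}

# The Dll collection covers the shortcut-loads-a-DLL case; expect some
# performance cost from DLL checks.
$policyXml = @(
    '<AppLockerPolicy Version="1">'
    New-RuleCollection 'Exe'
    New-RuleCollection 'Dll'
    '</AppLockerPolicy>'
) -join "`n"

$policyPath = Join-Path $env:TEMP 'deny-removable-exec.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what the policy would decide for a file on the (assumed) USB drive
# versus one under %WINDIR%. Expect Deny for E:\setup.exe, Allow for notepad.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'E:\setup.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply on this machine (use -Ldap "LDAP://..." to write it into a GPO instead).
# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Run the dry run before `Set-AppLockerPolicy`: if `PolicyDecision` shows Deny for anything under %WINDIR% or %PROGRAMFILES%, the allow rules did not land and applying the policy would lock users out of the machine.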
Two weeks ago, when we announced the discovery of the Flame malware we said that we saw no strong similarity between its code and programming style with that of the Tilded platform which Stuxnet and Duqu are based on. Flame and Tilded are completely different projects based on different architectures and each with their own distinct characteristics. For instance, Flame never uses system drivers, while Stuxnet and Duqu's main method of loading modules for execution is via a kernel driver. But it turns out we were wrong. Wrong, in that we believed Flame and Stuxnet were two unrelated projects. Our research unearthed some previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame.
The Flame inside Stuxnet
During the 1970s about 2,000 Wang 2200T computers were shipped to the USSR. Due to the Afghan war in the 1980s, US and COCOM export restrictions ended the shipment of Wang computers. The Soviets were in great need of computers. In 1981 Russian engineers at Minpribor's Schetmash factory in Kursk reverse engineered the Wang 2200T and created a computer they named the Iskra 226. The "COCOM restrictions" theory, though, while popular in the West, is challenged by some Russian computer historians on the basis of the fact that development for the Iskra-226 started in 1978, two years before the Afghan war. One possible reason for this might be a Soviet fear of backdoors in Western hardware. It also differs significantly from the Wang 2200 in its internals, being more inspired by it than a direct clone.
I guess they were right. Who would trust a government which is now in the business of spreading computer viruses? That's the cost of a small triumph, which could be a brief delay in running some equipment in Iran, vs. losing credibility among all other countries in the world. And that's what distinguishes wise diplomacy from a political campaign to get re-elected...
That's one of the normal reactions when a mighty continent no longer sees the rest of the world kung-fu fighting but actually outgrowing them in online and other technologies.
Nothing special, we'll get more of these in the years to come.
SSL security flaw with MD5 certificates announced today. The problem is that many sites like banks, brokerages, credit card companies, and major online web sellers are all using MD5 certificates. I checked and my credit card company, my bank, & Google Gmail are all still using MD5 certificates.
»news.cnet.com/8301-1009_3-101296···1_3-0-20 A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers plans to announce Tuesday.
They plan to demonstrate how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.
Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://".
The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.
When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.
"The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)
Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."
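Checking a chain for "an MD5 signature somewhere in their authentication chain", as Appelbaum puts it, means reading the signatureAlgorithm of each certificate. Below is an added example (not from the CNET article or the researchers' work): a standard-library-only DER reader that walks each Certificate to that field and flags md5WithRSAEncryption. The sample chain at the bottom is constructed (dummy tbsCertificate bodies with a real AlgorithmIdentifier) so the script runs offline; against a live site you would feed it the DER bytes of each certificate the server sends, e.g. `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` for the leaf. One caveat the article does not spell out: a self-signed root's own MD5 signature is not what the forgery exploits, since browsers trust the root by identity rather than by verifying its signature; what matters is MD5 on the CA signatures below it, which is why the check takes an explicit `last_is_root` flag rather than guessing.

```python
"""Added example: flag MD5-based signature algorithms in an X.509 chain.

Standard library only. A small DER reader walks each Certificate to its
signatureAlgorithm field. The sample chain at the bottom is constructed
(dummy tbsCertificate bodies), not real certificates.
"""

# OID -> name for signature algorithms commonly found in chains.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4":  "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5":  "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2":   "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}


def read_tlv(buf, pos=0):
    """Read one DER element at buf[pos:]; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID arc")
    first = arcs[0]                        # first octet packs the first two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _tbs, pos = read_tlv(cert)        # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id)         # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return decode_oid(oid)


def audit_chain(chain_der, last_is_root=False):
    """For each DER cert (leaf first) return (index, algorithm name, weak?).

    With last_is_root=True the final certificate is a self-signed root whose
    own signature is never verified, so MD5 there is not counted as weak.
    """
    report = []
    for i, cert in enumerate(chain_der):
        name = SIG_ALG_NAMES.get(signature_algorithm(cert), signature_algorithm(cert))
        is_root = last_is_root and i == len(chain_der) - 1
        report.append((i, name, name in WEAK_SIG_ALGS and not is_root))
    return report


# --- constructed sample input (not real certificates) ----------------------

def der(tag, content):
    """Encode one DER element, long-form length where required."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def fake_cert(sig_oid, tbs_padding=b""):
    """Stand-in Certificate: dummy tbsCertificate, real AlgorithmIdentifier."""
    tbs = der(0x30, der(0x02, b"\x01") + (der(0x04, tbs_padding) if tbs_padding else b""))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # OID + NULL params
    sig = der(0x03, b"\x00" * 17)                            # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [fake_cert("1.2.840.113549.1.1.5"),                 # leaf, SHA-1
             fake_cert("1.2.840.113549.1.1.4", b"A" * 300),     # intermediate, MD5
             fake_cert("1.2.840.113549.1.1.4")]                 # root, MD5
    for idx, name, weak in audit_chain(chain, last_is_root=True):
        print(f"cert[{idx}]: {name}{'  <-- MD5-signed CA link' if weak else ''}")
```

The 300-byte padding on the intermediate exercises the long-form length path, which is the one real certificates always hit; the leaf and root are short-form only to keep the constructed sample small.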
We seem to be a dumb, useless bunch of people if this has been going on for so long... MD5 SSL certs being affected and exploited this much further into the future, and by the owner of the operating software, to say the least. I think we might need to wonder beyond 'Flame'.