Secure Yourself Online

News and Tips on securing your network, website, and blog

Tuesday, August 12, 2008

Nokia Phones vulnerable to Java Attacks.

A pair of critical vulnerabilities in Sun Microsystems Inc.’s Java technology for mobile devices could be used by hackers to surreptitiously make calls, record conversations, and access information on Nokia Series 40 cell phones, a Polish researcher said Monday.

Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two vulnerabilities to Sun last Thursday, and notified Nokia the same day of the security issues in its handsets. However, Gowdiak is taking a disclosure tack he admitted will be controversial. He has provided the vendors with only a small subset of the information he’s uncovered, approximately one-to-two pages worth. To obtain the remainder, which includes proof-of-concept code, Sun or Nokia will have to pony up $29,826.

The flaws can be used by attackers to force-feed malicious Java applications to Nokia Series 40 phones, said Gowdiak. Those applications, in turn, could be crafted to conduct all kinds of mischief, including making phone calls from the phone, sending text messages from the phone, and recording audio or video. Hackers could also access any file on a Nokia 40 model phone, obtain read and write access to the phone’s contact list, access the phone’s SIM card, and more, added Gowdiak.

“This can completely wipe out any security within J2ME,” said Gowdiak in an interview Monday. “It allows [attackers] to do anything malicious on any mobile device.”

All told, Gowdiak said he had found 14 security issues with the Nokia Series 40 handsets. The Series 40 is the world’s most widely-used mobile platform, according to Nokia. Gowdiak estimated that approximately 140 different Nokia handsets use the Series 40 platform.

All an attacker needs to hack a specific Series 40 handset is its phone number, Gowdiak claimed. A security flaw in the platform can be exploited by simply sending a maliciously crafted series of messages to a given phone. “By combining the vulnerabilities with the Series 40 issues, one could develop malware which could be simply deployed. And that malware won’t be visible to the user,” he said.

Gowdiak tested seven different Nokia Series 40 handsets — “At least one from each major family in the series,” he said — but he suspects that other manufacturers’ phones that use J2ME may also be vulnerable.

He said that the most current version of Sun’s Java Wireless Toolkit also contains the critical bugs. The Toolkit is essentially a software developer’s toolkit, or SDK, for building wireless applications based on J2ME. The implication, said Gowdiak, is that any application created with the Toolkit would also be open to attack, including those installed on handsets other than Nokia’s.

Nokia did not respond to a request for comment Monday, and although Sun did return a call, its spokeswoman did not have any immediate information about the vulnerabilities reported by Gowdiak.

For his part, Gowdiak said security teams at both companies had confirmed receiving his reports last week. “They seem to be working on these issues,” he added.

But the vulnerabilities may not be what many focus on, Gowdiak admitted.

To fund his start-up — a Polish-based company called Security Explorations — Gowdiak is selling copies of his research for 20,000 euros each. “There are six long months of work in this research,” he said in justifying the price. “It was an enormous amount of research.”

But Gowdiak is savvy enough to know that the move will be controversial. “Of course. The whole security arena is divided,” he argued. “Some will be against this and some will be for it.”

He said that the amount of information he had turned over to Sun and Nokia was “similar” to what he had disclosed to vendors previously. “We’re not blackmailers, we’re not black hats,” he said. “They have a choice whether they want to sign up for our security research or whether they want to [devote] research engineers of their own to investigate the vulnerabilities.

“But in our opinion, they have full vulnerability information.”

He also stressed the special nature of the vulnerabilities he had discovered. “This is the first time that such a widespread and critical attack has been demonstrated against Nokia’s Series 40 devices,” he said. “We have proved that these devices can be hacked and infected with malware in a very similar way PC computers are.”

Still, he was on the defensive. “Some people will attack us, and hate us,” he said, for selling research in this fashion. “But in time, people will be able to judge on their own whether we got it right.”

He stopped short, however, of promising to release more information once Sun and/or Nokia had patched their software. “We’re considering it,” was as far as he would go.

(Source: ComputerWorld)

posted by Gillis at 12:50 pm  

Monday, August 11, 2008

Current State of the Georgia-Russian Cyberwar

I called it from day one. The minute Russia goes to war, they are going to engage in cyberwarfare tactics. They have executed DDoS attacks against Georgian infrastructure, news networks, and any source that Georgians could use to communicate military instructions, pleas for help, or updates to news agencies by anything other than traditional (generally non-actionable) means. It makes me wonder why the hell NATO is allowing a sovereign nation to be invaded without provocation, without excuse. You'll notice that traffic is being cut off in Turkey, as well as traffic being manipulated by Bryansk, Russia. The network security community needs to draw up an Internet warfare charter to be issued to the UN for introduction. Because the Internet is an international community, it needs to be treated as neutral war grounds. As an exception, however, nations engaged in bilateral warfare should be allowed to attack designated targets of the opposing side, so that no collateral damage is done and the free flow of unrestricted information is not impeded.

From the Georgian Embassy, An official Release:

For confirmation and current status of the cyberwar:

Example - Nameservers for www.itdc.ge (Georgia's web development enterprise) are continuously showing:

* ns1.garse.net returned (SERVFAIL)
* ns2.garse.net returned (SERVFAIL)

Two traceroutes to web site mfa.gov.ge - Georgia Foreign Affairs - show:

(a) From US - Ge = Blocked via TTnet Turkey

(b) From Ukraine - Ge = available & slow; note: cached (forged page), now only via redirect through Bryansk Ru

Other Georgia government websites, e.g. mod.gov.ge (Ministry of Defense) and president.gov.ge, show:

(c) From US - Ge = Blocked via TTnet Turkey

(d) From Ukraine - Ge = Blocked via TTnet Turkey

Internally, several Georgia-based servers are now only under external routing control, e.g. AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia.

Now only available via AS12389 ROSTELECOM AS JSC Rostelecom (Ru) and AS8342 RTCOMM AS RTComm RU Autonomous System (Ru) servers; Georgia traffic through DeltaNet is being redirected via TTnet.

It should be noted that the servers AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru) and AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian Government. All efforts are being made to regain server control, and international assistance is requested to provide added Internet routing via neutral cyber space.
posted by Gillis at 2:30 pm  

Saturday, August 9, 2008

DNS Patch Flaw Still Exists

So you still support private disclosure of bugs? The huge problem that was recently reported in DNS servers was patched, granted it took nearly a year for all corporations to come on board. Nearly 75% of all servers are patched to "fix" the issue. "Well, what's the problem?", you may ask. The problem is that these patches were untested by the security community, so it is fitting that within a month of the patches being released, a security researcher in Russia has found a way around the patch.

LINK: RUSSIAN PHYSICIST BYPASSES DNS PATCH

Direct links to his work are HERE and HERE.

posted by Gillis at 11:32 am  

Friday, August 8, 2008

Georgia-Russian War

Four hours prior to this story, Russia launched a guided missile at the Georgian capital. The tensions between Georgia and Russia have been palpable in the international landscape over the past 5 years, and although there have been skirmishes along the border, never have the two nations been so close to full-scale war. Both sides have already shown a very large acceptance of cyber attacks, attacking each other's websites as a show of force, a military tactic, or to achieve economic ramifications against the opposing side. A Georgian-Russian war, although terribly tragic, would offer the world the first glimpse of a full-scale cyber war. If the two sides begin to actively target each other, they will most certainly use cyber tactics. But what images will we be seeing on the news if this happens? What form would these attacks take, and how would they affect the target nation?

Most likely the great number of attacks would be carried out against infrastructure networks. Attacks would strategically target critical targets, much in the same way an army would destroy AA outfits or border crossings; initial targets will include infiltrating demilitarized zones and destroying or bypassing firewalls. On the part of Russia, do not be surprised to see the digital equivalent of nuclear bombs being unleashed upon Georgian infrastructure. The Russian army certainly has centers where they have a number of "zombie" computers that are able to be controlled as a single entity. 25,000 computers all flooding a server with requests will simply overwhelm the server, cutting off access. The more computers, the more bandwidth, and the more organized a flood is, the more effective an attack will be. Russia also seems to have a number of very skilled hackers who, in an attack situation, would be able to completely destroy a given network.

If a full-scale conflict breaks out between Georgia and Russia, both nations will have to do an emergency inventory of their web-facing presence, as well as their internal networks. Any vulnerability that can be found, will be found.

posted by Gillis at 2:14 pm  

Friday, August 8, 2008

Olympic Cyberscape Threat Analysis

I meant for this to go up the day before the Olympics; however, lightning had other plans. It blew out my modem and any DSL access I had, so here is the delayed version of the Olympic cyberscape threat analysis.

So with the 2008 Beijing Olympics beginning today, I figured I would do a threat breakdown for the Olympic Games Internet landscape. As with any large event, the nasties of the Internet underground will always exploit the spotlight. My hope is that this guide will help you know what to expect in the coming weeks. For the purposes of this article we will divide all the threats into two categories: (true) hacking and social engineering.

Hacking: One of the biggest targets for hacking, of course, will be the Olympic site itself. Attackers will be separated into basically five groups. Pro-democracy activists will target the site to further their message, using it to speak out against the principles of the Chinese government. Tibetan protesters will be looking to bring light to the atrocities that China has committed against their country, and attempting to get worldwide support. Human rights activists have already infiltrated the website and changed many of the headline and border colors to orange, the color of the human rights protests. Other political activists, such as Taiwanese or Islamic nationals, will also be looking for their piece of the virtual pie. You also have the fifth category: people who have no beef with China but are looking solely for fame inside the hacking community.

The next big target in the hacking category would be the actual infrastructure that supports the record keeping, ticket indexing, and financial records of the games. If compromised, this could be the biggest information compromise of the year, and could be a massive PR disaster for China. For this reason, China needs to be extra vigilant, protecting even the least significant access points. Even a minor compromise of a system could wind up costing tens of millions, if not more, in financial damage to Olympic attendees.

Social Engineering: Social engineering is one of the most serious dangers for the majority of Olympic attendees. We all get THOSE emails: your bank account is being used, your credit card has been stolen, Uncle Frankeiose in the Congo has left you 50 million dollars. Social engineering is used to play upon the hopes, fears and dreams of the target: you. So how is it most likely that a social engineer will use these methods in the Olympic season, and what shape may these attacks take? In this season of physical prowess, social engineering (aka phishing) attacks are most likely to take the form of straight phishing, spam, or Storm worm variants.

Phishing attacks will be semi-normal in comparison with what is normally seen. Possible attack techniques would be emails from the ticketing agency, urging you to verify your ticket information. Another technique could be giving users the option to "upgrade" their tickets to ground-level seats. Another possible attack technique would be the classic "Your credit card has been stolen" scenario. In this scenario, an attacker would tell you that your credit card number has been stolen from somewhere in China, and is currently being used to purchase items.

Traditional spam is another popular technique; however, this is a generally unmalicious use. Spam emails you may see could be discount tickets for the Olympics, Olympic-based gambling, or sites where you can watch the Olympics "for free online". These emails are generally just a nuisance; however, some sites contain malicious code which can silently install keyloggers, or any number of other nasty programs onto your computer that allow an attacker to see all of the data passing over your network. Rule of thumb? Do not even open spam.

Perhaps the most destructive of all the social engineering techniques of late is the Storm botnet. Storm variants rely on time-specific events to spread the botnet. A botnet is a virus that turns your system into an extension of a hacker's computer, allowing him to harvest your credit card info, use you to hack others, or even use you to harvest other people's info. Storm variants spread through seemingly realistic "news events": they have used false stories of the US invading Iran, false aid to Myanmar and China, or falsified assassinations to spread the worm. Likely variants you will see in the next few weeks will dwell upon the successes of previous attempts. You are likely to see reports of "Olympic Bombings", "Bush Boycotts Iran", "Olympic Earthquakes", or other sensationalized stories. It is key to remember that most large news agencies will not email you regarding news events unless you specifically request it.

posted by Gillis at 12:23 pm  

Tuesday, August 5, 2008

Tennessee Valley Authority Laptops Stolen

Wonderful. Yet another government computer is stolen out from under the authorities' noses. Supposedly this computer was supposed to be encrypted; however, statistics show that only 30 percent of computers required to be encrypted by law are encrypted. So chances are that the thief stole this laptop from the back of ANOTHER admin's car, and instantly picked up thousands of Social Security numbers. But that's not the worst of it: 26 computers or computer-related items were reported stolen, while over 5,500 can no longer be "tracked". Just freaking wonderful.
The “Official” Press report follows:
A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency, according to the TVA Inspector General.

The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA.

TVA spokesman Jim Allen said TVA officials did not have information late Thursday on how many people were involved in the breach, who they were or whether the information had been used in any fraudulent activities.

According to the IG, since TVA rolled out an inventory system for its computers in August 2004, called the HP Service Desk, TVA has been unable to track more than 5,550 computers. "The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information," the report stated.
posted by Gillis at 8:40 am  

Monday, August 4, 2008

Java Wielding Pictures

More and more evidence keeps stacking up in favor of disabling Java inside your browser. This week, a new attack method was revealed by the "Next Generation Security Software" foundation, along with the Ernst & Young Advanced Security Center. It turns out that attackers have begun to use a new stealth tactic to gain control over your browser. Security researchers have developed a new image that is combined with a malicious Java applet. When the user views the image, the Java applet silently runs and its payload is delivered as if it were coming from the host website. The combined image/Java applet is called a "Gifar", and can be delivered to any website that allows image uploading. The website interprets the package as a picture, so it doesn't restrict its uploading.
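As an added example (not code from the original post or from the researchers it cites), here is a Python upload validator for the site-operator side of this: it flags a file that parses both as a GIF and as a ZIP/JAR archive, which is exactly the Gifar condition described above. The sample GIF and the stand-in archive are constructed inline; the `.class` entry name is a placeholder, not a real applet.

```python
"""Server-side check for GIF/JAR polyglots ("Gifars") in image uploads.

A GIF decoder reads the header at the start of the file, while a ZIP/JAR
reader locates the archive from the end-of-central-directory (EOCD) record
at the end. Because the two parsers look at different bytes, one file can
be a valid image and a valid Java archive at the same time.
"""
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"
# EOCD is 22 bytes and may be followed by a comment of up to 65535 bytes.
EOCD_SEARCH_WINDOW = 22 + 65535

# Constructed sample: a 1x1 pixel GIF89a, not taken from any real upload.
SAMPLE_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)


def build_sample_jar() -> bytes:
    """Constructed stand-in for a JAR: a manifest plus a placeholder .class
    entry whose content is only the class-file magic, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def looks_like_gif(data: bytes) -> bool:
    return data.startswith(GIF_MAGICS)


def zip_entries(data: bytes) -> list:
    """Member names if the blob parses as a ZIP archive, else an empty list.
    zipfile tolerates leading junk (it works back from the EOCD), which is
    exactly why a GIF prefix does not stop a JAR loader either."""
    if EOCD_SIG not in data[-EOCD_SEARCH_WINDOW:]:
        return []  # cheap pre-check: no EOCD record near the end
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_upload(data: bytes) -> str:
    """Return 'gif', 'gifar', 'jar', 'zip' or 'unknown' for an uploaded blob."""
    is_gif = looks_like_gif(data)
    entries = zip_entries(data)
    is_jar = any(name.endswith(".class") for name in entries)
    if is_gif and entries:
        return "gifar"
    if is_gif:
        return "gif"
    if is_jar:
        return "jar"
    if entries:
        return "zip"
    return "unknown"


def accept_image_upload(data: bytes) -> bool:
    """Policy for an image-upload endpoint: accept only a plain image."""
    return classify_upload(data) == "gif"
```

Re-encoding every accepted image through an image library before serving it would also strip the appended archive; this check is the cheaper first line.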

How can you avoid this attack?

When you are going to a website that may contain user-uploaded images, go into your browser's "Options" settings and disable Java content.
Have you seen this used? Tell us your story!

posted by Gillis at 4:37 pm  

Saturday, August 2, 2008

Traveling Tech?

Recently an article from Schneier on Security piqued my interest, as it has for many security professionals. I began to research the actual policy and am even more stunned than when I read Schneier's initial article. It seems that any time you come into the country (see Ports of Entry here) you are subject to having your laptop taken, disassembled, illegally accessed, and analyzed. It seems that if you display nervousness (pteromerhanophobia), are attending a defense conference (Defcon), or generally draw the ire of the secondary screening decision man, anything you own can and will be analyzed. The big issue that I have with this process is that it does not take into account the privacy of US citizens. A border agent should not be able to say "What's your password?" or "Please enter your password"; it is almost like asking a person to allow you into his safe deposit box. You put information in a specific safe deposit box so that no one could get it, so why should you allow someone to take everything you have? It absolutely should not be done. What's more, out of thousands of laptop searches and seizures, the worst punishment anyone received from the government-provided documents has been a 10,000 dollar fine for copyright violations.

So how does the US Customs agency protect its "right" to search and seize laptops of incoming aliens and US citizens? With the following statement:

"Aliens have the burden of establishing that they are admissible to the U.S., or are entitled to the immigration status they seek. U.S. citizens also have to establish their citizenship to the satisfaction of the officer and may be subject to further inspection if they are the subject of a lookout record, if there are indicators of possible violations (such as the possible possession of prohibited items, narcotics, or other contraband), or if they have been selected for random compliance examination."

Wonderful. So if you are wearing a shirt such as Bad Shirt, you will be "randomly searched". You should be fine if you wear this shirt, however: Best Shirt.

See the statement of the US Deputy Commissioner of Customs here.

Edit: Upon further inspection it appears that border agents cannot open or read correspondence contained within letter-class mail (see declared policy here). By encasing a laptop in a letter-class, sealed, stamped envelope, border agents would not be able to open it without a search warrant or your consent. MacBook Airs would be most effective. Anything with the laptop should be classified as correspondence (i.e. email, chats, IM, pictures, shared documents, collaborative works, etc.).

Note: I have not tried this technique; I am only observing written policies and court cases (see official policy here).

posted by Gillis at 8:56 pm  

Friday, August 1, 2008

New Phishing Attempts

Almost daily, you will get emails claiming someone has changed your password, that someone wants to be your friend, or that you just received a huge sum of money from a long-lost uncle. The catch? All you have to do is log in and put in your secret answer. Most people have discovered that these attempts are fake, so although their continued use doesn't get quite as many results, it still tricks people.

However, phishers are trying more aggressive techniques to trick people into logging in to phony websites. A new phishing email (via Trend Micro) that recently emerged claimed that the user's Bank of America account was accessed by an international IP from an unregistered computer and that their "Foreign IP Spy" detected that breach. However, banks have never been known to register their clients' computers to their online banking systems. So any email you receive informing you that your account has been accessed by a remote IP is blatantly false.

Phisher Email

It asks the user to verify and register his current computer by logging in to the Bank of America website. That link leads to a new window which opens a phishing website that is using a fake address bar. Most users who clicked on that link will surely enter their login information.

An Example Of Address Spoofing

As you can see in this image, the address bar clearly says that you are on the Bank of America secure website. However, upon closer inspection than most end-users know to do, you will discover this:

Website Exposed

You can clearly see that your “Secure Website” is nothing more than a phishing attempt.

So How can you protect yourself from this phishing attack?

A. Only open emails from verified or known sources.

B. Regardless of who the email is from- Do not click an embedded link to go to a Financial institution, go directly to the website.

C. Any Privacy Essential website you go to, verify the source!

(In Internet Explorer)

1. To verify: right-click and select "Properties".

2. Look in the Web Address (URL) section to verify what website you are viewing.

3. If it is not the expected web address, LEAVE.

(In Mozilla Firefox)

1. Right-click on the desired webpage and select "Page Info".

2. Click the "General" tab.

3. View the Address section to verify that you're at the desired destination.

4. If you are not at the desired location, LEAVE!

(Opera)

1. If you need to know how to do this in Opera 9.x, leave me a comment and I will write the instructions in. However, because of the low user base, I will not write one at this time.

posted by Gillis at 7:08 pm  

Friday, August 1, 2008

How To Visit A Website (In Internet Explorer)

As many people have already learned, either through word of mouth or by personal experience, Internet Explorer is probably the WORST browser you could use for the security of your personal data. Between gaping holes in the code, ease of manipulation by viruses, and its mass use in the marketplace, Internet Explorer is rife with vulnerabilities. These vulnerabilities allow attackers to view, change, hijack and even steal your banking, clientele, or other personal data. Even so, there are still people who are so instilled with the thought that if it comes from Microsoft, it's best. Because of this, I decided to develop a step-by-step guide for Internet Explorer users to securely browse the web.

Before Opening Your Browser

A. Right-click on the "Internet Explorer" icon and click on "Properties". Check to be sure that the program path is not taking you to a program other than Internet Explorer. If something unexpected is in the program path, you need to delete the desktop icon and replace it with an authentic link.

Your browser is open, Now What?

B. Go to "Tools" and click on "Internet Options". Be sure that your homepage is not set to a webpage that you do not know.

C. In the address bar type "www.mozilla.com" and press "Enter".

D. Press "Download" and download Mozilla Firefox, the secure, customizable web browser.

Sorry, but there are currently simply too many ways for the end-user (you) to be deceived in Internet Explorer. I just cannot, with a clear conscience, advise anyone to use Internet Explorer, especially for "secure web surfing". If you MUST use Internet Explorer, do not visit any websites that:

A- You do not know and trust

B- Ask for your password

C- Have embeddable content

Internet explorer should be an absolute LAST RESORT for anyone who values privacy, or who enjoys having money in their bank account.

posted by Gillis at 12:02 pm  
