Controversial DNSSEC could solve pernicious Internet security issues

by Albert Sweigart, Consumer Security Development

The well-known security researcher Dan Kaminsky pushed for the adoption of DNSSEC (Domain Name System Security Extensions) in his recent presentation at the Black Hat DC conference. Kaminsky is famous for a critical flaw he found in the Domain Name System protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to numeric Internet Protocol addresses (such as 209.87.209.206). Kaminsky discovered that, by exploiting the flaw, a DNS server can be tricked into resolving a domain name to a different IP address. This would allow an attacker to redirect someone visiting YourOnlineBank.com to a fake replica of the website that the attacker controls. The user would unwittingly give their online banking password to the attacker’s fake website.

That vulnerability has since been patched, but the DNS protocol itself remains fundamentally insecure in many ways:

  • DNS is not a secure protocol by itself, and software applications do not rely on it for security. The use of cryptography imposes some computational expense on the server and causes scalability issues. Secure Sockets Layer (SSL), the technology most consumers encounter as the tiny lock icon next to the URL bar in their web browser, mitigates this problem somewhat: a fake website would not be able to present the proper SSL certificate, and web browsers display warnings when accessing web sites with invalid SSL credentials. However, users are amazingly resistant to such warnings, and the “click the button to make the message box go away” mentality causes many users to ignore them.

  • Unfortunately, a more common attack would simply not employ SSL at all. Redirecting a user from YourOnlineBank.com (which uses SSL) to the fake replica (which does not) would not produce any browser warnings. The cannier user may notice the missing “https” in the URL before entering their password, but most would not.

  • With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy target for hackers. By hijacking YourOnlineEmail.com, an attacker could go to Facebook, eBay, or any number of online web services and request that a new password be sent to a user’s email address (such as BObama@YourOnlineEmail.com). The attacker intercepts that password, because it is sent not to the real YourOnlineEmail.com but to the fake one under the attacker’s control. The real user is never involved in, or aware of, the attack at any point.

DNSSEC is a proposed protocol (introduced in RFC 2065) that would secure DNS using public-key cryptography to digitally sign DNS records, but its adoption has been slow for many reasons. It is notoriously complicated to implement and maintain, and without demand from applications there is little incentive to add DNSSEC.

DNSSEC also has a political problem with the international community and more libertarian proponents of the Internet. The DNSSEC protocol would place the root authority to authenticate the entire domain name system with the U.S. Department of Commerce, including the domain name system of 187 different countries. This centralization of authority would also give the government the power to disable domain names, or perform DNS hijacks themselves.

Kaminsky has always been lukewarm toward DNSSEC, but despite its problems and complexity he is in favor of securing the DNS protocol. A fix at this level of the Internet could potentially solve an entire class of security problems. The pressure that business and consumer interests place on networks and DNS servers provides too large an incentive to ignore this issue forever. And while the work to simplify the administration of DNSSEC still has a long way to go, Kaminsky has pointed out that the implementations of proposed alternatives to DNSSEC (such as DNSCurve) are far behind.
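To make the chain of trust concrete, here is an added Python model, written for this page (it is not Kaminsky's code and not part of any DNS implementation), of how a validating resolver checks an answer: the root key vouches for the .com key, .com vouches for the bank's zone key, and the zone key signs the address record. The zone names, keys and addresses are constructed, and the textbook RSA with two-digit primes stands in for real DNSSEC algorithms only to keep the example dependency-free; a spoofed address fails validation because no signature from the zone key covers it.

```python
"""Toy model of the DNSSEC chain of trust (constructed example for this page).

Real DNSSEC uses full-size RSA/ECDSA keys carried in DNSKEY, DS and RRSIG
records; the tiny textbook RSA keys here exist only to show how a validating
resolver walks root -> TLD -> zone -> record and rejects a spoofed answer.
"""
import hashlib


def rsa_keypair(p, q, e=17):
    """Textbook RSA from two small primes (toy only): returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(data, n):
    """SHA-256 of the record, reduced into the toy modulus."""
    return int(hashlib.sha256(data).hexdigest(), 16) % n


def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def key_bytes(public_key):
    """Serialised public key: the thing a parent zone signs (like a DS record)."""
    return "{}:{}".format(*public_key).encode()


# Constructed keys: the root (trust anchor), the .com TLD and the bank's zone.
ROOT_PUB, ROOT_PRIV = rsa_keypair(61, 53)
COM_PUB, COM_PRIV = rsa_keypair(71, 67)
BANK_PUB, BANK_PRIV = rsa_keypair(83, 89)

# What each zone publishes: its key plus the parent's signature over that key.
ZONES = {
    "com.": {"key": COM_PUB, "key_sig": sign(ROOT_PRIV, key_bytes(COM_PUB))},
    "youronlinebank.com.": {"key": BANK_PUB,
                            "key_sig": sign(COM_PRIV, key_bytes(BANK_PUB))},
}


def a_record(name, ip):
    return "{} A {}".format(name, ip).encode()


def validate_answer(name, ip, rrsig, trust_anchor=ROOT_PUB):
    """Return ip if the answer chains back to the trust anchor, else None.

    Walks from the root down to the owning zone: each parent key must have
    signed the child's key, and the zone key must have signed the A record.
    """
    labels = name.rstrip(".").split(".")
    parent_key = trust_anchor
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        entry = ZONES.get(zone)
        if entry is None or not verify(parent_key, key_bytes(entry["key"]),
                                       entry["key_sig"]):
            return None  # missing or unverifiable key: chain of trust is broken
        parent_key = entry["key"]
    if not verify(parent_key, a_record(name, ip), rrsig):
        return None  # record altered, or signed by someone other than the zone
    return ip


if __name__ == "__main__":
    name, real_ip = "youronlinebank.com.", "198.51.100.10"  # constructed
    genuine_sig = sign(BANK_PRIV, a_record(name, real_ip))
    print("genuine answer:", validate_answer(name, real_ip, genuine_sig))
    # A spoofed answer keeps the real signature but swaps the address.
    print("spoofed answer:", validate_answer(name, "203.0.113.7", genuine_sig))
```

The resolver never trusts an address on its own: it only accepts an answer after every link from the trust anchor down to the zone key verifies, which is exactly the property the unsigned DNS described above lacks.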

Real World Internet Safety Tips for Using Public Wi-Fi

By James Grant, Team Lead and Senior Developer

I was recently traveling and wanted to keep in touch with both work and the world. I packed my laptop and was off. On arrival, the hotel clerk proudly told me that the hotel offered free Internet over Wi-Fi, no encryption to worry about. Great! I guess...

Confession: I get a little paranoid about security so I'm thinking through all the ways this could go wrong: the person in the next room is going to see all my Internet traffic because it is going over the airwaves like a cell phone call; the person in the next room will try to hack into my computer; the person in the next room will see my email address and I will get more spam. I need a new room! But wait, everyone in the hotel can see my traffic -- as well as anyone driving by! Well, the good news is that not everything you do on the Internet puts you at risk.

Using email

The first thing I wanted to do was check email at work. My company uses a VPN to support email access, so I can do that safely. I am free to use a public Wi-Fi link because a snoop will not try to decrypt my VPN traffic to read the emails. The VPN is the strongest link in the chain, not the weakest link.

The next thing I wanted to do was check my personal email at Gmail. There I have to be a bit more careful. I deliberately go to https://gmail.google.com (instead of http://...) because then Gmail gives me an encrypted connection (safe). If I just typed gmail.google.com, my login would be encrypted, but the emails I read and wrote would be unencrypted and any snooper could see them! Remember: whenever you see "https" at the start of the link in your browser, it means you're a lot safer than "http".

Checking online news

With that done, I wanted to check the news. Now I personally don't care who knows what news articles I read, so I freely went to my favorites:

www.news.google.com, www.theregister.co.uk.

Using Facebook

Then I wanted to check what was happening at Facebook. Darn. That's where I caught myself and chose to wait. Facebook encrypts the actual login, but after that it isn't as safe. Snoopers could learn the email address I use to log in as well as my profile ID (every Facebook member has a unique profile ID).

They also might be able to get my "session token": information that lets them connect to Facebook as if they were me. I could be wrong, like I said, I get a little paranoid. So I did not connect to Facebook over the unencrypted Wi-Fi.
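The Facebook worry above is exactly the case where the login is encrypted but the session token afterwards is not. As an added example (not the original post's code, and not Facebook's or Gmail's), the Python below audits a constructed set of HTTP exchanges for the two things an open-Wi-Fi snooper can read: a Cookie or Authorization header sent over plain http, and a Set-Cookie without the Secure attribute, which lets the browser send that cookie over http later. The URLs, header values and cookie names are made up; `harden()` shows the server-side fix.

```python
"""Audit whether a session token ever travels in cleartext.

Constructed example for this page. The exchanges below are made up: a login
over https that sets a session cookie, followed by ordinary page loads. The
audit flags what a snooper on open Wi-Fi could capture.
"""
from urllib.parse import urlsplit

# Constructed traffic sample: hosts, header values and cookie names are illustrative only.
SAMPLE_EXCHANGES = [
    {"url": "https://login.example.com/auth", "method": "POST",
     "response_headers": {"Set-Cookie": "sid=abc123; Path=/; HttpOnly"}},
    {"url": "http://www.example.com/home", "method": "GET",
     "request_headers": {"Cookie": "sid=abc123"}},
    {"url": "https://mail.example.com/inbox", "method": "GET",
     "request_headers": {"Cookie": "sid=abc123"}},
]

SENSITIVE_REQUEST_HEADERS = ("cookie", "authorization")


def cookie_attributes(set_cookie):
    """Split 'name=value; Attr; Attr=x' into (name, {lower-case attribute names})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(exchanges):
    """Return a list of (url, finding) tuples; an empty list means nothing leaks."""
    findings = []
    for ex in exchanges:
        scheme = urlsplit(ex["url"]).scheme.lower()
        # Request side: a token sent over http is readable by anyone on the air.
        for header in ex.get("request_headers", {}):
            if header.lower() in SENSITIVE_REQUEST_HEADERS and scheme != "https":
                findings.append((ex["url"], "%s header sent over plain http" % header))
        # Response side: without Secure, the browser will send the cookie over http too.
        for header, value in ex.get("response_headers", {}).items():
            if header.lower() == "set-cookie":
                name, attrs = cookie_attributes(value)
                if "secure" not in attrs:
                    findings.append((ex["url"],
                                     "cookie %s set without Secure attribute" % name))
    return findings


def harden(set_cookie):
    """Server-side fix: add Secure (and HttpOnly) so the cookie stays on https."""
    _, attrs = cookie_attributes(set_cookie)
    fixed = set_cookie.rstrip("; ")
    for attr in ("Secure", "HttpOnly"):
        if attr.lower() not in attrs:
            fixed += "; " + attr
    return fixed


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_EXCHANGES):
        print(url, "->", finding)
    print(harden("sid=abc123; Path=/; HttpOnly"))
```

Run against the sample, the audit reports the login response (cookie set without Secure) and the plain-http page load that replays the cookie; the https inbox request is clean. The same check can be pointed at a browser's saved HAR file by mapping its entries into the dictionary shape used here.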

Banking and other private activities

What else would I not recommend in a public setting?

- banking - even if the connection is encrypted, I reveal what bank I use

- online investments - same as banking, only more money at stake

- private activities: IM, political activities, porn (no, I'm not confessing anything here. It's you, Dear Reader, I am thinking of!)

Avoid all of these things on unencrypted Wi-Fi, unless you use a service like Anonymizer Anonymous Surfing. With a service like Anonymizer, everything works the same but your network traffic gets routed through their server using an encrypted connection. Snoopers can't tell where you're going or what you're sending.

What about public computers?

A final note about using a public computer (library, conference, hotel, etc.). I would not log on to any account of mine on a public computer, even if it were an encrypted https: website. The computer might have a virus or other tool for logging everything you type. Think of a public computer as having the public looking over your shoulder.

Adobe Acrobat PDF vulnerability is more of the same

By Jordy Berson, Group Product Manager, Check Point Software

A vulnerability in Adobe Acrobat is being used to steal business and government secrets. This exploit entices its victims to open a PDF document, upon which a Trojan is transferred invisibly to the victim's PC. The Trojan secretly records keystrokes and allows hackers remote access to the victim's computer. This vulnerability has so far been targeted at business executives and government officials. I don't know what's scarier - the attacks that target people like you and me directly to steal our identity, or knowing that our government and business officials are being spied on.

The general idea is this: You're surfing the Internet, you land on a Web site, and BAM! Malicious software secretly downloads to your PC. Most of the time you don't even have to click on anything or even stay on the site for more than a moment. But when you leave the site, you take an invisible threat away with you that steals your identity and your privacy.

The Adobe attack is just the latest chapter in a dramatic but predictable story. Nearly every week for the past year, it seems a new drive-by exploit is discovered. Web surfers fall victim. Identities are stolen. Secrets are passed. Virus companies catch up...too late as usual.

Any Web site will do. These types of exploits have been hosted on compromised mainstream sites such as Miami Dolphins and Tom's Hardware and on popular banking sites where you'd never expect them, as well as on riskier sites such as free download sites. The point is that these threats can affect you no matter where you surf and no matter how careful you are.

How likely are you to hit a drive-by? A study by Google concluded that over 1% of all Web searches contain at least one malicious URL which could be a drive-by. So out of 100 Web searches, you'll hit at least one of these. And that's just one of the methods to get you. Phishing sites and other social engineering tactics can land you on a malicious Web site too. And if you do stuff like downloading free screensavers and music and you spend a lot of time social networking, your risks are higher.

So what do you do?  Hide your love away...

Hackers love people who run old versions of their software. And you don't want to be loved by hackers! When you run outdated software on your PC, you make it dead easy to get hacked. You're almost asking for it. So please update all your software now...right now. And especially if anybody is using an older version of IE or Firefox (or whatever browser you run)...upgrade immediately! You should be on IE 7 and Firefox 3.

...and get a good traffic cop. The traffic cop is one of the few technologies out there that can stop drive-by downloads. And this one is *the* only one at this time that works automatically (the others require you to change the way you download files and manage your file system). It's our own ZoneAlarm ForceField. In the time it's been out, it's stopped 100% of drive-by downloads that we've been able to test - theoretical and actual. It does a lot of other stuff too. Try it for free and please tell me what you think of it. Love it or hate it, I'd love to know. It's less than 5MB.

Thanks!

http://www.zonealarm.com/security/en-us/trial-download-zonealarm-forcefield-browser-security.htm

Read the Adobe Security Bulletin here.

The Conspiracy of Silence around Web Attacks

By John Gable

ZoneAlarm Director of Product Management

Hardly anyone knew about it.

The Los Angeles Angels website was recently hacked overnight with a drive-by download. It tried to download “AntiVirus 2009”, a well known fake security program that actually installs malware, onto visitors' systems. The Angels fixed the problem the next day, but damage was done.

I don’t mean to pick on the American League West Champions. This happens much too often, not just in major league baseball, but also the National Football League (Miami Dolphins), job sites (Monster.com), financial institutions (Bank of India) and plenty more.

What else don’t you know about? Did you know about …

I suggest there are 3 good reasons most people don't hear about such incidents.

  1. Hackers want to be invisible. Gone are the “good ole days” when a hacker wanted to become famous. The "I Love You" virus was a big problem, but at least you knew if you were infected. Now hackers go to great lengths to make sure you don’t know anything is happening as they take over your PC.

  2. Web sites that have been hacked don’t exactly spend marketing funds to tell the world what happened. Responsible sites, like Check Free, quickly contact any potential victims to help them. But the last thing most sites want is to scare you away.

  3. Same logic applies to software vendors, even security companies. Plus, sometimes they don’t want to advertise vulnerabilities because they don’t want to educate hackers how to break in.

Special kudos to the companies that do a good job at communicating threats. Adobe just issued a security bulletin about a buffer overflow issue with Adobe Reader 9 and Acrobat 9.

I’m happy to report that our new ZoneAlarm Extreme Security, which integrates our latest PC security suite with our web browser security and more, is the only security suite that blocked any of the threats I listed above from the very first moment they hit the Web (someone else might have stopped the LA Angels attack - but I can verify that others missed all the other attacks).

In fact, ZoneAlarm Extreme Security blocks all of them. See our Stops Attacks Others Miss page for more details.

Do you think people need to know about these Web attacks or is ignorance bliss?

Another win for the good guys

Zango is at it again, and again the good guys have prevailed.

You would think that everyone would appreciate how security products protect users from dangerous, annoying or just unwanted attacks and content. But then again, you might not be a company “allegedly” doing “questionable” things. And if you were that company, you might just sue a security company working to protect its customers.

We were threatened with a lawsuit by 180Solutions/Zango because of how ZoneAlarm warned our users about some of their technologies. That suit was dropped early last year. (See more here: http://download.zonelabs.com/bin/free/pressReleases/2006/pr_1.html).

Now, Zango is suing Kaspersky Labs, our partner for anti-virus detection and removal. This time, they actually went to court. And we are delighted to report that Zango lost and Kaspersky won. (See more here: http://www.net-security.org/virus_news.php?id=857).

Granted, anyone can make a mistake, and security vendors are sometimes guilty of false positives – incorrectly tagging something as dangerous when it isn’t. But there are also companies that push the boundaries of privacy and security, and someone has to draw a line. People rely on security vendors to make that call, and we in the security industry must make that call with conviction and not back down in the face of controversy.

This is a victory for everyone who relies on security products to protect them. Everyone should applaud Kaspersky Labs and encourage all security vendors to show that kind of courage and stand up to threats and lawsuits. Don’t reduce security warnings just to avoid a lawsuit or discomfort – stand firm and protect!

Congratulations Kaspersky.

Items of Interest

Some interesting links for this holiday week:

Book: "Security Engineering" by Ross Anderson

Wiley has allowed Ross Anderson to release his widely respected book "Security Engineering" online as a free download (server is under heavy load right now).

While this book might be a bit in-depth for the normal computer user, many non-security type people still find it useful. For example, the chapter on Bookkeeping is useful for many small business owners and the rest of the book is full of interesting security insights in all kinds of fields.


Undoing the Social Engineering of Online Dating Scammers

The combination of free email with anonymous classified sites (such as Craigslist) creates an environment ripe for con artists and opportunistic people to get information and meet others romantically under false pretenses, a practice called social engineering. Wikipedia defines social engineering as "the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies."

Paid-for online dating sites have become a platform for phishing as well. I once received an email through a popular dating site. He offered his undying love as well as a fortune. Unfortunately he was far away in Nigeria. In his photo he was speaking on a cell phone (probably to the bank about his impending $$$ fortune). Incredibly, he had paid $1 to send me the email. He must have calculated the return on investment by targeting "lonely hearts" would exceed the dollars spent.

Now sites such as Don't Date Him Girl provide a social engineering antidote for women to reveal the truth about dating scammers. The prospect of having a photo and story posted should at least deter those with "something to lose" (e.g. married men).

Of course prevention is always better than fixing a problem. So, follow the same aphorism that applies to online security and avoiding cons:

  • If it sounds too good to be true, it very well may be.
  • And, use multiple points of verification that a person is "for real" lest you be phished out of a fortune in dollars or heartache.

Know what I mean?

I applied for a credit card

About a month ago, my wife's and my debit cards started getting rejected at the stores. Maybe it's just me but it's an unpleasant experience. I feel like the cashier must be thinking what a loser I must be, running out of money in my bank account and just can't keep it together. Inevitably, a defensive comment comes out like "Well it worked yesterday...".

When it didn't work at the bank machine either, I called the bank. "There's been a security compromise on one of your cards", she says. Oh really! "And what exactly is that?", I ask. "It seems one of the cards was used at an instant teller belonging to another bank and it had a PIN logger on it", I'm told. Oh really! "Then you did the right thing.", I said in reflex. "Is there anything else I can do for you today?", she says from her memorized script. "Can you drive down and give me some money?" It seems I'll have to wait until the bank opens on Monday.

As I go back to my car, I ask myself 'why did they cancel both cards? Why not just my wife's?' (It was she who had used another bank's machine. My card was not compromised. My PIN was not stolen. It isn't stored on her card. My card is completely valid and as safe as before.) I guess they don't know what they are doing.

Well it took more than a week to get new cards in the mail. Doubly annoying since they hadn't bothered to notify me.

Then I hear about how several banks had card information compromised:

http://www.msnbc.msn.com/id/11731365/

Is my bank listed? You bet! Do I shop at OfficeMax? Not since that rebate issue last year, but let's not go there! So now I'm doubting the story my bank told me. If PIN numbers were stolen, it makes sense to replace both cards.

The article brings up an important point, that the law protects credit card users far better than debit card users. With a debit card, you could be held responsible for all money stolen from your account. Not so with credit cards. Why haven't I been using a credit card? Well, let's not go there either. But now I've applied for one. It's either that or all cash purchasing and I don't think my wife will go for that.

UC Berkeley executes Social Engineering attack on USC -- Wins game

UC Berkeley carried out a social engineering attack (actually more of a prank) against the rival USC basketball team. The attack included: a star basketball player, a (fictitious) young lady named Victoria, and some Instant Messaging. Pretty easy and pretty funny.

This story may not seem to have anything to do with securing your PC, but social engineering attacks are (what I believe to be) one of the most common ways a computer user can infect/compromise/divulge/risk their computer/credit card numbers/identity.

  • What is a phishing attack? It's social engineering someone into divulging personal information through confusion or misrepresentation.
  • How does spyware often get installed? A user (or even a child wanting smileys ;) is tricked or enticed to visit a website providing the spyware and is either hit with a drive-by download or downloads something seemingly safe that *also* contains spyware.
  • How does email-borne malware spread? A user gets an attachment from their friend (a name they recognize, just like a phishing site they recognize) and they end up clicking it -- bam, they're infected.

There are many kinds of social engineering; the attack on a USC basketball player shows just how extensive the variations are.

Go read the UC Berkeley attack on USC.

Wikipedia definition: Social Engineering
