Controversial DNSSEC could solve pernicious Internet security issues

by Albert Sweigart, Consumer Security Development

The well-known security researcher Dan Kaminsky pushed for the adoption of DNSSEC (Domain Name System Security Extensions) in his recent presentation at the Black Hat DC conference. Kaminsky is famous for a critical flaw he found in the Domain Name Service protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) to numeric Internet Protocol addresses (such as 209.87.209.206). Kaminsky discovered that, by exploiting the flaw, a DNS server can be tricked into resolving a domain name to a different IP address. This would allow an attacker to redirect someone visiting YourOnlineBank.com to a fake replica of the website that the attacker controls. The user would unwittingly give their online bank password to the attacker's fake website.

That vulnerability has been patched since, but the DNS protocol itself in many ways remains fundamentally insecure:

  • DNS is not a secure protocol by itself, and software applications do not rely on it for security. The use of cryptography imposes some computational expense on the server and causes scalability issues. Secure Sockets Layer, the technology that most consumers recognize from the tiny lock icon next to the URL bar in their web browser, mitigates this problem somewhat. A fake website would not be able to reproduce the proper SSL certificate, and web browsers display warnings about accessing web sites with invalid SSL credentials. However, users are amazingly resistant to such warnings, and the “click the button to make the message box go away” mentality causes many users to ignore them.

  • Unfortunately, a more common attack would just be not employing SSL at all. Redirecting a user from YourOnlineBank.com (which uses SSL) to the fake replica website (which does not use SSL) would not produce any browser warnings. The cannier user may notice the lack of the “https” in the URL before entering their password, but most would not.

  • With the domain name system vulnerable, a website’s “forgotten password” feature also becomes an easy target for hackers. By hijacking YourOnlineEmail.com, an attacker could then go to Facebook, eBay, or any number of online web services and request that a new password be sent to a user’s email address (such as BObama@YourOnlineEmail.com). This password would then be intercepted by the attacker, because it is sent not to the real YourOnlineEmail.com but to the fake one under the attacker's control. The real user is never involved in or aware of the attack at any point.

DNSSEC is a proposed protocol (introduced in RFC 2065) that would secure the DNS protocol using public key encryption, but its adoption has been slow due to many factors. It is notoriously complicated to implement and maintain. Without a demand from applications, there is little incentive to add DNSSEC.
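As an added illustration (not code from the original post), the sketch below parses a DNS response in wire format and reports whether the resolver marked it as DNSSEC-validated via the AD ("Authenticated Data") header flag and whether a signature record (RRSIG) accompanies the answer. The sample messages are constructed inline; the RRSIG data is a placeholder, 203.0.113.10 is a documentation address standing in for a spoofed answer, and all function names are hypothetical.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
AD_FLAG = 0x0020  # header bit a validating resolver sets after checking signatures

def encode_name(name):
    """Encode a domain name as length-prefixed labels (DNS wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, ip, validated):
    """Constructed sample: one question, one A record, optional RRSIG record."""
    flags = 0x8180 | (AD_FLAG if validated else 0)  # QR, RD and RA set
    answers = [(TYPE_A, bytes(int(octet) for octet in ip.split(".")))]
    if validated:
        answers.append((TYPE_RRSIG, b"\x00" * 18))  # placeholder, not a real signature
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!2H", TYPE_A, 1)
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return pos + 2
        pos += 1
        if length == 0:            # root label terminates the name
            return pos
        pos += length

def inspect_response(msg):
    """Extract A records and the DNSSEC-related signals from a response."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    addresses, has_rrsig = [], False
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
        elif rtype == TYPE_RRSIG:
            has_rrsig = True
    return {"addresses": addresses, "ad": bool(flags & AD_FLAG),
            "rrsig": has_rrsig, "rcode": flags & 0x000F}

if __name__ == "__main__":
    for ip, validated in (("209.87.209.206", True), ("203.0.113.10", False)):
        print(inspect_response(build_response("zonealarm.com", ip, validated)))
```

The AD flag only means something when the path between the client and the validating resolver is itself trusted, since the flag is an unsigned header bit.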

DNSSEC also has a political problem with the international community and more libertarian proponents of the Internet. The DNSSEC protocol would place the root authority to authenticate the entire domain name system with the U.S. Department of Commerce, including the domain name system of 187 different countries. This centralization of authority would also give the government the power to disable domain names, or perform DNS hijacks themselves.

Kaminsky has always been lukewarm to the idea of DNSSEC, but despite its problems and complexity Kaminsky is for securing the DNS protocol. A fix at this level of the Internet could potentially solve an entire class of security problems. The pressure placed on networks and DNS servers by business and consumer interests provides too large an incentive to ignore this issue forever. And while the work to simplify the administration of DNSSEC still has a long way to go, Kaminsky has pointed out that the implementations of proposed alternatives to DNSSEC (such as DNSCurve) are far behind.

Real World Internet Safety Tips for Using Public Wi-Fi

By James Grant, Team Lead and Senior Developer

I was recently traveling and wanted to keep in touch with both work and the world. I packed my laptop and was off. On arrival, the hotel clerk proudly told me that the hotel offered free Internet over Wi-Fi, no encryption to worry about. Great! I guess...

Confession: I get a little paranoid about security so I'm thinking through all the ways this could go wrong: the person in the next room is going to see all my Internet traffic because it is going over the airwaves like a cell phone call; the person in the next room will try to hack into my computer; the person in the next room will see my email address and I will get more spam. I need a new room! But wait, everyone in the hotel can see my traffic-- as well as anyone driving by! Well, the good news is that not everything you do on the Internet puts you at risk.

Using email

The first thing I wanted to do was check email at work. My company uses a VPN to support email access, so I can do that safely. I am free to use a public Wi-Fi link because a snoop will not try to decrypt my VPN traffic to read the emails. The VPN is the strongest link in the chain, not the weakest link.

The next thing I wanted to do was check my personal email at Gmail. There I have to be a bit more careful. I deliberately go to https://gmail.google.com (instead of http://...) because then Gmail gives me an encrypted connection (safe). If I just typed gmail.google.com, my login would be encrypted, but the emails I read and wrote would be unencrypted and any snooper could see them! Remember: whenever you see "https" at the start of the link in your browser, it means you're a lot safer than "http".

Checking online news

With that done, I wanted to check the news. Now I personally don't care who knows what news articles I read, so I freely went to my favorites:

www.news.google.com, www.theregister.co.uk.

Using Facebook

Then I wanted to check what was happening at Facebook. Darn. That's where I caught myself and chose to wait. Facebook encrypts the actual login, but after that it isn't as safe. Snoopers could learn the email address I use to log in as well as my profile ID (every Facebook member has a unique profile ID).

They also might be able to get my "session token": information that lets them connect to Facebook as if they were me. I could be wrong, like I said, I get a little paranoid. So I did not connect to Facebook over the unencrypted Wi-Fi.
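The exposure described above (encrypted login, unencrypted session afterwards) can be checked from captured HTTP headers. The following is an added example, not part of the original post: it flags session-like cookies that are issued without the Secure attribute and those actually sent over plain http://. The site name, cookie names, values and the name-matching heuristic are all constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Heuristic (assumption): cookie names that usually carry a login session
SESSION_HINTS = ("session", "sess", "auth", "token", "sid")

# Constructed sample: (request URL, request Cookie header, response Set-Cookie headers)
SAMPLE_EXCHANGES = [
    ("https://social.example/login", "",
     ["session_token=4f1c9a; Path=/; HttpOnly", "locale=en_US; Path=/"]),
    ("http://social.example/home", "session_token=4f1c9a; locale=en_US", []),
    ("https://social.example/settings", "session_token=4f1c9a",
     ["auth=77aa01; Path=/; Secure; HttpOnly"]),
]

def is_session_cookie(name):
    """Guess from the name whether a cookie identifies a logged-in session."""
    return any(hint in name.lower() for hint in SESSION_HINTS)

def parse(header):
    """Parse a Cookie or Set-Cookie header value into name -> morsel."""
    jar = SimpleCookie()
    jar.load(header)
    return jar

def audit_session(exchanges):
    """Return (cookies set without Secure, cookies observed on plain HTTP)."""
    set_without_secure, sent_in_clear = [], []
    for url, cookie_header, set_cookie_headers in exchanges:
        scheme = urlsplit(url).scheme
        # A session cookie without Secure will be replayed on any http:// request
        for header in set_cookie_headers:
            for name, morsel in parse(header).items():
                if is_session_cookie(name) and not morsel["secure"]:
                    set_without_secure.append(name)
        # A session cookie on an http:// request is readable by anyone on the Wi-Fi
        if scheme == "http" and cookie_header:
            for name in parse(cookie_header):
                if is_session_cookie(name):
                    sent_in_clear.append((url, name))
    return set_without_secure, sent_in_clear

if __name__ == "__main__":
    missing, exposed = audit_session(SAMPLE_EXCHANGES)
    print("Set without Secure:", missing)
    print("Sent over plain HTTP:", exposed)
```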

Banking and other private activities

What else would I not recommend in a public setting?

- banking - even if the connection is encrypted, I reveal what bank I use

- online investments - same as banking, only more money at stake

- private activities: IM, political activities, porn (no, I'm not confessing anything here. It's you, Dear Reader, I am thinking of!)

Avoid all of these things on unencrypted Wi-Fi, unless you use a service like Anonymizer Anonymous Surfing. With a service like Anonymizer, everything works the same but your network traffic gets routed through their server using an encrypted connection. Snoopers can't tell where you're going or what you're sending.

What about public computers?

A final note about using a public computer (library, conference, hotel, etc.): I would not log on to any account of mine on a public computer, even if it were an encrypted https: website. The computer might have a virus or other tool for logging everything you type. Think of a public computer as having the public looking over your shoulder.

Adobe Acrobat PDF vulnerability is more of the same

By Jordy Berson, Group Product Manager, Check Point Software

A vulnerability in Adobe Acrobat is being used to steal business and government secrets. This exploit entices its victims to open a PDF document, upon which a Trojan is transferred invisibly to the victim's PC. The Trojan secretly records the keystrokes and allows hackers remote access to the victim's computer. This vulnerability has so far been targeted at business executives and government officials. I don't know what's scarier - the attacks that target people like you and me directly to steal our identity, or knowing that our government and business officials are being spied on.

The general idea is this: You're surfing the Internet, you land on a Web site, and BAM! Malicious software secretly downloads to your PC. Most of the time you don't even have to click on anything or even stay on the site for more than a moment. But when you leave the site, you take an invisible threat away with you that steals your identity and your privacy.

The Adobe attack is just the latest chapter in a dramatic but predictable story. Nearly every week for the past year, it seems a new drive-by exploit is discovered.  Web surfers fall victim.  Identities are stolen.  Secrets are passed.  Virus companies catch up...too late as usual. 

Any Web site will do.  These types of exploits have been hosted on compromised mainstream sites such as Miami Dolphins and Tom's Hardware and on popular banking sites where you'd never expect them, as well as on riskier sites such as free download sites.  The point is that these threats can affect you no matter where you surf and no matter how careful you are.  

How likely are you to hit a drive-by? A study by Google concluded that over 1% of all Web searches contain at least one malicious URL which could be a drive-by.  So out of 100 Web searches, you'll hit at least one of these.  And that's just one of the methods to get you. Phishing sites and other social engineering tactics can land you on a malicious Web site too. And if you do stuff like downloading free screensavers and music and you spend a lot of time social networking, your risks are higher.

So what do you do?  Hide your love away...

Hackers love people who run old versions of their software.  And you don't want to be loved by hackers! When you run outdated software on your PC, you make it dead easy to get hacked.  You're almost asking for it.  So please update all your software now...right now.  And especially if anybody is using an older version of IE or Firefox (or whatever browser you run)...upgrade immediately!  You should be on IE 7 and Firefox 3.  

...and get a good traffic cop. The traffic cop is one of the few technologies out there that can stop drive-by downloads. And this one is *the* only one at this time that works automatically (the others require you to change the way you download files and manage your file system). It's our own ZoneAlarm ForceField. In the time it's been out, it's stopped 100% of drive-by downloads that we've been able to test - theoretical and actual. It does a lot of other stuff too. Try it for free and please tell me what you think of it. Love it or hate it, I'd love to know. It's less than 5MB.

Thanks!

http://www.zonealarm.com/security/en-us/trial-download-zonealarm-forcefield-browser-security.htm

Read the Adobe Security Bulletin here.

Open Source Digital Voting Foundation

I recently met John Sebes, co-founder of the Open Source Digital Voting Foundation. What are they doing? In his words, while the rest of the world was running around in a panic about the problems with electronic voting machines, he decided to do something about it.

Their goal is to design a voting system that will be secure, reliable, able to do a vote recount and will be open-source so people can inspect the design. It will earn the public's trust.

If you are a designer, you can help with the design.

If you are a developer, you can work on it.

If you are a believer in fair elections, you can contribute to bring this idea to fruition.

Can They Hear You Now?

Following up on the previous post regarding "roving" wiretaps, a well connected co-worker sent me this tidbit (quoting from the site):

Cellular Spy Phone
The telephone is programmed with a telephone number and when anyone calls the Spy phone, it rings and operates as a normal telephone but when the phone is called using the telephone with the number that was previously programmed into the phone, it automatically answers without any ringing or lights coming on and it turns on the built in microphone to listen to all the surrounding noises or conversations. There is no other Spy Phone like it anywhere.

To enable this type of function, it requires new software (as they stated "previously programmed"). Most cell phones can be flashed over the network by the Cellular company (like an automatic software update), so I'm beginning to think the remote tapping isn't so far fetched after all.

This site only provides this type of modification for specific phones, but if the firmware can be modified to do it, I guess it would just take more firmware modifications to get the same type of features on other phones.

But wait, there's more interesting surveillance equipment on this site -- the GSS1000 SpyPhone:

1. Any sounds in the vicinity of the phone in the ("Listening Mode").
2. Monitor conversation made or received by GSS-1000 ("Interception Mode").
3. Monitor and track all incoming & outgoing SMS messages.

And, for those "tapees" who are close in proximity or UHF range to the tapper, there is the UHF Mobile Phone Transmitter:

  • Working GSM Nokia Cellular Phone
  • Built-in wireless UHF transmitter
  • Crystal controlled
  • Transmits both side of conversation
  • Range up to 600 feet (200 meters)
  • Up to five miles using our briefcase repeater
  • Magnetic antenna available for the receiver
  • The phone comes with quick AC & car chargers
  • Completely Stealth / Undetectable

The site doesn't mention prices or if they accept Paypal (you know to make ordering easy for normal people like me), but we'll work on getting one of these things and testing it out -- if we can get the PO for a "SpyPhone" approved ;).

There are all kinds of other interesting gadgets for you 007 types on the same site -- take a look.

 

WARNING: THIS [CELL] PHONE IS TAPPED

The past months have seen many reports on a new cell phone tapping tactic -- the "roving bug":

This new technique was supposedly used against an alleged mobster, John Ardito. According to reports, the FBI was able to send a signal to his cell phone that opened the mic on the phone and allowed them to listen in. Despite all the news reports, I'm not sure I'm ready to believe it and I'll explain why.

The interesting (and somewhat hard to believe) part is that the FBI could listen in without the phone making a call -- they weren't listening to his phone calls, but rather, they were listening to the ambient sounds and voices around the cell phone. That's right, while the phone is sitting in the tap target's pocket it can be instructed to open the microphone and allow listening.

Various surveillance experts and technical gurus find this hard to swallow -- suggesting that the phone would warm up during this event (since it's sending voice data to the intercept location), the tap target would notice, etc. I've learned that new technology can sometimes seem like magic, as such, you should never underestimate the power of smart people and the "magic" technology they create. Therefore, while I also find this form of tapping hard to believe, I know better than to write it off as fiction -- especially since the story has had time to bake and it has been covered, researched, and investigated by numerous media outlets. I've also seen the specs for the currently implemented tapping protocols for GSM, Cellular and SMS systems -- which makes a roving tap seem all the more possible.

The current GSM, Cellular and SMS phone tapping specifications for "lawful interception" (wiretapping) can be found here. These documents explain how the cellular networks are set up to allow Law Enforcement Agencies (LEA) to tap a cellular telephone and the data or text it transmits. A picture might provide a better example:

[Image: tap diagram]

Here are some interesting quotes from those documents:

  • To be effective, interception must take place without the knowledge of either party to the communication. Therefore, decryption must also take place without either party being aware that it is happening.

  • No indication shall be given to any person except authorised [sic] personnel that the intercept function has been activated on a target.
  • The invocation of lawful interception shall not alter the operation of a target's services or provide indication to any party involved in communication with the target.
  • ...it shall be a national option as to whether the network provides the CC (Content of Communication) to the agency decrypted, or encrypted with a key available to the agency.

Looking through these documents, it's clear there is a very extensive system in place to allow cellular phone tapping, but so far, I've yet to see any proof of the "passive listening tap" that was allegedly used against John Ardito. And, no one has produced such a document, nor have they shown a phone with such a hidden function. I'd like to see a bit more demonstrative evidence, despite the fact that if the FBI did have such a function, they would probably keep it closely guarded.

As they say, the jury may still be out on this one.

Online Gambling - a deliciously ironic name

If you or someone you know gambles online, the gamble may be bigger than they think. What stops the "house" from fiddling with the cards? Not much.

In a real casino, you are watching the dealer and the House is watching both of you. The rules are known and are followed. Cards are dealt fairly, according to the rules of the game. The fact they are physically present, in front of you, makes it difficult to cheat. None of this is the same online.

With computers dealing the cards, they select what you and the others get. A computer program, written in secret, decides what you get. You put your faith in the website to be honest. You trust them with all your gambling money. Here are two scenarios that would profit the house - after all, they make money when you play. Win or lose, they just want you to keep on playing.

Scenario 1 - The online casino deals out "good" cards more than "bad" cards. Let's say you're playing poker. When you get good cards, you expect to win and you start betting more, you feel lucky. If the casino also deals good cards to the other player, you're not going to win more, you're just going to feel "close" to winning more and want to keep on playing. The house cheats. The House wins.

Scenario 2 - The online casino deals good cards after you bet more. This encourages you to bet and win. You play more. The House wins.

Scenario 3 - The online casino has a secret "super player" category (for friends and people who pay for it) where you get better cards. You win and the house wins.

Scenario 4 - The online casino puts in its own player now and then. Their player gets winning cards and walks away with the money.

Since I'm not an online gambler, I'll present this as hypothetical. A skeptic could call it a "conspiracy theory". The thing is, business practices that pay off are generally followed until the penalty outweighs the payoff. With online casinos, where's the penalty? Who is going to do the work to investigate and prosecute such activity? All you're going to have is anecdotal evidence, people saying one online casino had luckier cards than another.

So you've been warned. Other examples of choices in regulated vs. unregulated services:

- banks are regulated and your money and transactions are protected by law. Online payment systems are not banks and you don't have those same protections.

- credit cards are regulated and you are protected by law against fraud. Debit cards are not credit cards and it is bank policy that decides how much your money is protected against fraud.

- telephones are regulated. With cell phones, the conversations are broadcast through the air where they are essentially unprotected. On the internet, the same privacy laws do not protect you.

Caveat emptor.

A "landrush" to get .eu domain names

"The Register" tells the fascinating tale of the recent rush to register domain names in Europe, websites that will end in .eu (European Union).

http://www.theregister.com/2006/04/07/eu_domain/

But it didn't go smoothly, say some:

http://www.theregister.com/2006/04/11/eu_bent_parsons/

Crafty business people set up sham companies to make dubious claims to the right to domains such as USA.eu. On the lighter side, there is the story of how a Dutch church narrowly missed the opportunity to bid on sex.eu for the purpose of promoting it "the way God wanted it".

http://www.theregister.com/2005/12/13/church_bid_on_sex/

New paint blocks out cell phone signals

UPI is reporting on a new type of paint created using nano-technology that can block cell phone signals -- and it can be enabled or disabled, not just always block the signals:

"You could use this in a concert hall, allowing cell phones to work before the concert and during breaks, but shutting them down during the performance," said Michael Riedlinger, president of NaturalNano.

Not that I understand much of this new nano stuff, but these tubes are not the conventional carbon based nanotubes, these are made of something called halloysite (made of aluminum, silicon, hydrogen, and oxygen).

What I want to know now: if they can block cell signals, how long will it be until they can block (or for that matter amplify) WIFI signals?

You can read more about this company and what they are working on here.
