Thursday, July 29, 2010

Check Writing Robots Attack Earth

The annual Black Hat conference is underway in Las Vegas... This is "the" event where security researchers try to out-do one another in discovering and exploiting security flaws... One of the more interesting ones this time around involves hacking ATM machines, but what I wanted to share is a diagram that shows the complexity and ingenuity of a check-forging scheme that originates in Mother Russia:
For the full story go check out the CNet article... It continues to amaze me how quickly the sophistication of cyber-criminals is increasing!

Friday, July 23, 2010

Update on MS Shortcut Flaw

Details and corrections about how this vulnerability works and the seriousness of it continue to come out in the infosec world. Episode 258 of the Security Now! podcast lays it out pretty well. Some key points:
  • Microsoft has updated their Security Advisory at least twice this week; it now points to a Knowledge Base article that has a "Fix it" thing you can click on to make the two changes I described in the last post about this. They have also substantially revised their analysis of the flaw - originally it was thought that the AutoPlay/Autorun feature had to be turned on but as we know now, just viewing a shortcut in Windows Explorer can trigger malware if it exists.
  • It is apparently possible that even shortcuts embedded in documents (e.g. MS Word files), emails, or web pages could be used as vectors... Think about that for moment - yow!
  • The SN podcast also points to a Didier Stevens blog post that describes how to use Software Restriction Policies in Windows to combat the flaw. However, it's probably a more advanced "hack" than the ones already described, and you can really screw stuff up if you don't know what you're doing with Policies. I have managed to configure two systems I have (one XP, one Win7) successfully with these changes, and tested it on one of them by trying to run an executable on a thumb drive that I have mounted... The application is blocked and a message comes up saying so.
The big question is how and when Microsoft will fix this. But - no matter what they do - older versions of Windows (e.g. Windows 2000 and XP SP2) are no longer being updated by MS with patches, so unless they make an exception for this very serious flaw, some systems will never be safe from this (unless a 3rd party makes some kind of widget available that blocks it).

Friday 7/30 update: MS has announced that they'e going to release an out-of-cycle patch next week for this. Details are in the MS Security blog.

Monday, July 19, 2010

New Windows vulnerability discovered - be careful with those USB sticks!

Microsoft posted information late last week about a vulnerability in Windows, that can mean that merely loading a USB memory stick onto your PC can cause bad things to happen. Basically, if the file that contains the little picture (icon) that shows up in Windows Explorer is "infected", it can cause whatever bad code that the attackers have attached to the icon file to be executed. At that point your system is pwnd 8^) and they can do whatever they want to it.

At the moment there is no fix and the workarounds are fairly technical. More information and details can be found at The H Security page as well as Microsoft's Security Advisory about it. So until MS releases a patch, be extremely careful about loading USB memory sticks onto your PC or laptop - know where they came from. Don't take candy or USB drives from strangers!

7/19 update: SANS has raised their Infocon Alert level to Yellow just because of the Shortcut bug.

7/20 update: This flaw has gotten more press than anything I remember seeing since the Conficker worm, which happened shortly after I started this blog. Furthermore, more than one industry expert is saying that this flaw is not easily fixable... I've been doing some more research on it, and despite first deciding that I would not make any modifications to my machines to protect against it, just a while ago I changed my mind and made the two mods recommended by Microsoft to my Windows 7 work laptop. One of the mods is to delete a Windows registry key (after making a backup of it), which will suppress the display of icons on shortcuts in Windows Explorer (thus precluding running malicious code that might be embedded in the icon file).


The other is to disable (and stop, if it's already running) a Windows "service" called WebClient, using the services.msc application. (In all likelihood you do not need this service running, unless you utilize the "WebDAV Client Service", which has to do with the interoperability of web page authoring tools. Or something like that.)

As I said before these mods are not the sort of thing that most people do often or even at all with their Windows installations, but if you follow the instructions carefully in the Microsoft Security Advisory, you should be fine. As long as you make the backup of the registry key as described in that document, both actions are reversible, and I therefore recommend doing them.