Take THAT IE Fan Boy

Bruce Schneier just posted an interesting article on his blog entitled “Interview with an Adware Developer”.

This article reinforces many of the things I have been telling people for a very long time that, for whatever reason, never sink in.

I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do—which means basically anything.

Aside from reinforcing that Internet Explorer is a poor choice for web browsing (unless you enjoy collecting and cleaning malware… you know, for practice), it also outlines an interesting new technique that I recently witnessed while cleaning a machine.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did—actually I should say what I did, because I was pretty heavily involved in this—was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it.

During my live analysis of this machine I used the Microsoft/Sysinternals Filemon program to watch for a bit and noticed explorer.exe doing something similar to what the author describes.

34139    6:32:11 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read

The article explains how they create a file with a seemingly random name (a hash of the MAC address) and use that as the installer. This one appears to be a variant on the technique that takes it a step further and hides the installer in an NTFS alternate data stream attached to a legitimate file. These are data streams that I had previously detected and removed, which is why the poller's open attempts come back NOT FOUND.
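As an added example (not code from the post or from the interview), here is a small Python checker that reads Filemon-style records, flags any path that names an NTFS alternate data stream, and groups repeated short-interval opens of the same stream by one process, which is what the re-install poller described above looks like in a log once its payload has been removed. It assumes tab-separated fields in the order Filemon saves them (sequence, time, process:pid, operation, path, result, other); the four sample lines are constructed, with the sequence numbers and the benign shell32.dll line made up and the stream name taken from the captured line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Filemon output (tab-separated, as Filemon saves it),
# modelled on the line captured in the post; the seq numbers are made up.
SAMPLE_LOG = """\
34139\t6:32:11 PM\texplorer.exe:2916\tOPEN\tC:\\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA\tNOT FOUND\tOptions: Open  Access: Read
34140\t6:32:11 PM\texplorer.exe:2916\tOPEN\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS\tOptions: Open  Access: Read
34201\t6:32:21 PM\texplorer.exe:2916\tOPEN\tC:\\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA\tNOT FOUND\tOptions: Open  Access: Read
34260\t6:32:31 PM\texplorer.exe:2916\tOPEN\tC:\\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA\tNOT FOUND\tOptions: Open  Access: Read
"""

# A path naming an NTFS alternate data stream: drive, a path with no further
# colons, then ":streamname" and optionally the ":$DATA" type suffix.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^:\\]+)(?::\$DATA)?$")

def ads_target(path):
    """Return (host_file, stream_name) if path names an ADS, else None."""
    m = ADS_RE.match(path)
    return (m.group("host"), m.group("stream")) if m else None

def parse_line(line):
    """Split one Filemon record: seq, time, process:pid, op, path, result, ..."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None  # blank or malformed line
    seq, when, proc, op, path, result = parts[:6]
    return {"seq": int(seq), "time": datetime.strptime(when, "%I:%M:%S %p"),
            "process": proc, "op": op, "path": path, "result": result}

def find_ads_pollers(log_text, min_hits=3, max_interval_s=15):
    """Flag a process that re-opens the same ADS every few seconds: with the
    payload already removed, that is the watchdog/poller still looking for it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ads_target(rec["path"]):
            hits[(rec["process"], rec["path"])].append(rec)
    findings = []
    for (proc, path), recs in hits.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["seq"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if max(gaps) > max_interval_s:
            continue  # sporadic access, not a tight polling loop
        host, stream = ads_target(path)
        findings.append({"process": proc, "host": host, "stream": stream,
                         "hits": len(recs), "max_interval_s": max(gaps),
                         "not_found": sum(r["result"] == "NOT FOUND" for r in recs)})
    return findings
```

On the sample, the only finding is explorer.exe:2916 opening the stream on C:\NTDETECT.COM three times at 10-second intervals, every attempt NOT FOUND; the process named in such a finding is where to look for the injected poller, not the host file itself.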

The article also has an interesting point about evasion.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

In the virology and malware world this is known as polymorphism, and it is a very effective technique for evading most signature-based anti-virus and anti-spyware programs.

Now the truly frightening part: he mentions using interrupt handlers instead of executables and states that they decided not to do it. Now that the concept has been written down, someone will run with it.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

What this all boils down to is that the malware authors have once again leapfrogged the anti-virus industry. Microsoft also needs to take a more proactive role in securing IE and Windows against these sorts of threats.

The days of recycling old code as variants are over, and it's time we prepared ourselves for a whole new world of malware threats.

More on Heartland

Dark Reading posted an article entitled “Report: Law Enforcement Closing In On Heartland Breach Perpetrator”.

“Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the “sniffer” software used to collect the data was located only last week.”

If this turns out to be true, heads should roll.

Heartland Breach

Heartland Payment Systems acts as a payment gateway for credit card transactions for over 250,000 businesses. At some point a sniffer was installed in their data center, intercepting all transactions. Some media outlets are calling this the “largest data breach ever”. They process “100 million credit card payments a month and more than 4 billion transactions per year” but currently have no idea when the malicious software was installed.

Most state laws (and federal and industry regulations) strictly mandate how breaches are reported to consumers and how quickly. Unfortunately this incident falls into a bit of a gray area in that consumers are two steps removed from the breach. As best I can tell, Heartland simply has to notify its customers (mostly restaurants and other businesses), and then it's the responsibility of these 250,000 or so businesses to inform their customers. I assure you that some will slip through the cracks or intentionally not be notified by small businesses fearing bad PR.

Heartland just launched a site to provide some positive PR and is sending it to their customers (not end consumers). They did not distribute this URL to the general public. The reason an entirely new domain (one that does not contain “heartland” at all) was launched is that Heartland's main site makes no mention of the breach at all.

After reading the Heartland statement by CEO Robert O. Carr, it becomes abundantly clear where their loyalty and concerns lie. With statements like:

“In fact, since our disclosure of the breach on Tuesday, January 20, 2009, more than 400 new merchants, new payroll clients and new check management clients have demonstrated their continued trust in our services by joining as new customers.”

This is clearly damage control. It's in poor taste to mix marketing with breach notifications.

“As a cardholder, you will not be held financially responsible for any unauthorized transactions. You should regularly monitor your card and bank statements and report all suspicious activity to your issuing bank (the bank that issued the card, not the card brand).”

That last statement is the only thing that even makes reference to the end consumers whose data was compromised. Most breach laws require that the responsible party (Heartland) purchase credit monitoring services for a year for each affected person. This statement says that “you will not be held financially responsible” but does not provide the why or how. It does not indicate that Heartland will reimburse you as a consumer, nor does it say they will purchase credit monitoring services for you.

This is just another example of how we, as modern consumers, need to take responsibility for our own safety and proactively monitor our own accounts. We are obviously in this alone.

Massive World Bank Compromise

FoxNews (not one of my normal news sites… I promise) just posted a story entitled “World Bank Under Cyber Siege in ‘Unprecedented Crisis’”.

The details are fairly chilling and include some amazingly upbeat quotes like…

“While it remains unclear how much data has been pilfered from the bank, it’s a lot. According to internal memos, “a minimum of 18 servers have been compromised,” including some of the bank’s most sensitive systems — ranging from the bank’s security and password server to a Human Resources server “that contains scanned images of staff documents.””

And…

“The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.”

This is certainly disturbing news for a number of reasons. Most importantly, the fact that the world's financial system is in serious peril, and this…

In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

The italicised text (the last sentence above, about trying to keep the news from leaking to the public) is what I find very disturbing. GLB, SOX and a slew of other laws all have strict disclosure guidelines. Trying to hide something of this magnitude is not only futile but also illegal.

geeks.com compromise

The folks at Consumerist (excellent site, btw) just posted a copy of the disclosure letter geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may have been compromised.

A few items that concerned me about the disclosure are…

Genica Corporation dba Geeks.com
1890 Ord Way Oceanside, CA 92056
January 4, 2008

[snip]

The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.

Two things immediately jump out at me in this first chunk of text. The first is the date of the letter compared to the stated date of discovery.

Being a PCI-DSS guy, I know that most merchant gateway providers require disclosure within 1 day of “a suspected compromise”. Granted, that is disclosure to the merchant gateway and not to customers. However, Computer Geeks operates out of California, which is at the forefront of disclosure laws. In fact, the California Security Breach Information Act (SB-1386) states…

Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery

The other troubling part was “and card verification number”. This is the CVV2, which is NEVER to be stored per PCI DSS requirement 3.2.2.

3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions

I am troubled by the fact that vendors still remain clueless about the best practices and regulations that govern their actions. I am even more disturbed that, regulations aside, implementing proper safeguards and demonstrating caution is in their customers' best interests, yet it is still not done.

This Week in Links: 12/31/07 – 1/6/08


Pretexting

I have seen “pretexting” in the news far too much without commenting on it.

What is pretexting? According to Wikipedia it is “the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone”.

So, in other words, it's a specific type of social engineering. Or, as I like to call it: fraud.

Let's not beat around the bush on this one. If you contact a company and pretend to be me in order to get information about me, or to acquire a service or funds that you are not entitled to, you are committing fraud (and I will beat you down).

Having been the victim of both identity and credit theft, I take privacy very seriously. Yet even a thorough understanding of privacy and a healthy dose of paranoia are still not enough.

The first time it happened someone forged my signature (convincingly too) to have all of my mail forwarded to Texas. The motivation on this one is still unclear, but it took the post office months to straighten my mail out.

The second time I was a victim of credit card “double-swipe”. While at a gas station in Ontario, CA, someone swiped my debit card through a modified card reader. This reader recorded the information stored on the strip on the back of my card. They also recorded my CVV (the 3-digit code on the back of the card) and used the information to print a new magnetic strip and clone my debit card. It was used for ‘card in hand’ transactions in Toronto.

Neither of these events could have been prevented… by me. However, with proper legislation our government could force private industry to implement effective safeguards against these sorts of attacks. Unfortunately, until these safeguards are mandated or become cost effective, they will never happen, and we as consumers will continue to suffer.

A prime example of this country moving in the wrong direction is the recent HP verdict. The top levels of the company condoned (nay, encouraged) pretexting and got off with no jail time.

And now we are seeing pretexting causing issues with Xbox Live.

We have to be clear with law makers that we will no longer sit by and let our personal data be stolen and sold.

Until we can convince lawmakers that this sort of thing will not be tolerated, all we can do is learn how to protect ourselves and support organizations that are trying to make things right.

Electronic Privacy Information Center (EPIC)
Identity Theft Resource Center
Privacy Rights Clearinghouse
Privacy Laws by State (source: Epic.org)

Texas County Clerks Want to be Above the Law on Data Privacy

In case you haven't been following security and privacy related news, last week Texas Attorney General Greg Abbott ruled that exposing SSNs in public documents violates state and federal laws.

To me, this is common sense and good news for the common good of everyone in Texas. Why would you want anyone printing your social security number in a public document? It makes no sense and is outright dangerous.

Now we have this little gem (source: computerworld.com):

The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents “in the ordinary course of business.” […] The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid.

This sounds like a group of people so set in their ways and so fearful of change that they are unwilling (or too lazy?) to change operating procedure to comply with the law and serve the good of the general public.

I’m appalled that the Texas county clerks would ask legislators to exempt them from this law and I am even more disgusted with the fact that the legislators are considering it.

Apparently even the privacy concerns are bigger in Texas.

Help! My Identity Has Been Thefted… Again!

Well, not really. This time it was only my debit card.

I received word, last Saturday evening, from my bank (National City) that my debit card had been used for a ‘card-in-hand’ transaction at a gas station in Canada (they made a physical card containing my debit card information on the back strip). The woman from the bank asked if I had been in Canada earlier that day. After telling her that I was at home all day, she informed me that my card number had likely fallen prey to the recent rash of debit card information thefts.

From what I was able to gather from earlier reading about this, a number of merchants illegally retained debit card PIN information, and that information was subsequently stolen and used all over Canada and Europe.

The woman from the fraud department at National City informed me that the transaction had occurred about an hour earlier, that she saw no additional fraudulent transactions (I verified this with my online account view), that my card had been frozen to prevent further charges, and that the bank maintains a no-liability policy. In other words, I was not responsible for the transaction in any way. She asked that I stop by a branch and fill out an ‘Affidavit of Fraud’, and said that a new debit card would be mailed first thing Monday.

All in all I was very impressed with the quickness of detection and the fact that they took the initiative and corrected things. They turned what could have been a disaster into only a minor inconvenience.

I am, however, unimpressed with the fact that the government still has not passed any law that will hold the vendor(s) accountable for allowing the information to be compromised. I am certain that once a law of this sort passes, the frequency of these sorts of incidents will drop like a stone.

The number of articles about this whole debacle indicates that hundreds of thousands of others have also fallen victim. A couple from SecurityFocus are as follows:

Seven arrested in online fraud crackdown
Debit-card fraud underscores legal loopholes
Debit-card fraud continues
Citibank issues ATM fraud statement