South Korea attacked from Chinese IP address so it must be North Korea

On Wednesday, South Korea’s government said a malicious code from unknown hackers caused “massive” computer network failures at several banks, the police and TV stations. ATM machines ceased to function. The South Koreans seemed fairly quick to blame it all on the nasty people from the North.

This morning I woke up to the news that the attacks originated from an IP address in China; “apparently” it’s a favourite tactic of the North Koreans to work indirectly through Chinese IP addresses to cover their tracks.

The whole story is starting to pong.

Facts are scarce, but the suspicion is that this malware was distributed by email in the traditional manner, using files called ‘KBS.EXE’ and ‘MBC.EXE’ (Page in Korean but you can get Google to translate). This doesn’t sound like a targeted attack on critical infrastructure, it sounds like a standard malware delivery to PCs. It’s claimed that the malware activated on Wednesday and wiped the hard disks, displayed skulls and so on. It’s possible, but another explanation is that malware often attempts to install itself on the boot partition and sometimes goes wrong, leading the luser to believe the disk has been maliciously wiped when in fact it’s just been made inaccessible accidentally, and it won’t boot. The synchronised timing could be accounted for by a botnet software upgrade that didn’t work as expected.

Now let’s consider the “plot”: To knock out critical South Korean infrastructure. If you wished to disrupt the Internet, that’s what you’d have to attack; not the endpoint PCs. Attacking PCs simply inconveniences individual users rather than taking down an organisation. The suggestion that an email virus could take down the ATM network is, frankly, ridiculous. How do you kill an ATM machine by emailing it? Or the bank’s mainframe? If there was ATM disruption, it could have been a side-effect of botnet traffic gone wild, but to say it was targeting the ATM network needs evidence to back it up before I’d take it remotely seriously. A DDoS attack may be possible if it’s not isolated from the Internet, but if that were true they were being very lax about things, and reports are talking about PC malware, NOT a DDoS attack.

And what of the attacking IP address traced back to China? No surprise there. China is botnet central. To be blunt, a lot of the software used on private computers in China is bootleg, which means it’s either supplied with botnet software pre-loaded, or isn’t able to receive security updates from Microsoft, making it easy prey. It’s no coincidence that the incidence of zombie computers is higher in countries where intellectual property rights are less vigorously enforced, and that part of the world is a case in point. So, whilst it’s true that North Koreans would use botnets based in China, it’s also a meaningless statement. Everyone uses botnets based in China and the Far East.

Reports could be wrong, of course. This could be a DDoS attack against the South Korean Internet in general, and specific high profile targets. However, this does not square with the malware reports of computers not booting, and “skulls appearing on screens”.

The whole thing pongs. Here’s my theory: Social engineering emails were used to distribute malware in South Korea. Because the criminals were using emails in Korean, only Korea was affected. Either maliciously, or more likely through incompetence, the malware tried to install some botnet software and broke a number of PCs. The news media in Korea has been quick to blame this on a sinister North Korean plot, and the world’s media has picked this up as a story without enough people sanity-checking the whole scenario.

Another Yahoo mail account pwned

This is getting ridiculous. I don’t monitor Yahoo or other freemail accounts in any way, but it seems like almost every week I come across one that’s been taken over by criminals. I got another email this morning from the account of an old friend sent by Yahoo webmail. He’s a BT Internet customer, and I’ve no doubt from some features on it that it was sent out by someone sitting at a web browser, logged in as him. It wasn’t him, unless he’s moved to Hyderabad and taken up a life of crime – unlikely, he’s a retired fire officer in the north of England, and it’s not his style.

Yahoo obviously provides BT’s email service, so their customers get a Yahoo webmail account, like it or not.

This happens to other freemail users too, but the number of Yahoo accounts being hit is getting disproportionately ridiculous. Yahoo would need more customers than everyone else put together if this was just a random effect.

So what is going on? My assumption in cases like this is usually that the compromised accounts are the result of key loggers at Internet cafes or public Wi-Fi systems. It makes sense, and fits the facts in cases I’ve investigated. But not this time…

Earlier this year there was a problem with Yahoo involving cross-site scripting that could affect insecure web browsers (that includes all of the commonly used web browsers). A character called Shahin Ramezany uploaded a video to YouTube showing how to do this. Yahoo very quickly came back with a fix. They said. This is just the latest in a long line of embarrassing problems – in Summer last year someone broke in to their computers and pinched a lot of confidential files.

Researchers at Bitdefender have also worked out how to do this, and it’s unclear whether Yahoo really has fixed the problem. For technical details, see CVE-2012-3414. It works by cookie harvesting, taking advantage of the way cookies are shared between different levels of a domain path.
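To make the cookie-sharing point concrete, here is an added example (my own model, not Bitdefender’s code and not Yahoo’s real domain layout; the hostnames under example.com are assumed). It implements the domain and path matching rules from RFC 6265 and shows why a session cookie set with a Domain attribute covering the parent domain is visible to script running on any sibling subdomain, while a host-only, HttpOnly cookie is not:

```python
from dataclasses import dataclass

# Assumed hostnames: example.com and its subdomains are placeholders for a webmail
# provider that also serves user-controlled content on another subdomain.

@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # effective cookie domain, lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    http_only: bool = False

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it (never for IP literals)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    is_ip_literal = request_host.replace(".", "").isdigit()
    return request_host.endswith("." + cookie_domain) and not is_ip_literal

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def set_cookie(response_host, name, value, domain=None, path="/", http_only=False):
    """Model a user agent storing one Set-Cookie header received from response_host."""
    if domain is None:
        return Cookie(name, value, response_host.lower(), True, path, http_only)
    effective = domain.lower().lstrip(".")
    if not domain_matches(response_host, effective):
        return None  # the UA rejects a Domain the responding host does not belong to
    return Cookie(name, value, effective, False, path, http_only)

def cookies_visible(jar, request_host, request_path="/", via_script=False):
    """Names of cookies attached to a request for (host, path); via_script=True models document.cookie."""
    names = []
    for c in jar:
        if c is None:
            continue
        if c.host_only:
            if request_host.lower() != c.domain:
                continue
        elif not domain_matches(request_host, c.domain):
            continue
        if not path_matches(request_path, c.path):
            continue
        if via_script and c.http_only:
            continue
        names.append(c.name)
    return names

def demo():
    """Constructed scenario: the mail host sets its session cookie two ways; script runs on a sibling subdomain."""
    weak = [set_cookie("mail.example.com", "session", "s3cr3t", domain="example.com")]
    hardened = [set_cookie("mail.example.com", "session", "s3cr3t", http_only=True)]
    sibling = "userpages.example.com"
    return {
        "weak_visible_to_script_on_sibling": cookies_visible(weak, sibling, via_script=True),
        "hardened_visible_to_script_on_sibling": cookies_visible(hardened, sibling, via_script=True),
        "hardened_sent_to_origin": cookies_visible(hardened, "mail.example.com"),
        "hardened_visible_to_script_on_origin": cookies_visible(hardened, "mail.example.com", via_script=True),
    }

if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The defensive reading is the last two lines of the result: a host-only, HttpOnly cookie still reaches the server that issued it, but neither a sibling subdomain nor script on the origin itself can read it, so a cross-site scripting hole elsewhere in the domain cannot harvest the session.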

Either this remains very much a problem, six weeks after Yahoo claimed to have fixed it, or the criminals have a large backlog of compromised user accounts and they’re just working through them. Users of freemail beware – how well do you think, with the best will in the world, that their operators will be able to provide technical assistance to hundreds of millions of advertising-supported punters?

If you have a Yahoo or BT Internet account, my advice is to log in and change the password right now, if you want to keep it.

Lighttpd in a FreeBSD Jail (and short review)

Lighttpd is an irritatingly-named http daemon that claims to be light, compared to Apache. Okay, the authors probably have a point although this puppy seems to like dragging perl in to everything and there’s nothing minuscule about that.

I thought it might be worth a look, as Apache is a bit creaky. Its configuration is certainly a lot simpler than httpd.conf, although strangely, you tend to end up editing the same number of lines. But is it lighter? Basically, yes. If you want figures, it’s currently running (on AMD64) at a size of 16M compared with Apache httpd instances of 196M.

But we’re not comparing like for like here, as Lighttpd doesn’t have PHP; only CGI. If you’re worried about that being slow, there’s FastCGI, which basically keeps instances of the CGI program running and Lighttpd hands tasks off to an instance when they crop up. Apache can do this (there’s the inevitable mod), but most people seem happy using the built-in PHP these days so I don’t think FastCGI is very popular. It’s a pity, as I’ve always felt CGI is under-rated and I’m very comfortable passing off to programs written in ‘C’ without there being any noticeable performance issues. Using CGI to run a perl script and all that entails is horrendous, of course. But FastCGI should level the playing field and allow instances of perl or any other script language of your dreams to remain on standby in much the same way PHP currently remains on standby in Apache. That doesn’t make perl or PHP good, but it levels their use with PHP on Apache, giving you the choice. And you can also choose high-performance ‘C’.

This is all encouraging, but I haven’t scrapped Apache just yet. One simple problem, with no obvious solution, is the lack of support for the .htaccess file much loved by the web developers and their content management systems. Another worry for me is security. Apache might be big and confusing, but it’s been out there a long time and has a good track record (lately). If it has holes, there are a lot of people looking for them.

Lighttpd doesn’t have a security pedigree. I’m not saying it’s got problems; it’s just that it hasn’t been thrashed in the same way as Apache and I get the feeling that the development team is much smaller. Sometimes this helps, as it’s cleaner code, but it’s statistically less likely to have members adept at spotting security flaws too. I’m a bit concerned about the FastCGI servers all running on the same level, for example.

Fortunately you can mitigate a lot of security worries by running in a jail on FreeBSD (it will also chroot on Linux, giving some degree of protection). It was fairly straightforward to compile from the ports collection, but it does have quite a few dependencies. Loads of dependencies, in fact. I saw it drag m4 in for some reason! Also the installation script didn’t work for me but it’s easy enough to tweak manually (find the directory with the script and run make in it to get most of the job done). The other thing you have to remember is that it will store local configurations in /usr/local on BSD, instead of the base system directories.

To get it running you’ll need to edit /usr/local/etc/lighttpd/lighttpd.conf, and if you’re running in a jail be sure to configure the IP addresses to bind to correctly. Don’t be fooled: There’s a line at the bottom that sets the IP address and port but you must find the entry server.bind in the middle of the file and set that to the address you’ve configured for the jail to have passed through. This double entry is a real pooh trap, especially as it tries to bind to the loopback interface and barfs with a mysterious message. Other than that, it just works – and when it’s in the jail it will happily co-exist with Apache.
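Because the server.bind trap is easy to fall into, here is an added example (my own script, not part of Lighttpd or the FreeBSD port) that checks a lighttpd.conf for the conditions described above before you start the daemon in a jail: an unset server.bind, a loopback or "localhost" value, or an address that isn’t the jail’s. The configuration fragment and the jail address 10.0.0.5 are constructed for the example:

```python
import ipaddress
import re

# Constructed fragment resembling the relevant lines of lighttpd.conf; not a real server's file.
SAMPLE_CONF = """\
server.modules = ( "mod_access", "mod_accesslog" )
server.document-root = "/usr/local/www/data/"
#server.bind = "localhost"
server.bind = "127.0.0.1"
server.port = 80
"""

# Matches an active 'server.bind = "..."' or 'server.port = ...' assignment (comments never match).
ASSIGN_RE = re.compile(r'^\s*(server\.(?:bind|port))\s*=\s*"?([^"\s]+)"?\s*$')

def parse_bind(conf_text):
    """Return (bind, port) from the last active server.bind / server.port lines; bind is None if unset."""
    bind, port = None, 80
    for line in conf_text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "server.bind":
            bind = val
        else:
            port = int(val)
    return bind, port

def check_jail_bind(conf_text, jail_ip):
    """List the problems with server.bind for a jail whose only address is jail_ip (empty list means OK)."""
    problems = []
    bind, _port = parse_bind(conf_text)
    if bind is None:
        problems.append("server.bind unset: lighttpd binds every address, which a jail does not own")
        return problems
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        if bind.lower() == "localhost":
            problems.append('server.bind = "localhost" resolves to loopback, not the jail address')
        else:
            problems.append(f'server.bind = "{bind}" is a hostname; use the literal jail address {jail_ip}')
        return problems
    if addr.is_loopback:
        problems.append(f"server.bind = {bind} is loopback; set it to the jail address {jail_ip}")
    elif addr != ipaddress.ip_address(jail_ip):
        problems.append(f"server.bind = {bind} is not the jail address {jail_ip}")
    return problems

def fix_bind(conf_text, jail_ip):
    """Return conf_text with the active server.bind line rewritten to jail_ip (appended if absent)."""
    out, replaced = [], False
    for line in conf_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1) == "server.bind":
            out.append(f'server.bind = "{jail_ip}"')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f'server.bind = "{jail_ip}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    jail_ip = "10.0.0.5"   # constructed jail address
    for p in check_jail_bind(SAMPLE_CONF, jail_ip):
        print("before:", p)
    print("after :", check_jail_bind(fix_bind(SAMPLE_CONF, jail_ip), jail_ip))
```

Run it against the real file with the jail’s address before starting the service; it doesn’t replace lighttpd’s own syntax check (`lighttpd -t -f /usr/local/etc/lighttpd/lighttpd.conf`), it only catches the bind-address mistake that the syntax check passes happily.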

I’ve got it running experimentally on a production server now, and I’ve also cross-compiled to ARM and it runs on Raspberry Pi (still on FreeBSD), but it was more fun doing that with Apache.

When I get time I’ll do a full comparison with Hiawatha.

Red October or Red Herring

Kaspersky Labs has announced that someone has been conducting a hitherto unknown campaign of wide-scale international espionage, dubbed Red October, for many years. Except that I don’t think it has.

The story broke quietly on Friday in the Washington Post and has been repeated over some Internet news sites and blogs, almost verbatim, yesterday and today. Although keen for breaking news (especially where international intrigue is concerned), one should really take a step back and match the claims with the substance.

You can find the report here, although not on the Kaspersky site. It’s not the subject of any press release I’ve seen. No one could be contacted at Kaspersky for comment. Hmm. Specialist IT security sites, like Steve Gold’s IT Security Pro, aren’t treating this as a top story either. The only reason I’m hitting the keyboard is that people keep drawing it to my attention.

The report (assuming it isn’t a hoax) does contain a good analysis of what appears to be a new-ish botnet, although one that’s not very widespread (we’re not talking about Flame V2 here). Kaspersky has a lot of smart cookies working for them, and they do some very valuable research, but reading the posts on the subject you’d think they’d uncovered the next Watergate or similar. Perhaps they have, but all I’m seeing details of so far is another botnet.

If their analysis is correct, the perpetrators do seem to be targeting government and diplomatic sites in particular, but this isn’t actually novel. They’ve identified targets in most of the developed world, with the interesting exception of England and China. As the code appears to be of Russian origin, and not particularly well obfuscated, it’s also noteworthy that the majority of the attacks have been launched against Russian targets.

So, as it stands, this looks like a competent investigation of a botnet. Well done Kaspersky. Now let’s get some sleep.


New Java exploit in the wild

Today AlienVault reported yet another vulnerability in Java, similar to CVE-2012-4681. Their head of Labs Jaime Blasco got hold of it and has been playing with it on a fully patched Java installation, and according to them, it works. If you fancy trying it yourself, here are the details.

With Java embedded in to most web browsers (and if you don’t know about yours, it probably is), this is serious stuff. All you need do is go to a web page with some nasty embedded Java on it (by following a link in an email) and your machine is vulnerable to takeover. If you want to check whether Java is enabled on your browser, click here and check the version. If it returns “No working Java was detected on your system…” then you’re okay. Right now, the only good Java is a dead one.

When Java first appeared as a cross-platform application language, much play was made of it being “sandboxed”, so a Java application was insulated from other applications and the host operating system. It didn’t take long for features to be added to allow it to manipulate files on the local system, providing obvious ways to break out. Security then consists of guessing the ways this may occur and blocking them. This is a recipe for disaster unless the code is very tight. Opening the gates and then screening is the opposite of secure system design.

I realised something was wrong when a Sun evangelist tried to sell me on the idea of embedded Java – “We’ve reduced the footprint to 4Mb”. This was back in 1998, and 4Mb of ROM on an embedded system was a hell of a lot. And it’s not just the size – 4Mb of code for doing what should be pretty straightforward stuff rang alarm bells. I don’t know about embedded Java, but the current JVM running on PCs is now talking in Gb. It’s hugely inefficient, which is a price you might choose to pay, but from a security point of view there’s no way you’re going to have that much code without all sorts of nasty stuff lurking away forgotten. Which explains why it keeps on coming out to bite us.

The only way to avoid your PC (or Macintosh or Linux box) being compromised is to disable the JVM until Oracle issue a patch for it.


Bitlocker, PGP and TrueCrypt encryption broken (sort-of)

ElcomSoft has released a utility called Forensic Disk Decryptor that can get the data off encrypted hard drives without knowing the password. According to their web site it:

  • Decrypts information stored in three most popular crypto containers
  • Mounts encrypted BitLocker, PGP and TrueCrypt volumes

Amazing!

In complete decryption mode, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to absolutely all information stored on encrypted volumes.

Wow!

Reading the technical details further, it’s not quite so amazing – they haven’t found a back-door to these encryption algorithms. Instead they’re examining the machine’s core (memory/RAM in user-land parlance) and pinching the key when they find it. This does, unfortunately, require that the machine in question is already running and decryption to be taking place ‘cos its user has already entered the password. This isn’t as hopeless as it sounds as there may be a core-dump (hibernation file) kicking around on an unencrypted hard disk, and indeed this is a known technique (one of very few) for getting data off these drives. Other methods are scaring your suspect with a slap on the wrist if they don’t cough up the password, or running a trojan on the suspect’s PC (questionable legality).

According to ElcomSoft’s CEO, Vladimir Katalov, “Our customers asked us for a tool like this for a long, long time. We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers.”

ElcomSoft is a company that certainly knows what it’s doing, and this tool appears to automate a process that’s a PITA to do manually, but Mr. Katalov’s miraculous claims for the product shouldn’t unduly worry the users of this technology. It’s probably a good tool but it can’t do anything that wasn’t possible before.

Government’s Daft Communications Bill

Never mind the privacy aspects, the communications bill is worrying because it shows the government has no idea at all about how communications on the Internet work. They seem to think that passing a law allowing agencies to record the fact of, and possibly intercept, Internet communications will make it technically possible for them to do so. It will not. It’s as daft as passing a law to ban “recreational” drug use and then expecting the problem to disappear.

My name is Elena and I live in small city in Russia.

You may have seen one or more of these in your inbox in the last few days:

Hello,
 
My name is Elena and I live in small city in Russia. I have a little daughter and no husband since he left us. Due to deep crisis recently I losted job and can not pay the heating bills for our home anymore. I finded your address at website and decided to write you from a public library. We urgent need heating because winter arriving and the temperature in our home is very cold. We can heat our home with a portable woodburner, but we unable buy it because it cost too much for us. If you own any old transportable woodburner from cast iron which you don’t use anymore, I pray you can gift to us and transport of it to us.
 
I hope for your answer.
 
Elena.

Okay – it’s obviously a scam, but it’s interesting as it’s getting through most spam filters. It actually originates from Tellas in Greece, from mail servers that aren’t blacklisted – although today it moved on to ADSL lines.

Reading the text, it’s reminiscent of various “I’m a poor Russian in trouble” panhandles that appear annually at about this time of year. If you reply (it’s been tried) the person at the other end will suggest that instead of sending the stove you just send the money as she can buy one from the local market for a figure just under $200.

What I’m not so sure of is that the scammer is actually even Russian in this instance, as the language isn’t quite right. Russian speakers (in fact most East Europeans) are notoriously bad at using the definite or indefinite article (‘the’ or ‘a’) because it doesn’t exist in their language. This person fails to use it pretty consistently, thus sounding like a Russian trying to speak English, but slips up with “…buy it because it cost…”. She also has “…a little daughter…”. It suggests American, as a linguist friend pointed out, because of the use of “home” instead of “house” and “woodburner” instead of “wood burning stove”.

You might wonder why on earth the request is for a cast iron stove. Are they collecting them for scrap iron? Well, no – when you think about it, if you offer them a stove the shipping will be prohibitively expensive (they are heavy) so you can save money by simply sending the cash.

Anyone up on this kind of thing will have been thinking “Valentin Mikhaylin” from the start. Okay, he changed the name to Elena in 2007 (or sometimes Valentin and his mother, Elena), but the stove story has been used for at least ten years. It has all the hallmarks, except one: This year the spams are getting through. This could be the scammer’s undoing – as everyone is receiving multiple copies it’s lost all plausibility in 2012. So what will 2013 be about, one wonders?

Don’t use your real birthday on web sites

You’d have to be completely crazy to enter your name, address and date-of-birth when registering on a web site if you had any inkling of the security implications. Put simply, these are security questions commonly used by your bank and you really don’t want such information falling in to the wrong hands. So, security-savvy people use a fake DOB on different web sites. If you want to play fair with a site that’s asking this for demographic research, use approximately the correct year by all means, but don’t give them your mother’s real maiden name or anything else used by banks or government agencies to verify your identity, or the criminals will end up using it for their own purposes (i.e. emptying your bank account).

That banks, or anyone else, use personal details that can be uncovered with a bit of research at the public record office is a worry in itself. It’s only a minor hindrance to fraudulent criminals unless you provide random strings and insist to your bank that your father married a Miss Iyklandhqys. The bank might get uppity about it, but they should be more interested in security than genealogy.

This common-knowledge, common-sense advice was repeated by a civil servant from the Cabinet Office called Andy Smith at the Parliament and the Internet Conference at Portcullis House a few days ago. I’ve never met him, but he seems to have a better grasp of security than most of the government and civil service.

Enter Ms Goodman – Labour MP for Bishop Auckland. She heard this and declared his advice as “totally outrageous”, and went on to say that “I was genuinely shocked that a public official could say such a thing.”

I wish I was genuinely shocked at the dangerous ignorance of many MPs, but I can’t say that I am. Her political masters (New Labour) haven’t acted nearly quickly enough to suppress this foolish person. In her defence, she used the context that people use anonymous accounts to bully others. This doesn’t bear any scrutiny at all.

When are we going to find a politician with the faintest clue about how cyber security works? The fact that this ignoramus hasn’t disappeared under a barrage of criticism suggests that this isn’t an isolated problem – they’re all as culpable. Her biography shows just how qualified she is to talk about cyber security (or life outside of the Westminster bubble). I’ve no idea what she’s like as a person or MP, but a security expert she isn’t.

I do hope they listen to Andy Smith.


BA e-ticket malware spam

Starting yesterday evening I’ve been seeing hundreds of emails sent to normally spam-free addresses claiming to be British Airways e-tickets. They are, of course, some new malware. It’s coming from a network of freshly compromised servers around the world (with a slight preference for Italy), so spam detection software won’t pick it up, and it’s new malware so virus scanners won’t find it either. As usual it’s a ZIP file containing an EXE, written in Borland Delphi I think.
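Since neither the sender reputation nor a signature will catch a fresh sample like this, the attachment’s shape is the thing left to check. The following is an added example (my own detection logic, not anything from the spam run described, and the archive it inspects is constructed in the script) that flags a ZIP whose members have an executable or double extension, or start with a PE ‘MZ’ header, without inflating more than two bytes of any member:

```python
import io
import os
import zipfile

# Extensions Windows will run directly once the archive is extracted.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"   # first two bytes of a PE (Windows) executable

def build_sample_attachment():
    """Construct an archive shaped like the lure: one EXE with a fake PE header plus a decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Constructed bytes standing in for a binary; not a real program.
        z.writestr("BA_e-ticket_receipt.pdf.exe", MZ_MAGIC + b"\x90" * 62)
        z.writestr("e-ticket.txt", b"Your British Airways e-ticket is attached.")
    return buf.getvalue()

def scan_zip_attachment(data, max_entries=1000):
    """Return [(member_name, [reasons])] for suspicious members; reads at most 2 bytes of each."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist()[:max_entries]:   # cap work on archives with huge directories
                lower = info.filename.lower()
                ext = os.path.splitext(lower)[1]
                reasons = []
                if ext in EXEC_EXTS:
                    reasons.append("executable extension " + ext)
                    if lower.count(".") > 1:
                        reasons.append("double extension disguises the type")
                try:
                    with z.open(info) as member:
                        head = member.read(2)          # never inflate the whole member (zip bombs)
                except RuntimeError:                   # encrypted member: content cannot be inspected
                    reasons.append("encrypted member")
                    head = b""
                if head == MZ_MAGIC:
                    reasons.append("PE/MZ header")
                if reasons:
                    findings.append((info.filename, reasons))
    except zipfile.BadZipFile:
        findings.append(("<archive>", ["not a valid zip file"]))
    return findings

def should_quarantine(data):
    """Policy hook: any finding is enough to hold the message for review."""
    return bool(scan_zip_attachment(data))

if __name__ == "__main__":
    sample = build_sample_attachment()
    for name, reasons in scan_zip_attachment(sample):
        print(f"{name}: {', '.join(reasons)}")
    print("quarantine:", should_quarantine(sample))
```

The MZ check is what matters most here: a renamed executable, or one inside a nested archive you choose to recurse into, still starts with those two bytes, whereas the extension list alone is defeated by the next lure that picks a different suffix.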

The spambot code itself appears to be compiled on whatever Linux target the script attack has succeeded on, masquerading as “crond”.