Archive

Posts Tagged ‘Security’

AVG CTF problems

December 27, 2008 2 comments

A few days ago AVG, which is a nice lightweight and free antivirus program, started giving me strange error messages when I tried to update my AV definitions. It was complaining that the “CTF control files” had been corrupted somehow, but offered neither explanation nor remedy. After realising it wasn’t going to go away by itself :P, I did some digging and found the “ctf” files it was complaining about. To save you time looking, the files can be found in:

C:\Documents and Settings\All Users\Application Data\Avg8\update\download

Luckily this problem is very easy to fix: just delete the ctf files in that directory (but don’t touch the bin files, as I believe these are the incremental AV definitions) and run a manual update.

I hope that helps anyone in a similar position. :)



Serious Android Flaw

November 10, 2008 2 comments

Just a brief post to direct anyone who has or is considering buying an Android device to an article detailing a rather shocking security glitch. It turns out, probably due to a botched debug code cleanup, that the devices run with a terminal in the background capturing any and all keystrokes!

When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application, would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!

Be careful what you type in your text messages or URLs otherwise you might end up with a trashed software stack…

Oyster card security broken.

June 26, 2008 2 comments

Oyster cards are cards containing RFIDs which facilitate transport on the London Underground (and overground) networks. I had been wondering for a while how exactly they worked, but not finding much detailed information online I based my conclusions initially on my observations.

Here is what I have deduced.

1. Each RFID card has a unique ID which is recorded during each transaction with a card scanner.

Any Oyster user can access their usage history, either online or via an Oyster top-up machine. This presents an interesting problem – if you can check up on where your card has been, what is to stop Transport for London from using the same information? Either individually or as part of the collective, it presents a very detailed picture of individual and mass use of the transport network.

2. The RFID works passively and contains a small amount of EEPROM.

Given that the Oyster card needs to be ‘tapped’ on the reader every time, it is safe to assume that the RFID does not have an internal power source. Instead, it only becomes ‘active’ with the energy it obtains via induction from the electromagnetic field close to the surface of the Oyster touch point. This energy is sufficient to power up the (presumably) CMOS device which then sends the encrypted data to the reader. It is not clear at this point whether the reader then sends back a response with the new balance to the card, or whether the entire ‘transaction’ process is done on the RFID card.

3. The information stored on the EEPROM is encrypted, most likely with symmetric cryptography.

4. When scanned, the information from the Oyster card itself is used; it is not pulled from a central server.

When updating the Oyster card the card itself must be touched against a scanner. If this is not done the balance is not applied. I initially believed all balance and travel card information was securely stored on a ‘mothership’ server. This clearly can’t be entirely the case. However, when a top-up is bought online, it is stored in the Oyster system until the Oyster card is touched on a reader somewhere in London. This suggests there is a ‘mothership’ server which records all this information, although it is likely only linked to newsagent kiosks and top-up points, not the barriers themselves, otherwise there would be no need to store the information on the card.

5. Not only can the RFID store a balance, it can also store season tickets for a variety of durations and zone validities.

However, the title of the post suggests the security is broken, and indeed it is, although not through my investigations. A Dutch team took this a step further.

It turns out almost all my assumptions were correct. The Dutch team used a portable device to ‘touch in’ on an Oyster reader; this disclosed the encryption key used on the Oyster device, which they then stole. In possession of this, not only could they decrypt any Oyster card to determine how the information was stored, but they could also theoretically generate any balance or season ticket which, encrypted properly, would be indistinguishable from the real (paid for) thing.

However, to avoid no doubt countless hours of reverse engineering, the Dutch team brushed up against commuters on the tube and wirelessly interrogated their cards, stealing the information that was on them. This allowed the team to effectively clone cards which were valid, entitling them to free travel.

But the story does not end there: it turns out the company that makes the RFIDs for Oyster cards is called MIFARE, and their chips are used in a wide variety of sensitive installations in a variety of countries.

Vista SP1 and the Red Herring (+ breaking the 32bit 4Gb limit)

May 29, 2008 6 comments

We all knew it was looming: the mathematical limit to address referencing in 32-bit computing. A 32-bit number can only be between 0 and 4,294,967,295, which neatly adds up to 4Gb, and what this means is that, using existing architectures, a program (or operating system) will not be able to address more than this number of bytes of system RAM via the existing scheme of byte-addressed memory allocation.

What this means for those among us who do not speak geek is that a system which is built or shipped with 4Gb of RAM (and some other cases*) will not be able to fully utilise all of that space.

Let’s take a trip back in history and imagine a room with a cupboard containing 256 drawers. Each drawer could hold one bit of binary information and was administered by a librarian. Any time anyone wanted a piece (or pieces) of information, they had to ask the librarian. What I am describing here is the era of 8-bit computing, circa the late 1970s / early 80s, with the cupboard representing system memory and the librarian representing the operating system’s memory management. During day-to-day running of the system the librarian takes data in and returns data to people (program threads) from the corresponding drawers where the information is stored. Everything works, everyone is happy.

Now what happens if we introduce a second cupboard containing another 128 or 256 drawers? The librarian can only keep track of information stored in the first 256 drawers and as a result nothing can be stored in or retrieved from the newly added cupboard; in effect, it does not exist. Time to get a new secretary, i.e. go to 64-bit computing (or in this example, replace the 8-bit librarian with a swanky 16-bit one – who will ever use 65536 bits of RAM? :D )

But wait, there is more… I read today that Windows Vista SP1 changes (depending on hardware configuration) the total amount of displayed RAM from 3.5Gb (the current RTM limit when 4Gb is put in the machine) to the full 4Gb, although this still does not help, given the limitation previously discussed. But this made me curious: if the operating system could see the RAM, then surely it was not a BIOS / fundamental mathematical limitation. Turns out I was at least half right…

You see, although the fundamental mathematical limitation cannot be breached, there is a rather interesting technique called Physical Address Extension. Using this process, a 32-bit Windows system can address more than 4Gb of RAM, up to a (present) maximum of 128Gb. To explain what Physical Address Extension (PAE) is, let’s go back to the previous example and introduce a new figure – an administrator.

The role of this new entity is to allocate and manage the time of their underling. Let’s also assume we are still running an 8-bit system (with the 256-bit limit) and have 1024 bits of memory, i.e. four times the mathematical limit. On the face of it, the extra memory is invisible to the librarian; however the administrator is smart enough to know both about the extra memory and who (i.e. what program) is currently using what amount of it. As such, any person (program) can request the full mathematical limit of 256 drawers for their own use at the same time as another person (and another… etc.) requests more memory. The administrator can instruct the librarian which series of drawers to use per person (program).

This is loosely referred to as 36-bit computing and, as the non-power-of-2 number suggests, it is a bit of a tweak. The physical address size was increased (on a 32-bit processor) from 32 to 36 bits back in the days of the Pentium Pro (circa 1997) and most modern CPUs have maintained this legacy. It is important to point out that this does not make all 32-bit processors 36-bit processors, as the change happened in the MMU (memory management unit). Modern operating systems use page tables to store information about the virtual memory system and allocate it based on processes’ requirements. In effect they act like the administrator from my trivialised example and allow multiple processes to benefit from a pool of memory which traditional 32-bit systems (without PAE) would not.

I know what you are thinking: you are rejoicing at being able to avoid the negative aspects of migrating to 64-bit computing, but hang on, there are a couple of important caveats. Firstly, each thread (person in our example) can only access a maximum of the mathematical limit of RAM. That means, in a system with 16Gb of RAM, you could quite easily have 3 or 4 processes each taking up 4Gb, but no one process taking up 8 or 16Gb. The other bad point is that it is not supported** in Vista or XP. In fact, to use such a feature, you would need to be running a Server operating system from Microsoft or a Linux equivalent. Interestingly enough, Linux has contained support for PAE since kernel version 2.6, although I will not discuss it further in this post.
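The entry format behind all this, as an added example (not from the original post): a C model of a PAE page-table entry with the 36 physical address bits of the Pentium Pro era described above, next to the legacy 32-bit entry, plus the 2|9|9|12 split of a 32-bit virtual address that keeps each process under the 4Gb ceiling, and the NX bit the footnote mentions. The bit positions are the architectural ones; the frame addresses and the two ‘processes’ are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the Pentium Pro era PAE page-table entry: 36 physical address bits.
 * The "administrator" of the post is the OS filling these entries per process. */
#define PAGE_SHIFT     12
#define PAE_PHYS_BITS  36
#define PTE_PRESENT    (1ULL << 0)
#define PTE_RW         (1ULL << 1)
#define PTE_USER       (1ULL << 2)
#define PTE_NX         (1ULL << 63)  /* execute-disable: only exists in the 64-bit PAE entry */
#define PAE_ADDR_MASK  (((1ULL << PAE_PHYS_BITS) - 1) & ~((1ULL << PAGE_SHIFT) - 1))

/* Legacy 32-bit entry: bits 12..31 hold the frame, so only 2^20 frames (4 GiB)
 * can be described and there is no spare bit for NX. Returns false when the
 * frame is not representable. */
bool legacy_pte_make(uint64_t phys, uint32_t *out) {
    if (phys >> 32) return false;
    *out = (uint32_t)((phys & 0xFFFFF000u) | PTE_PRESENT | PTE_RW | PTE_USER);
    return true;
}

/* PAE 64-bit entry: bits 12..35 hold the frame (64 GiB of physical space on a
 * 36-bit MMU); bit 63 marks the page non-executable. */
bool pae_pte_make(uint64_t phys, bool executable, uint64_t *out) {
    if (phys >> PAE_PHYS_BITS) return false;
    *out = (phys & PAE_ADDR_MASK) | PTE_PRESENT | PTE_RW | PTE_USER;
    if (!executable) *out |= PTE_NX;
    return true;
}

uint64_t pae_pte_frame(uint64_t pte) { return pte & PAE_ADDR_MASK; }
bool     pae_pte_is_nx(uint64_t pte) { return (pte & PTE_NX) != 0; }

/* A virtual address stays 32 bits under PAE, split 2|9|9|12 across the page
 * directory pointer table, page directory, page table and page offset. This is
 * the per-process 4 GiB ceiling the post describes. */
typedef struct { unsigned pdpt, pd, pt, off; } pae_vaddr;
pae_vaddr pae_split(uint32_t va) {
    pae_vaddr v = { va >> 30, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF };
    return v;
}

/* Final translation for one mapped page: frame from the entry, offset from the
 * virtual address. Two processes can hold the same virtual address mapped to
 * frames far beyond 4 GiB, which a legacy entry could never express. */
uint64_t pae_translate(uint64_t pte, uint32_t va) {
    return pae_pte_frame(pte) | pae_split(va).off;
}

int main(void) {
    uint64_t pte_a, pte_b;
    uint32_t legacy;
    uint32_t va = 0x00400000u;                      /* same virtual page in both processes */
    pae_pte_make(0x40000000ULL, true, &pte_a);      /* process A: frame at 1 GiB, code */
    pae_pte_make(0x840000000ULL, false, &pte_b);    /* process B: frame at 33 GiB, data (NX) */
    printf("A: va %08x -> pa %#llx\n", va, (unsigned long long)pae_translate(pte_a, va));
    printf("B: va %08x -> pa %#llx nx=%d\n", va,
           (unsigned long long)pae_translate(pte_b, va), pae_pte_is_nx(pte_b));
    printf("legacy entry can hold the 33 GiB frame: %s\n",
           legacy_pte_make(0x840000000ULL, &legacy) ? "yes" : "no");
    return 0;
}
```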

Presently, the only operating systems with suitable (or rumoured) PAE support are:

Windows 2000: Datacenter Server and Advanced Server Editions

Windows Server 2003: Enterprise and Datacenter Editions

Windows Server 2008: Enterprise and Datacenter Editions

As you can see, none are particularly home-desktop friendly. So, despite Vista displaying the correct amount of RAM in Service Pack 1, it is still fundamentally limited to the 32-bit mathematical limit, despite Microsoft having the technology to at least improve on the functionality of such systems.

On a side note, I brought this up with a few people at my head office. I work for a large UK retail company that sells PCs and laptops. I was surprised to see, when our first 4Gb models came into the stores a few months ago, that they were running Vista 32-bit editions. The UK is not as litigious as the United States, but I can’t help wondering how long it will be before the lawsuits start flying. After all, it is misrepresentation in my book to sell something that, due to a software shortcoming, can never be fully utilised to the specification it was advertised at. Particularly since an alternative is available to OEMs and yet all retailers, not just the one I work for, seem to be taking a cavalier attitude towards this.

*The total amount of addressable space inside a 32-bit system must add up to 4096Mb; this includes system and video RAM, so if you have an all-singing, all-dancing SLI graphics card with 2Gb of graphics RAM, the total amount of system RAM you will be able to address is around 2Gb.

**Actually this is not true: ever since Windows XP Service Pack 2, Microsoft has used PAE for security purposes, coupled with the NX bit. This is a hardware security feature built into a processor which allows program and system developers greater control over what they designate to be executable and non-executable user/memory space. Microsoft has set a fundamental limitation of 4Gb on the amount of RAM used by home versions of 32-bit operating systems, regardless of the fact that the technology to increase this is in place.

The 2k bug

May 12, 2008 1 comment

Whilst it seems the Internet enjoys a good Microsoft Vista bashing (see previous post on the topic), research came out today suggesting Windows 2000, an eight-year-old operating system that recently entered its long-term support phase with Microsoft, is more ‘secure’ than Windows Vista. (Cue fanboy and antiboy posts.)

But this is rather misleading. Let us not forget, Windows 2000 was released in February 2000, a dark era where firewalls, security software and Windows Update were treated with the suspicion previously reserved for black magic. Ok, so maybe I am exaggerating slightly, but back then the average PC had either a Pentium 2 or 3 processor between 600MHz and 1.2GHz, between 32 and 128Mb of RAM and a 20Gb hard disk, and was aimed at the business market, not consumers, who had the privilege of running Windows ME (let the justified ME bashing commence). But we are still missing the point here: now the only users that run Windows 2000 (which accounted for about 2% of all Internet traffic in March 2008) are those who are comfortable power users (like Steve Gibson) or those with old hardware (e.g. the Third World etc.). As such, it is not worth the malware authors’ time to target such a small percentage of the userbase when they are more likely to snare the vulnerable XP or Vista users.

Worse still, serious doubts have been raised over the validity of this study, given PC Tools did not scientifically determine the state of key security features within the operating system, like Windows Vista’s UAC, or even which service packs were installed on the computers. As noted by Ars Technica, often the first action by typical malware is to download the target package(s) onto a system immediately after it has been compromised with the usually relatively small initial exploit. This could mean that their numbers are greatly misleading, when three or four ‘infections’ could actually be a single instance of malware.

The only way to scientifically conduct such a test would be with three virtual machines, one running Windows 2000, one Windows XP and finally one Vista, each running with a comparable set of security tools and the latest patches. That way, after each exposure, the virtual machine could be examined to determine if the exploit was successful and, if so, the degree to which the target machine was compromised. At the end of the experiment, the virtual machine is ‘switched off’ without writing the changes to its virtual disk and restarted to test the next exploit. Using this methodology, all exploits can be tested equally and methodically and various configuration permutations can also be tried (e.g. operating systems with only default security measures etc.)

Let us also not forget, there is no way to tell whether these threats are serious silent drive-by download style exploits (which would constitute a serious threat) or the result of user ignorance, which even the most secure operating systems and security applications cannot guard against. Playing Devil’s advocate, I can see a case that unscientific tests like these better represent real-world conditions; however they cannot be used to judge the reliability or security of operating systems, nor the users using them, as no conditions or variables have been held constant. As such, unfortunately, these results have no validity as far as I am concerned.

When the file extension… is not the file extension.

May 8, 2008 Leave a comment

I was bemused to read on BBC News earlier that a trivially simple ploy stung half a million file sharers. The concept is nothing new, having been started a fair few years ago by virus / malware writers and adopted by copyright enforcement agencies in recent years. Due to the anatomy of a decentralised file sharing system, anyone can seed a file. Once this seeded file is made available to the peer-to-peer network it either becomes advertised to a localised central file distributor (referred to as a Super Node or Server) or is found during a spider search query run by another user logged into the peer-to-peer network. If these files are topical or sought after, they can be transferred onto a different node (client) rapidly. There they are stored in the second user’s ‘shared’ directory, where more people can download them.

Once a seeded file has been downloaded and spread over a few tens of nodes, the rate at which it can be downloaded by others increases almost exponentially with a cascade-like effect. Other people on the peer-to-peer network are lured into downloading this file based on the number of people who have it, therefore assuming it must be genuine and would be comparatively quick to obtain. Couple this with a topical or sought-after song / album or file aimed at the masses (who statistically would contain a fair percentage of PC-illiterate users and those with a penchant for agreeing to all the pop-ups they come across) and these files explode across networks.

The malicious file in question appears to have masqueraded as an MP3 by Girls Aloud. Given the fact that on running the file it pops up a message saying the computer requires a codec to play the song and tries to direct you to a website in order to download it, most computer users would stop and re-examine what they had just downloaded. People that brazenly proceeded and downloaded the malicious ‘codec’ package had spyware installed on their system which would ‘bombard’ them with pop-ups. Also, the downloaded file would spawn copies of itself within the user’s shared folder under different names to try to make itself attractive to a greater audience.

But what happened? How were people tricked into downloading an MP3 file but ended up running a malicious program? The answer to this lies in the file type. Broadly speaking, there are two ways in which a file can be opened:

1) via script or binary execution (e.g. .exe, .com, .vbs, .java, .scr … and some others)

2) via a ‘program read’ by an external application (e.g. .txt, .doc, .wav, .mpg, .avi… and MANY more.)

MP3 files (Moving Picture Experts Group version 1 audio layer 3) are the latter. Upon execution, Windows searches through its list of known file extensions stored in the registry to see what it should do. It instantly finds the entry for MP3 and sees this type of file is handled by a media player like Windows Media Player, WinAMP, iTunes etc. Windows then executes the media player which, on loading, opens the MP3 file specified in the command line argument, decodes a block, fills its buffer and starts to play. Unless a clever trick like a buffer overflow is used, which has historically been responsible for security breaches in various Windows programs as well as console homebrew development, this renders all ‘program read’ type files harmless*. As such we have to look elsewhere for the source of this problem.

That brings us nicely to the point I wanted to raise in this post: file extensions and, more specifically, security vulnerabilities in their implementation. Recent versions of Windows from XP (and possibly earlier, I cannot remember) have automatically hidden the file extension by default, leaving the user to distinguish between file types by their icons. Whilst at times this is both cleaner looking and more functional, it does present an interesting security problem: what if there are two file extensions? Windows will quite happily truncate the final .xxx from a file name, leaving the first extension on display, despite the fact that Windows ignores anything before the final .xxx when deciding how to open the file. As a result, if you name a file SomethingInteresting.mp3.exe, in its default state Windows will happily display the file as SomethingInteresting.mp3 but will execute the file as an EXE when double clicked. Obviously, if you queried the file by right clicking on it and selecting Properties you would be immediately told what type of file it is, but most people will take the file at face value.
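To make the double-extension trick concrete, an added example (not from the original post) in C: it reproduces Explorer’s name-shortening rule for known extensions and flags files whose displayed name ends in a media or document extension while the real final extension is executable. The extension lists are assumed, based on the post’s examples plus a few well-known ones, and are not exhaustive.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Assumed lists (the post's examples plus a few well-known ones; not exhaustive).
 * exec_exts: opened by executing the file itself.
 * passive_exts: handed to an external viewer or player. */
static const char *exec_exts[]    = { "exe", "com", "scr", "vbs", "bat", "cmd", "pif", NULL };
static const char *passive_exts[] = { "mp3", "wav", "mpg", "avi", "txt", "doc", "jpg", NULL };

/* Case-insensitive equality, since Windows extensions are not case sensitive. */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

static bool in_list(const char *ext, const char **list) {
    for (; *list; list++) if (ieq(ext, *list)) return true;
    return false;
}

/* The extension Windows actually dispatches on: the text after the LAST dot.
 * Returns NULL for names with no usable extension (e.g. "readme" or ".hidden"). */
const char *real_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (!dot || dot == name || dot[1] == '\0') return NULL;
    return dot + 1;
}

/* What Explorer shows with "Hide extensions for known file types" enabled:
 * the final extension is dropped when it is a registered type, and whatever
 * remains (including an inner ".mp3") is displayed as the file name. */
void displayed_name(const char *name, char *out, size_t outsz) {
    const char *ext = real_extension(name);
    size_t keep = strlen(name);
    if (ext && (in_list(ext, exec_exts) || in_list(ext, passive_exts)))
        keep = (size_t)(ext - 1 - name);          /* cut at the final dot */
    if (keep >= outsz) keep = outsz - 1;
    memcpy(out, name, keep);
    out[keep] = '\0';
}

/* True when a user would see a harmless-looking media/document name but a
 * double click would run the file as a program. */
bool is_disguised_executable(const char *name) {
    const char *ext = real_extension(name);
    if (!ext || !in_list(ext, exec_exts)) return false;
    char shown[260];                              /* MAX_PATH-sized scratch buffer */
    displayed_name(name, shown, sizeof shown);
    const char *inner = real_extension(shown);
    return inner && in_list(inner, passive_exts);
}

int main(void) {
    /* Constructed file names standing in for a shared-folder listing. */
    const char *files[] = { "SomethingInteresting.mp3.exe", "song.mp3",
                            "codec_setup.exe", "holiday.JPG.scr", "notes.txt" };
    char shown[260];
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        displayed_name(files[i], shown, sizeof shown);
        printf("%-30s shown as %-26s %s\n", files[i], shown,
               is_disguised_executable(files[i]) ? "<-- disguised executable" : "");
    }
    return 0;
}
```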

Luckily there is a very simple way to guard against such black magic. In Windows XP and Vista**, in the file browser, go to the Tools menu and select Folder Options.

In this dialog, uncheck ‘Hide extensions for known file types’ and click Apply followed by clicking Apply to all folders.

And that’s it! A simple check box and some common sense now separates you from being lured into downloading fake or malicious files.

* Some files like some movies can have containers which direct the media player or operating system to web pages. It is not just media files which are vulnerable but this is a completely different topic.

** In Vista you may have to enable the classic menu

MSN Spamharvesting – A Caution…

January 28, 2008 5 comments

Let me set the scene: I was randomly on MSN when a friend of mine sent me a message saying “http://www.almanbirasi.info/list :)”. On inspection, the site appears to offer a service to tell users who has blocked them on their contact list, a function not available in regular MSN.

I would highly advise anyone looking at any such ‘third party’ service to do a bit of background digging before giving ANY of their details over to a dubious third party. I was immediately suspicious and I will detail for you why.

1) The page looks well designed, but has no Google PageRank. This can mean one of many things, but usually it means a site or page is new. A service such as an MSN block checker is likely to spread virally (if it worked and was genuine) and this would likely lead to it being assigned a Google PageRank. An example of where this SEO-based tool can be very handy.

2) Whenever you are prompted for personal or account details, you should immediately stop for a sanity check – look to see who owns the site (this can be done with a whois lookup) and whether your data will be secure. This takes two forms: one – is the site reputable (this can be checked a number of ways) and two – will your data be secure? For the latter, consider encryption (is the page SSL secured?) and data storage (does the site have a privacy policy, etc.).

3) The link ‘http://www.almanbirasi.info/list’ in fact takes you to a page ‘http://www.msnliststatus.com/’, which is a bit odd.

4) The .info TLD – call me a domain-ist if you will, but I don’t trust this TLD.

5) The terms of service explicitly state that by using their service you are opting in to (a doubtlessly un-opt-out-able) advertising service.

As it turns out I was right. I sent a message back expressing my concerns to this person, assuming he had stumbled across it and sent me the link. Here is the conversation we had, edited to remove the name of the person.

Person A says:
http://www.almanbirasi.info/list
Konrad says:
what is this?
Konrad says:
haha no way!
Konrad says:
it has no page rank, i.e. it's a great way to lose your login details to do something you can do within gaim / pidgin
Person A says:
huh?
Konrad says:
I would not use it
Person A says:
huh?
Konrad says:
looks like a big security hole
Person A says:
what?
Konrad says:
lol you tried it didn't you?
Person A says:
what?
Person A says:
did it just send a message for me?
Person A says:
fucking thing
Konrad says:
hahahaha!
Person A says:
sorry, just changing my password
Konrad says:
lol
Konrad says:
that's funny
Person A says:
did it send a message to you
Konrad says:
yes

So, as you can see, he used this utility and it logged into his account and sent me (and presumably others) a link back to its page without him knowing or giving his permission. It appears this has been going on for a few months, with users also reporting having their accounts hijacked. Luckily there is a very simple way to determine whether you are on a person’s contact list or whether he/she has blocked you, on a variety of networks not just MSN, like Google Talk, ICQ, AIM etc. It involves using a free open source program called Pidgin.

Install it, set up the account you want to use and log in. Right click on the contact and select ‘Get Info’; this window should tell you everything you want to know about a certain contact, as illustrated below.

My friend is very clued up about systems, IT and security but he fell for it; just be careful on the web.


Local Client Insecurity

December 23, 2007 Leave a comment

Any tech-savvy user will know of a handful of security vulnerabilities relating to desktop computing; these can range from remote attacks (man in the middle / malware / DDoS / brute forcing / port scanning) to local exploits (hardware & software keystroke logging / more malware / diallers etc.)

In fact, apart from the distant days of Windows 95 I can’t recall a time when there were more things for security-conscious users to be worried about. Back in the mid to late 90s, the internet was gradually becoming commonplace and within the reach of the layman. Unfortunately these users typically didn’t update software to patch security holes (or didn’t have a sufficiently fast connection – 4hrs for the IE 4.0 update?). The term script kiddie was coined, referring to individuals who would use “off the shelf” exploit programs to wreak havoc. These easily found resources would be effective for months (if not years) due to the majority of users being completely clueless or disinterested in protecting their digital homes.

Fast forward to the modern day: wireless hacking tools exploiting the poor design and implementation of WEP encryption have been commonplace for a number of years now. Wireless equipment manufacturers have taken on the role of securing their clients’ networks by shipping routers with WEP (and more recently WPA) enabled by default, which has helped secure many home networks from a variety of threats, from freeloading neighbours to network peeping toms. Security software companies have helped raise awareness while peddling their often rather poor offerings to the unsuspecting public. (Norton anyone?)

By now everyone must know that running WEP on a Wi-Fi connection is potentially extremely risky; those reading this who are still running an unencrypted wireless access point without some kind of secondary encryption system should stop what they are doing and read up on this.

It would appear that even wireless keyboards (using 27MHz radio transmitters, not Bluetooth) are vulnerable (although Bluetooth ones are also, but via a different type of attack). It turns out that security was probably very low down on the list of priorities during development of this common interface extension. The security system employed uses a single-bit XOR encryption. The best explanation of how rubbish this is stems from TechFaq’s definition / explanation of XOR:

“XOR encryption is a trivially simple symmetric cipher which is used in many applications where security is not a defined requirement.”

The article concludes that there are only 256 possible keys, set once a keyboard / receiver have been paired, with no periodic shifting. It does make you wonder how easy it would be to build a portable device designed to record all 27MHz data it can pull off the air for later analysis. Whilst the majority of the time it would capture useless keystrokes or harmless IM conversations, it could potentially capture bank details (although most banks now use secondary non-input-based authentication) or email / shopping account passwords. As if we didn’t have enough to worry about with both software and hardware keyloggers already.
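To show what a 256-key keyspace means in practice, an added example (not from the original post or the TechFaq article) in C: the cipher is modelled as every byte XORed with the same one-byte key, and the block demonstrates that all 256 candidate keys can be enumerated and the right one picked out by a simple text-likeness score, or read off directly from a single known byte. The sample text and the key 0xA7 are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEYSPACE 256u   /* one key byte, fixed at pairing time: 256 candidates in total */

/* Constructed sample keystrokes standing in for a typed session; not real data. */
static const char SAMPLE_TEXT[] = "meet you at the station at nine";

/* The cipher under discussion: every byte XORed with the same key byte.
 * Because (x ^ k) ^ k == x, the one routine both encrypts and decrypts. */
void xor_single_byte(const uint8_t *in, uint8_t *out, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key;
}

/* Text-likeness score: count of letters and spaces. Under the right key typed
 * prose scores n; any wrong key turns some letters or spaces into other bytes,
 * so for ordinary lowercase text the true key is the unique maximum. */
size_t text_score(const uint8_t *buf, size_t n) {
    size_t score = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = buf[i];
        if (c == ' ' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) score++;
    }
    return score;
}

/* Exhaustive search over the whole keyspace: decrypt with every key and keep
 * the most text-like result. `tried` receives the number of candidates examined,
 * which is all 256 regardless of how long the ciphertext is. */
uint8_t recover_key(const uint8_t *ct, size_t n, unsigned *tried) {
    uint8_t buf[256], best = 0;
    size_t best_score = 0;
    if (n > sizeof buf) n = sizeof buf;
    for (unsigned k = 0; k < KEYSPACE; k++) {
        xor_single_byte(ct, buf, n, (uint8_t)k);
        size_t s = text_score(buf, n);
        if (s > best_score) { best_score = s; best = (uint8_t)k; }
    }
    if (tried) *tried = KEYSPACE;
    return best;
}

/* Known-plaintext shortcut: a single byte whose plaintext is known (a space,
 * the most frequent keystroke) yields the key with no search at all. */
uint8_t key_from_known_byte(uint8_t ct_byte, uint8_t pt_byte) { return ct_byte ^ pt_byte; }

int main(void) {
    uint8_t ct[64], pt[64];
    size_t n = strlen(SAMPLE_TEXT);
    unsigned tried = 0;
    xor_single_byte((const uint8_t *)SAMPLE_TEXT, ct, n, 0xA7);  /* 0xA7: arbitrary sample key */
    uint8_t k = recover_key(ct, n, &tried);
    xor_single_byte(ct, pt, n, k);
    printf("recovered key 0x%02x after %u candidates: \"%.*s\"\n", k, tried, (int)n, pt);
    printf("from one known space: 0x%02x\n", key_from_known_byte(ct[4], ' '));
    return 0;
}
```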
