Security Advisor

Blue Pill Researcher Crosses Into Fuzzy Territory

Also: UK bank's security works for only one browser; trusting trust certs.

At a recent Hack-in-the-Box conference, Joanna Rutkowska, who developed the proof-of-concept malware called "Blue Pill," defended her work and said she is developing a new version that would "be even better."

This is a perfect example of a researcher crossing the line between legitimate research and work whose main beneficiaries would be criminals. Rutkowska's first attempt at creating "100 percent undetectable malware" could, arguably, be read as an attempt to show how a new technology has been implemented poorly or insecurely. She believes that the hardware virtualization capabilities of newer processors leave operating systems open to being completely subverted. If the operating system doesn't control which kernel code may be paged out to disk (where it can be rewritten before it is paged back in), code of the type she's developed can slip beneath the OS as a thin hypervisor and take complete control of it, so that nothing the user might trust remains trustworthy.

Virtualization experts answered this first attempt by stating that it could be detected. Rebuffed, Rutkowska has said she's going to make the next version resistant to the detection methods the experts offered. What she hasn't acknowledged, however, is how much work it takes to subvert the OS completely and stay hidden. Even if she can achieve that level of subversion, the question is whether the criminal malware community would ever bother to do so.

Of course, if Rutkowska gets rebuffed again, or has a lapse in ethics, her code may become the code criminals use. Why build it anew if it's already available? And all of this is, according to her, because Microsoft has refused to stop the Vista kernel from being paged out to disk. Whether or not that is a real risk, the fact that Microsoft has so far "ignored" her advice would appear to be the primary motivation for whatever work she's doing.

The reality is more likely that when anyone talks about Windows Vista, AMD, Intel and malware in the same breath, they get all sorts of media and speaking requests.

In our opinion, this is malware in search of a criminal to use it. She has created the problem, is refining and showing her proof-of-concept code, and is apparently not getting enough attention for all her work. This can only get worse.

Major UK Bank Web Sites with Serious Security Flaws
Numerous major banking institutions fail to take the advice they give their online customers. According to Heise Security, its tests of many banking sites showed that the sites use frames for their sensitive processing, such as the form where you enter your login information. Versions of IE before IE7 do not, by default, stop a page on one site from loading its own content into a named frame of another site's frameset, so a login frame is open to easy-to-implement spoofing attacks: the attacker's page displays the bank's real frameset while substituting a look-alike login form for the genuine one.

Now, before you say this is just another example of someone "not eating their own dog food," realize that if the banks aren't providing access that their clients can secure, they are leaving those clients susceptible to attack. Heise's demonstration shows that the banks it found vulnerable had not considered the risks they're exposing their clients to, and phishers seem to be well aware of them. Furthermore, the frame-spoofing problem has been known for almost 10 years, so there's certainly been enough time to address it.

Unfortunately, few Web sites bother to implement the more secure and sensible mechanisms, such as refusing to render a login page inside someone else's frameset, that can help to thwart phishing attempts.
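The following is an added example, not code from the column, from Heise's test or from any bank: the kind of frame-ancestry check a login page could run when it is meant to live only inside its own site's frameset. It is written as pure functions exercised against constructed window-like objects so that it runs outside a browser; the hostnames and URLs are made up.

```javascript
// Added example (not code from the column, from Heise or from any bank): a
// frame-ancestry check of the kind a login page could run when it is meant to
// live inside the bank's own frameset. Hostnames and URLs below are made up.
//
// The hazard: a page designed for one frameset can be loaded into a frameset
// built by someone else, who then controls the surrounding frames and can swap
// in look-alike content. The page can only trust a frame chain in which every
// ancestor window is on its own origin.

// Origin (scheme://host[:port]) of a URL string, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Walk from `win` up through `parent` to `top` and decide whether the chain is
// trustworthy. Returns { framed, trusted, reason }.
// In a real browser, reading a cross-origin ancestor's location.href throws, so
// a read failure is treated as a foreign ancestor rather than skipped.
function assessFrameChain(win) {
  if (win === win.top) {
    return { framed: false, trusted: true, reason: 'top-level window' };
  }
  const selfOrigin = originOf(win.location.href);
  let cur = win;
  let depth = 0;
  while (cur !== cur.top) {
    cur = cur.parent;
    depth += 1;
    let href;
    try {
      href = cur.location.href;
    } catch (e) {
      return { framed: true, trusted: false, reason: `ancestor ${depth} is cross-origin (location unreadable)` };
    }
    const origin = originOf(href);
    if (origin !== selfOrigin) {
      return { framed: true, trusted: false, reason: `ancestor ${depth} has origin ${origin}` };
    }
  }
  return { framed: true, trusted: true, reason: 'all ancestors share our origin' };
}

// Where to send `top` when the chain is untrusted: our own URL, so the login
// page is shown stand-alone instead of inside the foreign frameset. Returns
// null when no action is needed. (Assumes the page works outside its frameset.)
function frameBustTarget(win) {
  return assessFrameChain(win).trusted ? null : win.location.href;
}

// Constructed stand-ins for browser windows (test data, not real pages).
// hrefs[0] is the top window, the last entry the innermost frame being checked.
// Indices listed in `unreadable` emulate cross-origin windows whose location
// cannot be read.
function makeChain(hrefs, unreadable = []) {
  const wins = hrefs.map(() => ({}));
  wins.forEach((w, i) => {
    w.top = wins[0];
    w.parent = i === 0 ? w : wins[i - 1];
    if (unreadable.includes(i)) {
      Object.defineProperty(w, 'location', {
        get() { throw new Error('Blocked a frame from accessing a cross-origin frame'); },
      });
    } else {
      w.location = { href: hrefs[i] };
    }
  });
  return wins[wins.length - 1];
}

// The bank's own frameset around its login page: trusted, no bust-out needed.
const legit = makeChain(['https://bank.example/frameset', 'https://bank.example/login']);
// An attacker's frameset wrapping the genuine login page: untrusted.
const hostile = makeChain(['https://evil.example/fake-bank', 'https://bank.example/login']);
// The same attack as a browser would present it, with the ancestor unreadable.
const opaque = makeChain(['https://evil.example/fake-bank', 'https://bank.example/login'], [0]);

console.log(assessFrameChain(legit).reason);    // all ancestors share our origin
console.log(assessFrameChain(hostile).reason);  // ancestor 1 has origin https://evil.example
console.log(frameBustTarget(opaque));           // https://bank.example/login
```

In a real page the call is `assessFrameChain(window)` at load, followed by `top.location = location.href` when the verdict is untrusted. The check only runs if scripting is enabled inside the frame, so a server-sent frame-ancestry restriction (the X-Frame-Options header, and later CSP frame-ancestors) is the stronger control in browsers that honour it; both target the same condition this function detects.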

This column was originally published in our weekly Security Watch newsletter.

Adverse Selection in Online 'Trust' Certifications
Ben Edelman, the originating force behind McAfee's SiteAdvisor software, has published a new paper (PDF) based on a survey of some 500,000 sites. The survey used SiteAdvisor's rating as the judge of each site's trustworthiness and then compared the rate of "bad" ratings among sites that were Truste-certified with the rate among sites that were not. His conclusion is that Truste-certified sites are twice as likely as non-certified sites to be rated "bad" by SiteAdvisor.

Edelman concludes that Truste has a systemic problem in how it does business. He believes it does not adequately vet the sites it certifies, and that it allows sites to display its logo before they have fulfilled all of the testing requirements. He also points out that Truste often continues to list a site as certified while privately telling him and others that the site is no longer certified.

His bottom line is that if a certification authority is going to be trustworthy, it must do a better job than Truste is doing in ensuring the sites it has certified are actually trustworthy.

Hacker Gets Away With It
An unfortunate verdict was handed down in a New Zealand court. Gerasimos Macridis had pled guilty to intentionally accessing the New Zealand Reserve Bank's telephone system without authorization. However, a judge dismissed the case after hearing Macridis explain his actions. The judge believed "his intentions were honorable."

Great. So if you're really good at social engineering, then computer fraud is just fine. Macridis discovered vulnerabilities in the bank's telephone systems. He then called the bank, informed it of the issues and sent it an invoice for his unsolicited advice. He did the same thing with Telecom New Zealand.

He then went on to explain that he had previously done work for Telecom New Zealand and the police, had not used the vulnerabilities for his own gain and had not divulged the information to any third parties. This, the judge believed, was sufficient proof of his honorable intentions.

Regardless of how honorable his intentions were, if you demand payment for unsolicited security advice, you can certainly expect a knock on your door. Furthermore, probing private systems without explicit authorization should always be deemed a crime, as it has been recently in various cases in the United States. We can only hope that the New Zealand case is reviewed, or at least does not contribute to any future defense cases.

Reader Comments:

Tue, Nov 7, 2006 Anonymous Anonymous

Hacker gets away with it: Why do we always see "hackers" going to court for finding vulnerabilities and responsibly notifying the institution? I would like to see more stories of these companies' customers getting together and taking THEM to court for not securing their information properly.

Mon, Nov 6, 2006 Brian Toronto

Russ, you're usually much better at doing research. Your first article on Joanna's work missed the point entirely (printed a few weeks back). The detection methods "experts" point to that you cited were actually presented by her, not thought up by them, and simply are not practical. (Can you stopwatch the CPU_ID function?) You can read her blog post on the feasibility of the detection methods. The media (yourself included) needs to look more at what she's trying to say. Look at Dino's work on Vitriol, it's the same thing. At Blackhat he demo'd it with Mac OS-X and Intel-VT, proving this isn't a Vista and AMD discussion. But the media seems to ignore that. And let's ignore whether Joanna can subvert the operating system. "Click Yes To Infect Your System" works just fine, look at the bulk of today's viruses. Focus on the results and learnings from her research. Swapping kernel drivers to disk is a bad idea, having no hardware flag to detect if you're running in a virtualized environment is a bad idea, etc. Perhaps her work will become malware with mal-intent one day. And maybe you think security researchers should never publish their work, those discussions aside, at least let's be clear about the threat and the real issues.
