Security Watch

Code May Sour BlackBerry Users

Also: software keeps cars garaged and why we shouldn't stop superbugs from breeding.

Two proof-of-concept exploits were presented at DefCon 14 that demonstrated how BlackBerry handhelds can be used to tunnel data from your internal network to external sites without being observed by IDS or other monitoring tools.

These are not really vulnerabilities: the possibility of exploitation arises from configuration settings available in the BlackBerry Enterprise Server (BES). Administrators can allow clients to access internal systems, access external systems, and run third-party applications. In the right combination, this could allow one of the demonstrated programs to act as a proxy on the BlackBerry handheld. A criminal physically using the BlackBerry could then access internal resources, collect data and send it on to external sites.

Neither of the programs worked automatically, and both required the BlackBerry owner to know what was going on. Nevertheless, it's all a good reminder that if you improperly configure a gateway device, you can open the way for intruders on your network.

Software Traps Cars in Parking Garage

The city of Hoboken, N.J., decided to end its relationship with the provider of the software used to stack cars in an automated parking garage. The city did this, in part, by having police escort the company's employees off the premises. But when the employees left, so did the functioning software required to retrieve cars from their berths.

The cars were stacked in slots they could not be driven out of. Stacking them this way, the provider claims, lets twice as many cars be parked in a given lot.

This is a good example of what can happen if you fail to understand what terminating a contract actually means, or involves. Cars were trapped for several days, and lawsuits were filed against the city as it brought in third parties to figure out how to free the vehicles from their slots.

Breeding Internet Superbugs

Stomping a botnet is actually a bad thing to do. Read that again. Paul Vixie, best known as the author of BIND, has written an interesting blog entry regarding botnet owners. In it, he strongly recommends not disrupting botnets but instead observing them and tracking the owners and their money. In this way, he believes, it becomes possible to physically track down the authors and operators in order to arrest and prosecute them. He contends that by disrupting botnets, we, the security professionals, are actually teaching botnet authors and operators how to avoid detection better, making the problem worse.

Vixie is not recommending that we allow botnets that have infected our systems to continue to run. Instead, he is referring to the efforts of some who go out to the Internet at large and stop botnets. These people believe they are helping the Internet as a whole by performing such actions, much as those who attempt to find and eliminate child pornography do. In this context, Vixie is right; taking a botnet's command and control channel down does little to affect the botnet. The owner merely alters the C&C and fires the bots back up again. Each time they do this, he suggests, they evolve into a slightly better, more refined and potentially less detectable entity.

80 Percent of New Malware Defeats Antivirus

According to the general manager of the Australian Computer Emergency Response Team (AusCERT), the most popular AV programs fail to recognize about 80 percent of the malware samples AusCERT sees at the time it first receives them. From this, he concludes that consumers are being protected by software that doesn't work.

Well, strong words again. This estimate may very well be true, and the GM acknowledges that it results from malware authors testing their malware against popular AV programs before releasing it. The bigger question is not whether AV can detect all malware before it is released, but how many people get infected before AV companies receive a copy to analyze and build a defense for. Furthermore, no mention is made of heuristic detection, something virtually all AV products offer but that is rarely enabled. Heuristic detection comes with the problem of false positives, but it is also likely to dramatically reduce the number of undetected samples AusCERT sees. Unfortunately, using heuristics may also increase the AV program's overhead or slow it down.
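The trade-off described above, as an added illustration that is not part of the column and not any vendor's engine: a hash-based "signature" check beside a deliberately simple heuristic scorer (byte entropy plus a handful of suspicious API strings), run over constructed byte strings that stand in for executables. The sample contents, the string list and the scoring threshold are all assumptions chosen for the demonstration; real AV heuristics are far more involved, but the shape of the result is the same: the repacked variant slips past the signature and is still caught by the heuristic, while a benign debugging tool that legitimately uses the same APIs is flagged as a false positive.

```python
import hashlib
import math

# Constructed stand-in for a heuristic rule set (assumption, not any product's list).
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"cmd.exe /c", b"keylog"]

# 1024 bytes in which every byte value occurs equally often: entropy is exactly 8.0,
# mimicking a packed or encrypted payload body.
HIGH_ENTROPY = bytes(range(256)) * 4

# Constructed sample "files" (not real malware; just byte strings for the demo).
KNOWN_MALWARE = b"MZ" + b"CreateRemoteThread\0WriteProcessMemory\0cmd.exe /c\0" + HIGH_ENTROPY
REPACKED_MALWARE = KNOWN_MALWARE + b"\x90"  # one-byte change in the packer stub: new hash
PACKED_BENIGN = b"MZ" + b"SetupWizard\0" + HIGH_ENTROPY  # packed installer, no suspicious APIs
DEBUGGER_TOOL = b"MZ" + b"CreateRemoteThread\0WriteProcessMemory\0" + HIGH_ENTROPY  # legit tool
PLAIN_BENIGN = b"MZ" + b"hello from a plain text tool\0" * 10

SAMPLES = {
    "known_malware": KNOWN_MALWARE,
    "repacked_malware": REPACKED_MALWARE,
    "packed_benign": PACKED_BENIGN,
    "debugger_tool": DEBUGGER_TOOL,
    "plain_benign": PLAIN_BENIGN,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The signature database only knows the hash of the sample the vendor already received.
KNOWN_HASHES = {sha256(KNOWN_MALWARE)}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniform random data scores 8.0, plain text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_verdict(data: bytes, known_hashes: set = KNOWN_HASHES) -> bool:
    """Exact-match detection: fires only for a sample the vendor has already analyzed."""
    return sha256(data) in known_hashes


def heuristic_score(data: bytes) -> int:
    """Generic traits: high entropy (likely packed) plus count of suspicious API strings."""
    score = 2 if shannon_entropy(data) > 7.0 else 0
    score += sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    return score


def heuristic_verdict(data: bytes, threshold: int = 3) -> bool:
    """Threshold chosen for the demo; raising it trades false positives for misses."""
    return heuristic_score(data) >= threshold


def scan_all(samples: dict = SAMPLES) -> dict:
    """Return {name: (signature_hit, heuristic_hit)} for every sample."""
    return {name: (signature_verdict(d), heuristic_verdict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (sig, heur) in scan_all().items():
        print(f"{name:18s} signature={sig!s:5s} heuristic={heur!s:5s} "
              f"score={heuristic_score(SAMPLES[name])}")
```

Running it shows the point the column makes: the signature engine misses `repacked_malware` entirely, the heuristic catches both malware variants, and the same heuristic also flags `debugger_tool`, which is exactly the kind of false positive that keeps heuristics switched off by default.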

Pot Calls the Kettle Black

Recently, F-Secure noted that it had received another Symbian mobile device virus sample, dubbing it Commwarrior Q. Symbian decided to try to scare F-Secure into not mentioning such samples, hoping to quell concerns over malware on its mobile devices.

Well, how silly is this: Symbon says it's worried that talk about mobile malware, which everyone agrees is a virtually nonexistent threat in the wild, will prevent application developers from using its OS. Well, of course it will, just as it has for Microsoft Windows. Symbian claims it has hardened the OS to make it more difficult for malware authors to write successful code, but then says that malware authors have now been relegated to using "social engineering techniques" to be successful. Uh, duh, that's what most PC-based malware uses too, isn't it? So how does a hardened Symbian OS translate into a non-threat to mobile device users? Bottom line is, it doesn't.

As criminals continue to find ways to compromise mobile devices, running Symbian or not, their efforts are likely to evolve into a larger threat. Trying to keep anti-virus vendors silent about this development process is just plain dumb. Accusing them of over-hyping the problem is equally silly, and serves no purpose other than to show that the OS vendor is worried about its own ability to control the problem.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
