Security Watch

Researchers Challenge DOS Attack Data

Also: protecting against EFS-based attacks; banks misappropriating data from other sources.

A group of researchers analyzed network data to determine details about DoS attacks, and several of their observations differ from conventional thinking. First, they believe 70 percent of DoS attacks come from IP addresses that haven't been spoofed. Second, in their backscatter traffic analysis they saw less than 1 percent of DoS traffic using UDP (although this was contradicted somewhat by their own Large-Scale Attack Detection System deployed at a Tier-1 ISP, which saw 46 percent of DoS traffic as UDP).

The fact that DoS attacks aren't being spoofed any more is something we've known for a while, although it's nice to see it substantiated in published research. More interesting was their analysis, which determined that DoS traffic originated from fewer than 50 Autonomous Systems (ASes), suggesting that DoS traffic could be dramatically limited if the owners of those networks were controlled (intelligently black-holed, or simply monitored more closely).

Protecting Against EFS-Based Attacks
McAfee's AVERT Labs recently expressed concern in its blog over a Trojan that appears to take advantage of the Windows Encrypting File System (EFS) to hide itself on the victim's system. The Trojan, among other things, creates an Administrator account, thereby providing itself with an encryption key. This key is then used to encrypt the files it downloads, preventing others from being able to see the contents of those files. McAfee says it has been detecting variants of this Trojan since Aug. 2, 2006, and has seen an upsurge in infections over the past few weeks.

It cannot be disputed that such an attack is significant, in that decrypting the files would not be accomplished easily. However, such a Trojan is not likely to work within a corporate environment where, if best practices are being followed, users should not be able to create Administrator accounts. Furthermore, if a Key Recovery Agent has been established, the files could be decrypted with that agent's key. In a home user environment, however, a Key Recovery Agent is not likely to be present, nor is a home user likely to be able to crack the password on such an account. Therefore, the Trojan is likely to stay on the infected system much longer than others.
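The Trojan's first step, creating a local Administrator account, leaves a trail in the Security log, and that is the point at which a defender can catch it. As an added example (not code from McAfee or this column), the Python below correlates constructed Windows Security records to find accounts that were created and placed in Administrators within a few minutes of each other, then lists any EFS-encrypted files owned by those accounts; the event IDs, the `PC` machine name and the file inventory are all assumptions for the sample.

```python
from datetime import datetime, timedelta

# Constructed Windows Security records, not taken from any real host.
# 4720 = user account created, 4732 = member added to a local group
# (Windows 2003-era logs use 624 and 636 for the same events).
SAMPLE_EVENTS = [
    {"time": "2006-09-12 10:01:03", "id": 4720, "actor": "PC\\alice", "target": "svc_backup"},
    {"time": "2006-09-12 10:01:05", "id": 4732, "actor": "PC\\alice", "target": "svc_backup",
     "group": "Administrators"},
    {"time": "2006-09-12 11:30:00", "id": 4720, "actor": "PC\\bob", "target": "guest2"},
    {"time": "2006-09-12 11:45:00", "id": 4732, "actor": "PC\\bob", "target": "guest2",
     "group": "Remote Desktop Users"},
]
# Constructed file inventory (e.g. from a scan for the Encrypted attribute).
SAMPLE_FILES = [
    {"path": r"C:\Windows\Temp\x.dat", "encrypted": True, "owner": "PC\\svc_backup"},
    {"path": r"C:\Users\alice\notes.txt", "encrypted": True, "owner": "PC\\alice"},
    {"path": r"C:\Users\bob\todo.txt", "encrypted": False, "owner": "PC\\bob"},
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def new_admin_accounts(events, window=timedelta(minutes=5)):
    """Accounts created (4720) and added to Administrators (4732) within `window`.
    Returns {account: creator}."""
    created, hits = {}, {}
    for ev in sorted(events, key=lambda e: _t(e["time"])):
        if ev["id"] == 4720:
            created[ev["target"]] = (_t(ev["time"]), ev["actor"])
        elif ev["id"] == 4732 and ev.get("group") == "Administrators":
            info = created.get(ev["target"])
            if info and _t(ev["time"]) - info[0] <= window:
                hits[ev["target"]] = info[1]
    return hits

def efs_files_of(accounts, files, domain="PC"):
    """EFS-encrypted files owned by any of the suspect accounts: without a
    recovery agent these are unreadable to everyone but that account."""
    owners = {f"{domain}\\{a}" for a in accounts}
    return [f["path"] for f in files if f["encrypted"] and f["owner"] in owners]
```

On a real host the same two lists would come from the Security log and a recursive scan for the Encrypted attribute; the correlation logic does not change.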

Warning on Free O'Hare Wi-Fi Connections
According to a study by Authentium, some 90 percent of the apparent wireless connection points at O'Hare Airport were not from actual providers. Instead, they were broadcasts from other travelers' laptops offering themselves up as access points, because that is how they are configured by default. The security firm took the opportunity to point out that any of those could have been a hacker hoping to lure people into using their machine to log in to bank accounts or perform other acts that might yield sensitive personal information.

The steps to get a wireless connection set up were so cumbersome in the early days that the process had to be automated. That automation has now been proven so wrong as to be incredibly scary. Granted, it's unlikely that any of the O'Hare access points were actually culling bank login details, but it could be true. Why physically pick your pocket if I can pick your money right out of the air? As the article suggests, you definitely must ensure that your laptops are not attempting to offer themselves up as connection points, and, whenever you do connect to an access point, it should be verified as being what you thought it would be.
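One way to act on that advice before connecting, as an added example that is not from Authentium or this column: a Python parser for the output layout of Windows' `netsh wlan show networks mode=bssid` (the scan text below is constructed) that rejects ad-hoc entries, which are other laptops rather than access points, and treats any network whose BSSID is not on a list obtained from the venue as unverified. The venue-published BSSID list is an assumption; the point is that the SSID alone proves nothing.

```python
import re
# Constructed sample in the layout of `netsh wlan show networks mode=bssid`.
SAMPLE_SCAN = """\
SSID 1 : Free Airport WiFi
    Network type            : Adhoc
    Authentication          : Open
    BSSID 1                 : 02:11:22:33:44:55

SSID 2 : Airport Hotspot
    Network type            : Infrastructure
    Authentication          : Open
    BSSID 1                 : 00:aa:bb:cc:dd:ee

SSID 3 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    BSSID 1                 : 00:aa:bb:cc:dd:ff
"""
def parse_networks(text):
    """Turn the scan text into a list of dicts (ssid, network_type, ...)."""
    nets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"SSID \d+\s*:\s*(.*)", line)  # header line has no indent
        if m:
            cur = {"ssid": m.group(1).strip(), "bssids": []}
            nets.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"\s*(Network type|Authentication)\s*:\s*(.*)", line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
        m = re.match(r"\s*BSSID \d+\s*:\s*([0-9a-f:]{17})", line, re.I)
        if m:
            cur["bssids"].append(m.group(1).lower())
    return nets

def assess(nets, venue_bssids=frozenset()):
    """Verdict per SSID: ad-hoc peers rejected; others need a venue-listed BSSID."""
    verdicts = {}
    for n in nets:
        if n.get("network_type", "").lower() == "adhoc":
            verdicts[n["ssid"]] = "reject: another laptop, not an access point"
        elif not set(n["bssids"]) & venue_bssids:
            verdicts[n["ssid"]] = "unverified: BSSID not on the venue's list"
        elif n.get("authentication") == "Open":
            verdicts[n["ssid"]] = "caution: open network, no link encryption"
        else:
            verdicts[n["ssid"]] = "ok"
    return verdicts
```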

Bank To Pay $50 Million for Buying Personal Data
Fidelity Bank in Florida has been sued by an individual who claims the bank illegally obtained and used information that it purchased from the State of Florida Department of Motor Vehicles. According to the filings, Fidelity violated the 1994 Driver's Privacy Protection Act, a law enacted to force states to seek permission from the owners of the information they hold before that information can be used in any non-authorized fashion, including being sold as lists to third parties.

The ruling does not actually convict Fidelity; it simply overrules Fidelity's request for dismissal. Fidelity had argued that the plaintiff had not suffered monetary damages as a result of the bank's purchase of his information and, therefore, was not entitled to seek remedies from the court. The ruling declared that the law permits such actions regardless of whether damage has actually been suffered.

It can be expected that Fidelity will, at some point, argue that it had every reason to believe the Florida DMV had obtained permission from all the people whose personal information it was making available. That requirement came as part of a 1999 amendment to the federal version of the law, which was never enacted in Florida's version of the law.

If Fidelity is found to be at fault, without additional circumstances coming to light, it would definitely be a huge blow to anyone who markets or purchases lists. If the purchaser must request the permission of each individual whose information they wish to obtain, individuals are going to be inundated with such requests on a regular basis. This would likely be the end of such list distributions.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
