Security Advisor

Blue Pill Researcher Crosses Into Fuzzy Territory

Also: UK bank's security works for only one browser; trusting trust certs.

At a recent Hack-in-the-Box Conference, Joanna Rutkowska, who developed the malware example called "Blue Pill," attempted to defend her malware and also stated she was developing a new version which would "be even better."

This is a perfect example of a researcher crossing the line between legitimate research and criminal benefit. Rutkowska's first attempt at creating "100 percent undetectable malware" could, arguably, be an attempt to show how new technology has been implemented poorly or insecurely. She believes that the virtualization capabilities of newer processors leave operating systems open to being completely subverted. If the operating system doesn't control what is, or isn't, placed into virtual memory, then code of the type she's developed could take complete control of the OS, preventing anything the user might trust from being trustworthy.

This first attempt was explained away by virtualization experts, who stated it could be detected. Rebuffed, Rutkowska has said she's going to prevent it from being detectable in the ways offered by experts. What she hasn't acknowledged, however, is how difficult it would be to completely subvert the OS. While she may be able to achieve this level of subversion, the question is whether the criminal malware community would ever bother to do so.

Of course, if Rutkowska gets rebuffed again, or has a lapse in ethics, her code may become the code criminals use. Why build it anew if it's already available? And all of this is simply because, according to her, Microsoft has refused to prevent the kernel in Vista from going into virtual memory. Now, while it may or may not be a risk for that to happen, the fact that Microsoft has so far "ignored" her advice would appear to be her primary motivation for whatever work she's doing.

The reality is more likely that when anyone talks about Windows Vista, AMD, Intel and malware in the same breath, they get all sorts of media and speaking requests.

In our opinion, this is actually malware in search of a criminal to use it. She has created the problem, is refining and showing her proof of concept exploit code and is apparently not getting enough attention for all her work. This can only get worse.

Major UK Bank Web Sites with Serious Security Flaws
Numerous major banking institutions fail to take their own advice for their online customers. According to Heise Security, the company's tests of many banking institutions showed that those institutions were using frames for their sensitive processing, such as where you enter your login information. Frames are not, by default, disabled in any version of IE (prior to IE7) and so are susceptible to easy-to-implement spoofing attacks.

Now, before you say this is just another example of someone "not eating their own dog food," realize that if the banks aren't providing access that is securable by their clients, they are leaving their clients susceptible to attack. Heise's demonstration shows that the banks it found vulnerable had not considered the risks they're exposing their clients to, and phishers seem to be well aware of it. Furthermore, the issue here is something that's been around and known for almost 10 years, so there's certainly been enough time to address it.

Unfortunately, few Web sites bother to implement more secure and sensible mechanisms that can help to thwart phishing attempts.

This column was originally published in our weekly Security Watch newsletter.

Adverse Selection in Online 'Trust' Certifications
Ben Edelman, the originating force behind McAfee's SiteAdvisor software, has published a new paper based on a survey he conducted of some 500,000 sites (PDF here). The survey looked at the trustworthiness of each site (using SiteAdvisor as a judge). He then compared the percentage of sites that were "Truste-certified." His conclusion is that Truste-certified sites are twice as likely as non-certified sites to be considered "bad" by SiteAdvisor.

Edelman concludes that Truste has a systemic problem in how it does business. He believes it does not adequately vet whom it will grant certification to, and allows sites to display its logo prior to actually fulfilling all of the testing requirements. He also points out that it often continues to report a site as certified, but meanwhile tells him and others privately that the site is no longer certified.

His bottom line is that if a certification authority is going to be trustworthy, it must do a better job than Truste is doing in ensuring the sites it has certified are actually trustworthy.

Hacker Gets Away With It
An unfortunate verdict was handed down in a New Zealand court. Gerasimos Macridis had pled guilty to intentionally accessing the New Zealand Reserve Bank's telephone system without authorization. However, a judge dismissed the case after hearing Macridis explain his actions. The judge believed "his intentions were honorable."

Great. So if you're really good at social engineering, then computer fraud is just fine. Macridis discovered vulnerabilities in the bank's telephone systems. He then called the bank, informed it of the issues and sent it an invoice for his unsolicited advice. He did the same thing with Telecom New Zealand.

He then went on to explain that he had previously done work for Telecom New Zealand and police, did not use the vulnerabilities for his own gain and did not divulge the information to any third parties. This, the judge believed, was sufficient to prove his honorable intentions.

Regardless of how honorable his intentions were, if you ask for payment when you supply unsolicited security advice, you can certainly expect a knock on your door. Furthermore, investigating private systems without explicit authorization should always be deemed a crime, as it has been recently in various cases in the United States. We can only hope that the New Zealand case is reviewed, or at least does not contribute to any future defense cases.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
