Code May Sour BlackBerry Users
Also: software keeps cars garaged and why we shouldn't stop superbugs from breeding.
Two proof-of-concept exploits were presented at DefCon 14 that demonstrated
how BlackBerry handhelds can be used to tunnel data from your internal
network to external sites without being observed by IDS or other monitoring
Not really vulnerabilities, the possibility of exploit exists due to configuration
settings available via the Blackberry Enterprise Server (BES) configuration.
Administrators can allow clients to access internal systems, access external
systems and run third-party applications. In the right combination, this
could allow one of the codes demonstrated to act as a proxy on the BlackBerry
handheld. The criminal, physically using the BlackBerry, could then access
internal resources, collect data and send it on to external sites.
Neither of the programs worked automatically and both required the
BlackBerry owner to be aware of what they were doing. Nevertheless, it's
all a good reminder that if you improperly configure a gateway device,
you can open the way for intruders on your network.
Software Traps Cars in Parking Garage
The city of Hoboken, N.J. decided it would cease its relationship
with the provider of software used for stacking cars into an automated
parking garage. The city did this, in part, by having police escort the
company's employees off the premises. However, not only did the employees
leave, but so did the functioning software required to retrieve cars from
These cars were stacked into slots which they could not be driven out of.
In doing so, the provider claims, twice as many cars can be parked in
a given lot.
This is a good example of what can happen if you fail to understand what
terminating a contract actually means, or involves. Cars were trapped
for several days and lawsuits were filed against the city as it brought
in third parties to figure out how to free the vehicles from their
Breeding Internet Superbugs
Stomping a botnet is actually a bad thing to do. Read that again.
Paul Vixie, famous author of BIND, has written
an interesting blog entry regarding botnet owners. In it, he strongly
recommends not disrupting botnets, but instead, observing them,
tracking the owners and their money. In this way, he believes, it becomes
possible to physically track down the authors and operators in order to
arrest and prosecute them. He contends that by disrupting botnets, we,
the security professionals, are actually teaching botnet authors and operators
how to avoid detection better, making the problem worse.
Vixie is not recommending that we allow botnets, which have infected our
systems to continue to run. Instead, he is referring to the efforts by some
who go out to the Internet at large and stop botnets. These people believe
they are helping the Internet as a whole by performing such actions, much
the same as those who attempt to find and eliminate child pornography.
In this context, Vixie is right; taking a botnet's command and control channel
down does little to affect the botnet. The owner merely alters the C&C
and fires the bots back up again. Each time they do this, he suggests,
they evolve into a slightly better, more refined and potentially less
80 Percent of New Malware Defeats Antivirus
According to the general manager of the Australian Computer Emergency
Response Team (AusCERT), the most popular AV programs fail to recognize
about 80 percent of the malware AusCERT sees at the time AusCERT first receives them. From this, he concludes that consumers are being protected by software
that doesn't work.
Well, strong words again. This estimate may very well be true, and is
acknowledged by the GM to be the result of the fact that malware authors
are testing their malware against popular AV programs prior to releasing
them. The bigger question is not whether AV can detect all malware
prior to it being released, but how many people get infected before
AV companies receive a copy to analyze and provide a defense for. Furthermore,
no mention has been made about the use of heuristic detection, something
virtually all AV products offer but is rarely put into use. Heuristic
detection comes with the problem of false positives, but it is also likely
to dramatically reduce the number AusCERT sees. Unfortunately,
use of heuristics may also increase the overhead the AV program requires,
or slow down its functionality.
Pot Calls the Kettle Black
Recently, F-Secure noted it has received another Symbian mobile
device virus sample, dubbing it Commwarrior Q. Symbian decided it would
try to scare F-Secure into not mentioning such samples, in hopes it
would quell concerns over malware on its mobile devices.
Well, how silly is this: Symbian comes across saying that it's worried
that talk about mobile malware, which everyone agrees is virtually a nonexistent
threat in the wild, will prevent application developers from using its
OS. Well, of course it will, just as it has for Microsoft Windows. Symbian
claims it has hardened the OS to make it more difficult for malware
authors to write successful code, but then says that malware authors have
now been relegated to using "social engineering techniques"
to be successful. Uh, duh, that's what most PC-based malware uses too,
isn't it? So how does a hardened Symbian OS translate into a non-threat to
mobile device users? Bottom line is, it doesn't.
As criminals continue to find ways to compromise mobile devices,
running Symbian or not, their development is likely to evolve into a larger
threat. Trying to keep anti-virus vendors silent on this development process
is just plain dumb. Trying to accuse them of over-hyping the problem is
equally silly, and serves no purpose other than to show the OS vendor
is concerned over their own ability to control the problem.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.