Strange Research Rising Out of Ashes on Stolen Logins
Also: E-mail bomber sentenced to scene of the crime; how SMIshing works.
While this news is about a month old, it's worth revisiting: Phoenix Technologies, a BIOS maker, contracted research regarding how prosecuted computer attacks were carried out. The research shows
that eight out of 10 could have been stopped if the machine’s identity were checked in addition to the users.
Phoenix's research presented some highly questionable data. For example, the research claimed that the average cost of a breach involving abuse of user IDs was $1.5 million, while the cost of the average virus was a little more than $2,000. Given that the company was only using 10 cases which had been prosecuted in court, it is not surprising that viruses were not prevalent, as few such cases are ever prosecuted. Also, it claimed that six of the 10 cases analyzed were carried out by individuals who had no prior relationship with the victim, suggesting that insiders aren’t as significant a threat as many think.
The press release points out the company's TrustConnector 2 software as offering a solution to the problem of identifying not only the user, but also the user's computer. Phoenix believes that strong authentication of devices is the solution to eight out of 10 of the cases it examined.
While TrustConnector 2 offers stronger machine identification using a Windows CryptoAPI module to strongly encrypt machine hardware information, the solution is hardly unique. Microsoft has offered relatively strong machine IDs as far back as Windows NT. Any machine joined to a domain received a machine name and an internally generated password, which made bypassing domain authentication virtually impossible. Granted, the use of a machine name only ensures domain resources cannot be directly accessed and does nothing to protect applications that don't incorporate domain security. However, it is an example of what TrustConnector 2 attempts to provide.
We do believe that machine authentication, in addition to user authentication, is a good thing, but there are also many obstacles to its use. How does someone use a machine that hasn’t been sanctioned when they have to, such as when you're at grandma’s house on Thanksgiving and need to check your e-mail? Also, Phoenix suggests that such strong authentication can be incorporated into network switches, but doing so network-wide would likely prove extremely resource-intensive, not to mention create a management nightmare.
Looking at this study without considering Phoenix’s motives, we highly doubt the results are truly representative of the risks facing the average business.
E-Mail Bomber Sentenced to Scene of Crime
After previously being cleared of all charges, a man in the UK last month was sentenced to two months of curfew for e-mail bombing his former employer with 5 million messages.
This story is just plain strange. David Lennon was charged under the UK's Computer Misuse Act as having unauthorized access or making unauthorized modifications. Neither clause represents the act of sending millions of e-mails. This was recognized by a judge in November 2005, who dismissed charges. However the Crown Prosecution appealed the decision and the case was ordered back to Magistrates Court for review. There, a second judge ruled that Lennon should be put under a curfew.
The curfew itself is somewhat ridiculous. Lennon was made to stay home between the hours of 12:30 a.m. and 7 a.m. on weekdays, and until 10 a.m. on weekends. This time allows Lennon's to go to his job at a cinema, and the two-month curfew expires the day before he returns to college. Such a sentence is laughable, given that no mention seems to be made about his ability to use a computer during that time. Surely he was at home when he conducted his e-mail bombing campaign and mostly likely did it late at night -- it's as if he’s being told to stay at the scene of the crime.
The Computer Misuse Act is undergoing review and amendments have been proposed to attempt to strengthen it and fill in such loopholes.
McAfee warns cell phone users to be on the lookout for phishing attempts via SMS, which it has dubbed "SMiShing" attacks. The company says that users in Iceland and Australia have experienced such attacks in the last several months. Here's how it works: The SMS message informs victims that they've been subscribed to a $2-a-day service. When victims attempt to unsubscribe by going to a link in the message, the attacker attempts to install a backdoor trojan as the victim lands on the site. McAfee reports they have just seen a mass-mailing worm called VBS/Eliles.A that performs a similar SMiShing attack.
McAfee believes VBS/Eliles.A was written by script kiddies, a fact it says means the concept of SMiShing has gone from unique to commonplace. Therefore, the company believes we'll see more of these attacks in the future. From Cybertrust’s perspective, the risk isn’t that significant. First, such tools attempt to exploit specific phones and, given the diversity between devices, the attacks typically won’t have any impact on phones other than the specific brands targeted. Secondly, the messages are unsolicited and usually fairly obvious as being a scam, as is the case with standard phishing attempts.
If there is cause for concern, it’s the use of an SMS provider’s e-mail gateway to send the SMiShing e-mails from VBS/Eliles.A. There are thousands of such gateways open to anyone around the Net, and the fact is, these providers aren’t doing enough to ensure the messages they relay are legitimate. Imagine if your phone started to receive the volume of spam your e-mail account does, especially if you’re paying for the reception or connection time.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.