May 7, 2008 11:48 AM PDT

Spammers are going legit, and they're using Yahoo e-mail authentication servers to do it, said Mark Sunner, chief security analyst with MessageLabs.

Most people use the Web interface for Yahoo Mail, which attaches an advertising banner somewhere within each outgoing message. Yahoo also offers a paid service, Yahoo Plus, that lets the sender submit mail over SMTP from a traditional e-mail client such as Outlook Express or Thunderbird. Mail sent this way passes through Yahoo's outbound servers, which sign it with Yahoo's DomainKeys Identified Mail (DKIM) key.

The effect is twofold: the usual Yahoo advertising banner is gone, and the message arrives bearing a valid Yahoo DKIM signature, which many spam filters treat as a mark of legitimacy. MessageLabs found that anyone with a standard, free Yahoo account can also authenticate to the Yahoo Plus SMTP servers and send mail, without paying for the premium service. Sunner said in an interview with CNET News.com that this isn't a flaw; it appears to be just how the Yahoo service was designed.

Over 28 days in April, MessageLabs saw 1,127 unique Yahoo user IDs used to distribute this new kind of spam. Sunner said around 40 new IDs are being generated per day, and that IDs are not shared between different infected computers.

Further, says Sunner, the Yahoo accounts used--all from the same domain, @yahoo.co.uk--appear to have been automatically generated. That implies that the criminal hackers have somehow defeated Yahoo's CAPTCHA mechanism.

Details of ... Read more
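The practical question for anyone running a mail filter is what a DKIM pass from a free-mail domain should be allowed to buy. The following is an added example, not code from MessageLabs, Yahoo or the original post: it parses the tag list of a DKIM-Signature header from a constructed sample message (the selector, timestamp, body hash and signature value are made up and will not verify), extracts the signing domain, and applies a policy in which a valid signature identifies the infrastructure the mail passed through but never skips content filtering. The FREEMAIL set and the function names are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample message, standing in for mail that has passed through
# Yahoo's outbound servers and been signed there. The selector, timestamp,
# body hash and signature value are made up and will not verify.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk;
  s=s1024; t=1210160000; bh=dGVzdA==; h=From:To:Subject:Date;
  b=ZmFrZXNpZ25hdHVyZQ==
From: someone123456@yahoo.co.uk
To: victim@example.com
Subject: hello
Date: Wed, 7 May 2008 11:48:00 -0700

cheap pills
"""

# Constructed list of large free-mail signing domains; a real filter would
# load this from its own data.
FREEMAIL = {"yahoo.co.uk", "yahoo.com", "gmail.com", "hotmail.com"}


def dkim_tags(raw_message):
    """Return the tag=value pairs of the first DKIM-Signature header.

    RFC 6376 allows folding whitespace anywhere in the tag list, so all
    whitespace is stripped from values (the b= signature in particular is
    usually folded across several lines).
    """
    msg = email.message_from_bytes(raw_message)
    value = msg.get("DKIM-Signature")
    if value is None:
        return {}
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, val = item.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def from_domain(raw_message):
    """Domain of the header From: address (the one users and filters see)."""
    msg = email.message_from_bytes(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def filter_decision(dkim_pass, signing_domain, header_from_domain):
    """What a DKIM pass should, and should not, buy a message.

    A valid signature proves the message went through the d= domain's
    servers unmodified; it says nothing about whether the account that
    sent it is a spammer. The signing domain is therefore a good key for
    reputation tracking, not a reason to skip content filtering.
    """
    if not dkim_pass:
        return "unsigned-or-broken"
    if signing_domain != header_from_domain:
        return "third-party-signature"
    if signing_domain in FREEMAIL:
        # Per-account abuse is the norm here: keep filtering, and track
        # volume per signing domain and per From: address.
        return "content-filter+reputation"
    return "content-filter"
```

The lesson of the MessageLabs finding is in the last two branches: a signature from a domain that hands out accounts to anyone is an identity, not an endorsement, so the filter keeps running and the d= value becomes the key under which the 40-accounts-a-day pattern shows up.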

May 7, 2008 9:59 AM PDT

Last week on my Security Bites podcast I talked with Jeremiah Grossman, CTO of WhiteHat Security, about the recent spate of mass SQL injection attacks against Web sites backed by Microsoft SQL Server.

Grossman said that if users visit a site whose pages have been seeded with attacker content through SQL injection, their browsers will attempt to download a variety of exploits, not all of which target Microsoft products. One list from the Shadowserver Foundation includes exploits for Real and other vendors' software alongside those for various Microsoft security bulletins. Grossman also said that simply turning off JavaScript won't necessarily protect end users from this latest round of attacks, since the injected content can be plain HTML as well as script.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Me: Why don't you walk me through what a traditional SQL attack looks like.

Jeremiah Grossman: A traditional SQL injection usually starts off with a bad guy looking at your Web site (and) finding a spot in the Web site like a URL parameter that takes in some user-supplied data and constructs the database statement out of it. So a login form, user name and password fields, search fields are all possible. What a bad guy will do to test the vulnerability is to throw in some meta characters like a single quote or a semicolon into the input of the Web site. If the Web site doesn't properly handle these characters you'll get a database exception error message and they'll say things like ODBC error messages and some weird ... Read more

May 2, 2008 2:50 PM PDT

Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.

On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers fail to parse malicious code.

In the talk, Kuza55 included details on how various attacks use logged-out cross-site scripting (XSS), CSRF-protected XSS, JavaScript hijacking, session fixation, CSRF token fixation via XSS, and cross-site request forgery (CSRF) vulnerabilities to compromise desktop Internet browsers. The talk was provided to CNET as a PowerPoint presentation.

Dan Kaminsky, of IOActive, told CNET News.com that Kuza55 talked about the "obscure internal elements of things you can do to Web browsers. Like how to use browsers to attack other protocols. Or how to use text in a browser to attack other particular protocols."

Kuza55 started his talk by showing ways to use browser cookies for XSS attacks. In one method, "by abusing the path attribute (within a cookie) we can effectively overwrite cookies very specifically, or for the whole domain by setting lots of them." Kuza55 noted that in Firefox and in Opera there is a limit to the number of cookies each browser will store, with the oldest cookie being removed to make room for the new one. Thus an attacker can overwrite the existing cookies in these browsers by exhausting the limit. Internet Explorer does not

... Read more
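Both cookie tricks described above depend on two pieces of browser behaviour: a cookie whose path is more specific than the real one is sent ahead of it in the Cookie header, and a full cookie store evicts its oldest entry. The following is an added example, not code from Kuza55's talk or the original post: a toy model of one host's cookie store that implements those two rules (RFC 6265 ordering and path matching; the per-host cap of 50 is an assumed figure, not any browser's real limit) and a naive server that reads the first value for a name, which is how many frameworks behave. It goes slightly beyond the text by showing what the server actually sees in each case.

```python
class CookieJar:
    """Toy model of one host's cookie store in a browser: a per-host cap
    with the oldest cookie evicted when it is exceeded, and RFC 6265
    ordering of the Cookie request header (longest path first, then
    creation order). The cap of 50 is an assumed figure for illustration,
    not any browser's actual limit."""

    def __init__(self, per_host_limit=50):
        self.limit = per_host_limit
        self.cookies = []   # kept in creation order

    def set_cookie(self, name, value, path="/"):
        # Same name and path replaces the value in place; a different path
        # creates a second, independent cookie with the same name.
        for c in self.cookies:
            if c["name"] == name and c["path"] == path:
                c["value"] = value
                return
        self.cookies.append({"name": name, "value": value, "path": path})
        while len(self.cookies) > self.limit:
            self.cookies.pop(0)   # the oldest cookie goes first

    def cookie_header(self, request_path):
        matching = [c for c in self.cookies if path_matches(request_path, c["path"])]
        matching.sort(key=lambda c: -len(c["path"]))   # stable sort keeps creation order within a length
        return "; ".join("%s=%s" % (c["name"], c["value"]) for c in matching)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def server_session(cookie_header):
    """A server that takes the first 'session' value it sees, which is what
    most frameworks do when a name appears twice in the header."""
    for part in cookie_header.split("; "):
        if part.startswith("session="):
            return part[len("session="):]
    return None


def path_shadowing():
    """Attacker with a script-injection foothold sets a cookie of the same
    name scoped to a narrower path; it is sent ahead of the real one there."""
    jar = CookieJar()
    jar.set_cookie("session", "legit", "/")
    jar.set_cookie("session", "evil", "/account")
    return {
        "/": server_session(jar.cookie_header("/")),
        "/account/settings": server_session(jar.cookie_header("/account/settings")),
        "header": jar.cookie_header("/account/settings"),
    }


def exhaustion(limit=50):
    """Overwrite for the whole domain: flood the store until the real
    session cookie is evicted, then set a replacement with the same name."""
    jar = CookieJar(limit)
    jar.set_cookie("session", "legit", "/")
    for i in range(limit):
        jar.set_cookie("junk%d" % i, "x", "/")
    evicted = "session=legit" not in jar.cookie_header("/")
    jar.set_cookie("session", "evil", "/")
    return {"legit_evicted": evicted,
            "server_sees": server_session(jar.cookie_header("/")),
            "count": len(jar.cookies)}


if __name__ == "__main__":
    print(path_shadowing())
    print(exhaustion())
```

The defence on the server side follows from the model: reject requests whose Cookie header carries the same session name twice, and bind the session to something the attacker cannot set from a subpath or sibling host, rather than trusting whichever value arrives first.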
May 1, 2008 1:44 PM PDT

On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.

At its peak, Sunner said, the Storm botnet resided on one million computers worldwide. That number had come down to some 85,000 IP addresses by the end of April. He said that over the previous eighteen months Storm had held constant and, according to MessageLabs research, never decreased. "Other security companies have reported decreases in the past," he said, because of different methods of studying the botnet, "but this is the first decrease we've seen."

He credited the most recent patches from Microsoft with the decline. He said that in the weeks following the most recent Patch Tuesday there was a sharp drop off.

Given that the creators of Storm managed and maintained a constant flood of variations for more than a year, it's a little odd that they would just take their money and walk away. Sunner said that MessageLabs is seeing an increase in Srizbi, named for one of the Web sites from which it is downloaded. A Trojan, Srizbi uses rootkit technology to hide on an infected machine but, like Storm, it is also known to relay spam.

April 30, 2008 11:58 AM PDT

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) is available only to law enforcement.

(Credit: Microsoft)

This week, as first reported by CNET News.com, Microsoft talked publicly about COFEE, its free Computer Online Forensic Evidence Extractor. The company demonstrated the tool as part of a law enforcement conference held in Redmond.

COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab; data held only in memory, for example, would otherwise be gone.

COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Technology Crime Investigation Association's (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft's Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.

COFEE consists of plain text scripts; the data collected by these scripts is routed to the provided USB drive. Although intended for use from a command line, there is also a GUI option. Raw text captures are hashed with either SHA-1 or MD5 checksums. The results of an acquisition are then presented in either plain text or HTML. Each operation produces its own log file to help investigators.

Although Microsoft would not confirm any specific tools included ... Read more
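What the architecture above amounts to, in working form: run a fixed list of commands on the live box, write each raw capture to the evidence drive, hash it, and keep a per-operation log so the capture can be verified in the lab. The following is an added example, not COFEE's code or Microsoft's, and WINDOWS_COMMANDS is a constructed list of typical live-response commands, not COFEE's actual command set; demo_commands() substitutes portable stand-ins with fixed output so the collector can be exercised anywhere Python runs. Function names and the log layout are assumptions.

```python
import datetime
import hashlib
import json
import os
import subprocess
import sys
import tempfile

# Constructed list of typical live-response commands for a Windows host,
# for illustration only; this is not COFEE's actual command set.
WINDOWS_COMMANDS = [
    ("tasklist", ["tasklist", "/v"]),
    ("netstat", ["netstat", "-ano"]),
    ("ipconfig", ["ipconfig", "/all"]),
]


def demo_commands():
    """Portable stand-ins that run anywhere Python does, with fixed output."""
    return [
        ("hello", [sys.executable, "-c",
                   "import sys; sys.stdout.buffer.write(b'hello\\n')"]),
        ("interpreter", [sys.executable, "--version"]),
    ]


def run_capture(name, cmd, outdir):
    """Run one command on the live system, store its raw output on the
    evidence drive (outdir), hash it, and write a per-operation log."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    proc = subprocess.run(cmd, capture_output=True, timeout=120)
    raw_path = os.path.join(outdir, name + ".txt")
    with open(raw_path, "wb") as fh:
        fh.write(proc.stdout)
    log = {
        "name": name,
        "command": cmd,
        "started_utc": started,
        "returncode": proc.returncode,
        "stderr": proc.stderr.decode("utf-8", "replace"),
        "output_file": raw_path,
        "bytes": len(proc.stdout),
        "sha1": hashlib.sha1(proc.stdout).hexdigest(),
        "md5": hashlib.md5(proc.stdout).hexdigest(),
    }
    with open(os.path.join(outdir, name + ".log.json"), "w") as fh:
        json.dump(log, fh, indent=2)
    return log


def verify_capture(log):
    """Later, in the lab: does the stored capture still match its hashes?"""
    with open(log["output_file"], "rb") as fh:
        data = fh.read()
    return (hashlib.sha1(data).hexdigest() == log["sha1"]
            and hashlib.md5(data).hexdigest() == log["md5"])


def collect(commands, outdir=None):
    """Run every command in the given order and return the logs. Order the
    list most-volatile-first (memory and network state before disk)."""
    if outdir is None:
        outdir = tempfile.mkdtemp(prefix="live-response-")
    os.makedirs(outdir, exist_ok=True)
    return [run_capture(name, cmd, outdir) for name, cmd in commands]


if __name__ == "__main__":
    for entry in collect(demo_commands()):
        print(entry["name"], entry["bytes"], entry["sha1"])
```

Two caveats any live-response tool shares with this one: everything it runs changes the system it is examining (the collector itself appears in the process list and its output files touch the filesystem cache), so the order of collection and the timestamps in each log are part of the evidence; and the hashes only prove the capture has not changed since it was taken, not that the commands on a possibly rootkitted host told the truth.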

April 30, 2008 11:24 AM PDT

On Thursday and Friday, Microsoft will once again gather select security researchers in Redmond, Wash., for its seventh annual Blue Hat talks.

The conference, by invitation only, has gained a reputation for providing Microsoft engineers with a first-hand opportunity to hear from and question leading security researchers. There will be an executive event on Thursday, with general sessions on Friday. Microsoft has more on the Blue Hat schedule here, and a blog here.

Among those invited to present is Cesar Cerrudo, of Argeniss, who will update his Hack In The Box talk on Token Kidnapping. Cerrudo defines an access token as "an object that describes the security context of a process or thread," which includes the identity and privileges of the user account. He will show, according to Microsoft, "how it's possible in Windows XP and Windows Server 2003 to elevate privileges to Local System from any process that has impersonation rights."

What's interesting is that Microsoft issued a pre-patch advisory shortly after Cerrudo's April 17 Hack In The Box talk. CVE-2008-1436 states that "Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the NetworkService and LocalService accounts, which might allow context-dependent attackers to gain privileges...related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services." Service accounts such as NetworkService and LocalService hold SeImpersonatePrivilege by default, which is why IIS worker processes are the obvious place to start looking. Look for a Microsoft patch announcement regarding this in May.

Other presentations at Blue Hat worth noting are Alex "Kuza55" K. of SIFT on "Web Browsers and Other Mistakes";

... Read more
April 29, 2008 1:20 PM PDT

Despite the threat of legal action by one voting machine vendor, Princeton University professor Ed Felten is continuing his independent investigation of perceived irregularities in New Jersey's February 5, 2008 presidential primary election. On Friday, a New Jersey state judge ruled that voting rights activists will also have the right to have their own independent expert examine the state's electronic voting machines.

The question is integrity. What Felten has found so far isn't enough to change the election results, but evidence presented on his blog site suggests there might be enough to undermine our confidence in the electronic system as it stands. Various county clerks in New Jersey who perceive the February counts as being off have supplied Felten with voting machines and paper audits. Sequoia Voting Systems, which produces most of the voting machines in New Jersey, has threatened legal action against Felten and his team if they pursue an independent investigation. Sequoia has said it would appoint its own team of investigators.

The threats haven't stopped Felten.

On March 19, Felten wrote that the "opinion switch," meaning the number of times the ballot was changed to Democrat or Republican, didn't add up to the total votes cast for each party. In this case, there was always one extra vote.

On March 20, Felten posted Sequoia's response. In part, the vendor said that "we have found that when a poll worker selects the lower of the two assigned selection codes, followed by pressing

... Read more
April 29, 2008 11:13 AM PDT

After years of prodding from pesky security software reviewers like myself, Symantec has finally created a user forum for its Norton products. Although still officially in beta, the forum has been operating in-house for a few months and thus has already generated some useful how-to information.

Moderator Dave Cole sums up the project in a welcome note:

We've been working on re-launching our product forums for several months now and are happy to finally officially open the door on the beta. We kicked off this project with the intent of creating a place where Norton customers, employees and other people interested in dialogue could meet online to discuss our products and related topics, from system tune-up to scrubbing malware from PCs. Whether it's an idea for a new feature, a feature you love, or something that simply doesn't work for you, go ahead and register as a user and let us know what's on your mind.

So far only Norton Internet Security has its own support thread. Under "Other Products," however, you will find separate discussions of Norton 360, Ghost, and Norton Antivirus. No word yet when the project will be out of beta.

April 29, 2008 11:02 AM PDT

Jerome Kerviel, a former high-risk trader at France's Societe Generale, last week started a new job at Lemaire Consultants & Associates, a computer security and system development company.

Kerviel remains under investigation for one of the largest bank frauds in history. In January 2008, Societe Generale accused 31-year-old Kerviel of being a computer genius who took on trades far beyond what he was authorized to do. As a result, the company has declared a loss of $7.6 billion.

In his defense, Kerviel told investigators he did nothing more than what others were doing.

On March 18, he was released from jail, and last week he started work at Lemaire. Jean-Raymond Lemaire, the company's founder, reportedly made the job offer before Kerviel served his sentence.

The New York Times reported that until last week Lemaire was on a list of those Kerviel was barred from contacting. The Times also reports that in his new job, Kerviel is forbidden to set foot inside a trading room or an exchange and may not engage in any activities related to financial markets.

April 29, 2008 10:33 AM PDT

On Tuesday, Check Point Software Technologies announced support for the Apple iPhone in its VPN-1 virtual private network (VPN) gateway software.

Using the iPhone's built-in Layer 2 Tunneling Protocol (L2TP) client, which runs L2TP over IPsec (L2TP on its own provides no encryption), VPN-1 is able to provide secure, encrypted access for iPhone users communicating with enterprises currently running Check Point's VPN-1 gateway.

About Defense in Depth

With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news, as well as the hands-on, non-technical advice you'll need to stay safe online.
