EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

March 2007


March 26, 2007

Data Threats On the Rise, According to Report


The most recent Internet Security Threat Report Volume XI released by Symantec states that Internet threats these days are characterized by an increase in data theft, data leakage, and the creation of targeted, malicious code for the purpose of stealing confidential information that can be used for financial gain.

According to the report:

  • Symantec observed more than 6 million distinct bot-infected computers worldwide during the second half of 2006, a 29 percent increase from the previous period. However, the number of command-and-control servers used to relay commands to these bots decreased by 25 percent, indicating that bot network owners are consolidating their networks and increasing the size of the ones they already operate.
  • Trojans constituted 45 percent of the top 50 malicious code samples, representing a 23 percent increase over the first six months of 2006. This significant increase supports Symantec’s forecast from previous research, which noted that attackers appeared to be making a shift away from mass-mailing worms toward using Trojans.
  • Symantec documented 12 zero-day vulnerabilities during the second half of 2006, marking a significant increase from the one zero-day vulnerability documented in the first half of 2006, increasing the exposure of consumers and businesses to unknown threats.
  • Underground Economy Servers are being used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and e-mail address lists.
  • Theft or loss of a computer or data storage medium, such as a USB memory key, made up 54 percent of all identity theft-related data breaches.
  • For the first time, Symantec identified the countries with the highest amount of malicious activity originating from their networks. The United States had the highest proportion of overall malicious activity, with 31 percent; China was second, with 10 percent; and Germany was third, with 7 percent.

During the reporting period, Symantec observed a rise in threats to confidential information, driven by the increase in Trojans and bot networks that give an attacker access to a victim's computer. Attacks that obtain sensitive data stored on an infected computer can result in significant financial loss, particularly if credit card or banking information is exposed. Threats to confidential information made up 66 percent of the top 50 malicious code samples reported to Symantec, up from the 48 percent reported in the previous period. Threats that could export user data, such as user names and passwords, accounted for 62 percent of threats to confidential information during the second half of 2006, up from 38 percent in the first half of the year.

Posted by Jon Erickson at 11:17 AM


March 15, 2007

PDF Password Hack


ElcomSoft has released an Enterprise version of its Advanced PDF Password Recovery program, which makes it easy to remove both password encryption and usage restrictions from Adobe Acrobat PDF files.

APDFPR Enterprise supports all Adobe Acrobat versions (up to 8.0), including those that use AES encryption, and guarantees recovery of PDF files with 40-bit encryption using state-of-the-art "time-memory trade-off" technology.

APDFPR is a computer forensics tool that could be used by law enforcement, military, and intelligence agencies to open secured documents. PDF documents protected only with access-restriction (owner) passwords can be decrypted instantly, allowing full access to the document. For documents with "user" passwords (which cannot be opened without the password), the program tries passwords by brute force at a rate of a few hundred thousand passwords per second.

The code has been optimized for most CPUs such as Pentium II/III, Pentium 4, Intel Core/Core 2 (Duo) and Athlon. More sophisticated methods are available, such as applying all words from a dictionary. ElcomSoft's web site has dictionaries for more than 20 different languages, from English to Swahili.

Even if the above methods fail because the password is too long and complex, the program runs a special key search attack that gives a 100 percent success rate on files with 40-bit encryption (used in all Adobe Acrobat 4 files, and in most files from more recent versions), since a 40-bit key space can be searched exhaustively regardless of the password. If you have a dual-processor system, APDFPR takes advantage of it to double performance.

On modern systems with Intel Core Duo CPUs, the document can be recovered in at most 3-4 days, regardless of the password length and complexity. And in APDFPR Enterprise, ElcomSoft has introduced a new "rainbow attack" subsystem -- it ships with a DVD that contains special pre-computed hash tables that allow you to decrypt most (an estimated 99.6 percent) 40-bit PDF files in minutes instead of days, even on slow computers.
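The practical lesson for anyone relying on PDF password protection is that the strength depends on the encryption parameters written into the file's /Encrypt dictionary, not on the password alone: a 40-bit RC4 key (standard security handler /V 1, or /V 2 with /Length 40) is exhaustible, and the /P usage-restriction flags are enforced only by the viewer. The following audit script is an added example written for this column; it is not ElcomSoft's code and not part of the original post. It parses the /Encrypt dictionary of a PDF (indirect-reference form, which is what common writers emit), reports the algorithm and key size, flags 40-bit files, and decodes the /P permission bits. The three sample PDFs are constructed skeletons containing only the parts the audit reads; their /O and /U strings are placeholder hex, not values derived from any password.

```python
import re

# Constructed sample inputs: minimal PDF skeletons with just an encryption
# dictionary and a trailer pointing at it. /O and /U are placeholder hex.
SAMPLE_RC4_40 = b"""%PDF-1.3
5 0 obj
<< /Filter /Standard /V 1 /R 2 /O <0011223344> /U <5566778899> /P -1852 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

SAMPLE_AES_128 = b"""%PDF-1.6
7 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128
   /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
   /StmF /StdCF /StrF /StdCF
   /O <aabbccdd> /U <eeff0011> /P -1 >>
endobj
trailer
<< /Root 1 0 R /Encrypt 7 0 R >>
%%EOF
"""

SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Permission bits of /P for the standard security handler (bit 1 is the LSB).
PERMISSION_BITS = {
    "print": 3, "modify": 4, "copy": 5, "annotate": 6,
    "fill_forms": 9, "extract_accessibility": 10,
    "assemble": 11, "print_high_quality": 12,
}


def _int(body, key, default=None):
    """Read an integer entry such as '/Length 128' from a dictionary body."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default


def _name(body, key, default=None):
    """Read a name entry such as '/CFM /AESV2' from a dictionary body."""
    m = re.search(rb"/" + key + rb"\s*/(\w+)", body)
    return m.group(1).decode() if m else default


def find_encrypt_dict(data):
    """Return the body of the object the trailer's /Encrypt entry points at, or None."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", data, re.S)
    return obj.group(1) if obj else None


def audit_pdf_encryption(data):
    """Summarise a PDF's encryption parameters and flag exhaustible 40-bit keys."""
    body = find_encrypt_dict(data)
    if body is None:
        return {"encrypted": False}
    v = _int(body, b"V", 0)
    length = _int(body, b"Length", 40)          # /Length defaults to 40 bits
    if v == 1:
        algorithm, key_bits = "RC4", 40
    elif v in (2, 3):
        algorithm, key_bits = "RC4", length
    elif v == 4:                                # crypt filters: RC4 or AES-128
        cfm = _name(body, b"CFM", "None")
        algorithm = {"AESV2": "AES-CBC", "V2": "RC4", "None": "none"}.get(cfm, cfm)
        key_bits = 128 if cfm == "AESV2" else length
    elif v == 5:                                # AESV3: AES-256
        algorithm, key_bits = "AES-CBC", 256
    else:
        algorithm, key_bits = "unknown", 0
    p = _int(body, b"P", -1)
    perms = {name: bool(p & (1 << (bit - 1))) for name, bit in PERMISSION_BITS.items()}
    return {
        "encrypted": True,
        "filter": _name(body, b"Filter", "?"),
        "version": v,
        "revision": _int(body, b"R", 2),
        "algorithm": algorithm,
        "key_bits": key_bits,
        # 2^40 keys can be searched exhaustively, which is the attack the post describes.
        "weak_key": key_bits <= 40,
        # /P is advisory: a viewer that ignores it has full access to the content.
        "permissions": perms,
    }


if __name__ == "__main__":
    for label, sample in [("rc4-40", SAMPLE_RC4_40), ("aes-128", SAMPLE_AES_128), ("plain", SAMPLE_PLAIN)]:
        print(label, audit_pdf_encryption(sample))
```

Run over a directory of documents, the `weak_key` flag identifies files whose protection amounts to a 2^40 key search; re-saving them with AES (Acrobat 7 or later in the post's terms) removes the key-search shortcut, though a weak user password remains guessable whatever the cipher.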


Posted by Jon Erickson at 07:14 PM


March 05, 2007

RFID Cloning: What A Mess


Have you been following the IOActive/HID Global/BlackHat debacle? What a mess.

At the outset, and in the spirit of disclosure, let me point out that BlackHat is a conference run by CMP Media, the parent company of Dr. Dobb's. Not that that has anything to do with the mess at hand.

To recap: IOActive, "a professional services consulting firm specializing in information risk management and application security analysis," planned on presenting a paper entitled "RFID For Beginners" at the recent BlackHat Conference in Washington DC. The presentation was intended to describe the technical foundations of RFID technology (something Dr. Dobb's has done more than once; see Java and RFID Tags and RFID Blocker Tags, for starters) and to show security problems with contactless RFID. Well, as it turns out, HID Global, a very big corporation in the access control (aka "security") arena, sells contactless RFID products. And since IOActive was going to use publicly available information to show how to build a device capable of cloning HID cards, HID Global objected. That the device was akin to other RFID cloners and built from $20 worth of parts bought on eBay didn't quite matter.

The long and short of it is that IOActive is a little company with relatively few resources, and HID Global is a big company with lots of resources. You get the picture. HID Global issued some veiled threats regarding liability and IOActive opted to pull the presentation. However, IOActive later went ahead with the presentation, but didn't include reference to or details regarding anything HID.

What's odd is that RFID vulnerabilities are well known, and even HID Global has acknowledged them. But the approach of "hiring more lawyers instead of building better products" often wins out these days. HID Global has responded to the topic of "Proximity Card Cloning" in a letter signed by the company president but clearly written by the lawyers. In other words, it doesn't say much.

IOActive was more specific:

IOActive would like to clarify that the electronic design of our device, the associated schematic diagrams, and the source-code for the micro-controller component were developed by IOActive completely independent of any HID documents, and were principally based on information available on the Internet regarding RFID technology. In fact, we did not view any documentation prepared or produced by HID Global Corporation about their technology until after we received their demand letter.

What's too bad is that valid research that would benefit the public -- including HID Global's customers -- may not be made available.

Posted by Jon Erickson at 09:48 AM


