Unlike VMware, which with its acquisitions of Blue Lane, and Determina seems set for head to head competition with the security industry, we believe that this capability set is best added on top of the Xen hypervisor base by an ecosystem of vendors and the community, in a way that allows those vendors to add value to all Xen based products, independent of the particular Xen vendor. If, say, a McAfee or Symantec product were released for the Xen Introspection API, then it is our specific goal that it would work for XenServer and for all other Xen based products on the market.
Hoff, chief security architect at Unisys and a frequent speaker on virtualization security topics, isn’t convinced. He sees the role of hypervisor vendors in the security world differently. On his Rational Survivability blog, he says:
It’s important to understand that I’m not suggesting that virtualization platform providers should secure the actual guest operating systems but they should enable an easier and more effective way of doing so when virtualized.
I mean that the virtualization platform providers should ensure the security of the instantiation of those guests as “hosted” by the virtualization platform. In some cases this means leveraging technology present in the virtualization platform to do things that non-virtualized instances cannot. That’s more than just securing the hypervisor.
Securing the hypervisor whilst closing your eyes to the likelihood that the majority of attacks against it and other guests will come from “guests” within the same system is planting your head in the sand. That means that there will be a need to ensure that certain behaviors specific to the hosted guests are mitigated to ensure that bad things don’t happen — to the guest or the hypervisor.
Transferring the responsibility to secure the environment to third party security ISV’s in order to secure the VM’s and preventing them from compromising one another or the hypervisor is difficult for me to comprehend, especially when they are playing catch up of what virtualization means within the context of security.
So how to settle this? Glad you asked. Hoff has proposed — and Crosby has accepted — a “sumo suit smackdown” at next year’s RSA conference.
What: Sumo Suit VirtSec Smackdown (how Xen/Zen!)
Who: Simon Crosby vs. Chris Hoff
Where: RSA 2009, Moscone Center, San Francisco, Venue TBD
When: During the April 20-24th, 2009 timeframe
Why: You know why…
Wow: This will be a charity event with the proceeds going to Johnny Long’s Hackers for Charity which you can find out about here.
None of the Vegas sports books has a line on the bout yet, but considering that Hoff is an expert in Brazilian jiu-jitsu, I’d make him an early 3:1 favorite. I can virtually guarantee it will be more entertaining than any of the RSA keynotes and the Kimbo Slice-Seth Petruzelli fight.
The loss of accreditation is the result of EstDomains’ president, Vladimir Tsastsin, being convicted of several crimes in Estonia in February, including credit card fraud and money laundering, according to a letter ICANN sent to Tsastsin Tuesday.
Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction.
ICANN is now looking for another registrar or registrars to take over the hundreds of thousands of domains that EstDomains managed.
As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains.
EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names.
The EstDomains termination is set to go into effect on Nov. 12.
Publicity-seeking moves this month included antivirus software maker F-Secure’s call for an international police force to combat computer crime; Panda Security’s release of a study that draws a connection between cyber attacks and the stock-market crash; and McAfee’s appointment of a chief cyber security mom. The goal of that position, says McAfee Chief Executive Dave DeWalt, is to make tech security a “family” issue.
There are a couple of things that deserve some examination here. First, let’s just stipulate that security companies have been using gimmicks, scare tactics and all manner of other trickeration to hype their products since the dawn of the Internet age (and probably earlier). That’s just a given. (One small example: A security company that shall remain nameless once sent me an entire iron-and-wood seat from an old movie theater to promote its involvement with some upcoming movie or other. The thing must have weighed 85 pounds, so God knows what it cost to ship. Your license fees at work.) Second, it’s hard to imagine a more cynical example of this than the McAfee move that Worthen cites: the appointment of a cybersecurity mom. Ugh.
Now, I get that vendors are always looking for new ways to make the security story real, both for consumers and enterprises. There’s no question that people have started to tune out when they hear someone talking about another data breach or identity theft. There are just too many of them to keep track of, and if it doesn’t directly affect you, you’re pretty unlikely to care. And telling people that they should care isn’t going to do it, either.
The faulty assumption behind all of these gimmicks and goofy campaigns is that people don’t understand the threat, so vendors need to play the role of doomsayers or carnival barkers. In my experience, even the least technically savvy people see through these tactics and end up developing a bad image of the companies that employ them. I’m probably shouting into the wind on this, because the vendors have shown no signs of slowing down with this junk, and the threats themselves aren’t going away anytime soon. So I guess we should all prepare ourselves for a vendor to announce the inevitable appointment of Harry Potter as Chief Security Wizard sometime soon.
A user of an Android phone who uses the Web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the Web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.
The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into Web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple’s iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised.
Miller and other ISE researchers last year found one of the first security problems with the iPhone, a flaw that enabled attackers to compromise the phones using a malicious Web page. The attack allowed an attacker to read the victim’s SMS messages, address book, call log and other stored data.
Google is aware of the problem with the G1 and is working on a fix.
From the ThreatExpert description of Gimmiv.A:
It starts from probing other IPs from the same network by sending them a sequence of bytes “abcde” or “12345”. The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service. As is known, Server service uses a named pipe SRVSVC as its RPC interface, which is registered with UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188.
Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize a path “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA” by calling the vulnerable RPC request NetPathCanonicalize.
Microsoft had some information about Gimmiv.A in its description of the new vulnerability yesterday, saying the company had added signatures for the Trojan to the Microsoft Malware Protection Center and had shared the information with its AV partners as well.
The analysts at F-Secure have a good description of the Trojan’s behavior, too:
On execution, the malware drops a DLL component (which is also detected as Trojan-Spy:W32/Gimmiv.A) as
- [System Folder]\wbem\sysmgr.dll
and injects it into svchost.exe. The main executable file will then delete itself.
As part of its routine for connecting to a remote server, the Trojan will take into account both the operating system version and the presence of any security applications in the system. The Trojan checks for the following antivirus programs:
- OneCare Protection
The trojan then connects to:
The two parameters ‘abc=’ and ‘def=’ are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2.
The trojan then harvests the following information from the infected machine:
- MSN Credentials
- Outlook Express Credentials
- Protected Storage Information
- Patches Installed
- Browser Information
- Username (web browsing)
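The ThreatExpert and F-Secure write-ups above give a defender four observable traces of Gimmiv.A: the “abcde”/“12345” probe bytes sent to neighbouring hosts, a NetPathCanonicalize call on the SRVSVC interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) with a path that walks above the root, the dropped [System Folder]\wbem\sysmgr.dll, and a beacon carrying the ‘abc=’ and ‘def=’ parameters. The following is an added example, not code from ThreatExpert, F-Secure or Microsoft, that turns those traces into detection rules and runs them over constructed sample events. The event-record layout, the `max_component` threshold, the sweep threshold and the C2 hostname are assumptions made for the example; the beacon rule goes slightly beyond the text by requiring both parameters with small integer values, since the write-up only names the parameters.

```python
"""Detection rules for the Gimmiv.A / MS08-067 behaviour described in the
ThreatExpert and F-Secure write-ups. Added example; event format is assumed."""
from urllib.parse import urlparse, parse_qs

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # from the ThreatExpert text
PROBE_PAYLOADS = {b"abcde", b"12345"}                   # pre-exploit probe bytes
DROPPED_DLL_SUFFIX = r"\wbem\sysmgr.dll"                # [System Folder]\wbem\sysmgr.dll


def climbs_above_root(path: str) -> bool:
    """True if '..' components take a backslash path above its root."""
    depth = 0
    for comp in path.split("\\"):
        if comp == "..":
            depth -= 1
            if depth < 0:
                return True
        elif comp not in ("", "."):
            depth += 1
    return False


def is_suspicious_canonicalize(uuid: str, op: str, path: str, max_component: int = 64) -> bool:
    """Flag NetPathCanonicalize on SRVSVC when the path escapes the root or
    carries an overlong component. max_component is an assumed threshold."""
    if uuid.lower() != SRVSVC_UUID or op != "NetPathCanonicalize":
        return False
    overlong = any(len(c) > max_component for c in path.split("\\"))
    return climbs_above_root(path) or overlong


def probe_sweeps(events, min_targets: int = 3):
    """Return {src: sorted targets} for sources that sent the probe bytes to
    at least min_targets distinct hosts (assumed threshold)."""
    targets = {}
    for ev in events:
        if ev["type"] == "tcp" and ev["payload"] in PROBE_PAYLOADS:
            targets.setdefault(ev["src"], set()).add(ev["dst"])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def is_beacon_url(url: str) -> bool:
    """Both 'abc' and 'def' present with small integer values (AV and OS codes)."""
    qs = parse_qs(urlparse(url).query)
    vals = [qs.get("abc", []), qs.get("def", [])]
    return all(v and v[0].isdigit() and int(v[0]) < 100 for v in vals)


def is_dropped_dll(path: str) -> bool:
    return path.lower().endswith(DROPPED_DLL_SUFFIX.lower())


def triage(events):
    """Run every rule over a list of event dicts; return (id, reason) hits."""
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "rpc" and is_suspicious_canonicalize(ev["uuid"], ev["op"], ev["path"]):
            hits.append((ev["id"], "srvsvc-canonicalize-traversal"))
        elif t == "http" and is_beacon_url(ev["url"]):
            hits.append((ev["id"], "gimmiv-beacon-params"))
        elif t == "file" and is_dropped_dll(ev["path"]):
            hits.append((ev["id"], "gimmiv-dropped-dll"))
    for src, dsts in probe_sweeps(events).items():
        hits.append((src, "probe-sweep:%d-hosts" % len(dsts)))
    return hits


# Constructed sample events, not a real capture.
SAMPLE_EVENTS = [
    {"id": 1, "type": "tcp", "src": "10.0.0.5", "dst": "10.0.0.10", "payload": b"abcde"},
    {"id": 2, "type": "tcp", "src": "10.0.0.5", "dst": "10.0.0.11", "payload": b"12345"},
    {"id": 3, "type": "tcp", "src": "10.0.0.5", "dst": "10.0.0.12", "payload": b"abcde"},
    {"id": 4, "type": "tcp", "src": "10.0.0.7", "dst": "10.0.0.10", "payload": b"GET / HTTP/1.0\r\n"},
    {"id": 5, "type": "rpc", "uuid": SRVSVC_UUID, "op": "NetPathCanonicalize",
     "path": "\\c\\..\\..\\" + "A" * 29},
    {"id": 6, "type": "rpc", "uuid": SRVSVC_UUID, "op": "NetPathCanonicalize",
     "path": "\\share\\docs\\..\\report.txt"},
    {"id": 7, "type": "http", "url": "http://c2.example.invalid/collect?abc=1&def=2"},
    {"id": 8, "type": "http", "url": "http://www.example.com/search?q=abc"},
    {"id": 9, "type": "file", "path": r"C:\WINDOWS\system32\wbem\sysmgr.dll"},
    {"id": 10, "type": "file", "path": r"C:\WINDOWS\system32\wbem\wmiprvse.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The canonicalize rule keys on the traversal rather than on the exact “AAAA…” filler, so a benign `\share\docs\..\report.txt` passes while any request that climbs past the share root is flagged; the sweep rule needs several distinct targets from one source so that a single stray probe does not page anyone.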
Microsoft said in its advisory Thursday that the MS08-067 vulnerability could be a target for a worm, and other security experts warned of that possibility as well. Gimmiv.A does not seem to be a major threat right now, but these things have a way of gathering steam quickly once they get going.
An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:
1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.
The new RPC flaw is causing flashbacks for many in the security community who remember the RPC DCOM vulnerability that the Blaster worm exploited in 2003. That worm hammered networks across the Internet and was one in a years-long line of worms such as Slammer, Code Red and Nimda. Those kinds of worms are largely a thing of the past now, but this latest vulnerability has all the makings of a worm hole.
We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.
We conclude that wired computer keyboards sold in the stores generate compromising emanations (mainly because of the cost pressures in the design). Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively unexpensive (sic) equipments.
These kinds of attacks against displays have been common knowledge for decades, and other researchers, including Markus Kuhn and Ross Anderson, have identified keyboards as being possible targets, as well. Vuagnoux and Pasini plan to release a paper with their full findings later.
The bureau also estimated that the operation prevented $70 million in economic losses. Now, I’m certainly happy to see the FBI and other agencies around the world making a dent in the cybercrime problem. It’s a global scorpion’s nest that’s gone unaddressed for way too long. But I’m always skeptical when I see this kind of estimate thrown around with no data to back it up. I’m sure the bureau based its statement on something, but we’ll never know what it is. But, the reality is that whether the number is accurate is basically irrelevant. It could be off by an order of magnitude, and it’s still just a grain of sand on the giant cybercrime playground. Online crime is such a low-risk, high-reward activity that criminals who as little as five years ago would have been selling drugs or running kidnapping rings are now setting up dozens of loosely organized online crime cells around the world, and raking in millions in virtually risk-free profits. Not good times.
The FBI knows this very well, but it also knows the psychological value of making even a small dent in the global cybercrime infrastructure. It’s a method that has served the bureau well in its decades-long fight against traditional organized crime: take down the lower-level guys and then use them as leverage to work your way up the ladder. Cybercrime is obviously a different animal, with its worldwide scope and loose, fluid structure. But progress is progress, no matter how small.
UPDATE: Kevin Poulsen on Wired’s Threat Level blog has an excellent post about this investigation, which lays out the evidence that the FBI’s cybercrime group itself was running DarkMarket for the last two years.
The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants’ assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.
According to papers filed with the court, the defendants deceptively marketed a variety of products through spam messages, including a male-enhancement pill, prescription drugs and a weight-loss pill.
Spamhaus, the organization that tracks spammers and keeps a list of all the known spammers online, said that the HerbalKing group had been the most prolific spammers in the world for most of 2007 and 2008 and had been working since 2005. The group also said that despite the indictments and asset seizures on Tuesday, the gang’s spam activities have continued unabated in the last 24 hours, most likely because much of the operation is automated through the use of botnets. And, Spamhaus officials said, “Spammers such as this gang and the Russians, Indians and others they work with care little about the law. Spamhaus notes that most will not quit spamming until they are behind bars.”