Compression lets attackers tap VoIP calls

June 17, 2008 – 7:56 AM

A common compression technique can make internet telephone calls significantly more susceptible to bugging, according to recent research from Johns Hopkins University.

Internet telephony has become widely used through consumer-centric applications such as Skype, and is becoming more common in enterprises.

The new research suggests, however, that standard encryption and compression methods, when used together, are not sufficiently secure.

VoIP calls are commonly encrypted using a technique that preserves the lengths of voice patterns in the original, unencrypted conversation, the researchers said.

Such calls are relatively difficult to listen in on, they said. But when length-preserving encryption is used with the variable bitrate (VBR) compression technique, the combination leaks a significant amount of information about the conversation, they found.

“Previous work has shown that combining VBR compression with length-preserving encryption leaks information about VoIP conversations,” the researchers said in the report. “We show that this information leakage is far worse than originally thought.”

In such conversations, particular phrases could be identified within encrypted VoIP calls with more than 90 percent accuracy. Even in decoding entire conversations, accuracy was significant, the research found.

“On average, our method achieves recall of 50 percent and precision of 51 percent for a wide variety of phonetically rich phrases spoken by a diverse collection of speakers,” the researchers said.

The problem arises because VBR compression alters the compression rate based on the type of sound being compressed, using higher compression for simpler sounds and lower compression for more complex sounds.

Read the rest of the story…

Security Bonuses for Vista Programmers

June 16, 2008 – 2:46 PM

In this era in which software, especially prominent software, must be presumed to be under attack, you need the best tools to defend yourself. Much has been made of security features built into Windows Vista, such as IE Protected Mode, which accrue to all users. However, programmers can easily gain new security defenses for their applications if they code Vista-specific sections in them.

Some of these facilities are famous and don’t actually involve any coding changes at all, at least not for their own sake. Take ASLR, or Address Space Layout Randomization. This feature loads program images into random locations, making it hard for shell code in many attacks to run reliably. Note that this defense presumes that the attack code has begun executing, but it prevents it from doing meaningful damage. All a programmer has to do is to link the program with a relatively modern version of the linker and use the /DYNAMICBASE linker switch.

What happens if attack code executes in an ASLR program? The program will almost certainly crash. This is a good thing, in the sense that it’s a lot better than the shell code in the attack program executing. This is a common theme among many of the new Vista-specific defenses.

DEP, or Data Execution Prevention—also known as NX support—is similar in effect. All reasonably modern processors, and certainly anything that can run Windows Vista, can be set to throw an exception when program code is run from an area marked as data. This is a fundamental technique for vulnerability exploit: Send data to a program that tricks the program into transferring program control to attack code sent by the attacker, and this code will inevitably be stored in a data area such as the heap. All programmers need to do to take advantage of NX is to link with the /NXCOMPAT switch. This is not a Vista-specific feature, by the way; it was added in Windows Vista SP2, and even after all that time relatively few programs opt into it, which is both surprising and appalling. We should expect more from developers.

Read the rest of the story…

YouTube Addicts Beware

June 16, 2008 – 11:38 AM

From Web sites related to online banking, credit unions, financial departments, and social networking sites, phishers are chucking their rods into relatively new territory: video streaming sites.

Trend Micro Content Security team learned about this latest (and very interesting) phishing technique a few days back. Several phishing domains (see Figure 1) carry scripts that refer to legitimate YouTube video links.

This nifty social engineering technique means that the user can actually search and watch videos not knowing they are within malicious domains. In fact, when a user finally logs on to YouTube (still within the malicious domains), the browser redirects to the real YouTube site. However, the key risk here is that since the fake login console resides on the malicious domains, it is highly possible that whoever is behind these servers is going after the users’ login information.

The motives? To get the user names and passwords of YouTube users and use them in order to gain a high page ranking. While monetary gain seems unlikely, a slight stretch of creativity points us to the possibility of phishers selling this “service” to fly-by-night promoters and ad agents, or basically to anyone willing to buy stolen data to increase their hits.

We are still closely inspecting how this technique works and are monitoring domains that use similar techniques. We believe these sites may have been set up in preparation for a spam run that contains links pointing to these sites. But we are not waiting for that spam run to show up in our honeypots. As early as now, the two malicious domains are already blocked by Trend Micro Web Threat Protection technology. As usual, users are advised to visit their regular online haunts using their clean bookmarks and to refrain from clicking on links in unsolicited email.

To create a bookmark (in Windows), type in the URL of the desired site in the browser’s address bar and press enter. Once the site shows up, go to Favorites and click Add Favorites, then press enter to save the bookmark.

Read the rest of the story…

Details emerge of Safari “carpet bomb” flaw

June 16, 2008 – 5:51 AM

The vulnerability known as the Safari carpet bomb has still not been fixed, despite Microsoft releasing a security update for Internet Explorer last Tuesday evening. The consensus is that Microsoft’s browser is the main cause of the problem, which can create a security hole in combination with Apple’s Safari.

When Internet Explorer starts up, it searches for DLLs not only in the windows system folders where they are expected to be stored, but also on the desktop. Unfortunately, it also searches the desktop first when it is launched via the desktop shortcut, regardless of whether the SafeDllSearchMode function is activated.

This, in combination with Safari’s much criticised behaviour of downloading files directly to the desktop without asking, creates the security problem. If a crafted DLL makes its way onto the desktop while a user surfs with Apple’s browser, it could cause a system infection if Internet Explorer is subsequently started. According to reports, the unusual DLL loading process occurs in Internet Explorer 6, 7, and the forthcoming version 8 under both XP and Vista.

Security specialist Liu Die Yu has released the code of a demo exploit, which causes Notepad to open when Internet Explorer is started. He also provides a proof of concept page, which saves a file named schannel.dll to the desktop when visited with Safari. Normally, this library contains the functions for secure communication via SSL/TLS.

Since there are currently not many Windows users browsing the web with Safari, the problem is relatively limited in scale. Affected users should follow Microsoft’s advice and define a separate download folder for Safari (Edit/Settings/Save downloads in). Firefox also saves downloaded files to the desktop by default but it asks the user beforehand.

Read the rest of the story…

A Guide to Protecting Your Identity Online

June 14, 2008 – 5:42 PM

With identity theft on the rise and personal information at a premium, it’s never been more important to be cautious about what you reveal online.

Social-networking sites such as Facebook have largely usurped chatrooms and forums — at least in the grown-up world — as fun places to hang around online and engage in harmless distractions. Unfortunately, they’ve also replaced chatrooms in the tabloid consciousness as the place where paedophiles go to pick up victims.

But while we conscientiously monitor our kids’ internet use and apply restrictions to the sites they can visit and the times they’re allowed to go online, we may be putting ourselves in other sorts of danger.

Practice What You Preach

Having taught your kids to chat only to people they know and to limit the amount of personal information they give out, consider whether you practice what you preach.

Announcing to the world (via your Facebook profile) that you’re bungee-jumping at Victoria Falls tells us you’re still game for a laugh. If your profile also states your birth date, home town, address and phone number, along with a reference to your current and past employers, you’ve left yourself wide open to someone becoming the new you.

In the past, a tell-tale message on your phone stating that you’re on holiday would have been brilliant news for an opportunist thief. The equivalent these days is the careless status update or unprotected online profile that enables a cybercrook to sell on your personal details.

Read the rest of this story…