SanDisk USB Flash Drives Come with Built-in Security

March 8, 2008 – 6:52 PM

SanDisk on Monday announced a pair of USB flash drives designed to offer both security and access speed to business users.

Unveiled at the Gartner IT Security Summit in Washington, D.C., Cruzer Professional is designed for individuals and small businesses looking to share files, while Cruzer Enterprise includes such features as central management and regulatory compliance, according to company officials.

Both flash drives include password protection and 256-bit AES encryption and don’t require software installation on the host computer, connecting instantly to the Windows operating system, officials say. Both products offer read speeds of 24MB per second and write speeds of 20MB per second.

Cruzer Professional lets the owner establish a “secure zone” on the drive, which can be from 1% to 100% of the drive’s total capacity. The data inside that zone is password-protected, while information stored outside of that area is open to access by any user.

Cruzer Enterprise password-protects the entire drive, and all files stored on it are encrypted, officials say.

SanDisk also announced Cruzer Enterprise Central Management & Control, server software for performing password recovery, remote disabling of lost drives, centralized backup and restore, and tracking and auditing, according to officials.

Both drives work with Windows 2000, Windows XP, Windows Vista and Windows Server 2003.

Pricing for Cruzer Professional ranges from US$54.99 for 1GB of storage, $94.99 for 2GB and $144.99 for 4GB. Pricing for Cruzer Enterprise is set at $74.99 for the 1GB drive, $124.99 for the 2GB drive and $184.99 for the 4GB drive.

www.pcworld.com/article/id,132540/article.html

Dismantling a Botnet

March 8, 2008 – 6:51 PM

The arrest of Robert Soloway, the so-called “Spam King” who commanded a botnet of zombies that reportedly sent out billions of spam email messages every day, is a case study in just how difficult killing a botnet can be. His capture does not equate to the release of thousands of newly healthy client machines that may once have been his infected hostages.

“You are basically cutting a tapeworm in two. The infrastructure is still there, and it can be picked up by anyone who can find it or knows where it is,” says Ira Winkler, author of Zen and the Art of Information Security. “Authorities might be able to see what servers he connects to that command the rest of the bots, but it is unlikely that they will kill all of the bots.”

Researchers say Soloway had his own botnet for spamming — not for launching denial-of-service attacks like some botnets do, nor was it part of one of the infamous botnet “gangs” out there. And everyone was watching him and his movements. “The botnet wasn’t terribly sophisticated, but it was custom enough that it sort of stood out,” says Jose Nazario, software and security engineer for Arbor Networks. “It seemed to be primarily his own botnet, and he [probably] had a couple of guys in contract helping him out. People had their eye on him for quite a while.”

Even if authorities try to shut down his botnet, there are plenty more wanna-be spam kings and botherders waiting in the wings who probably already are snapping up the infected bots Soloway used, researchers say. “There’s always someone there ready to fill the void,” says Joe Stewart, senior security researcher for SecureWorks. “I don’t expect to see a decrease of spam in my inbox.”

Even if Soloway’s bots are freed, the machines are likely still infected, so another botherder can re-hijack them for his own botnet. “It’s easy to steal someone else’s bots,” Arbor’s Nazario says. Even scarier: if your machine happened to be one of Soloway’s bots, it may already have been recruited into another botnet without your knowing it, according to Nazario.

So how do you dismantle a botnet? It’s no easy task, and it requires infiltration of the botnet. SecureWorks’s Stewart says the most effective way to take down a botnet is to go after the actual hands-on operation, and that’s not the spam king. “There’s always a central server or some sort of central control mechanism, even if it’s a peer-to-peer network. Someone has the keys to control it all.”

That means taking down the command and control, or master, server. “Now all the zombies are dead and defunct because they can’t send mail if they don’t have contact with their master server,” he says. For peer-to-peer botnets — a distributed setup where each bot can send its commands on its own so it’s difficult to pinpoint the source of the command and control — you have to “convince” the controller to shut down the botnet operation, he says.

“There’s usually a way to build in an update to their software to convince them it’s time to shut down,” Stewart explains. “If you take away that person and their controlling of the botnet and get a list of all these infected machines before they are resold,” then you have a shot at taking it down.

The key is chipping away at the guys in the trenches. “It’s good to get rid of a spam kingpin. But you need to know where he’s getting his services from,” Stewart says.

Trouble is, many of the worker-bee spammers are in countries like China and Russia, out of the reach of U.S. law enforcement, Stewart says. “It’s a global economy here in the spam underworld.”

And investigators and ISPs are often in a quandary over whether to shut down a botnet altogether, for fear of inadvertently sabotaging an investigation by a researcher or another law-enforcement official, for instance. (See Battling Bots, Doing No Harm.)

Winkler says to truly dismantle a botnet, you need to not only find the servers that issue the commands, but also find the bot-infected end systems themselves. “If you observe the behavior of the bot servers to see what systems they connect to, you can then try to get the ISPs to tell the owners to clean up all the systems, which is the most work.”

Nazario says he doesn’t have any firsthand knowledge that law enforcement officials are completely killing the Spam King’s botnet. That would take studying the tools and techniques he used, and then the monumental task of getting antivirus and OS vendors to provide signatures to remove his malware. “That would be a major event,” he says. “They [vendors] have so many things on their plate that they have to triage and prioritize them.”

Shutting down a botnet usually requires not only taking down command and control servers, but also a quick, coordinated effort of officials around the globe, says Kris Kendall, principal consultant for Mandiant. “That’s a hard problem,” he says. “Battling botherders on their own turf is challenging.”

Investigators into the Soloway botnet may instead want to monitor it and see who’s using it and how. “They could sit where he would and watch who’s using it and follow them,” Nazario says. “That way they could find out more about the spamming underworld and his underworld.”

So the bots from Soloway’s botnet aren’t in the clear yet. His arrest was really more symbolic: “They were really looking to send a message to other spammers that they are being watched and can be caught. Until we start seeing a large number of these arrests on a fairly regular basis, it’s not going to have a significant impact,” Stewart says.

www.darkreading.com/document.asp

Google Desktop Vulnerable to New Attack

March 8, 2008 – 6:51 PM

Just one day after a security researcher showed how Google Inc.’s Firefox toolbar could be exploited in an online attack, a similar flaw has been discovered in the Google Desktop.

On Thursday, Google hacker Robert Hansen posted proof of concept details showing how attackers could use Google Desktop to launch software that had already been installed on the victim’s computer.

The attack is hard to pull off and could not necessarily be used to install unauthorized software on the victim’s PC, but it does illustrate the kind of security issues that arise with Web-based applications, said Hansen, the CEO of Web security consultancy Sectheory.com, and a contributor to the Ha.ckers.org Web site.

“When you have third parties writing code that interacts with your browser, it inherently breaks the browser security model,” he said.

To exploit Hansen’s Google Desktop vulnerability, an attacker would first have to launch a successful “man-in-the-middle” attack, somehow placing himself between the victim and Google’s servers. This could be done by tricking the victim into logging onto a malicious wireless network, Hansen said.

Once this was done, the hacker could launch Hansen’s attack by changing the Web pages being delivered to the victim’s PC. By returning Web pages that have been doctored with new JavaScript code, the victim could be tricked into clicking on a malicious link, Hansen said. “When they actually click that mouse button, they’re not clicking on the Web page, they’re clicking on a link to Google Desktop that actually runs code,” he said.

The steps Hansen took to pull off the attack are complex because of the security features that Google has built into its software, he added. “What I’ve done is combine a lot of different attacks that Google desperately tries to prevent.”

On Wednesday researcher Christopher Soghoian showed how a man-in-the-middle attack could be used to install malicious software on computers that used a variety of popular Firefox add-ons, including the toolbars from Google, Yahoo Inc., and AOL LLC.

Hansen has posted a video showing how this attack could be used to launch Windows HyperTerminal. But it could be used to launch virtually any application that has already been installed on the PC, he said.

This is not the first bug in Google Desktop. In February, engineers at Watchfire Corp. showed how a flaw in the program’s Advanced Search Feature could be used to gain access to data or even run unauthorized software on a victim’s computer.

Two days after the Watchfire bug was disclosed, Hansen himself showed how attackers could steal information from Google Desktop users using what is called an anti-DNS (Domain Name System) pinning attack.

Google was not immediately available to comment for this story.

www.pcworld.com/article/id,132470/article.html

Don’t trust Google Toolbar, researcher says

March 8, 2008 – 6:50 PM

Popular Firefox browser plug-ins are not doing enough to secure their software, a security researcher has said.

Many widely used Firefox extensions, including toolbars from Google, Yahoo and AOL do not use secure connections to update themselves, according to Christopher Soghoian, a security researcher who blogged about the issue.

Soghoian is best known as the researcher who attracted the attention of the FBI late last year after publishing a tool that could be used to print fake boarding passes.

The Indiana University doctoral student discovered the Firefox issue last month while examining network traffic on his computer. He noticed that many of the most popular Firefox extensions are not hosted on servers that use the Secure Sockets Layer (SSL) web protocol. SSL web sites, which begin with “https://,” use digital certificates to provide users with some level of assurance that they’re not connecting with a fake server.

Although the corporation behind Firefox, Mozilla, hosts the majority of Firefox extensions on its own SSL-enabled web site, it is common for commercial extension-makers such as Google to host their software on an unsecured site, Soghoian said in an interview.

This leaves users vulnerable to a “man-in-the-middle” attack, where Firefox could be tricked into downloading malicious software from a site it mistakenly thought was hosting an extension.

It wouldn’t be easy for an attacker to pull this off, however. In one scenario, the hacker would set up a malicious wireless access point in a public area where people are using wireless connections. He could then redirect extension update traffic to a malicious computer.

“An attacker who sets up a wireless access point can then infect anyone who connects to it,” Soghoian said.

The Del.icio.us Extension, Facebook Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker are also vulnerable, Soghoian said.

Though Soghoian said Firefox users should avoid extensions that are not from the secure Firefox add-ons site, not all security researchers see this as a major issue.

“It’s just yet another vulnerable design among billions,” said Gadi Evron, security evangelist for Beyond Security, via instant message. “I don’t see it as that critical. There is no inherent vulnerability, but it does make the overall design weaker, and that should probably be addressed.”

Evron said it was “silly” that sites weren’t using SSL for these extensions.

Soghoian said he notified Google, Yahoo, and Facebook of the issue in mid-April but nobody had addressed the issue as of Wednesday. Just hours after Soghoian went public with his findings, Google said it would “soon” have a fix for the problem.

It’s common for web developers to ignore security in the rush to push out new and cool features, Soghoian said. “Your average Web 2.0 developer doesn’t learn about security,” he said. “Google has a spectacular security team… my suspicion is that one hand wasn’t talking to the other.”

www.techworld.com/security/news/index.cfm

Encryption: 1024 bits are not enough

March 8, 2008 – 6:49 PM

The strength of the encryption used now to protect banking and e-commerce transactions on many Web sites may not be effective in as few as five years, a cryptography expert has warned after a new distributed key-cracking achievement.

Arjen Lenstra, a cryptology professor at the Ecole Polytechnique Fédérale de Lausanne (EPFL) in Switzerland, said the distributed computation project, conducted over 11 months, achieved the equivalent in difficulty of cracking a 700-bit RSA encryption key, so it doesn’t mean transactions are at risk – yet.

But “it is good advanced warning” of the coming dusk of 1024-bit RSA encryption, widely used now for Internet commerce, as computers and mathematical techniques become more powerful, Lenstra said.

The RSA encryption algorithm uses a system of public and private keys to encrypt and decrypt messages. The public key is calculated by multiplying two very large prime numbers. By identifying the two prime numbers used to create someone’s public key, it’s possible to calculate that person’s private key and decrypt messages. But determining the prime numbers that make up a huge integer is nearly impossible without lots of computers and lots of time.

Computer science researchers, however, have plenty of both.

Using between 300 and 400 off-the-shelf laptop and desktop computers at EPFL, the University of Bonn and Nippon Telegraph and Telephone Corp. in Japan, researchers factored a 307-digit number into two prime numbers.

Lenstra said they carefully selected a 307-digit number whose properties would make it easier to factor than other large numbers: that number was 2 to the 1039th power minus 1.

Still, the calculations took 11 months, with the computers using special mathematical formulas created by researchers to calculate the prime numbers, Lenstra said.

Even with all that work, the researchers would only be able to read a message encrypted with a key made from the 307-digit number they factored. But systems using the RSA encryption algorithm assign different keys to each user, and to break those keys, the process of calculating prime numbers would have to be repeated.

The ability to calculate the prime number components of the current RSA 1024-bit public keys remains five to 10 years away, Lenstra said. Those numbers are typically generated by multiplying two prime numbers with around 150 digits each and are harder to factor than Lenstra’s 307-digit number.
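To make the relationship the article describes concrete (the public modulus is the product of two primes, and whoever recovers those primes can recompute the private key), here is an added Python walk-through that is not code from the article or from Lenstra's project. It uses two constructed 7-digit primes so that plain trial division factors the modulus instantly; real 1024-bit keys use primes of roughly 150 digits each, and the researchers used the special number field sieve, not trial division. The last function adds one fact the page does not state: 2^1039 - 1 itself has 313 digits, and the 307-digit number the article refers to is the composite cofactor left after dividing out the small known prime factor 5080711.

```python
"""Toy RSA walk-through: why factoring the public modulus n = p*q hands
over the private key.

Added example, not code from the article or from Lenstra's project.
The primes below are constructed toy values (7 digits each) so that plain
trial division factors n in milliseconds; real 1024-bit keys use primes of
roughly 150 decimal digits, and the record factorization used the special
number field sieve rather than trial division.
"""
from __future__ import annotations

from math import gcd, isqrt

# Constructed toy primes (assumption: tiny on purpose, NOT a secure key size).
TOY_P = 1000003
TOY_Q = 1000033
PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT) -> tuple[int, int, int]:
    """Return (n, e, d): public modulus, public exponent and private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n, needs p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi (Python 3.8+)
    return n, e, d


def encrypt(message: int, e: int, n: int) -> int:
    """Textbook RSA encryption c = m^e mod n (no padding; illustration only)."""
    if not 0 <= message < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(message, e, n)


def decrypt(ciphertext: int, d: int, n: int) -> int:
    """Textbook RSA decryption m = c^d mod n."""
    return pow(ciphertext, d, n)


def factor_by_trial_division(n: int) -> tuple[int, int]:
    """Recover (p, q) from n by trial division.

    This is the attacker's step the article describes, in its most naive
    form.  It finishes quickly for a 40-bit toy modulus but is hopeless for a
    real key: for a 1024-bit n there are on the order of 2**511 candidates.
    """
    if n % 2 == 0:
        return 2, n // 2
    limit = isqrt(n)
    candidate = 3
    while candidate <= limit:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 2
    raise ValueError("no factor found; n may be prime")


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e), factor n and recompute d."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def mersenne_1039_digit_counts() -> tuple[int, int]:
    """Decimal digit counts of 2**1039 - 1 and of its composite cofactor.

    Known fact from the factoring record (not stated on the page): 2**1039 - 1
    has the small prime factor 5080711; the 307-digit number the article
    refers to is what remains after dividing that factor out.
    """
    m = 2 ** 1039 - 1
    if m % 5080711 != 0:
        raise ValueError("unexpected: 5080711 should divide 2**1039 - 1")
    return len(str(m)), len(str(m // 5080711))


if __name__ == "__main__":
    n, e, d = make_keypair(TOY_P, TOY_Q)
    c = encrypt(42, e, n)
    print(f"n = {n} ({n.bit_length()} bits); round trip ok: {decrypt(c, d, n) == 42}")
    print("private exponent recovered from public key only:",
          recover_private_exponent(n, e) == d)
    print("digits of 2^1039-1 and of its cofactor:", mersenne_1039_digit_counts())
```

The point of `recover_private_exponent` is that nothing secret is needed: the modulus and public exponent alone suffice once `n` is factored, which is exactly why the cost of factoring sets the security of RSA. Swap the toy primes for 150-digit ones and `factor_by_trial_division` never returns; the article's 11 months of 300 to 400 machines is what a far smarter algorithm needs for a specially chosen 307-digit target.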

The next target for Lenstra is factoring RSA 768-bit and eventually 1024-bit numbers. But even before those milestones are met, Web sites should be looking toward stronger encryption than RSA 1024-bit.

“It is about time to change,” Lenstra said.

www.techworld.com/security/news/index.cfm