Security News Collected by AWSODA-SYSTEMS: 2008-03-30

Here are the latest updates for security-news@awsoda.net

Charlie's Angels, James Bond or Ethan Hunt could not have done it any better. British researcher Matthew Lewis recently unveiled a mechanism that captures fingerprints used for secured access in doors and computer systems. And he did not even have to dodge bullets or wear prosthetics to do it.

Universally known as biometrics, it is the study of methods for distinctively recognizing humans using one or more fundamental physical or behavioral qualities. Perhaps the most popular form of biometrics is fingerprint recognition technology, which is slowly gaining use in laptop computers, smart cards, and employee identification.

Lewis, who works for Information Risk Management, demonstrated his proof-of-concept device during March's Black Hat Amsterdam conference. The researcher believes that despite biometrics' reputation as a suitable replacement instead of a mere supplement for existing security protocols, it will soon serve as a bane for users and companies alike.

Dubbed as a biometric keylogger, or biologger, Lewis demonstrated how he, by means of a man-in-the-middle laptop, was able to intercept unencrypted transmissions between a certain access control device and a back-end server. Using a certain algorithm, he was able to reconstruct an image of a fingerprint that can be used to unlock computers or building doors. Furthermore, he was able to issue commands on to the said access control device such as adding new users with full administrative privileges without using a valid fingerprint ID.

Despite some limitations in his study, Lewis was pretty clear in his message that biometrics is not the immaculate end-all solution that people may perceive it to be. So long as biometric technology and its surrounding infrastructure are vulnerable, the threat of biologging looms in the horizon. The surprising indication of biometric data going about unencrypted should be a worrying item on developers' to-do lists. True to Isaac Asimov's words, good Hollywood science fiction is indeed based on real science.

ShareThis

• Email to a friend • Article Search • Related • View comments • Track comments •

•

Rate 'Iâ€™ve Got Your Fingerprints Under My Skin'

Flash Vulnerability Takes Down Vista in PWN to OWN

After the famous two minutes it took three security researchers to hack the equally famous Apple MacBook Air, Computerworld reports that another security researcher accomplished a similar feat, this time on a Vista notebook.

The said notebook was running on the Windows Vista Ultimate platform and comes with an installed Flash Player from Adobe. A critical vulnerability in Flash was successfully exploited by Shane Macaulay, a consultant at Security Objectives, enabling him to break into a Fujitsu U810 running Windows Vista Ultimate SP1, and making him the owner of the notebook as well. Macaulay and two other researchers also received a cash reward for this.

This would be the second high-profile hacking in “PWN to OWN” — a challenge that seeks to expose vulnerabilities and bugs in PCs and laptops. The contest offers prizes to researchers who successfully unveiled unknown system and software glitches that may be exploited by malicious users in the future.

The challenge requires the winners to remain silent about their hacking method until after the vendors of affected software have provided the necessary patches and solutions.

If it would be any consolation, no one won the “PWN to OWN” first day challenge, which required that laptops be broken into without user interaction and using only remote code execution. The two successful exploits were done by tricking users and by replicating their behaviors.

Tend Micro advises users to consistently update patches of all applications installed to address known vulnerabilities.

ShareThis

• Email to a friend • Article Search • Related • View comments • Track comments •

•

Rate 'Flash Vulnerability Takes Down Vista in PWN to OWN'

Massive Site Compromise: The Siege Continues

Numbers of legitimate Web sites have again succumbed to another case of iFrame Search Engine Optimization (SEO) poisoning. Among those reported compromised were the Washington State University site and several news sites such as Sun Gazette and Tribune-Chronicle. Proof is the following screenshot which shows how many search results turned up when the unlikely search term “nmidahena.com” is used:

This is yet another incident following what looks like a never-ending string of attacks that has compromised high-profile Web sites such as ZDNet Asia and TorrentReactor early last month. Shortly after, Wired.com and History.com also got affected and was then followed by another attack, this time affecting a number of news Web sites. This may suggest that cyber criminals, apart from taking advantage of this SEO vulnerability are also testing which type of Web sites they may get more out of. From social networking and entertainment to news and education, the trend may depend on where cyber criminals think the traffic is at.

Trend Micro detects the JavaScript in the inserted iFrame tags as JS_IFRAME.US. It then downloads a file from the URL http://www.{BLOCKED}ena.com which is detected as JS_DLOADER.TVP. This in turn downloads a file detected as JS_NEVAR.A.

Further investigations by Trend Micro Researchers reveal that the tool used in conducting this massive attack is not new, but in fact was already used in a similar attack last year. The toolkit that previously used the domain yl18.net and compromised hundreds of Web sites in November last year is the same toolkit used in this attack, this time using the domain nmidahena.com. This is a screenshot of one of the tools:

This recent turn of events shows that cyber criminals are clearly capitalizing on this method of distributing malware. More than 40% of Web threat incidents both in January and February involved the use of legitimate Web sites to distribute malware, with most affected sites related to social networking and entertainment. However in March, almost all incidents involved the compromising of legitimate Web sites, this time affecting Web sites related to education. USA Today also reported that several hundred thousands of corrupted Web pages returned by common Google search queries were found by security researchers in March alone.

Despite this clear involvement of Google in this malware distribution, security researchers have taken Google's side on the case, saying that the search engine is not directly responsible to these attacks. This I believe still does not put Google off the hook; the search engine being used as a channel for malware distribution seriously calls for the development of security measures.

ShareThis