[SecurityRatty] tag: blue

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Tue, 15 Jul 2008 12:22:35 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Malware Install Hides Behind Fake Blue Screen Of Death

Wed, 09 Jul 2008 14:42:24 +0000

This hijack typically begins with the following file opened up from the web:

If the file is allowed to execute on the PC, depending on what files the bundle is rotating for download at the time of install you may well see the dreaded Blue Screen Of Death (or BSOD to its friends).

However, all is not what it seems. While the end-user is faced with the horrors of the BSOD, behind the scenes Malware is installing by the bucketload.How is this possible, I hear you cry? Surely if the PC has crashed, nothing can be installing?

Not in this case, because the blue screen of death is fake - to be more accurate, the bad guys have taken Sysinternals blue screen of death screensaver and bundled it in with the hijack files. This is what the .scr file looks like on the PC:

And this is what you see if you explore the code:

It seems the bad guys are not without a sense of humour. Hiding a blizzard of infection file installs behind a legitimate screensaver created by a security expert is pretty bizarre. Here is the registry entry created:

Meanwhile, here are just some of the files installed onto the PC during the download:

Click to Enlarge

The PC pretty much grinds to a halt while all of this is taking place:

When the computer finally comes back under your contol, you can expect to see numerous warnings related to fake antispyware programs appearing all over the desktop:

Click to Enlarge

Collectively, we detect the various bundles on offer here as Fake.AV and Smiddy.

Discovery and Research: Chris Mannon, FSL Senior Threat Researcher

No, I Dont Know the Answer to the Big DNS Secret

Wed, 09 Jul 2008 11:26:37 +0000

Rich Mogull’s executive overview of Dan Kaminsky’s latest DNS vulnerability fluffed a few feathers yesterday:

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses.

The typical response I heard was “what do you mean, it can’t be reverse engineered? I’ll just look at the diffs!”

In hindsight, after examining the BIND diffs (yes, I did it too) and discussing with colleagues, all most people saw was UDP source port randomization and a better PRNG for generating the transaction ID, the latter of which would appear to be related to Amit Klein’s cache poisoning attack from about a year ago.

What Rich was really saying is that you can reverse engineer the patch until you’re blue in the face, but that won’t reveal the specifics of the vulnerability.

Dan’s blog post this morning appeared to confirm that interpretation:

DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.

There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.

Such is the mark of excellent design. Excellent design protects you against things you don’t have any information about. And so we are deploying this excellent design to provide no information.

To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from Anonymous to Authenticated User only, or even all the way to Admin Only. Or wait, just remember Windows XPSP2 :) This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why. Astonishingly subtle bugs can be easily hidden, or even rendered irrelevant, by a suitably blunt fix.

Nate McFeters appears to think that Tom Ptacek has figured it out. I’m going to go out on a limb and say that Tom didn’t figure anything out yet but still wanted to write a pithy blog post. I think that if Tom had figured it out, he would have written it down privately and posted the SHA-1 hash, as is the trendy thing to do these days.

Speculation aside, the title of Tom’s blog entry, Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!, does make an important point — Dan didn’t sell the details to ZDI, he used his influence and reputation to coordinate a massive vendor patch effort. That’s an admirable move.

Life Is A Technology Museum

Sat, 05 Jul 2008 16:13:08 +0000

I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting;. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released 8 years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM". I did a little Googling and struck out on what that means. If any of you can help me out I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as-is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?

Life Is a Technology Museum

Sat, 05 Jul 2008 16:13:08 +0000

I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released eight years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM." I did a little Googling and struck out on what that means. If any of you can help me out, I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?

Insurer offers mobile health records

Wed, 25 Jun 2008 09:00:00 +0000

The mobile phone as mobile computer now has the added dimension of being a secure storage device for personal health records, with a rollout of an application by Blue Cross in Pennsylvania.

Tucson area Domino's Pizza customer information exposed

Wed, 18 Jun 2008 06:43:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time? I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons. 24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up. I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals. I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation? Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.). I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it. I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify. The impact to the business (or organization) is not usually as easy to measure. In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc. Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information. Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach. He makes a very good argument regarding accountability in credit card breaches. My responses to him are included.

Past Breaches:
Unknown

On braces, baseball and Fathers Day

Sat, 14 Jun 2008 17:05:00 +0000

Image via Wikipedia

So it is quite an exciting Fathers Day weekend here at the Shimel house. On Friday my oldest son Landon, 8, had braces put on his top teeth. I know that 8 is early for braces, but evidently today they do this as a "Phase 1", so that hopefully he won't need them as long later on. Seeing my little boy come out of the room with braces was quite a sight. Unlike the trauma that kids had about braces when I was younger, he thought it was awesome. The picture to the left are not his braces. Landon's are black and gold, Steeler braces. In 6 weeks they will change them to Yankee blue and white. Braces have certainly come a long way since I was a kid. But my son Landon has come a long way too. Looking at him with his braces and talking to the office staff I realized that the little, fuzzy red headed baby we brought home from the hospital almost 9 years ago now has grown into quite a boy. Where is the little toddler that I would toss a sponge ball to underhand and tell him to use two hands to catch? Could this kid with the catchers mitt catching everything I throw at him and firing it back to me be that baby?

Saturday is a day filled with both boys. I am taking Landon and Bradley to breakfast and than off to Baseball City to practice our hitting and pitching. Then Bradley has a birthday party he is invited to and Landon and I will go swimming.

Sunday Landon has a travel baseball team game at 10am. Landon was selected for the team because of the great season he had in Little League and is now in tournaments for the next few weeks. Than we are all going to visit my Uncle and Aunt for Fathers Day at the house near the water with a pool.

I could not think of a better way to spend my Fathers Day weekend. My mother-in-law always used to say that she was the richest woman in the world because of the treasure that were her children. When I was younger I laughed but would have taken the cash. As I have grown older and have had a chance to watch my boys grow up and have come to understand what it truly is to be a Father, I know that she was right. There is nothing like the love of a child and watching, helping and sharing in their adventure that is life.

To all of you celebrating Fathers Day this year whether as a Dad with your own kids or with your own Dad, congratulations and savor every minute of it. Happy Fathers Day!

On braces, baseball and Fathers Day

Sat, 14 Jun 2008 16:05:02 +0000

Image via Wikipedia

So it is quite an exciting Fathers Day weekend here at the Shimel house. On Friday my oldest son Landon, 8 had braces put on his top teeth. I know that 8 is early for braces, but evidently today they do this as a "Phase 1", so that hopefully he won't need them as long later on. Seeing my little boy come out of the room with braces was quite a sight. Unlike the trauma that kids had about braces when I was younger, he thought it was awesome. The picture to the left are not his braces. Landon's are black and gold, Steeler braces. In 6 weeks they will change them to Yankee blue and white. Braces have certainly come a long way since I was a kid. But my son Landon has come a long way too. Looking at him with his braces and talking to the office staff I realized that the little, fuzzy red headed baby we brought home from the hospital almost 9 years ago now has grown into quite a boy. Where is the little toddler that I would toss a sponge ball to underhand and tell him to use two hands to catch? Could this kid with the catchers mitt catching everything I throw at him and firing it back to me be that baby?

To all of you celebrating Fathers Day this year whether as a Dad with your own kids or with your own Dad, congratulations and savior every minute of it. Happy Fathers Day!

Blue Box SE#025 - An interview with Eric Hernaez about Solegy and the OpenSBC Project

Tue, 10 Jun 2008 18:53:28 +0000

Synopsis: Blue Box Special Edition #25: An interview with Eric Hernaez, CEO of Solegy, about the OpenSBC project

Welcome to Blue Box: The VoIP Security Podcast Special Edition #25, a 13-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

In this interview, I sat down with Eric Hernaez, CEO of Solegy, to talk about the OpenSBC Project and how it provides an open source implementation of a session border controller (SBC). We talked about how OpenSBC came about, who is using it, how scalable it is and where users can learn more. We also discussed Solegy, the company supporting the open source OpenSBC project and what they are doing. It was an enjoyable talk that really came about randomly when I met Eric near the press room at IT Expo in Los Angeles back in September 2007. We had been wanting to learn more about the OpenSBC project so I put my recorder on a table and we started talking.

More information about the OpenSBC project and other open source SIP-related projects can be found at opensourcesip.org.

Production assistance on this Special Edition was provided by Sergio Meinardi.

Thank you for listening and please do let us know what you think of the show.