[SecurityRatty] tag: skype

Securiy Briefing: June 6th

Fri, 06 Jun 2008 08:56:35 +0000

Working form the home office this morning. The best kind of commute. Now, back to my research.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

Google to allow third party code in Gmail? | Builder AU
Skype patches security policy bypassing vulnerability | ZDNet
Experts warn of security-dodging Trojans | vnunet
Microsoft Patch Tuesday promises seven fixes | The Register
6 burning questions about network security | Network World
ArcSight and VeriSign Enterprise Security Services Launch Global Business Relationship | Compliance Home
EU gives mixed response to new U.S. travel laws | Reuters
Conroy launches service to warn of e-crimes | Australian IT
Are you a computer security professional? | InfoWorld

Tags: News, Daily Links, Security Blog, Information Security, Security News

Thinking out the box

Thu, 22 May 2008 01:50:00 +0000

I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years.

This will take some time to secure and will take some time to get accepted but this is (IMHO) coming so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there.

This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be.

WEB 1.0
This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people.

Web 2.0
This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to web 1.0 thinking. Information is swopped but format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data.

Web 3.0
This is the new buzzword but I think it is merely more extreme web 2.0. Early examples of this are Yahoo Pipes, facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. I think that the tools have not been developed or have not been properly developed.

Web 4.0
Cloud computing. This has been around for a while but it will soon come into its own. Combine GMail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc all have their own versions of the above and there will probably be some small niche players too.

Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup and works wherever you are. This is exciting stuff but the assumption is that your data will be safe.

This is a bad assumption. This is Information Security's next headache. The problem with this is that like wireless and portable devices and USBs and the Internet etc etc.. cloud computing will happen. Businesses will need to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc are already terminally ill, it is just a matter of time...

The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network.

Of course, cloud computing is a walk in the park compared to what will be next:

Web 5.0
This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and Bit-torrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-published annual results are split up between a mac in Japan, an iphone in brazil, 3 pcs in the US and a linux server in the UK. It is xored with Bill Gates's personal phone list and another 6 people have spare copies. If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of it.

Skype Phishing Pages Serving Exploits and Malware

Fri, 09 May 2008 03:00:15 +0000

"Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.

Scanners result : Result: 3/31 (9.68%)
VBS/Small.W.1; Exploit-MS06-014
File size: 13569 bytes
MD5...: 4d6a559adf0602f7fd58b884e00894dc
SHA1..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2
SHA256: 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.

Harvesting YouTube Usernames for Spamming

Tue, 06 May 2008 23:21:17 +0000

With a recently distributed database of several thousand YouTube user names, spammers continue trying to demonstrate their interest in establishing as many contact points with potential receipts of their message, or even malware given the harvested user names database ends up in someone else's hands.

Building such "hitlists" of end points to be spammed, or served malware, is setting up the foundations for the success of popular tools used for spamming video and social networking sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the message. Moreover, these developments seem to indicate an emerging trend of building databases that would later one be efficiently abused, starting from the Thousands of IM Screen Names in the Wild uncovered in October, 2007, and going to the spamming of Skype users.

Direct applicability for spamming and malware campaigns, or a bargain for finalizing a deal, databases of any kind are prone to be abused in principle, and it's malicious parties in general I'm refering to in this case.

Traffic stats and the top 10 blogs

Wed, 30 Apr 2008 01:00:00 +0000

This is the 300th published entry onto this blog. I thought it might be interesting to do a quick review of how many visitors it's getting, where you are all coming from and what the most popular postings have been over the past 12 months. Traffic figures are pretty good - weekly page views are generally between 600 and 800. Not too bad for a niche subject. As expected, most readers are from the UK but there's good interest from the US. I also have a small number of regular readers from the far east. My top ten blog entries (by unique page view) have been as follows: 1. Building an Information Security Strategy (5 March 2007) 2. What CIOs should be doing about security in 2008 (14 Jan 2008) 3. The 10 deadly sins of Information Security management (31 October 2007) 4. Portable wireless hacking device (9 Feb 2007) 5. HSBC new two-factor authentication system (7 September 2007) 6. Data Protection Act - What's the Damage? (20 September 2007) 7. RFID Passports (6 Jan 2008) 8. Incident definition and response (11 January 2007) 9. Use of Skype (28 March 2007) 10. More on PCI - the audit guide (24 March 2007) Ironically, those entries where I personally think I've hit the sweet spot and I sit by the phone waiting for the book-deal and television show hosting offers to come in don't do as well as the entries that are more "off-the-cuff." Your comments and feedback are always welcome.

Microsoft mislabels Skype as adware

Thu, 24 Apr 2008 09:00:00 +0000

Skype users wondering what Microsoft's security products have against their communications software of choice can relax -- the error message misidentifying the program as adware was a mistake.

Microsoft mislabels Skype as adware

Tue, 22 Apr 2008 20:00:00 +0000

Skype users who have been getting strange error messages from Microsoft's security products over the past week can breathe easy now. It was all a mistake.

ICQ Messenger Controlled Malware

Mon, 14 Apr 2008 03:28:05 +0000

IM me a command, master - part two. Diversifying the command and control channels of malware is always in a permanent development phrase, with malware authors trying to adapt their releases in order for them to bypass popular detection mechanisms. IM controlled malware is a great example of such a development, and now that I've already covered a Yahoo Messenger controlled malware in previous post, it would be logical to come up with more evidence on alternative IM networks used as a main C&C interface, such as ICQ in this case. The ICQ controlled malware's pitch :

"With this program, you will always be able to access the necessary functions of your computer using ordinary ICQ. It has the opportunity to add their scripts and commands, thus becoming a universal tool for controlling the computer - it all depends on your imagination and skills. Through the program operations like the following can be run by default - viewing directories, displaying messages, lauching programs, killing processes, shutdown, view active windows, and much more."

Released primarily as a Proof of Concept, its source code is freely available which as we've already seen in the past results in more innovation added on behalf of those using the idea as a foundation for achieving their own malicious purposes.

The whole concept of abusing third-party communication applications for malware purposes, has always been there, in fact two years ago, there were even speculations that Skype could be used to control botnets. A fad or a trend? The lone malware author who's not embracing malicious economies of scale and looking for reliable and efficient ways to infect and control as many hosts as possible, is taking advantage of this, the rest are always looking for ways to port their botnets to a different C&C without loosing a single host in order to benefit from what a web application C&C can provide in respect to the old-fashioned IRCd command line commands.

Skype Spamming Tool in the Wild

Mon, 07 Apr 2008 06:51:23 +0000

Have you ever wondered what's contributing to the rise of instant messanging spam (SPIM), and through the use of which tools is the proccess accomplished? Take this recent proposition for a proprietary Skype Spamming Tool, and you'll get the point from a do-it-yourself (DIY) perspective. This proprietary tool's main differentiation factor is its wildcast capability, namely searching for John will locate and send mass authorization requests to all usernames containing John. So basically, by implementing a simple timeout limit, mass authorization requests are successfully sent. The more average the username provided, the more contacts obtained who will get spammed with anything starting from phishing attempts and going to live exploit URLs automatically infecting with malware upon visiting them.

There're, however, two perspectives we should distinguish as seperate attack tactics, each of which requires a different set of expertise to conduct, as well as different entry barries to bypass to reach the efficiency stage. If you find this DIY type of tool's efficiency disturbing in terms of the ease of use and its potential for spreading malware serving URLs, you should consider its logical super efficiency stage, namely the use of botnets for SPIMMING.

Will malware authors, looking for shorter time-to-infect lifecycles, try to replace email as infection vector of choice, with IM applications, which when combined with typosquatting and cybersquatting could result in faster infections based on impulsive social engineering attacks? Novice botnet masters looking for ways to set up the foundations of their botnet could, the pragmatic attacks will however, continue using the most efficient and reliable way to infect as many people as possible, in the shortest timeframe achievable - injecting or embedding malicious links at legitimate sites.

Related posts:
Uncovering a MSN Social Engineering Scam
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware

FaceTime security product scans Skype's encrypted IM

Tue, 01 Apr 2008 09:00:00 +0000

The only product allowed to look at encrypted instant messages between Skype users detects harmful URLs.