Thursday, June 20, 2013

Monday, June 17, 2013

Linux Non Root Exploits

Don't expect any earth shaking revelations or any mind blowing hack, but this is always a good reminder that even a non privileged user can do some harm. This is true of any Operating System, on any platform: the simple fact of having access to a machine can be enough to cause some trouble.

Friday, June 14, 2013

Vast array of medical devices vulnerable to serious hacks, feds warn

The ICS-CERT has emitted a warning concerning hard-coded passwords in medical devices.  I see there a parallel with the vulnerabilities found in the SCADA devices: applications that used to be on disconnected networks, or even specialized networks now get a web front-end, developers who spent years focusing on the functionalities now have to include security, and not very disseminated devices.

I suspect that before long, there will be other issues found: buffer overflows, authentication/authorization bypass and other tricks.

Wednesday, June 12, 2013

Hard drive failures

An interesting study of hard drive failures. Good statistics background needed to fully appreciate it.

Monday, June 10, 2013

Casting a net : phishing and spearphishing

Phishing and spearphishing are terms almost daily used. The former covers the whole family of attacks in which an attacker tries to gain some information from his victim. The distinction to spearphishing comes when the attacker has a prior knowledge of his targets.

At large, the attacker massively sends e-mails to targets without knowing them, and has a generic message, such as a communication from a bank, a government agency (IRS, FBI, ...), an e-mail or social network provider, or any other entity. The goal is to have the target either provides some information about itself such as first and last names, e-mail or social network credentials, date of birth, social security or credit card number, passport informations and so forth; or click on a link that is serving some malware to compromise its computer. The latter form can be used to install some crimware or a botnet agent, collect personal information, or access bank accounts.

A botnet agent can, in turn, be used to distribute spam or be used as an anonymizing proxy to access illegal content. All the connections will seem to be originated from the victim's computer.

In this scenario, the attackers often use spam lists, address books of e-mail addresses collected by spammers and used to distribute junk mail. These address lists can contain millions of addresses, and even if as low as 0.01% of the targets fall from it, that still represents a significant number - if the list has "only" 100,000 valid entries, and 0,01% of them provide  the information, that is 10 people who will become victims of the phishing attack. On the other hand, an attacker with a list containing 1 million valid entries and a success rate of 1% will make 10,000 victims.

The information collected can either be exploited directly by the phisher or sold to other parties. For example, the credentials to access a valid Bank of America account with an $18,000 balance costs $800 [2].

Corporations, governmental and non-governmental agencies have to face a more specific type of attack: spearphishing. The attacker will gather as much information as possible on the target, including subscriptions, center of interests, relationships between people and so forth. The idea is to be able to craft an e-mail to will have a very high likelihood of being read and reacted upon to achieve a higher rate of success, with industry statistics indicating an average rate of 19% [1].

The aims behind the attack is to gain some information, for example credentials to access a corporate remote access, but also often to plant a piece of code categorized as an advanced persistent threat ("APT"). Once installed, these can stay for months without being detected, quietly sending data off of the network to the attacker. That data can be some intelectual property, but also classified or sensitive information,  commercial offers or client's list.  

Protecting against phishing or spearphishing is not easy as it appeals to our emotions and feelings: the fear of being prosecuted by a government agency or of losing a job, the lust of easy money or of an unbelievable opportunity, the compassion towards people suffering or in distress, the trust we usually have for authority figures. Against that, people have to start questioning and thinking: if it is too good to be true, then it most likely isn't. If it seems legit but a bit off, then it most likely is.

[1] Bimal Parmar, "Protecting against spear-phishing", Computer Fraud and Security, January 2012,
[2] "Zero-Days Hit Users Hard at the Start of the Year", TrendLab 1Q 2013 Security Roundup, January 2013,