Archive for the ‘Linux’ Category

Scientist-developed malware covertly jumps air gaps using inaudible sound

Tuesday, December 3rd, 2013

Malware communicates at a distance of 65 feet using built-in mics and speakers.

Computer scientists have developed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adopt the same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an “air gap” between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.

The researchers, from Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics, recently disclosed their findings in a paper published in the Journal of Communications. It came a few weeks after a security researcher said his computers were infected with a mysterious piece of malware that used high-frequency transmissions to jump air gaps. The new research neither confirms nor disproves Dragos Ruiu’s claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today’s malware.

“In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network,” one of the authors, Michael Hanspach, wrote in an e-mail. “Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network.”

The researchers developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The most effective technique relied on software originally developed to acoustically transmit data under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data between laptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances.

The ACS modem provided better reliability than other techniques that were also able to use only the laptops’ speakers and microphones to communicate. Still, it came with one significant drawback: a transmission rate of about 20 bits per second, a tiny fraction of standard network connections. The paltry bandwidth forecloses transmitting video or any other kind of large file. The researchers said attackers could overcome that shortcoming by equipping the trojan with functions that transmit only certain types of data, such as login credentials captured from a keylogger or a memory dumper.

“This small bandwidth might actually be enough to transfer critical information (such as keystrokes),” Hanspach wrote. “You don’t even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction.”

Remember Flame?

The hurdles of implementing covert acoustical networking are high enough that few malware developers are likely to add it to their offerings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and other state-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits.

The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio input and output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is to employ audio filtering that blocks the high-frequency ranges used to covertly transmit data. Devices running Linux can do this with the Advanced Linux Sound Architecture (ALSA) in combination with the Linux Audio Developer’s Simple Plugin API (LADSPA). Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would “forward audio input and output signals to their destination and simultaneously store them inside the guard’s internal state, where they are subject to further analyses.”
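As an added illustration, not the researchers’ code and not the ACS modem described above, the following Python script builds the simplest version of such a channel and then applies the filtering countermeasure to it. It keys bits onto two tones at 18 kHz and 20 kHz (above most adults’ hearing but below the 24 kHz Nyquist limit of a 48 kHz sound card), decodes them with a Goertzel detector, and then runs the same samples through a cascaded one-pole low-pass filter standing in for the ALSA/LADSPA filter chain. The carrier frequencies, the 48 kHz sample rate, the 100 bit/s symbol rate, the squelch threshold and the 4 kHz cutoff are all assumed values chosen for the demonstration; the text being sent is a made-up credential.

```python
"""Toy near-ultrasonic covert channel plus the low-pass countermeasure.

Binary FSK at 18 kHz (bit 0) and 20 kHz (bit 1), a Goertzel-based receiver,
and a cascade of one-pole low-pass filters standing in for an ALSA/LADSPA
filter chain. All parameters are assumed for illustration; this is not the
Fraunhofer ACS modem.
"""
import math

SAMPLE_RATE = 48_000
F_ZERO, F_ONE = 18_000, 20_000   # assumed carrier tones for bit 0 / bit 1
SYMBOL_LEN = 480                 # 10 ms per bit -> 100 bit/s (toy rate)
MIN_TONE_POWER = 1000.0          # receiver squelch: weaker than this = no carrier


def text_to_bits(text):
    return [(b >> i) & 1 for b in text.encode() for i in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def modulate(bits, amplitude=1.0):
    """One pure tone per bit. Both tones fit whole cycles into a symbol, so
    the phase stays continuous across symbol boundaries."""
    samples = []
    for bit in bits:
        f = F_ONE if bit else F_ZERO
        samples.extend(amplitude * math.sin(2 * math.pi * f * n / SAMPLE_RATE)
                       for n in range(SYMBOL_LEN))
    return samples


def goertzel_power(samples, freq):
    """Squared magnitude of the DFT bin nearest `freq` (Goertzel algorithm):
    (N*A/2)**2 for a tone of amplitude A sitting exactly on that bin."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Decoded bits, or None as soon as a symbol carries no tone strong
    enough to be the channel (the squelch)."""
    bits = []
    for i in range(0, len(samples) - SYMBOL_LEN + 1, SYMBOL_LEN):
        sym = samples[i:i + SYMBOL_LEN]
        p0, p1 = goertzel_power(sym, F_ZERO), goertzel_power(sym, F_ONE)
        if max(p0, p1) < MIN_TONE_POWER:
            return None
        bits.append(1 if p1 > p0 else 0)
    return bits


def lowpass(samples, cutoff_hz=4000.0, stages=4):
    """Cascade of one-pole RC low-pass filters, y[n] = y[n-1] + a*(x[n]-y[n-1]).
    With these defaults each stage passes ~96% of a 1 kHz tone and ~22% of an
    18 kHz tone, so four stages cut the covert carriers by roughly 50 dB."""
    rc = 1.0 / (2.0 * math.pi * cutoff_hz)
    dt = 1.0 / SAMPLE_RATE
    alpha = dt / (rc + dt)
    out = list(samples)
    for _ in range(stages):
        y = 0.0
        for i, x in enumerate(out):
            y += alpha * (x - y)
            out[i] = y
    return out


def covert_channel_demo(text="pw:hunter2"):
    """(text recovered from the raw channel, decode result after filtering)."""
    tx = modulate(text_to_bits(text))
    return bits_to_text(demodulate(tx)), demodulate(lowpass(tx))


def audible_passthrough_ratio(freq=1000.0):
    """Fraction of a 1 kHz tone's power that survives the filter: the speech
    band must still pass or the countermeasure just breaks the audio device."""
    tone = [math.sin(2.0 * math.pi * freq * n / SAMPLE_RATE) for n in range(SYMBOL_LEN)]
    return goertzel_power(lowpass(tone), freq) / goertzel_power(tone, freq)


if __name__ == "__main__":
    print(covert_channel_demo())   # ('pw:hunter2', None)
    print(round(audible_passthrough_ratio(), 2))
```

Two caveats a practitioner would attach. The filter has to sit in the driver path for both capture and playback, as the ALSA/LADSPA arrangement allows; filtering playback alone still lets an infected machine listen. And the countermeasure narrows the channel rather than closing it: an attacker who is willing to give up inaudibility can move the carriers down into the pass band, which is why the paper also proposes the audio guard that records what crosses the interface.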


This new worm targets Linux PCs and embedded devices

Wednesday, November 27th, 2013

A new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.

According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.

The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.

“Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” the Symantec researchers explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.”

The only variant seen spreading so far targets x86 systems, because the malicious binary downloaded from the attacker’s server is an ELF (Executable and Linkable Format) executable built for Intel x86.

However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.

These architectures are used in embedded devices like home routers, IP cameras, set-top boxes and many others.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” the Symantec researchers said. “However, we have not confirmed attacks against non-PC devices yet.”

The firmware of many embedded devices is based on some type of Linux and includes a Web server with PHP for the Web-based administration interface. These kinds of devices might be easier to compromise than Linux PCs or servers because they don’t receive updates very often.

Patching vulnerabilities in embedded devices has never been an easy task. Many vendors don’t issue regular updates and when they do, users are often not properly informed about the security issues fixed in those updates.

In addition, installing an update on embedded devices requires more work and technical knowledge than updating regular software installed on a computer. Users have to know where the updates are published, download them manually and then upload them to their devices through a Web-based administration interface.

“Many users may not be aware that they are using vulnerable devices in their homes or offices,” the Symantec researchers said. “Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.”

To protect their devices from the worm, users are advised to verify that those devices run the latest available firmware version, update the firmware if needed, set up strong administration passwords and block HTTP POST requests to /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi and /cgi-bin/php4, either at the gateway firewall or on each individual device if possible, the Symantec researchers said.
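Blocking is one half of that advice; the other is knowing whether the worm has already knocked. The following Python script, added here and not part of Symantec’s write-up, turns the same five paths into a check against an Apache access log in the common “combined” format. It flags any POST to a php-cgi path (the block rule) and, separately, the CVE-2012-1823 request shape itself: php-cgi treated a query string containing no “=” as its own command-line switches, so a request such as “/cgi-bin/php?-d …” or “/cgi-bin/php?-s” is the signature regardless of method. The log lines are constructed samples using documentation IP addresses.

```python
"""Flag requests matching the Linux.Darlloz / CVE-2012-1823 pattern in an
Apache "combined" access log. The five paths are the ones Symantec advised
blocking POSTs to; the sample log lines are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, unquote_plus

PHP_CGI_PATHS = frozenset({
    "/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi", "/cgi-bin/php4",
})

# client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line):
    """Return a dict describing why the request is suspect, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path, raw_query = parts.path, parts.query
    reasons = []
    if method == "POST" and path in PHP_CGI_PATHS:
        reasons.append("POST to php-cgi path (Symantec block rule)")
    # CVE-2012-1823: php-cgi treats a query string with no '=' as its own
    # command-line switches, so "?-d ..." or "?-s" against php-cgi is the
    # exploit signature (an '=' inside a setting arrives encoded as %3d).
    if (path in PHP_CGI_PATHS and raw_query and "=" not in raw_query
            and unquote_plus(raw_query).lstrip().startswith("-")):
        reasons.append("php-cgi option injection (CVE-2012-1823 pattern)")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": method, "path": path,
            "query": unquote_plus(raw_query), "reasons": reasons}


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: two option-injection attempts, one bare POST that
# the block rule alone would stop, one ordinary request.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2013:10:15:32 +0000] "POST /cgi-bin/php-cgi?-d+display_errors%3dOn HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [27/Nov/2013:10:15:40 +0000] "GET /cgi-bin/php?-s HTTP/1.0" 200 2048 "-" "-"',
    '198.51.100.23 - - [27/Nov/2013:10:15:41 +0000] "POST /cgi-bin/php.cgi HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.10 - - [27/Nov/2013:10:16:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], "|", "; ".join(hit["reasons"]))
```

The path list is Symantec’s; extend it to wherever php-cgi is actually mapped on a given device, since the option-injection check is what matters and it applies to GET as well as POST. A 404 on a POST to one of these paths is still worth recording: it is the worm’s random-IP scan finding nothing, and the source address tells you who else on your network may be hit.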


Dangerous Linux Trojan could be sign of things to come

Friday, August 16th, 2013

‘Hand of Thief’ Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines

Desktop Linux users accustomed to a relatively malware-free lifestyle should get more vigilant in the near future — a researcher at RSA has detailed the existence of the “Hand of Thief” Trojan, which specifically targets Linux.

According to cyber intelligence expert Limor Kessem, Hand of Thief operates a lot like similar malware that targets Windows machines — once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to anti-virus update servers, VMs, and other potential methods of detection.

Hand of Thief is currently being sold in “closed cybercrime communities” for $2,000, which includes free updates, writes Kessem. However, she adds, the upcoming addition of new web injection attack technology will push the price to $3,000, and introduce a $550 fee for major version updates.

“These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux,” she notes.

Getting Linux computers infected in the first place, however, could be more problematic for would-be thieves — Kessem says the lack of exploits targeting Linux means that social engineering and email are the most likely attack vectors, citing a conversation with Hand of Thief’s sales agent.

Kessem also says that growth in the number of desktop Linux users — prompted, in part, by the perceived insecurity of Windows — could potentially herald the arrival of more malware like Hand of Thief, as the number of possible targets grows.

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows install base.

Users of Linux-based Android smartphones, however, have become increasingly tempting targets for computer crime — and with the aforementioned growth in desktop users, the number of threats may increase even further.


Rampant Apache website attack hits visitors with highly malicious software

Friday, July 5th, 2013

Darkleech is back. Or maybe it never left. Either way, it’s a growing problem.

A campaign that forces sites running the Apache Web server to install highly malicious software on visitors’ PCs has compromised more than 40,000 Web addresses in the past nine months, 15,000 of them in the month of May alone.

The figures, published Tuesday by researchers from antivirus provider Eset, are the latest indication that an attack on websites running the Internet’s most popular Web server continues to build steam. Known as Darkleech, the rogue Apache module gets installed on compromised servers and turns legitimate websites into online minefields that expose unsuspecting visitors to a host of dangerous exploits. More than 40,000 domains and website IPs have been commandeered since October, 15,000 of which were active at the same time in May 2013 alone. In just the last week, Eset has detected at least 270 different websites exposing users to attacks.

Sites that come under the spell of Darkleech redirect certain visitors to malicious websites that host attack code spawned by the notorious Blackhole exploit kit. The fee-based package available in underground forums makes it easy for novices to exploit vulnerabilities in browsers and browser plug-ins. Web visitors who haven’t installed updates patching those flaws get silently infected with a variety of dangerous malware titles. Among the malware that Darkleech pushes is a “Nymaim” piece of ransomware that demands a $300 payment to unlock encrypted files from a victim’s machine. Other malware titles that get installed include Pony Loader and Sirefef.

“This campaign has been going on for a very long time,” Eset malware researcher Sébastien Duquette wrote in Tuesday’s blog post. “Our data shows that the Blackhole instance has been active for more than two years, since at least February 2011.”

Eset’s research is consistent with April coverage from Ars reporting that an estimated 20,000 Apache websites were infected by Darkleech in just a few weeks’ time. Sites operated by The Los Angeles Times, Seagate, and other reputable companies were among the casualties. Like Ars, Eset found the Web malware employs a detailed array of conditions to determine when to inject malicious links into the pages shown to end users. Among other things, Eset wrote that users will only be attacked when their browser reports they’re using Microsoft’s Internet Explorer browser or Oracle’s Java plugin. Eset’s findings are also consistent with recent figures from Google showing that the vast majority of malware attacks are spawned from legitimate sites that have been hacked.

The chosen few

Darkleech has also been known to pass over visitors using IP addresses belonging to security and hosting firms, people who have recently been attacked, and those who don’t arrive at the hacked pages from specific search queries. By being highly selective in targeting potential victims, Darkleech developers make it harder for security defenders to unravel the campaign and block infections. Visitors who are selected are served an HTML iframe tag in a Web page from the legitimate site that has been compromised. The iframe loads exploit code from a malicious site under the control of attackers.

Darkleech, which also goes by the name Linux/Chapro, is able to tailor exploits to the geographic region of the infected victim as well. Ransomware that infects US-based visitors, for instance, purports to come from the FBI, while ransomware hitting people in other countries is adapted accordingly.

In October, Darkleech underwent a makeover that changed the format of the URL in the malicious iframe so it’s harder to detect. It works by decrypting four different text strings and then calculating a cryptographic hash to determine if a visitor should be served an iframe. The randomly generated link that leads to the attack site is extremely hard to detect as malicious except for its telltale ending “q.php.”
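Because the iframe is only ever served to selected visitors, a site owner who wants to check their own pages has to fetch them the way a victim would (for example with an Internet Explorer User-Agent, from an address outside any security or hosting company’s range, and not from a recently attacked machine) and then look at what came back. The following Python function, an added example rather than anything from Eset, does the second half of that: it parses the fetched HTML with the standard library’s HTMLParser and reports every iframe that points off-site and is not on an allow-list, plus any whose path ends in the “q.php” that the article describes as the campaign’s one telltale. The sample page, its hostnames and the attacker address are constructed.

```python
"""Report iframes a compromised server may have injected into a page.
Added example; the sample HTML and its hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_injected_iframes(html, site_host, allowed_hosts=()):
    """Return [{'src', 'reasons'}] for every iframe that is off-site (and not
    allow-listed) or whose path ends in q.php."""
    parser = _IframeCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        host = (parts.hostname or site_host).lower()   # relative src -> same site
        reasons = []
        if host != site_host.lower() and host not in allowed:
            reasons.append(f"off-site iframe to {host}")
        if parts.path.endswith("q.php"):
            reasons.append("Darkleech-style landing URL ending in q.php")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits


# Constructed sample page: a same-site iframe, an allow-listed embed and an
# injected iframe pointing at a documentation-range address.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="100"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="http://203.0.113.9/nxt/f3a9c1b2/q.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, "www.example.com", ["www.youtube.com"]):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

A clean result from one fetch proves little, since the module also suppresses the iframe for anyone it has attacked recently; compare fetches from more than one vantage point, and treat a server that differs between them as suspect even before an iframe turns up.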

As has been the case with previous investigations, researchers still don’t know how the Darkleech module takes initial hold of the sites it infects. Speculation has surfaced that the servers are compromised by exploiting undocumented vulnerabilities in the cPanel or Plesk tools administrators use to remotely manage sites, but there’s no hard evidence to back up that theory. Researchers also reckon sites may be taken over by cracking administrative passwords or by exploiting security flaws in Linux, Apache, or another piece of commonly used software. Darkleech in part uses cPanel and Plesk servers to handle certain aspects of the iframe injection and payload delivery, but other parts rely on the Apache server itself, Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars.

Because many websites are usually hosted on a single server, there are often multiple domain names pointing to a single IP address, so Eset researchers are unable to determine just how many Apache-powered websites are infected by Darkleech. The total is “probably lower” than the 40,000 estimate, Bureau said.

The Eset report comes two weeks after researchers from security firm Sucuri unearthed a new malicious module infecting Apache servers. They’re still not sure if the plug-in is a newer, stealthier version of Darkleech or a completely different tool developed by a rival crime group. Researchers in recent months have uncovered a third piece of malware that causes websites to expose visitors to attacks. Known as Linux/Cdorked, it targets sites running the Apache, nginx, and Lighttpd Web servers and, as of May, had exposed almost 100,000 end-users running Eset software alone to attack.

Only you can prevent Web server hacks

With so many threats successfully targeting mainstream Web servers, administrators should take care to lock down their systems by following good security hygiene. One step is to ensure all default passwords have been changed to ones that are long and randomly generated. Also key is to make sure all software components, including the operating system and all applications, are fully up to date. It’s also not a bad idea to use a website security scanner from time to time and to occasionally check the cryptographic hash of the Web server’s HTTP daemon binary against a known-good value to make sure it hasn’t been tampered with.


Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too

Thursday, May 9th, 2013

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lighttpd, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users’ computers.”

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application. According to this month’s server survey from Netcraft, Apache and nginx are the No. 1 and No. 3 packages respectively, with about 53 percent and 16 percent of websites. The survey didn’t rank Lighttpd, a Web server designed for speed-critical sites that’s used by sites including Meebo, YouTube, and Wikimedia, according to Wikipedia. The report of the susceptibility of nginx came as its maintainers issued an update that patches a remote-code execution vulnerability in the open-source Web server. (There’s no evidence the vulnerability is related to the Cdorked infection.)

Linux/Cdorked.A is one of at least two backdoors recently observed causing trusted and often popular websites to push exploits that attempt to surreptitiously install malware on visitors’ computers. Like Darkleech, a backdoor estimated to have infected 20,000 Apache websites, it redirects users to a series of third-party sites that host malicious code from the Blackhole exploit kit. A recent blog post from security firm Invincea reports another rash of website hijackings, but they appear to be unrelated to Cdorked, and there’s no indication Darkleech is involved, either.

Also similar to Darkleech, the Cdorked backdoor makes it extremely difficult for end users and even security researchers to notice their computers are being attacked. Users who speak Russian, Ukrainian, and at least four other languages are never exposed, and people who have already been attacked in recent days are also spared. Common configurations include a large list of IP addresses that are also blocked from exploits.

“We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible,” Eset researcher Marc-Etienne M.Léveillé wrote in a blog post published Tuesday. “For them, not being detected seems to be a priority over infecting as many victims as possible.”

Cdorked-infected servers are also advanced enough to distinguish among different computing platforms used by end users visiting infected sites. Those using Windows machines are directed to sites that mostly host exploits from Blackhole. People using Apple iPads or iPhones are redirected to porn sites that may also be hosting malicious code. Cdorked also stores most of its inner workings in a server’s shared memory, making it hard for some admins to know their sites are infected. Compromised systems can receive up to 70 different encrypted commands, a number that gives attackers fairly granular control that can be remotely and stealthily invoked.

In another testament to the ambition of its operators, Cdorked relies on compromised domain name system servers to resolve the IP addresses of redirected sites. The use of “trojanized DNS server binaries” adds another layer of obscurity to the attacks, since they make it easier for attackers to serve different sites to different end users.

“They are using the compromised DNS server to very accurately filter out who is going to visit the next stage Web server,” Bureau said in an interview. “This means, for example, that security researchers will have a very hard time being served the same content as a victim. It makes the investigation and tracking this operation harder. They are trying to control every step along the way to make every visit very traceable but also very hard to recreate.”

Researchers still don’t know how servers are being infected with Cdorked. Because compromised machines are running a variety of administration controls, cPanel and competing software aren’t obvious suspects. Cdorked doesn’t have the ability to spread by itself and doesn’t exploit a vulnerability in any other specific piece of software, either.

Readers who want to ensure their websites aren’t infected should use the rpm --verify command to see if the HTTP daemon they use has been altered. Eset researchers have also released a free Python script (zip file) to examine a server’s shared memory for signs it is under the control of Cdorked.
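The two host-side checks recommended in this article and the Darkleech piece above (verify the package, and compare the daemon’s hash against a known-good value) are easy to automate. The Python below is an added example, not Eset’s tool: it parses the output of rpm -V, keeps only files whose size or digest changed or that vanished (ignoring config and documentation files, which drift legitimately), and compares files against a hash baseline you record from a trusted install. The rpm -V sample is constructed, and BASELINE is a placeholder to fill in; on Debian-derived systems debsums plays the role of rpm -V.

```python
"""Two checks for a tampered HTTP daemon binary: parse `rpm -V` output and
compare file hashes against an off-host baseline. Added example; the rpm -V
sample is constructed and BASELINE is a placeholder."""
import hashlib
import re
import shutil
import subprocess

# rpm -V prints one line per differing file: a column of test results
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities; '.' = passed, '?' = not testable) or the word "missing",
# an optional attribute marker (c config, d doc, g ghost, l license,
# r readme), then the path.
RPM_V_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.+)$"
)


def parse_rpm_verify(output):
    entries = []
    for line in output.splitlines():
        m = RPM_V_RE.match(line.rstrip())
        if m:
            entries.append({"path": m.group("path"), "flags": m.group("flags"),
                            "attr": m.group("attr") or ""})
    return entries


def tampered_files(entries):
    """Paths whose content changed (digest or size) or that vanished, ignoring
    config and documentation files that legitimately drift."""
    out = []
    for e in entries:
        if e["attr"] in ("c", "d"):
            continue
        if e["flags"] == "missing" or "5" in e["flags"] or "S" in e["flags"]:
            out.append(e["path"])
    return out


def run_rpm_verify(package="httpd"):
    """Run rpm -V for real; '' on hosts without rpm. Exit status 1 only means
    differences were found, so check=True would be wrong here."""
    if not shutil.which("rpm"):
        return ""
    return subprocess.run(["rpm", "-V", package], capture_output=True, text=True).stdout


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Streaming SHA-256 of a file, or None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def check_baseline(baseline):
    """{path: (expected, actual)} for every path whose current hash differs
    from the recorded one; actual is None when the file is missing/unreadable."""
    mismatches = {}
    for path, expected in baseline.items():
        actual = sha256_file(path)
        if actual != expected:
            mismatches[path] = (expected, actual)
    return mismatches


# Constructed rpm -V output: config drift (expected), a daemon whose size and
# digest changed (the Cdorked symptom), a module with only its mtime touched,
# a missing doc file.
SAMPLE_RPM_V = """S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/sbin/httpd
.......T.    /usr/lib64/httpd/modules/mod_ssl.so
missing   d /usr/share/doc/httpd-2.2.15/README
"""

# Placeholder: record hashes from a trusted install and keep them off-host.
BASELINE = {"/usr/sbin/httpd": "<sha256 recorded at install time>"}

if __name__ == "__main__":
    print("sample:", tampered_files(parse_rpm_verify(SAMPLE_RPM_V)))
    live = run_rpm_verify("httpd")
    if live:
        print("this host:", tampered_files(parse_rpm_verify(live)))
    print("baseline mismatches:", check_baseline(BASELINE))
```

Both checks trust something on the box: rpm -V compares against the local package database, and a hash baseline stored on the same host can be rewritten by whoever replaced the binary. Keep the baseline elsewhere, run the comparison from a clean system or rescue media when a compromise is suspected, and remember that neither check sees the shared-memory state that Eset’s script is for; a binary that verifies clean today may still be serving a backdoor loaded from a module.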

Bureau said he believes Cdorked and Darkleech are two competing toolkits for exploiting Web servers. Their prevalence, combined with Invincea’s discovery of popular websites also exposing visitors to malware attacks, suggests exploits are expanding beyond the traditional base of machines running Microsoft-based software.

“A couple years ago malware against the Linux operating system was really in the age of its proof of concept,” he said. “Whenever we would discover something everybody would say: ‘It’s not really in wild. It’s just somebody trying to prove a point.’ Now the fact that we see so many instances of infected Web servers out there really shows we’re past the era of the proof of concept. Now serious operators are making serious money by victimizing these web servers.”


Attack hitting Apache websites is invisible to the naked eye

Monday, April 29th, 2013

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on there with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no trace on a compromised host’s hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP requests that a normal Apache configuration doesn’t log. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers invoke the commands by manipulating the URLs sent to an infected website.

“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.

Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free Python script examines the shared memory of a server running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.


OpenDaylight: A big step toward the software-defined data center

Monday, April 8th, 2013

A who’s-who of industry players, including Cisco, launches open source project that could make SDN as pervasive as server virtualization

Manual hardware configuration is the scourge of the modern data center. Server virtualization and pooled storage have gone a long way toward making infrastructure configurable on the fly via software, but the third leg of the stool, networking, has lagged behind with fragmented technology and standards.

The OpenDaylight Project — a new open source project hosted by the Linux Foundation featuring every major networking player — promises to move the ball forward for SDN (software-defined networking). Rather than hammer out new standards, the project aims to produce an extensible, open source, virtual networking platform atop such existing standards as OpenFlow, which provides a universal interface through which either virtual or physical switches can be controlled via software.

The approach of OpenDaylight is similar to that of Hadoop or OpenStack, where industry players come together to develop core open source bits collaboratively, around which participants can add unique value. That roughly describes the Linux model as well, which may help explain why the Linux Foundation is hosting OpenDaylight.

“The Linux Foundation was contacted based on our experience and understanding of how to structure and set up an open community that can foster innovation,” said Jim Zemlin, executive director of the Linux Foundation, in an embargoed conference call last week. He added that OpenDaylight, which will be written in Java, will be available under the Eclipse Public License.

Collaboration or controversy?

It must be said that the politics of the OpenDaylight Project are mind-boggling. Cisco is on board despite the fact that SDN is widely seen as a threat to the company’s dominant position — because, when the network is virtualized, switch hardware becomes more commoditized. A cynic might be forgiven for wondering whether Cisco is there to rein things in rather than accelerate development.

Along with Cisco, the cavalcade of coopetition includes Arista Networks, Big Switch Networks, Brocade, Citrix, Dell, Ericsson, Fujitsu, HP, IBM, Intel, Juniper Networks, Microsoft, NEC, Nuage Networks, PLUMgrid, Red Hat, and VMware. BigSwitch, perhaps the highest-profile SDN upstart, is planning to donate a big chunk of its Open SDN Suite, including controller code and distributed virtual routing service applications. Although VMware has signed on, it’s unclear how the proprietary technology developed by Nicira, the SDN startup acquired for $1.2 billion by VMware last summer, will fit in.

Another question is how OpenDaylight will affect other projects. Some have voiced frustration over the Open Networking Foundation’s stewardship of OpenFlow, so OpenDaylight could be a way to work around that organization. Also, OSI president and InfoWorld contributor Simon Phipps wonders why Project Crossbow, an open source network virtualization technology built into Solaris, appears to have no role in OpenDaylight. You can be sure many more questions will emerge in the coming days and weeks.

The architecture of OpenDaylight
Zemlin described OpenDaylight as an extensible collection of technologies. “This project will focus on software and will deliver several components: an SDN controller, protocol plug-ins, applications, virtual overlay network, and the architectural and the programmatic interfaces that tie those things together.”

This list is consistent with the basic premise of SDN, where the control and data planes are separated, with a central controller orchestrating the data flows of many physical or virtual switches (the latter running on generic server hardware). OpenFlow currently provides the only standardized interface supported by many switch vendors, but OpenDaylight also plans to support other standards as well as proprietary interfaces as the project evolves.

More exciting are the “northbound” REST APIs to the controller, atop which developers will be able to build new types of applications that run on the network itself for specialized security, network management, and so on. In support of this, Cisco is contributing an application framework, while Citrix is throwing in “an application controller that integrates Layer 4-7 network services for enabling application awareness and comprehensive control.”

Although the embargoed OpenDaylight announcement was somewhat short on detail, a couple of quick conclusions can be drawn. One is that — on the model of Hadoop, Linux, and OpenStack — the future is now being hashed out in open source bits rather than standards committees. The rise in the importance of open source in the industry is simply stunning, with OpenDaylight serving as the latest confirmation.

More obviously, the amazing breadth of support for OpenDaylight signals new momentum for SDN. To carve up data center resources with the flexibility necessary for a cloud-enabled world where many tenants must coexist, the network needs to have the same software manageability as the rest of the infrastructure. OpenDaylight leaves no doubt the industry recognizes that need.

If the OpenDaylight Project can avoid getting bogged down in vendor politics, it could complete the last mile to the software defined data center in an industry-standard way that lowers costs for everyone. It could do for networking what OpenStack is doing for cloud computing.


Symantec finds Linux wiper malware used in S. Korean attacks

Friday, March 22nd, 2013

The cyber attacks used malware called Jokra and also targeted Windows computers’ master boot records

Security vendors analyzing the code used in the cyber attacks against South Korea are finding nasty components designed to wreck infected computers.

Tucked inside a piece of Windows malware used in the attacks is a component that erases Linux machines, an analysis from Symantec has found. The malware, which it called Jokra, is unusual, Symantec said.

“We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat,” the company said on its blog.

Jokra also checks computers running Windows XP and 7 for a program called mRemote, which is a remote access tool that can be used to manage devices on different platforms, Symantec said.

South Korea is investigating the Wednesday attacks that disrupted at least three television stations and four banks. Government officials reportedly cautioned against blaming North Korea.

McAfee also published an analysis of the attack code, which overwrote a computer’s master boot record (MBR), the first sector of the hard drive that the computer reads before the operating system is booted.

A computer’s MBR is overwritten with either one of two similar strings: “PRINCPES” or “PR!NCPES.” The damage can be permanent, McAfee wrote. If the MBR is corrupted, the computer won’t start.

“The attack also overwrote random parts of the file system with the same strings, rendering several files unrecoverable,” wrote Jorge Arias and Guilherme Venere, both malware analysts at McAfee. “So even if the MBR is recovered, the files on disk will be compromised too.”
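As an added example (not part of Symantec’s or McAfee’s analyses), a defender-side check that inspects a 512-byte master boot record for the two marker strings quoted above, a missing 0x55AA boot signature, and an empty partition table, and that locates the same markers anywhere in a larger image. Both sample sectors are constructed here; the partition-entry layout used to build the healthy sample is the standard MBR format.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
# The two marker strings McAfee reported in the overwritten MBRs.
WIPER_MARKERS = (b"PRINCPES", b"PR!NCPES")


def inspect_mbr(sector: bytes) -> dict:
    """Return findings for one 512-byte master boot record.

    Checks the boot signature at offset 510, the four 16-byte partition
    entries starting at offset 446, and whether either wiper marker appears
    in the sector (or fills it entirely, the pattern of a wiped disk).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    markers = [m.decode() for m in WIPER_MARKERS if m in sector]
    has_signature = sector[510:512] == BOOT_SIGNATURE
    table = sector[446:510]
    populated = sum(1 for i in range(4) if any(table[i * 16:(i + 1) * 16]))
    filled = any(sector == m * (SECTOR_SIZE // len(m)) for m in WIPER_MARKERS)
    return {
        "wiper_markers": markers,
        "boot_signature": has_signature,
        "partition_entries": populated,
        "filled_with_marker": filled,
        "wiped": bool(markers) or not has_signature,
    }


def find_marker_offsets(blob: bytes) -> list:
    """Offsets of every wiper marker in a larger image; the analysts said the
    same strings were also written over random parts of the file system."""
    hits = []
    for m in WIPER_MARKERS:
        start = 0
        while (pos := blob.find(m, start)) != -1:
            hits.append((pos, m.decode()))
            start = pos + 1
    return sorted(hits)


def build_healthy_mbr() -> bytes:
    """Constructed sample: boot code, one active Linux partition, valid signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * 443                      # 446 bytes
    # flag, CHS start, type 0x83 (Linux), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x83,
                        b"\xFE\xFF\xFF", 2048, 2_097_152)            # 16 bytes
    table = entry + b"\x00" * 48                                     # 64 bytes
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr(marker: bytes = b"PRINCPES") -> bytes:
    """Constructed sample: the sector filled end to end with one marker."""
    return marker * (SECTOR_SIZE // len(marker))


if __name__ == "__main__":
    print(inspect_mbr(build_healthy_mbr()))
    print(inspect_mbr(build_wiped_mbr()))
```

On a real system the sector would come from the first 512 bytes of a disk image taken before any recovery attempt; `find_marker_offsets` can then be run over the rest of the image to gauge how much of the file system was hit.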

The malware also attempts to shut down two South Korean antivirus products made by the companies Ahnlab and Hauri. Another component, a BASH shell script, attempts to erase partitions on Unix systems, including Linux and HP-UX.

Security vendor Avast wrote on its blog that the attacks against South Korean banks originated from the website of the Korean Software Property Right Council.

The site had been hacked to serve up an iframe that delivered an attack hosted on another website, Avast said. The actual attack code exploits a vulnerability in Internet Explorer dating from July 2012, which has been patched by Microsoft.


We’re going to blow up your boiler: Critical bug threatens hospital systems

Thursday, February 7th, 2013

21,000 vulnerable systems found on the Internet, used by hospitals, others.

More than 20,000 Internet-connected devices sold by Honeywell are vulnerable to a hack that allows attackers to remotely seize control of building heating systems, elevators, and other industrial equipment and, in some cases, cause them to malfunction.

The hijacking vulnerability in Niagara AX-branded hardware and software sold by Honeywell’s Tridium division was demonstrated at this week’s Kaspersky Security Analyst Summit in San Juan, Puerto Rico. Billy Rios and Terry McCorkle, two security experts with a firm called Cylance, allowed an audience to watch as they executed a custom script that took about 25 seconds to take control of a default configuration of the industrial control software. When they were done they had unfettered control over the device, which is used to centralize control over alarm systems, garage doors, heating ventilation and cooling systems, and other equipment in large buildings.

Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or to sabotage large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.

“We actually just used this against one of our premium clients a couple weeks ago,” Rios said, referring to a penetration test he performed to test a customer’s network for hacking vulnerabilities. “They were pretty shocked. They took their device off the Internet before the engagement was over.”

The researchers said a recent query on the Shodan computer search engine found 21,541 Internet-connected Niagara devices, some operated by military installations, hospitals, and other mission-critical facilities. Tests the pair performed on a small sample of the machines confirmed they were accessible over the Internet. The nondescript boxes are often installed by third-party contractors in out-of-the-way closets, so on-site administrators and managers may not even know they’re in use. In addition to opening up critical equipment to tampering, Tridium’s products also expose corporate and government networks to intruders, since the devices are often connected directly to local networks using one of two Ethernet ports built into the boxes.

ICS: less secure than iTunes

This week’s hack was only the latest demonstration of the risks created by many industrial control systems (ICS), which are designed to use computers to control building temperatures, turn alarms on and off, and maintain emergency generators and industrial power supplies. Tridium quietly patched its Niagara software last year after Rios and McCorkle found it contained a separate vulnerability that also allowed unauthorized access. A raft of other ICS devices have been found to contain similar critical defects, including those from Siemens-owned Ruggedcom and a line of mission-critical routers made by Fremont, California-based GarrettCom.

The devices are billed as a way to lower the cost of maintaining large collections of equipment that are often scattered throughout buildings or other facilities. Rather than requiring engineers to physically travel to where each device is physically located, they can make changes remotely, from a single office in the building, or even off site. Indeed, Tridium’s marketing material defines the Niagara framework as a “universal software infrastructure that allows companies to build custom, web-enabled applications for accessing, automating, and controlling smart devices in real time over the Internet.” The company provides a wealth of customer case studies, including one from the James Cook University Hospital in the UK.

Security experts have long argued that the convenience often comes at the price of security, and there are some disturbing examples of the risks from the last couple of years. In 2009, a recently discharged security guard who had physical access to ICS computers was arrested after posting screen shots and videos showing him planning to remotely cripple air-conditioning systems at a Texas hospital, where temperatures regularly reach into the triple digits. Last year, hackers illegally accessed the Internet-connected heating and air-conditioning controls of a New Jersey-based company. The vulnerability the intruders exploited was the same one Tridium patched in secret last year.

Despite the potentially critical consequences of ICS hacks, manufacturers sometimes decline to patch their wares at all, giving rise to the term forever-day vulnerabilities. Last year, Rios said the security of iTunes was more robust than most ICS software.

Game Over

Rios and McCorkle declined to describe the specific series of vulnerabilities behind their latest hack other than to say the bugs allowed them to remotely acquire a configuration file used to customize a Niagara box for a specific network. Among other things, the config.bog file contains user names and passwords that are encoded using “encraption,” the word the research pair uses to describe Tridium engineers’ encryption routines. Using the credentials, they were able to gain access to the “station” layer of the device that provides only limited user rights. Exploiting another series of vulnerabilities allowed them to access Niagara’s “platform,” which gives them full “system” access when it runs on Microsoft Windows or “root” access when running on Linux or a proprietary embedded operating system.

“Once we own the platform, it’s game over,” Rios said.

[Image: The Tridium hack in action. The screens on the left show the attack platform. The screen on the right is the Niagara AX framework responding. Credit: Dan Goodin]

Rios said he acquired a Tridium box by purchasing one on eBay. He then spent months reverse engineering the firmware it ran. His job was made easy by the fact that much of the Niagara framework uses unsigned, unobfuscated Java code, allowing him to decompile the binary and read the raw source code.

In a statement issued Wednesday evening, Tridium officials said:

Tridium takes these security issues very seriously and we appreciate the efforts by researchers like Billy Rios and Terry McCorkle to raise awareness about them.

Tridium was made aware of the vulnerability cited at the conference in late December 2012, and immediately began working on a solution, in cooperation with both ICS-Cert and the researchers. We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today. We share the concern that Mr. Rios and Mr. McCorkle have in raising awareness about the need to protect Internet-facing control systems. The vast majority of Niagara AX systems are behind firewalls and VPNs – as we recommend — but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.

The Tridium vulnerabilities are among more than 1,000 bugs Rios and McCorkle have reported to ICS manufacturers over the past year, resulting in 30 advisories issued by the Department of Homeland Security-affiliated ICS-CERT. They said the engineers who designed the systems are often defensive and direct their anger back at the researchers once the vulnerabilities are disclosed.

“We don’t think we’re the only ones that are doing this,” Rios said of the research into ICS. “There’s tons of other people that are doing this and they’re not standing on a stage somewhere presenting their work for the whole world to see. That’s what they really need to worry about. These guys are kind of stuck a little bit in the stone age.”


IBM brings Watson technologies to new Power servers for SMBs

Tuesday, February 5th, 2013

IBM’s Watson supercomputer outperformed humans in the televised game show “Jeopardy.” Now the company is moving some of its underlying technologies from the supercomputer into new entry-level servers.

The company’s new Power Express servers announced on Tuesday will integrate some hardware and software elements derived from Watson. The servers start at US$5,947, and IBM is targeting the new products at businesses with over 100 employees.

The new Power Express 710, 720, 730 and 740 servers include IBM’s Power7+ chips, which were introduced in October. By lowering the price of the servers, IBM hopes to take on rivals like Hewlett-Packard and Dell, which sell large volumes of commodity servers based on x86 chips.

With Watson technologies, companies can use the new servers to analyze warehouses of data, and to answer complex queries with high levels of confidence. The technologies will provide insights into structured and unstructured data at a cheaper cost, said Steve Sibley, director of Power Systems offering management at IBM.

“The ability to leverage that capability for analytics is more affordable than ever,” Sibley said.

Watson used advanced algorithms and a natural language interface to answer questions on Jeopardy, but not all advanced technologies will make it to the new entry-level servers. Some common features such as the core customized software to analyze warehouses of data will be available depending on the price, configuration and target market. Another technology being adopted from Watson is Hadoop, a scalable computing environment that deals with large data sets. IBM’s Cognos and SPSS software can be built on top of the integrated offerings for business and predictive analytics.

The servers can be used by mid-size clients to more effectively manage supply chains, Sibley said. Using software and hardware, the servers can help manage inventory or build catalogs, Sibley said.

IBM’s Power offerings have traditionally appealed to large organizations, though some smaller companies have adopted the servers. Power servers have done well in industries like healthcare and retail, and the Power Express servers may be attractive to small or midmarket companies in the same industries, Sibley said.

For example, IBM’s high-end Power servers can help diagnose diseases using technologies derived from the Watson project. While it may be expensive to implement technologies like natural language interfaces in the entry-level servers, IBM will provide analytics capabilities to meet the budgets of smaller businesses.

The new servers also enable virtualization and can help businesses deploy private clouds, Sibley said. The servers are offered with optional PowerVM, which can virtualize memory, processors, networking and storage to effectively manage server resources.

The single-socket Power 710 Express and two-socket 730 Express are 2U rack servers that offer maximum storage of up to 5.4TB. The 710 has a memory capacity of 256GB, while the 730 has more disk bays and supports up to 512GB of memory in eight slots. The servers have five PCI-Express slots.

The single-socket Power 720 Express and two-socket 740 Express are 4U rack servers with storage capacity of up to 7.2TB. The servers support up to 512GB of memory, while the 720 has 25 PCI-Express slots, and the 740 has 45 PCI-Express slots.

Depending on the configuration, processor options include Power7+ with between four and 16 cores. The servers run IBM’s AIX, Red Hat Enterprise Linux 6.2 or SUSE Linux Enterprise Server 11.

IBM also upgraded its high-end Power 750 Express 19U rack with Power7+ chips. It also announced the faster and denser PureData System for Analytics for advanced analytics, a new PureApplication System for cloud deployments, and a PureApplication System on Power7+ for transaction processing and analytics in the cloud.


Aruba brings Wi-Fi to wall plates

Thursday, January 31st, 2013

The typical Wi-Fi deployment today involves access points deployed in hallways or rooms as standalone boxes. As the move towards pervasive wireless access grows, so too have the demands on wireless infrastructure. That’s where Aruba Networks (NASDAQ:ARUN) is aiming to fill a gap with a new wall mountable access point.

The AP-93H is a 2×2 MIMO 802.11n access point that can be installed on a standard wall mount for wired Ethernet access. The AP-93H has a gigabit uplink port for high-speed connectivity to the wired network. The access point is a dual-band radio operating in either the 2.4 GHz or the 5 GHz range. On the software side the device includes the Linux-powered Aruba OS.

Among the target markets for the AP-93H are hotel and dorm room type deployments.

“Over the past few years, the number of mobile devices have really exploded,” Manish Rai, head of Industry Solutions for Aruba, told “I think we have reached a tipping point where it makes sense to increase the capacity and move to an in-room deployment for better coverage.”


Cisco brings Unified Access to Catalyst switching

Wednesday, January 30th, 2013

Cisco’s $100 million R&D investment results in new silicon that will support unified access and SDN.

For the most part, wired and wireless networks on the enterprise campus have been two separate entities controlled by different technologies.  That’s about to change, thanks to a new suite of Unified Access technologies announced today by Cisco.

At the core of the Cisco announcement is new silicon that will enable the convergence of wired and wireless traffic.  The Cisco Unified Access Data Plane (UADP) is an ASIC that has up to 1.4 billion transistors on it.  Cisco has invested over $100 million in research and development to bring the UADP to market.

“The UADP has high performance and it’s also programmable,” Inbar Lasser-Raab, Senior Director of Enterprise Networking Marketing at Cisco, told Enterprise Networking Planet.  “It also supports the open APIs of the Cisco ONE environment, so you can do some really interesting applications with it.”

Cisco ONE is the Software Defined Networking (SDN) approach that Cisco first announced in June 2012.  With Cisco ONE, the underlying networking hardware can be abstracted via APIs to enable software defined control across a network.

The UADP ASIC is being first deployed on a pair of new hardware appliances.  One of them is the Catalyst 3850 Unified Access Switch, which includes a wireless network controller.

“For the first time, we have single network solution that brings together wired, wireless with high-performance and the same set of features across both types of access,” Lasser-Raab said.  “So it’s not just a single physical infrastructure for wired and wireless, it’s also the same set of network intelligence like QoS, network visibility and control.”

The Catalyst 3850 includes two of the new UADP ASICs to power both wired and wireless traffic. The 3850 can be configured with up to 48 ports, and multiple boxes can be stacked to deliver up to 480 Gbps of stacking bandwidth. The switch also supports the Power over Ethernet Plus (PoE+) 802.3at standard, enabling up to 30 W of power transfer per port.

On the wireless controller side, the Catalyst 3850 series can support up to 50 wireless access points and 2000 wireless clients on each switch.

Cisco 5760 Wireless LAN Controller

While the Catalyst is all about combining wired and wireless control in a single box, Cisco figures there are still use cases for a standalone controller as well. The Cisco 5760 Wireless LAN Controller is powered by a trio of UADP ASICs and delivers 60 Gbps of capacity. Lasser-Raab noted that different customers have different needs and that’s why Cisco is debuting a standalone controller. She noted that the 5760 is the most scalable Cisco wireless controller ever built, with support for up to 1,000 access points.

Linux Powered

Both the 5760 and the 3850 are powered by Cisco’s IOS-XE operating system.  IOS-XE in turn is based on the open source Linux operating system, which Cisco has enhanced over the years to support enterprise networking requirements.

“The beauty of that is we’re now using a consistent version of IOS for both wired and wireless access, providing the same capabilities across the solution,” Lasser-Raab said.


Apache plugin turns legit sites into bank-attack platforms

Wednesday, December 19th, 2012

Module found operating in the wild causes sites to push malware on visitors.

A malicious Apache module found operating in the wild turns sites running the Internet’s most popular Web server into platforms that surreptitiously install malware on visitors’ computers.

The plugin, which was discovered by researchers from antivirus provider Eset, is an x64 Linux binary that streamlines the process of injecting malicious content into compromised websites. It was found running on an undisclosed website that exposed end users to a variety of exploits that installed the ZeuS banking trojan, also known as Win32/Zbot. It also pushed malware from Sweet Orange, a newer exploit kit hosted by servers in Lithuania that competes with ZeuS. When Eset discovered the plugin last month, it was connecting to command and control servers in Germany and was being used to target banking customers in Russia and elsewhere in Europe.

“This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate,” Pierre-Marc Bureau, Eset’s security intelligence program manager, wrote in a blog post. “It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot.”

The Apache plugin, which Eset software flags as Linux/Chapro.A, contains several features designed to make infections stealthy. To prevent being widely detected, it doesn’t serve malicious content when a visitor’s browser user agent indicates it’s coming from Google or another automated search-engine agent. It also holds its fire against IP addresses that connect to the Web server over SSH-protected channels, preventing site administrators from being exposed. It also uses browser cookies and IP logging to prevent visitors from being exposed to exploits more than once. By hiding the attacks from search engines and admins—and making it hard to determine how end-user machines are infected—the features make it harder to identify the site as compromised.

The compromised site found by Bureau was injecting invisible iframe tags into otherwise legitimate webpages. The iframes he observed attempted to exploit at least four previously patched security bugs in Microsoft Internet Explorer, Adobe Reader, and Oracle’s Java software framework. The plugin has the capability to inject malicious JavaScript into Web content, giving it another powerful avenue for attack.

Bureau didn’t say how the site running the plugin was hacked. Many legitimate websites used in malware attacks are commandeered after administrator credentials are compromised. He said the malicious Apache plugin is separate from a Linux rootkit discovered last month that also injects malicious content into otherwise legitimate webpages.

Engineers who develop and maintain Apache offer programming interfaces that allow anyone to write modules that give the Web server additional capabilities. The module discovered by Eset is almost certainly written by a third party that has no affiliation with the Apache Foundation.


25-GPU cluster cracks every standard Windows password in <6 hours

Monday, December 10th, 2012

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft’s LM algorithm—which many organizations enable for compatibility with older Windows versions—will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

“What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate,” Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. “We can attack hashes approximately four times faster than we could previously.”

Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined “Why passwords have never been weaker—and crackers have never been stronger,” Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

Using the new cluster, the same attack would move about four times faster. That’s because the machine is able to make about 63 billion guesses per second against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses per second his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can’t be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

The technique doesn’t apply to online attacks, because, among other reasons, most websites limit the number of guesses that can be made for a given account.

The advent of GPU computing over the past decade has contributed to huge boosts in offline password cracking. But until now, limitations imposed by computer motherboards, BIOS systems, and ultimately software drivers limited the number of graphics cards running on a single computer to eight. Gosney’s breakthrough is the result of using VCL virtualization, which spreads larger numbers of cards onto a cluster of machines while maintaining the ability for them to function as if they’re on a single computer.

“Before VCL people were trying lots of different things to varying degrees of success,” Gosney said. “VCL put an end to all of this, because now we have a generic solution that works right out of the box, and handles all of that complexity for you automatically. It’s also really easy to manage because all of your compute nodes only have to have VCL installed, nothing else. You only have your software installed on the cluster controller.”

The precedent set by the new cluster means it’s more important than ever for engineers to design password storage systems that use hash functions specifically suited to the job. Unlike MD5, SHA1, SHA2, the recently announced SHA3, and a variety of other “fast” algorithms, functions such as Bcrypt, PBKDF2, and SHA512crypt are designed to expend considerably more time and computing resources to convert plaintext input into cryptographic hashes. As a result, the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses per second against Bcrypt and 364,000 guesses per second against SHA512crypt.
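An added example, not from the article or from Hashcat, that puts the two preceding points side by side: the offline check described above (hash each guess with the same function and look it up in the leaked list) run against constructed unsalted SHA1 digests, and the same passwords stored with a salted PBKDF2-HMAC-SHA256 record instead. The leaked digests, word list and the 600,000-iteration work factor are assumptions chosen for the illustration; the keyspace and word-list arithmetic uses the article’s own rates.

```python
import hashlib
import hmac
import os

# Constructed sample: unsalted SHA1 digests stored the way the LinkedIn dump
# was, plus a five-word list standing in for a 500-million-entry one.
LEAKED_SHA1 = {
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"Summer2012!").hexdigest(),
    hashlib.sha1(os.urandom(16)).hexdigest(),   # random password: never in a list
}
WORDLIST = ["password", "linkedin", "letmein", "Summer2012!", "qwerty"]

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256


def audit_unsalted_hashes(leaked: set, wordlist, hash_name: str = "sha1") -> dict:
    """The offline check the article describes: one hash per guess, compared
    against every leaked digest at once. Without a salt, a single pass over
    the word list covers all accounts, which is why fast hashes fall so quickly.
    Returns {digest: recovered_password}."""
    found = {}
    for guess in wordlist:
        digest = hashlib.new(hash_name, guess.encode()).hexdigest()
        if digest in leaked:
            found[digest] = guess
    return found


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as a self-describing salted PBKDF2 record.
    Format (our own convention): algo$iterations$salt_hex$derived_key_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the record's own salt and iteration
    count and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def brute_force_hours(charset: int, length: int, guesses_per_second: float) -> float:
    """Hours to exhaust charset^length at a fixed rate; 95^8 at 350 billion/s
    is the article's sub-six-hour NTLM figure."""
    return charset ** length / guesses_per_second / 3600


def wordlist_attack_seconds(accounts: int, words: int,
                            guesses_per_second: float, salted: bool) -> float:
    """Cost of one word-list pass against a leaked store. Unsalted: the list is
    hashed once for all accounts. Salted: every account needs its own pass."""
    passes = accounts if salted else 1
    return passes * words / guesses_per_second


if __name__ == "__main__":
    print(audit_unsalted_hashes(LEAKED_SHA1, WORDLIST))
    rec = hash_password("Summer2012!")
    print(rec, verify_password("Summer2012!", rec))
    print(f"{brute_force_hours(95, 8, 350e9):.2f} h for 95^8 NTLM guesses")
    # 6.5 million accounts, 500 million words: SHA1 at 63 billion/s versus
    # the same list against salted bcrypt at 71,000/s (rates from the article).
    print(wordlist_attack_seconds(6_500_000, 500_000_000, 63e9, salted=False))
    print(wordlist_attack_seconds(6_500_000, 500_000_000, 71_000, salted=True))
```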

For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren’t enough. Given the prevalence of cracking lists measured in the hundreds of millions, it’s also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn’t contained in such lists is to choose a text string that’s randomly generated using Password Safe or another password management program.

Slides of Gosney’s Passwords^12 presentation are here.


Linux users targeted by mystery drive-by rootkit

Wednesday, November 21st, 2012

The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack.

Posted anonymously to Full Disclosure on 13 November by an annoyed website owner, the rootkit has since been confirmed by CrowdStrike and Kaspersky Lab as being distributed to would-be victims via an unusual form of iFrame injection attack.

Aimed specifically at users of the latest 64-bit Debian Squeezy kernel (2.6.32-5), the rootkit has been dubbed ‘Rootkit.Linux.Snakso.a’ by Kaspersky Lab.

After trying to hook into important kernel functions and trying to hide its own threads, Snakso sets out to take over the target system. Exactly what purpose lies behind this general ambition is unclear, although the researchers suspect a conventional rather than political or nuisance motive.

The good news is that the rootkit looks like a work in progress, and contains enough programming rough edges to mark it out as ‘in development’.

The malware’s relatively large binary size of 500k, and the inclusion of debug code, is another giveaway that this might be a work in progress.

As significant as its design is where it might have come from. In the view of the CrowdStrike analyst, Russia is the most likely origin which would put it in the realm of the professional cybercriminals.

“Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cybercrime operation and not a targeted attack,” notes CrowdStrike.

“However, a Waterhole attack, where a site mostly visited from a certain target audience, would also be plausible.”

It is at this point in any Linux malware story that we point out the complexity of targeting the platform, not to mention the vanishingly small number of documented examples.

The most recent was the ‘Wirenet’ Trojan in August, a browser password stealer discovered by Russian firm Dr Web. Other examples have been based on cross-platform Java malware.

What is apparent is that criminals now have more than a passing interest in the platform and its admin-dominated user base.

“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future,” said Marta Janus of Kaspersky Lab.


DoS vulnerability affects older iPhones, Droids, even a Ford car

Friday, October 26th, 2012

Publicly available code allows hackers to disable Wi-Fi in a range of products.

The iPhone 4 and a slew of older devices from Apple, Samsung, HTC, and other manufacturers are vulnerable to attacks that can make it impossible to send or receive data over Wi-Fi networks, a security researcher said. Code published online makes it trivial for a moderately skilled hacker to knock older iPhones, HTC Droid Incredible 2s, Motorola Droid X2s, and at least two dozen other devices, including Ford’s Edge cars, off Wi-Fi. The denial-of-service vulnerability stems from an input-validation error (an out-of-bounds read) in the firmware of two wireless chips sold by Broadcom, the BCM4325 and the BCM4329. The US Computer Emergency Readiness Team (US-CERT) has also issued an advisory warning of the vulnerability.

“The only requirement to exploit the vulnerability is to have a wireless card that supports [the] raw inject of 802.11 frames,” Andrés Blanco, one of the researchers from Core Security who discovered the vulnerability, told Ars. “The Backtrack Linux distribution has almost everything you need to execute the POC provided in the advisory.”

The Core Security advisory said that Broadcom has released a firmware update that patches the “out-of-bounds read error condition” in the chips’ firmware. Device manufacturers are making it available to end users on a case-by-case basis since many of the affected products are older and already out of service.

Blanco said the exploit makes it impossible for an affected device to send or receive data over Wi-Fi for as long as the DoS attack lasts. Once the malicious packets subside, the device will work normally. Other device functions are unaffected by the Wi-Fi service interruption. He said it’s possible the bug could be exploited to do more serious things.

“We are not sure that we could retrieve private user data but we are going to look into this,” he said.


Red Hat, Dell announce OEM partnership

Tuesday, May 8th, 2012

The deal could mean a further expansion of open-source software use in the enterprise

The announcement Tuesday of a new partnership between Dell and Red Hat could mark a further expansion of open-source software use in the enterprise.

OEM customers looking to Dell for custom products will now have additional open-source options. Red Hat Enterprise Linux and JBoss join SUSE as standard choices for Dell OEM.

Red Hat’s recently acquired status as the first billion-dollar open-source business underlines the importance of open technologies and their growing appeal to a wide variety of firms.

“I think everybody’s wanting to have alternatives,” says Ron Pugh, Dell executive director and general manager of the company’s OEM solutions group for the Americas. “Most of our customers have … seen that there are some benefits [to Linux use] from a time-to-market perspective and working with the open-source community.”

Among the most important verticals for this new OEM partnership, he adds, are telecommunications and security equipment manufacturers. The former industry is “entirely green-field” for Dell, while Red Hat’s prominence in the latter area should help boost sales.

“We see this as the next step in companies moving from proprietary architecture to building their own things from the ground up to a commodity … solution, and both companies see that we can help each other,” according to Pugh.

The deal with Red Hat is part of Dell’s ongoing transformation from a pure hardware manufacturer into a vendor of a wide range of business services. The company’s recent run of acquisitions have been focused on some of the hottest areas of enterprise technology, including virtualization and security. Given the increasing popularity of open source — and recent moves by rivals like IBM, which released a line of specialized PowerLinux servers last month — Dell’s move emphasizes its continuing transition.


Hacker commandeers GitHub to prove Rails vulnerability

Tuesday, March 6th, 2012

A Russian hacker dramatically demonstrated one of the most common security weaknesses in the Ruby on Rails web application framework. By doing so, he gained write access to the Rails repository on GitHub, the site used to distribute Linux and thousands of other open-source software packages.

Egor Homakov exploited what’s known as a mass assignment vulnerability in GitHub to gain administrator access to the Ruby on Rails repository hosted on the popular website. The weekend hack allowed him to post an entry in the framework’s bug tracker dated 1,001 years into the future. It also allowed him to gain write privileges to the code repository. He carried out the attack by replacing a cryptographic key of a known developer with one he created. While the hack was innocuous, it sparked alarm among open-source advocates because it could have been used to plant malicious code in repositories millions of people use to download trusted software.

Homakov launched the attack two days after he posted a vulnerability report to the Rails bug tracker warning that mass assignment in Rails left websites relying on the framework susceptible to compromise. A variety of developers replied that the vulnerability is already well known and that responsibility for preventing exploits rests with those who use the framework. Homakov responded by saying that even developers of large sites such as GitHub, Poster, Speakerdeck, and Scribd were failing to adequately protect against it.

In the following hours, participants in the online discussion continued to debate the issue. Mass assignment is to Rails what SQL injection is to other web applications: a bug so common that many users have grown impatient with warnings about it. Maintainers of Rails have largely argued that individual developers should single out and “blacklist” (via attr_protected) attributes too sensitive to be externally modifiable. Others, such as Homakov, have said Rails should turn on whitelisting (attr_accessible) by default; currently, applications must explicitly enable that protection.
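The blacklist-versus-whitelist argument is easier to follow with the two update paths side by side. Below is an added example (not code from Homakov, GitHub or the Rails project), written in plain Python rather than Rails so it runs stand-alone: a toy public-key record whose owner field is written by unfiltered mass assignment in one version and guarded by an attribute allow-list in the other. The record schema, the field names and the user IDs are hypothetical, and the request body is constructed.

```python
class PublicKey:
    """Toy stand-in for a stored SSH public key (hypothetical schema).
    user_id is the owner and must never be settable from a web form."""

    def __init__(self, key_id, user_id, title, key):
        self.key_id = key_id
        self.user_id = user_id
        self.title = title
        self.key = key


# Attributes a user may legitimately edit through the "edit key" form.
PERMITTED = frozenset({"title", "key"})


def update_mass_assign(record, params):
    """Vulnerable: every submitted parameter becomes an attribute write, as
    update_attributes(params[:public_key]) does on a Rails 3 model with no
    attr_accessible list. A hand-crafted POST can therefore set user_id and
    re-home the key to someone else's account."""
    for name, value in params.items():
        setattr(record, name, value)
    return record


def update_allowlisted(record, params, permitted=PERMITTED, strict=True):
    """Hardened: only allow-listed attributes are written.

    strict=True raises on any extra parameter (the behaviour of Rails'
    :strict mass_assignment_sanitizer); strict=False drops extras silently,
    which is what attr_accessible does by default. Raising is preferable:
    a smuggled user_id is an attack, not a typo, and deserves a log line.
    """
    extra = set(params) - set(permitted)
    if extra and strict:
        raise ValueError("mass assignment of protected attributes: %s" % sorted(extra))
    for name in set(params) & set(permitted):
        setattr(record, name, params[name])
    return record


def attacker_params():
    """Constructed request body: the two legitimate fields plus a smuggled
    user_id pointing at a (hypothetical) maintainer's account."""
    return {"title": "laptop", "key": "ssh-rsa AAAA...attacker", "user_id": 42}


if __name__ == "__main__":
    mine = PublicKey(key_id=7, user_id=1001, title="old", key="ssh-rsa AAAA...old")
    update_mass_assign(mine, attacker_params())
    print("vulnerable: key now owned by user", mine.user_id)

    mine = PublicKey(key_id=7, user_id=1001, title="old", key="ssh-rsa AAAA...old")
    try:
        update_allowlisted(mine, attacker_params())
    except ValueError as exc:
        print("hardened (strict):", exc)
    update_allowlisted(mine, attacker_params(), strict=False)
    print("hardened (lenient): owner still", mine.user_id, "title now", mine.title)
```

The allow-list belongs in the model (or, from Rails 4 on, in the controller’s strong parameters), not in the view: hidden form fields are an attacker’s input, not a trust boundary.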

A couple of days into the debate, Homakov responded by exploiting mass assignment bugs in GitHub itself. Less than an hour after discovering the attack, GitHub administrators deployed a fix for the underlying vulnerability and began investigating whether other parts of the site suffered from similar weaknesses. The site also temporarily suspended Homakov, later reinstating him.

“Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated,” a blog post published on Monday said. It went on to encourage developers to practice “responsible disclosure.”


HP firmware to ‘mitigate’ LaserJet vulnerability

Friday, December 23rd, 2011

Hewlett-Packard said today that it has taken steps to prevent a “certain type of unauthorized access” to LaserJet printers.

The company didn’t describe its new firmware as a fix for the potential printer problem. Instead, it rather delicately used the word “mitigate,” which the dictionary defines as “to make less severe or painful.” Here’s HP’s full statement on the matter:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

Then again, HP has steadfastly maintained that no customers have reported unauthorized access and that the issue was overblown from the start; in late November it said “there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers.”

At that time, it described the nature of the problem and promised a firmware update to address the issues:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP also at that time decried “speculation” that the LaserJets in question could catch fire because of a firmware update or “this proposed vulnerability.”

Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.

Source:  CNET

Linux Foundation wades into Windows 8 secure boot controversy

Friday, October 28th, 2011

The Linux Foundation wants OEMs to give control of the PC to its owner

The Linux Foundation today released technical guidance to PC makers on how to implement UEFI secure boot without locking Linux or other free software out of new Windows 8 machines. The guidance included a subtle tsk-tsk at Microsoft’s Steven Sinofsky for suggesting that PC owners won’t want to bother with control of their hardware and would happily cede it to operating system makers and hardware manufacturers.

Hey, why should the Free Software Foundation get the last word with its anti-secure-boot petition?

To recap: the next-generation boot specification is the Unified Extensible Firmware Interface (UEFI). Microsoft is requiring Windows 8 PC makers to enable UEFI’s secure boot protocol to qualify for the Windows 8 logo program. Secure boot is intended to thwart bootkit and rootkit infections by checking the signature of each boot loader, driver or other firmware executable against a key database before it is allowed to run. The problem is that the same keys can be used to stop the PC’s owner from wiping the current OS and installing an alternative such as Linux, or from loading their own device drivers.

It is possible for OEMs to implement secure boot in a way that lets users simply disable it. Sinofsky, president of Microsoft’s Windows division, pointed this out in a blog post last month, and noted that the Samsung Windows 8 developer tablet given away to BUILD attendees could disable secure boot. But Microsoft is not mandating a disable option. Matthew Garrett, a Red Hat developer who has been involved in the UEFI specification process, has said Red Hat is aware of some Windows 8 PCs that give users no way to disable secure boot.

The issue becomes trickier still if PC owners want to keep secure boot enabled and still load Linux, or dual-boot Windows and Linux. In that case they need control of the platform key (PK): only the holder of the PK can authorise changes to the key exchange keys (KEK), which in turn control updates to the signature database (db) against which firmware, drivers and operating system loaders are validated. They then need a way to manage that database.

Many free software advocates fear Microsoft is pushing an approach in which the key does not wind up in the hands of the device’s owner. “Steven Sinofsky has suggested in his blog posting … that the average platform owner might wish to give up control of the PK [platform key] (and with it control of the signature database) to Microsoft and the OEM suppliers of the platform. This mode of operation runs counter to the UEFI recommendation that the platform owner be the PK controller,” the authors say in their paper, Making UEFI Secure Boot Work With Open Platforms. The paper was written by James Bottomley, CTO at Parallels, and Jonathan Corbet, Editor at , both of whom sit on the Linux Foundation Technical Advisory Board.

The paper’s authors concede that some PC owners may have no desire to manage a PK infrastructure to use their PCs and would just as soon give it over to Microsoft to do, even if that means they will not be able to load drivers or operating systems unless Microsoft first approves.

But for those who want control and want the extra security secure boot affords, the Linux Foundation proposes several guidelines. It wants:

1) All platforms that enable UEFI secure boot to ship “in setup mode”, where the PC owner is the one who initially controls the platform key. The owner can choose at that point to hand control to a key held by Microsoft. The device owner should also be able to return to setup mode and change that choice, which is particularly important if the owner sells the machine.

2) An operating system to detect when the PC is in setup mode, install keys appropriately at that time, and then activate secure boot mode.

3) A firmware-based mechanism that allows a platform owner to add new keys for validating software while running in secure mode, so that dual-boot systems can be set up.

4) A firmware-based mechanism for easy booting off removable media.

5) At some future time, an operating-system- and vendor-neutral certificate authority to issue keys for third-party hardware and software vendors. The paper notes that while this would make secure boot easier to use, a new CA isn’t mandatory.
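Guideline 2 starts with the operating system finding out which state the firmware is in. On Linux that is a matter of reading two one-byte UEFI variables, SetupMode and SecureBoot, through efivarfs. The following is an added example (not code from the Linux Foundation paper) that parses the efivarfs file format and maps the two flags onto the three states the guidance distinguishes. It assumes a current kernel with efivarfs mounted at /sys/firmware/efi/efivars; the variable images in the test are constructed.

```python
import os
import struct

# EFI_GLOBAL_VARIABLE_GUID: vendor GUID of SecureBoot, SetupMode, PK, KEK and db.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # efivarfs mount point (assumed)


def parse_efivar(raw):
    """Split an efivarfs file image into (attribute bitmask, variable data).

    efivarfs prepends a 4-byte little-endian attribute word to each variable:
    bit 0 NON_VOLATILE, bit 1 BOOTSERVICE_ACCESS, bit 2 RUNTIME_ACCESS,
    bit 5 TIME_BASED_AUTHENTICATED_WRITE_ACCESS (set on PK, KEK and db).
    """
    if len(raw) < 4:
        raise ValueError("efivar image shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def flag_var(raw):
    """Decode a one-byte UEFI boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected a 1-byte variable, got %d bytes" % len(data))
    return data[0] == 1


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE, root=EFIVARS):
    """Read the raw efivarfs file for a variable (file name is NAME-GUID)."""
    with open(os.path.join(root, "%s-%s" % (name, guid)), "rb") as fh:
        return fh.read()


def boot_state(read=read_efivar):
    """Return {'SecureBoot': bool, 'SetupMode': bool}. read() is injectable so
    the decoding can be exercised with constructed variable images."""
    return {name: flag_var(read(name)) for name in ("SecureBoot", "SetupMode")}


def describe(state):
    """Map the two flags onto the three states the guidance cares about."""
    if state["SetupMode"]:
        return "setup mode: no PK enrolled, owner can install their own keys"
    if state["SecureBoot"]:
        return "user mode: secure boot enforced, KEK/db changes need a PK-signed update"
    return "user mode: PK enrolled but secure boot disabled in firmware setup"


if __name__ == "__main__":
    try:
        state = boot_state()
    except OSError as exc:
        # Not an EFI boot, efivarfs not mounted, or insufficient permission.
        raise SystemExit("cannot read efivars: %s" % exc)
    print(state, "->", describe(state))
```

Enrolling keys from setup mode (guideline 1) and adding keys later (guideline 3) are authenticated, time-stamped writes to PK, KEK and db rather than plain file writes; in practice that is done with efitools (efi-updatevar from a running system, or KeyTool from the firmware) rather than by hand.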

The authors emphasize that secure UEFI doesn’t have to be a technology that drives stakes between Microsoft and free software.

“Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but, as we have shown, there is no need for things to be that way,” they write. “If vendors ship their systems in the setup mode and provide a means to add new [keys] to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements. ”

Still, how much burden will the average Windows 8 consumer want to take on to manage secure UEFI? How much will the typical enterprise want to do? Can PC makers find a balance?