Wednesday, August 25, 2010

Windows DLL load hijacking exploits go wild

Less than 24 hours after Microsoft said it couldn't patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company's software.

Also on Tuesday, a security firm that's been researching the issue for the last nine months said 41 of Microsoft's own programs can be remotely exploited using DLL load hijacking, and named two of them.
On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.
Microsoft also declined to say whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.
Many Windows applications load code libraries (dynamic-link libraries, or DLLs) by file name alone rather than by full path. Windows then looks for that file name in a fixed sequence of directories, and one of them is the process's current working directory. An attacker who can make that directory point at a location he controls, such as a network share holding a document the user opens, gets the application to load a malicious file that simply carries the same name as a DLL the application expects.
If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack the PC and plant malware on the machine.
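The mechanism behind those attacks can be shown with a small model of the Windows DLL search order. The block below is an added example, not code from the article, from Microsoft or from any of the researchers named here; the paths, the application and the DLL names are constructed. It models the default order with SafeDllSearchMode enabled (application directory, system directories, Windows directory, current working directory, then PATH), plus two hardening options: removing the working directory from the search (what SetDllDirectory("") does, and what Microsoft's CWDIllegalInDllSearch mitigation setting controls), and loading by full path.

```python
"""Model of the Windows DLL search order, to show why a library requested by
bare file name can be hijacked from a directory the attacker controls.
Added example; the filesystem and names below are constructed."""
import re
from typing import Dict, Iterable, List, Optional

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str],
                 cwd_removed: bool = False, safe_search: bool = True) -> List[str]:
    """Directories probed, in order, for a DLL named without a full path.
    cwd_removed models SetDllDirectory("") / CWDIllegalInDllSearch;
    safe_search=False models the old order in which the CWD came second."""
    fixed = [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    cwd_entry = [] if cwd_removed else [cwd]
    order = [app_dir] + (fixed + cwd_entry if safe_search else cwd_entry + fixed)
    return order + list(path_dirs)


def resolve(name: str, fs: Iterable[str], **env) -> Optional[str]:
    """Return the file LoadLibrary(name) would map, or None if nothing matches."""
    files = {_norm(f) for f in fs}
    if re.match(r"^([A-Za-z]:\\|\\\\)", name):      # full path given: no search
        return name if _norm(name) in files else None
    for directory in search_order(**env):
        candidate = directory.rstrip("\\") + "\\" + name
        if _norm(candidate) in files:
            return candidate
    return None


# Constructed filesystem: a viewer application with one DLL it ships, one DLL
# it probes for but does not ship, one real system DLL, and a document the
# user opened from a share where the attacker planted two DLLs by name.
FS = {
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Program Files\Viewer\render.dll",
    r"C:\Windows\System32\example.dll",
    r"\\evil\share\report.doc",
    r"\\evil\share\optional.dll",   # same name as the DLL the viewer lacks
    r"\\evil\share\example.dll",    # same name as an installed system DLL
}
ENV = dict(app_dir=r"C:\Program Files\Viewer", cwd=r"\\evil\share",
           path_dirs=[r"C:\Tools"])


def demo() -> Dict[str, Optional[str]]:
    """What each load request resolves to once the CWD is the attacker's share."""
    return {
        "shipped dll": resolve("render.dll", FS, **ENV),
        "system dll": resolve("example.dll", FS, **ENV),
        "missing dll": resolve("optional.dll", FS, **ENV),
        "missing, cwd removed": resolve("optional.dll", FS, cwd_removed=True, **ENV),
        "missing, full path": resolve(r"C:\Program Files\Viewer\optional.dll", FS, **ENV),
        "system dll, unsafe order": resolve("example.dll", FS, safe_search=False, **ENV),
    }


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:28s} -> {path}")
```

The instructive cases are the middle two: a DLL that is installed in System32 is safe under the default order because System32 is probed before the working directory, but a DLL the application asks for and nobody installed falls through to the attacker's share. Removing the working directory from the search turns the hijack into a clean load failure, and a full-path load never searches at all. Real Windows adds details the model leaves out (KnownDLLs are always taken from System32, manifests and already-loaded modules short-circuit the search), which is why the attack works for optional or delay-loaded DLLs the application requests but that are absent on the victim's machine.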
By Tuesday, at least four exploits of what some call "binary planting" attacks, others dub "DLL load hijacking" attacks, had been published to a well-known hacker site. Two of the exploits targeted Microsoft-made software, including PowerPoint 2010, the presentation maker in Office 2010, and Windows Live Mail, a free e-mail client bundled with Vista but available as a free download for Windows 7 customers.
Other exploits aimed at leveraging DLL load hijacking bugs in uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively.
At the same time, a Slovenian security company claimed that it reported bugs in two Microsoft-made programs last March.
"We're going to publish a list of the vulnerable apps we found sometime soon," said Mitja Kolsek, the CEO of Acros Security. "However, since HD Moore's toolkit is already being used for finding vulnerable apps and at this point hundreds of good and bad guys already know about it, I can say that the two we fully-disclosed to Microsoft were in Windows Address Book/Windows Contacts and Windows Program Manager Group Converter."
HD Moore is the American researcher who kicked off a small wave of DLL load hijacking reports last week when he announced he had found 40 vulnerable Windows applications. On Monday, Moore published an auditing tool that others can use to detect vulnerable software. When combined with an exploit added that same day to Metasploit, the open-source hacking toolkit that Moore authored, the tool's results produce what he called a "point-and-shoot" attack.
All four of the exploits that went public Tuesday appear to be based on Moore's Metasploit attack code.
Although the Windows Address Book -- renamed Windows Contacts with the launch of Vista in 2007 -- may be familiar to users, Program Manager Group Converter is probably not, Kolsek admitted. But both can be exploited.
"They're part of every Windows installation and are associated with certain file extensions, allowing for 'double-click-bang' remote attacks," Kolsek said. "To increase the likelihood of success, an attacker can create a shortcut with a PDF or Word document icon pointing to such files, which otherwise have different, less familiar icons."
Contrary to Kolsek's claim, Program Manager Group Converter, a holdover from pre-Windows 95 days, is included with Windows XP, but not with Vista or Windows 7.
Altogether, Acros uncovered 121 remote execution vulnerabilities in 41 different Microsoft applications, but reported details of only the pair in Address Book/Contacts and Program Manager Group Converter. The rest were left for Microsoft's own researchers to find, said Kolsek.
Like a number of other companies, notably the French firm Vupen Security, Acros has decided that it will no longer report its vulnerability discoveries to vendors without compensation. "We've been giving them away for 10 years now," said Kolsek, "and it wasn't doing anything for us."
In a long post to a new Acros blog, Kolsek added that there was no bad blood between his company and Microsoft over the former's refusal to identify 119 bugs in the latter's products. "It was a mere incompatibility of business interests," he said.
Wireshark's lead developer, Gerald Combs, said today that a fix for the DLL load hijacking bug would be released in the next few days. Microsoft and BitTorrent, the firm responsible for uTorrent, did not reply to requests for comment about their patching plans.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is .

Tuesday, August 24, 2010

Open source Qbo bot makes the jump to ROS, the open source robot OS

While the Willow Garage-initiated ROS is designed to consolidate and accelerate robotics innovation for the long term, it's still a long way from powering your robotic butler / life coach / best friend, so it's exciting to see it put to use in the here and now. The folks at Thecorpora, responsible for the Qbo open source robot project, have been busy converting Qbo's original Java API to ROS, and just announced they're at 99.9 percent completion of that task.

That means the Qbo gets instant access to some of the fun development going on in ROS, like stacking all its cameras and ultrasonic sensors into a system for machine vision, or controlling the bot with a Wiimote or a PS3 controller. Don't think Qbo will be powerful enough for you? Willow Garage just announced that it will put its own ROS-powered PR2 bot on sale soon, after a few months of its (highly successful) PR2 Beta Program.

How to create a 'super password'

The 12-character era of online security is upon us, according to a report published this week by the Georgia Institute of Technology.
The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.
But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to crack them.
"The length of your password in some cases can dictate the vulnerability," said Joshua Davis, a research scientist at the Georgia Tech Research Institute.
It's hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project.
The researchers recommend 12-character passwords -- as opposed to those with 11 or, say, 13 characters -- because that number strikes a balance between "convenience and security."
They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there's a big jump when you add just one more character -- 17,134 years.
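The figures above follow directly from the size of the character set and the assumed guess rate, and they are worth reproducing because the arithmetic shows where the "big jump" comes from. The block below is an added example, not the Georgia Tech researchers' code: it assumes 95 printable characters, 10^12 guesses per second and a worst case in which every combination is tried, and it also runs the same numbers for a lowercase-only password, which the article's later advice about symbols depends on.

```python
"""Worst-case brute-force cost at a fixed guess rate. Added example that
reproduces the article's figures from its own stated assumptions."""
from typing import List, Tuple

PRINTABLE = 95          # printable ASCII characters on a standard keyboard
LOWERCASE = 26
ALNUM = 62
GUESSES_PER_SECOND = 10**12   # the article's "1 trillion per second" attacker
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet ** length


def crack_seconds(length: int, alphabet: int = PRINTABLE,
                  rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried once (average case is half this)."""
    return keyspace(length, alphabet) / rate


def crack_years(length: int, alphabet: int = PRINTABLE,
                rate: int = GUESSES_PER_SECOND) -> float:
    return crack_seconds(length, alphabet, rate) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def length_for_target(years: float, alphabet: int = PRINTABLE,
                      rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose worst-case crack time reaches the target."""
    n = 1
    while crack_years(n, alphabet, rate) < years:
        n += 1
    return n


def summary() -> List[Tuple[str, str]]:
    """The article's three cases, plus what dropping to lowercase-only costs."""
    cases = [
        ("8 printable", 8, PRINTABLE),
        ("11 printable", 11, PRINTABLE),
        ("12 printable", 12, PRINTABLE),
        ("12 lowercase only", 12, LOWERCASE),
        ("16 lowercase only", 16, LOWERCASE),
    ]
    return [(label, human(crack_seconds(n, a))) for label, n, a in cases]


if __name__ == "__main__":
    for label, duration in summary():
        print(f"{label:20s} {duration}")
    print("each extra printable character multiplies the work by", PRINTABLE)
    print("length needed for 100 years at this rate:", length_for_target(100))
```

Two caveats a practitioner would add. First, these are exhaustive-search numbers against a fast hash; a 12-character lowercase password (about 26 hours here) or a sentence built from dictionary words falls much faster to pattern and dictionary attacks than the raw keyspace suggests. Second, the guess rate is the attacker's, not the user's: a slow password hash such as bcrypt cuts it by many orders of magnitude, which is why the server-side hash matters as much as the length.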
Passwords have gotten longer over time, and security experts are already recommending that people use full sentences as passwords.
Here's one suggested password-sentence from Carnegie Mellon University:
"No, the capital of Wisconsin isn't Cheeseopolis!"
Or maybe something that's easier to remember, like this:
"I have two kids: Jack and Jill."
Even though advances in cheap computing power are making long, complicated passwords a necessity, not all websites will accommodate them, Boyd said.
It's best to use the longest and most complex password a site will allow, he said. For example, if a website will let you create a password with non-letter characters -- like "@y;}v%W$\5\" -- then you should do so.
There are only 26 letters in the English alphabet, but there are 95 printable characters on a standard keyboard. A larger character set means far more possible combinations, so it quickly becomes harder for a computer to hit the right password by guessing.
Some websites allow for super-long passwords. The longest one Boyd has seen is at, a financial site that lets users create 32-character passwords.
On a Microsoft website devoted to password security, the tech giant tells the password-creating public not to use real words or logical combinations of letters. That keeps you safer from a "dictionary attack," which uses a database of words and common character sequences to try to guess the code.
The Georgia Tech researchers carried out a "brute force" attack when they determined that passwords should be at least 12 characters long.
To do so, they deployed computer graphics cards, which are cheap and can be programmed to do basic computations very quickly.
The hundreds of processing cores on those cards run in parallel, each trying its share of the possible password combinations. The more characters in a password, the more guesses are required.
But if your password has to be really long in order to keep up with this computational power -- and if you're supposed to have a new password for each website you frequent -- then how are you supposed to remember everything?
That's a real problem, the Georgia Tech researchers said.
There are a few solutions, however.
A password manager such as Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list.
Other companies sell tokens that people carry around with them. These keychain-sized devices generate random numbers several times a minute, and users must enter those numbers and a shorter password to log in.
Some sites -- Facebook for example -- are marketing their log-ins and user names as a way to access sites all over the Web.
That's good for the user but is potentially dangerous because if hackers figure out a single password, they can access multiple banks of information, the researchers said.
The reason passwords have to keep getting longer is that computers and graphics cards are getting faster, the Georgia Tech researchers said.
"These things are really inexpensive -- just a few hundred dollars -- and they have a performance that's comparable to supercomputers of only just a few years ago," Boyd said of fast-processing graphics cards.
Maybe our brains will have to get bigger and faster, too. We'll need some way to remember these tome-like character strings.

Wednesday, August 11, 2010

How to Protect Your Smartphone's Valuable Data

So you just lost your smartphone. It isn't the end of the world, but it sure feels like it.
In addition to the specter of shelling out another couple hundred dollars to replace the hardware, you're facing the loss of all your contacts, your schedule, your to-do lists, your passwords (if you really weren't careful and stored them on the phone), and, oh yeah, the dicey photos you took at the bar last Friday.
All of that is gone, at least for the moment, but if your Apple iPhone, Google Android phone, RIM BlackBerry, or any other smartphone falls into the wrong hands, that vast archive of your personal information won't just be forgotten--it could be cashed in.

The loss of a smartphone wouldn't be so bad if it ended with merely a bit of embarrassment. Since many people now use smartphones for online banking, travel reservations, and storing sensitive business documents, however, a great deal of very private data ends up on the device.
Much of this data is safe behind password-protected applications, but a large portion of it dangles out in the open in e-mail messages, text documents, images, and other files.
What are smartphone users doing to protect the precious data in their pricey handsets?
Apparently not much, according to some industry experts. And that's surprising, given the number of apps and phone features available for safeguarding data. According to McAfee, best known for its antivirus products for personal computers, you're 15 times more likely to lose your cell phone than your laptop computer.

As Good as Cash

Another danger to consider: A lost smartphone may soon be the high-tech equivalent of a lost wallet.
New wireless-transaction services will soon allow a smartphone to replace cash or a credit card at a store's point of purchase. Firethorn, which makes many of the mobile-banking applications that major banks offer, is putting the final touches on SWAGG, an application that will make it possible to purchase, give, and spend gift cards, as well as to manage store-loyalty programs, from a single point. Retailer American Apparel has announced that it will support the SWAGG system for purchases from its stores.
Though the convenience of cell-phone-enabled purchases may be attractive, the danger of losing a cash-enabled phone to a thief is obvious.

Lost or Stolen?
Phones are often lost by accident, but waves of cell phone thefts are nothing new in major cities. For example, passengers of Boston's subway system recently benefited when the Massachusetts Bay Transportation Authority (MBTA) Orange Line was fully wired for T-Mobile and AT&T cell phone service. The other side of the coin, however, has been a rise in cell phone thefts, up 70 percent in the first quarter of 2010 in Boston. According to the same report, 80 percent of the thefts in Philadelphia's subway system are of cell phones.
Though crime stats in New York have declined in recent years, cell phones and iPods lead the way among the types of items stolen. Transit authorities now make regular announcements--in addition to posting signs on platforms and in trains--warning riders not to flash electronic gadgets unnecessarily.
Even people standing still on city sidewalks aren't safe from cell phone thieves.
In July, Covia Labs, a software company based in Mountain View, California, was in San Francisco demonstrating its Alert & Respond personnel-tracking application when CEO David Kahn sent an intern into the street with an iPhone as a test. No sooner did the intern hit the sidewalk than a thief on a bicycle rode up, snatched the iPhone, and sped off.
What the thief didn't know, however, was that the demonstration was already under way, and that he was being tracked on a computer screen by Kahn and others.
Everyone viewing the tracking was initially perplexed as to why the intern seemed to be moving so fast across the city. However, in less than 10 minutes, the thief had been pinpointed via Covia's software and arrested; the iPhone was recovered, according to

Smartphone Data Protection
Whether you leave your phone in a taxi or a thief on a bicycle swipes it right out of your hand, what can you do to protect yourself before either (or worse) happens?
Ross Rubin, director of industry analysis for The NPD Group, says locking a smartphone's screen with a password offers a good first layer of protection, a simple step that, unfortunately, phone owners often fail to take.
The next layer, he says, could come in the form of an add-on phone-tracking application such as Microsoft's free My Phone for Windows Mobile or Apple's Find My iPhone app, which works on iPhones and iPads but requires a $99 annual subscription to Apple's MobileMe data-syncing and backup service. The $15 Theft Aware for Android is one of several apps that can help you locate your missing Droid.

During an August 5 press event in New York to launch new versions of Kaspersky Labs' Internet security software, Peter Beardmore, director of product marketing, noted that getting cell phone users to install protective software on their handsets is a hard sell. A better business model might be if phone-protection software and services were bundled with handsets and sold as inexpensive add-ons to a customer's monthly phone service plan, he says.
Kaspersky Mobile Security ($30), currently available only for Windows Mobile and Symbian phones, can lock down a stolen phone, preventing the finder from making calls or accessing data; it can also help you track the handset on a map on another device, remotely wipe all of the phone's data, and notify you if someone changes the phone's SIM card. A BlackBerry version of the software should be ready by the end of the year, while an Android version may be available in 2011, Beardmore says.

Protect Your Smartphone as You Would Yourself
McAfee has also seen the cell phone light, so to speak, and recently acquired TenCube, the Singapore-based publisher of WaveSecure smartphone-protection software. Like the Kaspersky application, WaveSecure can track, lock, and data-wipe a stolen smartphone and detect SIM card changes. Once the phone has been locked down, a permanent message informing the finder of the owner and how to return the handset remains on the screen.
"Mobile devices have become an extension of our lives," says TenCube CEO Darius Cheung in a recent press release. WaveSecure is available for Windows Mobile, BlackBerry, iPhone, Symbian, and Android smartphones, as well as for phones that run Java.
Retrieving a lost or stolen cell phone doesn't always require sophisticated software--just a little detective work.
For example, when I left my cell phone on a Milwaukee bus in 2002, I quickly reported the loss to T-Mobile. The representative noticed that a call had been made since the time the phone vanished, and gave me the number. I called it, and the father of the teenager who found the handset answered; after some grumbling, he gave me his address.
An hour later I was met at the door by the teenager, who sheepishly gave the phone back. It wasn't until I walked away that I noticed that the boy--who obviously thought his find was a keeper--had already erased all of my contacts.
Teens love cell phones, and the desire for better ones sometimes adds up to juvenile crime, a trend that many police departments seem to have noticed. According to the New York Times, when school is in session, the Philadelphia police department doubles the number of officers in the subway system at 3:15 p.m., when classes let out.
In Washington, D.C., many cell phones are lost in the backseats of taxicabs as riders scuttle out of vehicles, but very few of them turn up at the District of Columbia Taxi Commission's lost and found, says Dena Reed, the commission's general counsel.
She says that while many interesting things are left behind in cabs daily (including three baby strollers one recent day), most lost cell phones are quickly returned to customers by the cab drivers themselves (if you are lucky) and thus never make it to the commission's office.
In New York, more than 20,000 items lost annually by commuters on the Metro North rail line end up in the fabled lost-and-found office at Grand Central Station. To handle the steady stream of high-tech gadgets and other items ranging from false teeth to false limbs, the Metropolitan Transportation Authority has designed an online claim system.
Riders can use a special Web form to enter a description of the missing item and where it was lost. Once a found item is matched with its owner, the person can pick it up or have it shipped via Federal Express.

Other Protection Tips
What else can you do to protect your cell phone's data?
  • Don't store sensitive information in an easily readable form.
  • If you use a password to encrypt or lock down your phone data, don't forget the password. Data-protection programs have no "back doors," and the only recourse you'll have is to reset your phone--which erases all the data.
  • Back up your phone data using your carrier's Web service or an app that lets you back up to a computer. This step will allow you to get up to speed with your replacement handset quickly.
  • To prevent thefts, be aware of your surroundings. Don't put your phone down and walk away even a short distance, such as from your table at a coffee shop to the counter where the napkins are.
  • Cell phone insurance is a good thing, but it replaces only the hardware, not your data.
In summary, treat your cell phone as a trusted friend--keep it close at hand, since so much of your life is in it.

Monday, August 2, 2010

Apps on your phone putting your privacy at risk?

Do you know what information is being sent through the air from your phone? According to research done by Lookout Inc, a quarter of free iPhone apps, and half of free Android apps contain code that deliberately collects sensitive information from users. Unfortunately Apple's review process, and of course Google's lack of one, have not yet been effective in combating this potentially serious problem.
The iPhone tells users when an app wants to see location information about them, while Android shows a fairly detailed list of permission warnings when users try to download an application. The problem, however, is that regardless of the requested permissions, users generally choose to use the application anyway.
When asked for comment, Google said it “tries to limit users’ risk with the warnings but consistently advises users to only install apps they trust”. Apple had no comment.
When there is a problem, like users’ privacy being at risk, creative solutions tend to crop up. It will be interesting to see what those solutions are, and who they will come from.

Sunday, August 1, 2010

Call to check on mobile network security

Mobile phone users are being encouraged to find out if operators are doing enough to keep their calls secret.
Security researchers have released tools that, they say, make it easy to see what security systems operators use to stop eavesdropping.
The researchers want to expose those operators that have not updated security systems to prevent others listening in.
The tools are based on an attack first demonstrated in late 2009.
"We do want people to go out and study how secure these networks are and to put pressure on the operators to improve," said Dr Karsten Nohl, the lead security researcher behind the project.
Dr Nohl gave a presentation about the tools, called Airprobe, and how to use them at the Black Hat hacker conference held in Las Vegas from 28-29 July.

"We've built tools that interface with cellular telephone communications," he said.
Most GSM calls are protected by the A5/1 cipher, which scrambles each call under a 64-bit key. The number of possible keys is so large that trying them all just to get at the contents of one call would take far too long, which is what was supposed to make eavesdropping impractical.
Dr Nohl said he, his colleagues and a few dozen others have found a way to shrink the amount of storage needed to hold a complete list of the keys and speed up the way to find the one that unscrambles a conversation.
Without these innovations the call cracking project would have got nowhere, said Dr Nohl.
"Just generating the key table would have taken 100,000 computer years and storing it would have taken 100 petabytes," he said.
Dr Nohl and his colleagues have squeezed the table into a format only two terabytes in size and produced algorithms that can look through it and find the right key in minutes.
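The technique that turns a 100-petabyte key table into two terabytes of storage plus minutes of searching is a time/memory trade-off: instead of storing every key, the table stores only the two ends of long chains of keys, and the lookup regenerates one chain on demand. The block below is an added example, not the Airprobe project's code and not A5/1: it uses a constructed 16-bit toy keystream function and small table parameters so it runs in seconds, but the chain construction, the per-table reduction function and the lookup are the standard Hellman-style method that the real work builds on.

```python
"""Hellman-style time/memory trade-off against a toy 16-bit keystream
function. Added example; the cipher, plaintext and table sizes are
constructed stand-ins, not A5/1 or the project's real parameters."""
import hashlib
import random
from typing import Dict, List, Optional

KEY_BITS = 16
N = 1 << KEY_BITS               # size of the key space
MASK = N - 1
KNOWN_PLAINTEXT = b"constructed known frame"   # the attacker knows this part


def keystream(key: int) -> int:
    """Toy stand-in for a stream cipher: KEY_BITS of output per key."""
    h = hashlib.blake2b(key.to_bytes(2, "big") + KNOWN_PLAINTEXT,
                        digest_size=2).digest()
    return int.from_bytes(h, "big")


def reduce_(out: int, table_id: int) -> int:
    """Map cipher output back into key space; varies per table so that
    different tables cover different keys instead of merging."""
    return (out ^ (0x1357 * (table_id + 1))) & MASK


def step(key: int, table_id: int) -> int:
    return reduce_(keystream(key), table_id)


def build_table(n_chains: int, chain_len: int, table_id: int,
                seed: int) -> Dict[int, int]:
    """Store only endpoint -> startpoint; each entry stands for chain_len keys."""
    rng = random.Random(seed)
    table: Dict[int, int] = {}
    for _ in range(n_chains):
        start = rng.getrandbits(KEY_BITS)
        k = start
        for _ in range(chain_len):
            k = step(k, table_id)
        table[k] = start   # merged chains collide here: coverage lost to save space
    return table


def lookup(target: int, tables: List[Dict[int, int]],
           chain_len: int) -> Optional[int]:
    """Recover a key whose keystream equals `target`, from the output alone."""
    for tid, table in enumerate(tables):
        x = reduce_(target, tid)
        for _ in range(chain_len):
            if x in table:
                k = table[x]                    # regenerate this one chain
                for _ in range(chain_len):
                    if keystream(k) == target:
                        return k
                    k = step(k, tid)
                # false alarm (another chain shares the endpoint): keep walking
            x = step(x, tid)
    return None


N_TABLES, N_CHAINS, CHAIN_LEN = 8, 256, 32


def build_all(seed: int = 2010) -> List[Dict[int, int]]:
    return [build_table(N_CHAINS, CHAIN_LEN, tid, seed + tid)
            for tid in range(N_TABLES)]


def coverage(tables: List[Dict[int, int]], samples: int = 200,
             seed: int = 7) -> float:
    """Fraction of random keys the tables recover from one keystream output."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        key = rng.getrandbits(KEY_BITS)
        found = lookup(keystream(key), tables, CHAIN_LEN)
        if found is not None and keystream(found) == keystream(key):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    tables = build_all()
    stored = sum(len(t) for t in tables)
    print(f"stored {stored} endpoints in place of {N} keys; "
          f"recovers about {coverage(tables):.0%} of keys")
```

The numbers in the article map onto the three knobs here: the stored table is N_TABLES x N_CHAINS entries rather than N keys (the storage saving), a lookup costs at most N_TABLES x CHAIN_LEN steps plus one chain regeneration per candidate (the "minutes" of search), and the price is coverage, since chains that merge waste work. The real project pushed these parameters to 64-bit keys and two terabytes of tables, and used GPUs for the precomputation; the toy shows why a defender cannot rely on "too many keys to try" once an attacker is willing to precompute.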
Defeating such an attack would be easy for operators, if they have installed an appropriate software update, said Dr Nohl.
"We want to enable users to test whether their operator has installed the patch," he said. "If not they should call them up or send a letter."
Little evidence
The tools being shown off at Black Hat build on work done in late 2009 to generate the table of keys.
"What we are seeing is mobile phone hacking moving from an obscure sub-culture into a mainstream hacking movement," said Nigel Stanley, a mobile security analyst from Bloor Research.
"When GSM security was originally designed call fraud was the issue, as was a concern that network suppliers would steal each other's customers," said Mr Stanley. "The thought that amateur hackers could break the code would have been laughable back then. Now it's a reality."
Commenting on the work, mobile phone industry body the GSM Association said: "Since 2007 reports of an imminent GSM eavesdropping capability by hacking groups have been common and operators have been monitoring this for some time."
The technical challenges of eavesdropping remained "considerable", said the GSMA.
"We have seen very little evidence that the hackers are able to overcome them," it added. It said that operators could quite easily change the way that calls were set up and handled in their networks to thwart eavesdropping.
It concluded: "GSMA remains convinced that the practical risk to customers is very low and spreading fear and panic amongst mobile users is inappropriate and regrettable."