Automated updates: Why they may not be such a good idea

It's the time of year that software developers dread. Black Hat and Defcon security conferences just finished, the fallout is starting to be digested, and everyone is figuring out who got hit the worst. Michael Kassner addresses the potential of a new threat involving automatic updates.

There's been more than enough tech press about the big issues, which is okay; I want to discuss one that doesn't seem to be on anyone's radar yet. It's a sleeper app, but with huge potential if I'm right.

People are usually glad when computer applications are configured to update automatically: one less thing to worry about. That may change. What if an attacker could hijack the update request and download malware instead of the update?

Meet Ippon

I'd like to introduce you to Ippon (Japanese for "game over"), an attack tool created by Itzik Kotler, security team leader, and Tomer Bitton, security researcher, for Radware. Ippon is one of those ideas that's so obvious I'm sure many are saying, "Why didn't I think of that?"

How Ippon works

Ippon looks for computers that are asking for updates and tries to replace the update with malware. One thing in Ippon's favor is that most applications are set up to check for updates automatically. Kotler and Bitton have ported Ippon to scan open Wi-Fi networks specifically for Hypertext Transfer Protocol (HTTP) update request traffic. When such traffic is detected, it becomes a race to see whether Ippon can respond before the update server for that particular application does.

If Ippon wins, a message is sent informing the application that an update is available, even if there isn't one. To avoid suspicion, Kotler and Bitton have built in a reference library that lets Ippon's response closely mimic the real one. Once the connection is established, a malicious file is downloaded from the attacker's server, and it's game over.

Vulnerable update processes

In an informal poll, Kotler and Bitton determined that approximately 100 applications are vulnerable to the Ippon attack, but they won't specifically mention which ones. Thankfully, Microsoft applications aren't. All MS updates are digitally signed and can't be spoofed. In fact, that's the way to tell whether an application is susceptible to Ippon: if its updates are digitally signed, it isn't.
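The race described under "How Ippon works" and the digital-signing test this section gives are modelled below in Go, as an added example that is not code from the article, from Radware, or from Ippon's authors. It puts the vulnerable client (install whichever reply to the update check arrives first) beside a hardened one that pins the vendor's Ed25519 public key and verifies a signed manifest and the installer's SHA-256 before installing anything. The manifest layout, the reply labels, the keys and the installer bytes are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest models an update server's answer: the version offered, the SHA-256
// of the installer it points to, and a signature over both (layout assumed here).
type Manifest struct {
	Version    string
	PayloadSHA string // hex SHA-256 of the installer bytes
	Signature  []byte // Ed25519 over signingInput(Version, PayloadSHA)
}

type Reply struct {
	From     string // label for the reader only; the client never trusts it
	Manifest Manifest
	Payload  []byte
}

func signingInput(version, payloadSHA string) []byte {
	return []byte("update-manifest-v1\n" + version + "\n" + payloadSHA)
}

// SignManifest is the vendor side: done offline with the release private key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	sha := hex.EncodeToString(sum[:])
	return Manifest{Version: version, PayloadSHA: sha, Signature: ed25519.Sign(priv, signingInput(version, sha))}
}

// VerifyUpdate is the client check: signature under the key pinned at build time, then installer hash.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(vendorPub, signingInput(m.Version, m.PayloadSHA), m.Signature) {
		return errors.New("manifest signature does not verify under the pinned vendor key")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return errors.New("installer hash does not match the signed manifest")
	}
	return nil
}

// ChooseFirstWins models the vulnerable client: the first reply claiming a different version is installed.
func ChooseFirstWins(current string, replies []Reply) (string, bool) {
	for _, r := range replies {
		if r.Manifest.Version != current {
			return r.From, true
		}
	}
	return "", false
}

// ChooseVerified installs only a reply that passes VerifyUpdate; a forged reply that won the race is skipped.
func ChooseVerified(vendorPub ed25519.PublicKey, current string, replies []Reply) (string, bool) {
	for _, r := range replies {
		if r.Manifest.Version == current {
			continue
		}
		if err := VerifyUpdate(vendorPub, r.Manifest, r.Payload); err != nil {
			fmt.Printf("rejected reply from %s: %v\n", r.From, err)
			continue
		}
		return r.From, true
	}
	return "", false
}

// BuildScenario constructs the race: a forged reply, signed with a key the client
// has never seen, arrives before the vendor's. All keys and bytes are generated here.
func BuildScenario() (ed25519.PublicKey, []Reply, error) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, rogueKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	genuine := []byte("constructed: genuine installer bytes for 2.0")
	forged := []byte("constructed: stand-in for a substituted file")
	return vendorPub, []Reply{
		{From: "forged-reply", Manifest: SignManifest(rogueKey, "2.0", forged), Payload: forged},
		{From: "vendor", Manifest: SignManifest(vendorPriv, "2.0", genuine), Payload: genuine},
	}, nil
}

func main() {
	pub, replies, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	from, _ := ChooseFirstWins("1.9", replies)
	fmt.Println("first-wins client installs from:", from)
	from, _ = ChooseVerified(pub, "1.9", replies)
	fmt.Println("verifying client installs from:", from)
}
```

Run with `go run`: the first-wins client installs the forged reply because it answered first, while the verifying client rejects it and still accepts the vendor's reply that arrived second. The signature covers both the version and the installer hash, so neither a substituted file nor an altered version string passes; a real client should also require the accepted version to be newer than the one installed, not merely different, so that a genuinely signed but older manifest cannot be replayed at it.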

Preventative measures

Some of the suggested solutions are a bit obvious, such as: don't use open Wi-Fi networks, or, if you have to, don't update your computer while connected to one. I said they were obvious.

But what about an application that updates automatically and in the background? The only visual indication usually comes after the process is complete. Technically, the only way to avoid the Ippon attack while using open Wi-Fi networks is to use a secure VPN tunnel.

A friend of mine suggested that I mention updating proactively, maybe using Secunia PSI. I think that's a good idea, even if Ippon didn't exist. Still, I'm concerned about a false sense of security: automated updaters follow a schedule and will check for updates regardless.

Final thoughts

As of this writing, Ippon has been released, so it's only a matter of time. I have e-mailed and left voice mails with several of the major application developers, Adobe for instance. When I learn whether an application uses signed updates or not, I will add a comment with that information.

I have one last question. Kotler and Bitton are focused on Wi-Fi because it's the simplest attack vector. What if Ippon could be developed into an exploit that infiltrated wired networks?

About

Information is my field...Writing is my passion...Coupling the two is my mission.

82 comments
Neon Samurai

I don't get to say that often so I'd best take advantage. Windows Update is not vulnerable to this particular attack vector.

dhanushkapg

MS updates are a must for the OS as well as any application, so please install MS updates, because they are released after a massive testing process and use highly secure servers.

Neon Samurai

I agree that critical updates (excluding IE8) from Windows Update are not at all optional once checking the report sites. Always good to see if the updates break anything before applying them to my own systems. "massive testing process" may be a bit of a stretch.. or massive effort in the wrong direction given some of the past updates that re-open vulnerabilities or break existing software leading to a sudden out of band patch. Updates are surely not optional though and I am happy to hear that Microsoft's update utility is not vulnerable to this.

JCitizen

Now I know why Comodo never seems to remember that updaters are allowed. I'm glad it forgets now. Of course the latest version works a little better on x64 - will have to watch that! Great article, as usual. Discussion always great!!!

Michael Kassner

I didn't know that. So an annoyance is actually a feature. You may just get me to convert to Comodo, yet.

JCitizen

This feature is like that described by the other poster talking about Sunbelt firewall watching files and processes. It has an easy to understand warning system that helps you make quick decisions, because it IDs known files with well-known icons. Comodo continues to improve Defense+ and on Vista x64 it is still functional even after IE 8! In the believable tests I've studied, it scores consistently higher than all other personal software firewalls on leak tests. I can vouch for this as I have tested many of them myself, to failure. The only one that may have been better was purchased by Norton, and I can't find a new enough version of that utility that I can actually use. The name slips my mind (what is left of it).

shryko

If I was in charge of a security system's design, I'd try to find some paranoid staff, because they would suspect things to fail... and design around it. Comodo may have just had that advantage! Either way, it's time to push for a new set of protocols that support identity as a core piece of the system... digitally signing, encrypting, etc... then again, TOR is useful for many things...

sfeatherston

If you are using a firewall that is set to alert you of any new application that is being run, would not the firewall block this type of attack, since it is not really installing a file that is part of the original application? I think anyone not using some sort of good firewall (and I am not talking about Microsoft's) when using an unsecured WiFi is crazy anyway.

Michael Kassner

The attack vector is so new that there is no real data that could answer your question. I suspect it would depend on the malware being dropped.

CG IT

that's so consumers don't flood help desks because they can't get to the internet because the firewall blocks internet enabled applications. Windows firewall allows known apps outbound access via exceptions. The trick is to get an application installed that looks legitimate and thus allowed via the exceptions, but has the hidden remote code. The firewall will then allow the outbound traffic and even if the firewall prompts the user to allow or deny, Joe or Jane consumer isn't knowledgeable enough to allow or deny some techy looking program. So in order to not mess up their internet connection, they allow access. Once allowed, the traffic is always allowed and there's no real GUI to show Joe Consumer just what is going out through their internet connection in a manner they can understand. Example, Syslog Watcher. Great program but only great if you know what you're looking at and what to look for.

Ocie3

allows known apps outbound access via exceptions." Are you referring to a firewall that is distributed with Vista and/or with Windows 7?? As far as I know, the Windows XP firewall included with SP2 is just a "one way" firewall that stops only incoming traffic. It doesn't stop any program from establishing a TCP connection to another computer via the Internet, or from sending UDP packets via the Internet. There are some configuration options with regard to ICMP messages and whether ports are opened for some services to "listen" for traffic.

Michael Kassner

You always have good input. I see no reason why the bad guys wouldn't do that. This attack is sophisticated to begin with. Besides, most users including me aren't well enough informed to argue with a firewall when it's asking us whether we want to allow a process or not.

JCitizen

is that an add-on to syslog? Just wondering! I like syslog to watch for outbound blocking. My gateway is very adept at catching miscreants, but wouldn't necessarily block a trusted program.

Hagstrom

I'm guessing you are talking about an application monitoring program, which checks whether any program is getting changed. Normally a valid update would also throw an alert for the monitoring program, when it updates the program in question, which you expect and then allow, but if the virus does the same thing, "updates" the file in question and even does it in a way where the original program still sort of works, then what?

Ocie3

when the malware starts to run. I can't say that all personal firewall designers take the same approach (or whether it is properly implemented if they do). Also, what happens when any particular event occurs is subject to the configuration of the firewall.

First, when a program starts, the firewall obtains the pathname of the executable file when the OS is about to launch it. If that data is unavailable, then the firewall notifies the user and stops the program from being executed, by default. Else, the firewall makes a hash from the executable file and looks in its database for an executable that has the same pathname and a matching hash. However, if the firewall cannot find the executable file (by using the supplied pathname), then it cannot make the hash. In that case, the firewall notifies the user of those facts and stops the process from executing, by default.

Second, if the firewall cannot find the same pathname (for the executable) recorded in its database, it assumes that the executable is a new program. The firewall notifies the user that it cannot find a record for the program, and queries whether to allow it to run. So, in that case the user has an opportunity to stop a malware process from executing, although I suspect that there are ways that a malware process can run regardless of what a firewall might do to stop it. Of course, the user's decision is likely to depend upon whether the filename is familiar, etc. If the user consents to the program running, then the firewall records the corresponding pathname in its database, together with the first hash that it created for the file.

Third, for each and every process, the firewall makes a hash from the corresponding executable file when the process _exits_ from its execution, and the firewall records that "exit hash" in its database. The next time that the same program starts (one that has the same pathname), the firewall makes another hash of the file (as described above) and compares it to the "exit hash" on record. If they are not the same, then the executable has been changed (probably by an update). In that case, the firewall notifies the user that the file has changed since its most recent execution, and asks whether to allow the program to run. Again, the user has an opportunity to stop a file from being executed if they have reason to suspect that it has been altered by malware.

Two things to note, also. One is that many anti-malware programs have an "active scan" feature that can be enabled, so that it will scan every file that is opened and/or every process that is loaded into memory, looking for suspect code. The other is that many software firewalls have a "Host Intrusion Prevention" feature which scans each process after it is loaded to ascertain whether it can find anything suspect. It usually also watches for events such as a process that "injects" code into the memory space allocated to another process, or whether there is a buffer overflow while a process is running. There are varying implementations of HIPS among firewall vendors, particularly when the firewall is integrated with an anti-malware program, usually one sold by the same vendor.

JCitizen

Your description sounds like what I 'thought' was going on with Comodo's Defense+.

Michael Kassner

Always work? There must not be very many people using firewalls then. Just from the sheer amount of infected computers.

Ocie3

FYI: most software firewalls that are intended for individual "personal computer" users (not for an "enterprise" environment) have a "monitoring" feature(s). For example, Sunbelt Personal Firewall has an Application Behavior Blocking feature that allows the user to control whether a specific executable is (1) allowed to start, (2) allowed to run after it has been modified, and (3) allowed to launch other programs. For each of those three options, the user can choose "permit", "deny", or "ask". That is just a brief description of a relatively simple approach to the matter. :-) Other personal software firewalls typically have the same sort of options and choices, but differ a bit in the details, for example, in regard to whether the rules are applied to .DLL files as well as to .EXE files.

Michael Kassner

My firewall does that. Still many new pieces of malware are not being picked up by any scanners. My reasoning for this article was to invite discussion and I think I may have succeeded in that regard. Thanks for the insight.

boxfiddler

I long ago stopped using any automatic updating feature. I make a point to sit down once a week to update various 'anti' programs on my machines, and inspect Windows Update offerings. I've been burned one too many times by Windows Update, in particular. Thank you Michael, for reinforcing my policy. :)

andy.gravett

I agree manual checks and updates are a good idea. In Ubuntu this is the default: the checks are done automatically but you are prompted to install or not before downloading. But you can see why this can be an issue in some enterprise environments; it is complex, slow and cumbersome to manually check and update thousands of client machines. This is why virtual desktops will be big, where you have a few virtual client machine images to maintain, patch and update for thousands of users connecting in via a broker; that will greatly reduce the complexity and cost of managing the desktop estate and improve security and patch testing. For the home user manual checks are the way to go, or swap to linux :-) Andy G

Michael Kassner

Having to ask isn't a guarantee that the update wasn't replaced by malware. The researchers mentioned that they tried hard to simulate the actual update process for several of the vulnerable applications. Virtual machines or dumb terminals will rule in the not-too-distant future.

LocoLobo

If you're referring to update programs for apps like Adobe Reader, Sonic, etc. Not for this reason, but they would pop up once a month/week etc. and demand attention, sometimes crashing another app running at the time. I tried setting them to 'do not auto check' but they still pop up. MS updates are set to download only. Of course this all assumes we are talking about app updates on a MS domain.

Michael Kassner

Is exempt from this issue due to digital signing of updates.

Ocie3

Does the Windows XP update installation program authenticate the digital signature on each downloaded file before it installs the patch?? Personally, I rarely allow any vendor's update program to "automatically" do anything except, in a few cases, to check whether an update(s) is available. For a start, the software vendors always want to do the updates at their convenience, not mine. For another, in my experience, allowing a computer to do anything "automatically" is assuming the risk that it will eventually automatically make a mistake. But I do allow Secunia PSI to do a weekly scan on schedule. Sometimes I run Belarc Advisor, mostly to check whether all Microsoft Windows XP security patches have been applied.

wdewey@cityofsalem.net

will take you nowhere fast. Pretty much the only organizations that exist are commercial and governmental. Both are run by people and are therefore not trustworthy according to your line of reasoning. Bill

jevans4949

Digital Signing may not be vulnerable to THIS sort of attack, but that's not to say that in the future somebody will not find a way to break that as well. Also, a certification system is run by just another commercial organisation. Is there any guarantee against there being malevolent intent somewhere within that organisation?

Michael Kassner

Sounds like a viable attack vector and it is.

CG IT

From an old [2008] ITSecurity Web site article on the banking industry's security problems with Joe or Jane "No Clue" Consumer. Read the whole article here: http://www.itsecurity.com/features/banking-security-woes-051308/

"Addressing the Problem

Gossels and Steinhoff said that banks need to pursue education programs to make customers more aware of the threat environment. Pal suggested that banks could also help safeguard customers by providing them with anti-virus software with a whitelist feature. He said that such software only permits a certain set of programs to run on a computer and blocks unknown applications from executing. This approach, he added, would address the problem of keyloggers, rootkits and other types of malware."

While "white list" software has been around a while in some of the firewall applications, and UAC in Windows Vista is in a small way, something like it, it has been talked about secretly for cloud computing as well. Apple's App Store is basically a "white list" of applications a non "jail-broken" iPhone can use. But I see "white listing" applications on devices as the future in Cloud Computing. Smart net devices can only have certain apps on em, those that aren't on the white list won't run. There will be hacks but I believe there are some guys working on a way to disable the device if it's tampered with. Joe and Jane No Clue Consumer is a big risk for banks and credit card companies. Since Joe or Jane Consumer only risks $50.00 if their bank accounts are cleaned out, there will come a time when the losses are too great. Cloud Computing and Cloud devices that will only run "white list" applications and stop working if hacked open, is one answer that some in the industry might recommend.

Michael Kassner

Something. How would that help with updating being intercepted by an attacker?

JCitizen

and it teaches them how files can be manipulated by processes, hopefully initiated by the user. If not by the user, then the alerts definitely need to be paid attention to. To keep them from getting information overload, I have them set it to "learning mode", then either lower the alert level later or disable it. After a while they learn what to expect from their system and learn miscreant behavior in real time. The new 64 bit version works best, the 32 bit XP version was blown away with the latest IE 8 and updates.

dhanushkapg

You are wrong. Updates are critical for any system where effectiveness, reliability and security are considered. If you are saying updates have malware or viruses, your source is not trusted, so don't use untrusted software or components for your system.

Neon Samurai

I don't believe the author's point was that updates are optional or irrelevant but that automated update processes are a real concern. On that point, I'd have to also agree. If a bad update comes out that breaks the system or re-opens vulnerabilities previously patched, your auto-download is going to suck it in and you're screwed. An update may not actually address a vulnerability making it undesirable yet the auto update system will suck it in and you're screwed. Though only once in the last decade, I've even seen a Mandriva Linux update break (phpBB 3 listed as an update of phpBB 2 but replaced the board instead of gracefully updating it). I've not seen a Debian update break a system yet but I still wouldn't set my workstations or servers for automatic updating. Ippon demonstrates the real risk in allowing autoupdates as it listens for those calls and answers them with "yes, you're not the latest version; here's the update" then feeds its own malware into the waiting update utility. Other grievances include:

- Processes not directly approved by the user running on the user's system.
- Processes causing network traffic without direct consent or intent of the user.
- Processes on by default requiring the user to "opt out".

Updates are essential. Vulnerability patches are absolutely not optional. Automatically accepting any and all un-vetted updates into your system is the real issue. And it's an issue for all platforms.

JCitizen

that article where that already happened! Why it is always an "Outlook update", I don't know. I'd think any official update window would fool the uninitiated. Obvious Vista pages when you're using XP are a sure show stopper. And then there is the newest "fake BSOD" message, with obvious spelling errors. And in a HTML window none-the-less! =)

Michael Kassner

A pop-up window saying that an update is available and it's really malware.

Neon Samurai

Five minutes ago I ran a google search and the page a result linked me to was a red background with a single box in the middle: this site has been blocked due to malware detection [get me out of here] [provide more details]. Funny.. if it was blocked from my side, I'd know about that filtering device.. pretty sure that stung a few people foolish enough to push either of those two buttons. It's all a stats game; send out enough bait and enough fish will bite. "oh.. an update window.. better download that" --> zzWApp!

Michael Kassner

I'm starting to wonder if any update that's not digitally signed is suspect. What if an attacker can mimic the update window and the user installs malware instead of the update manually. Sure a firewall may bark, but the user will think it's the update causing it.

IronCanadian

Particularly the software packages that install and run the update client in the background and "on" by default. Not necessarily because of the security aspect of it, more for the fact that that process is using some of my system's processing power and I'd like to have chosen if that happens or not.

Michael Kassner

If manual updates would work or not. The researchers mentioned that they try to mimic the update window, so maybe it would still fool the user.

CG IT

in other words, there are literally billions of cell phones, so how come hacks aren't targeting cell phones? If smart devices or even the Apple Tablet using ARM processor[???] http://www.pcworld.com/article/165354/apple_tablet_coming_in_2010.html?loomia_ow=t0:s0:a41:g2:r9:c0.074198:b22858826:z0 with Google wanting their voice app available on apple store, and then the big beef with Apple and Palm Pre, I think that the Cloud computing providers are going for closed systems. While a consumer can download and play iTunes on a PC, it needs the iTunes software. Just like Quicktime format doesn't play on WMP, what app you get from your Cloud provider and what device you have will tie you up to use a specific Cloud provider.

Michael Kassner

Is it because the telcos have a tighter rein on the networks?

Michael Kassner

You are right. I'm trying to visualize if I like that new world or not. Actually I have lived through it once already. Kind of looks like the pendulum is swinging back finally.

Neon Samurai

I was thinking of the viruses and mobile phone AV from about four years ago separately from the SMS attacks currently known. I guess we'll see how it turns out in the end, if there is profit to be ill gained, criminal enterprise will find a way.

CG IT

nothing of importance is on a cell phone except phone #s. But with smart phones, some users are checking bank info. I think Cloud Computing is going to end up a closed system much like a cell phone is. Applications are provided by the cloud, not really installed on the netbook. O/S will be firmware and connections on the next generation 3G system. Want to save data? Flash card or even a flash drive. If you read about the PC makers' plans, it all points to a shift away from PCs and either into netbooks or enterprise markets. Acer announced their plans for an e-reader, Apple has their upcoming tablet, Intel, Microsoft, Google are all investing in ARM processor based devices and cloud computing. And here's Sprint's foray into the cloud. http://www.networkworld.com/news/2009/080509-sprint-wimax.html?hpg1=bn

Michael Kassner

With SMS issue. That's a vulnerability. AV may help with what the attackers do after they use the SMS exploit.

Neon Samurai

I've even seen AV software for mobile phones now. Smartphones are a step up from that so I'd assume the malware is out there given the recent SMS worm that was discovered. I'm not sure why it's not more prevalent other than temporary good luck on the user's part.

eryk81

Personally, I don't like any program doing whatever it wants; consequently, I disable all automatic updates on any program (except AV programs). I even do it for my customers and the same goes for add-on programs like Apple's Bonjour. The biggest problem is that they don't tell you that they are installing and running these update processes. Even still, there is a bigger problem: what if the service has a hole in it and it is then connected to the Internet all the time (DSL/Cable)? Your computer (and personal information) would be at risk and you wouldn't have even known. Software vendors need to disclose this information upfront rather than burying it in the EULA and then give the option (upfront) to disable it. So, to recap, you now have a program running on your computer that you didn't know about that has opened a port to the Internet (which can be attacked from the outside world) and when the update service is used by the program/programs that installed it, can be fooled into installing malware of all sorts. I'm glad there are people out there that provide job security for me ;-).

CG IT

reason not to use freeware and in some cases open source. Whether anyone will own up to it or not is another matter; however, code can be included in that software program you got for free or the open source software you got and unless you're a really good programmer, you'll never know. The really scary part is that once the app is installed, the firewalls are going to allow outbound traffic and its return traffic by default. And on consumer stuff, they don't know anything and won't risk blocking something which might cause them to lose their internet access. That's because of the hours on the phone to crappy help desk support. The threat isn't inbound attacks anymore. The threat is in installed applications that have malicious code embedded in them. And don't think that the guys who want your comp for a botnet haven't figured that one out. They will sell legitimate applications with the malicious code in them. That's why there's a push for Cloud Computing and devices that use embedded software for O/S like WinCE or Azure, Google Chrome, etc.

dagda825

If the project allows for inclusion of code that's not reviewed by others, then yes it's fairly easy to embed a spy. On the other hand, if the project requires a developer to submit it for peer-review then it's much harder to sneak in rogue software unless the malefactor forks the project for their own nefarious purposes; which will get them caught fairly quickly because there are a lot of people looking for things like this.

Neon Samurai

cheap shot I know but I saw it.. I took it.. :D

Neon Samurai

I mean, I'm in on the betting tables; I just don't want to be a judge. ;)

CG IT

don't need a dictionary for terms. I'm way too cynical.

Neon Samurai

Your understanding of the term Hacker is incorrect. Real Hackers are the computer enthusiasts who want to know their area of interest down to the most minute detail be it computers, security, psychology, cars (gear heads), stereos (audiophiles), radios (hams) and so on. Simply put Hacker is the same mentality and person the 50s referred to as the DIY crowd. Heck, the people who wrote the framework for the US constitution and government were political hackers. The US is founded on the very values of Hackerdom; freedom of learning and thought, freedom to explore and create. To stick close with your suggested category, the Security Hacker is interested in understanding security systems and how they can be improved. How can they provide real security instead of security theater as so many systems seem to do. Computer hackers want to understand the computer down to its core and how they can make it better, make it do things it wasn't expected to do or otherwise bend it to their amusement. What you mean when talking about criminal intent is criminals. Script kiddies, crackers.. the scum of the technological world whose actions Hackers get blamed for in the mass media. If you're interested, I can provide links to proper definitions of the terms rather than the purely pejorative meaning the technology ignorant media brainwashes the non-tech types into fearing. If someone broke into your computer without permission and it wasn't your close friend with a harmless prank then it wasn't a Hacker. Even for those who are purely about deriving an ego boost, that is not inherently destructive or detrimental. The irony is that "ethical hacker" is completely redundant. It's like saying "round sphere" as if that's somehow more descriptive of a sphere. This is but one of many terms that Hackerdom has offered mass media to differentiate. It always comes back to corrupting the original ethical title in favor of generating more newspaper sales through fear.

The mass media can't be helped but the technology literate can be.

CG IT

am I reading that right? There are hackers who figured it's better to get paid to find the hacks than to get caught and set up house in a jail cell with some criminal. I think some call themselves ethical hackers and ethical hacking. I've met some and while they talk sincerely, it's still an ego game for them.

Neon Samurai

A brief tangent, the "real" hacks just want to understand and improve technology or whatever their particular form of Hackerdom entails. It's a grave injustice to associate obsessively self directed learners with the criminals intent on and responsible for crime be it online or offline. But criminals are definitely a threat and very much more interested in maintaining undiscovered control over a computer. As you point out, even 1 percent response to a spam blast can be a huge profit margin. It's too easy to blast out a billion phishing notes for a million or a hundred thousand returned. Controlled machines are much more valuable than destroyed ones. Heck, outside of fraud there is botnet rental and a complete service industry of source let alone outright business espionage. With the trojan type adware, I found the peak of it to be on those early years after 2000 when the advertising companies discovered the internet. Suddenly every freeware helper app had data collection malware included with it. Every website wanted to install monitoring software. The marketing industry acted like the Internet was their own private involuntary database. And these were legitimate companies. The Gator downloader app was a good utility except for the three or four adware infestations it included during the install. Kazaa had its own adware apps; remove one and Kazaa wouldn't run. Even for them, it's far more important to gain access and maintain it rather than simply placing a logic bomb to eat the drive in a week. Nothing new about any of this, just a much bigger criminal market for it now. I wish it were still the days of the majority of these things being well natured pranks rather than today's social and technologically destructive forms.

CG IT

programming days. Administrators writing in a bit of code for a back door. Admin tools that allow you to come in and fix something without letting the keys to the kingdom out. Script kiddies are looking to "mess up someone's computer". The "real" hacks aren't looking to do that. They're looking for the free way to get $$. If a hack can sit at home and collect thousands of $$ a day simply sending out millions of spam that will never get read, hey, why not. If a hack can siphon off $1.00 from 150 million people, that's a big chunk of change and most aren't going to make a "big deal" over $1.00. Since the internet is world wide and there's about 6+ billion people, if we have simply 1 billion that have online banking and you siphon off $1.00 from each of those 1 billion people, that's a big chunk of $$ that, for the most part, the 1 billion people will overlook. The banks will miss it but the account holders won't. How do you do that? Get 1 billion people to buy a legitimate program with some code that creates an encrypted darknet and, well, as long as you're not greedy taking big chunks of $$ from individual accounts, you've got a really big chunk of $$. Think the banks are going to turn it in? Bankers are as greedy as the next guy.

Neon Samurai

I happily admit to misreading that last comment. Trojans intentionally funneling in malware are definitely an issue. Those particular freeware offerings are rightly considered malware. Bonzi, the malware-laden file sharing clients, including all the rest of the advertising malware popular in the late 90s, early 2k. Download any and every freeware gimmick out there and one is bound to get hit hard more than a few times. Even with my *nix boxes, I stick to the repositories unless it has to come from a vendor. In that case it's the source and only where trusted (as far as unknown third party companies can be). The list of items outside the repositories is pretty short:
- VMware Server
- Adobe Flash Player
- Various security utilities from known researchers, but this last one means a higher knowledge in identifying valid utility versus trojan code.
With Windows I stick to Download.com and well known programs if I can't go directly to a trusted source like Mozilla's own download links.

CG IT

just create the application with the code already in it. No need to infect anything. There have been a lot of applications over the years that had exploits built right in. Anyone remember Bonzi Buddy? You almost couldn't get rid of it. But that was a really crappy way to do it. The hacks have code that sets up darknets and the AV doesn't even see it. [A ghost on the PC] Applications with the code as part of the application is where hacks are concentrating. Script kiddies use the old methods.

Neon Samurai

It's far easier to provide a corrupted setup.exe through a spoofed downloads website or file sharing network than it is to get a corrupted software package into a repository. The people who maintain FOSS repositories tend towards diligence rather than convenience. A criminal has to break into the repository management accounts, break the signing keys, infect multiple repositories to have any real effect and do this all before the malware is discovered or the nightly repository sync fixes the issue based on the master. Unless Red Hat, Debian, Mandriva, Novell or Canonical are the perpetrators behind the break-in on their own repositories, it's a snowball's chance of tanning on the beach in the tropics. Unverifiable freeware has a greater chance as it's a closed binary posted on any old website. FOSS distribution repositories are unlikely, not outright impossible but very unlikely. If that's the benchmark then retail software updates are as likely if not more so. I just had the opportunity to download the Java update from multiple websites though I knew to go straight to Sun for that. A good firewall will also monitor outbound as well as inbound traffic. The key reason I prefer to use third party Windows firewalls is being able to select one which does both inbound and outbound well. Cloud still brings a number of other risks into play, the least of which is not trusting the amoral corporation that you're giving ownership of your data to through the user agreement.

eryk81

Cloud Computing and SaaS all have their problems as well. Compromising any part of those systems will cause huge amounts of damage. I'm more afraid of the mass adoption of Cloud Computing and SaaS than I am of what's in the wild right now. So a few (OK, A LOT) unknowing users get infections; you can fix that in many ways. However, no matter how skilled or knowledgeable, you will have an incredibly difficult time trying to find out if your Cloud/SaaS is infected. Truthfully, it all comes down to implementation and security testing. If it's all put together the right way (and it rarely is) then I don't see any problems with it. But on the flip side, the same is true of traditional software offerings. So, I guess the best thing to do is: put out better software and don't cut corners when it comes to code and security review.

Michael Kassner

How do you keep all the applications up to date? Secunia, or have users run every application manually?

Michael Kassner

Mentioned that digitally signing the updates defeats their attack. So, that seems to be the simplest approach. Until you realize that all application developers have to change their update process.

Neon Samurai

Once you go software repository package style, you can never really go back. I still wouldn't suggest it run automatically, but ten seconds for an "aptitude update && aptitude full-upgrade" or "urpmi --auto-update" during my login ritual is nothing. (Synaptic, rpmdrake or the menu-bar icon if you can't live without pretty graphics.) By comparison, I'll be spending today checking Windows Update, then the JRE v6u15 install, then the CCleaner update check, then the Quicktime update check, then ... and on.. and on.. (I really have to see about fitting the Secunia app into my budget.) I don't think the Windows world could ever move itself into a repository style distribution though. It would be a huge step forward benefiting the end user but there are just too many competing companies and shareholder interests to ever allow it to happen. Imagine Windows Update including Firefox, Chrome and Safari.. while I zip down hills in hell on my snowboard.

eryk81

The only other way to do it is use a service like Linux. Have package distribution sites that hold the updated software, then you could run the update agent once a month or so and update all of your software. Also, it probably wouldn't be too much for software vendors to use some type of authentication process like an IP address range, with the response having an MD5 hash for the download that would be created through a combination of version # and the ASCII values of the user name. Both sides would be able to generate the MD5 hash on their own so there would be no need for it to be transmitted from the user's computer. I'm sure most of this information is given at the time of update anyway, right? So there is a good solution that wouldn't cost software vendors too much money and would almost eliminate this threat. Do you think that's a good idea?
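Three comments in this thread touch the same question: Neon Samurai's point that a repository attacker would have to break the signing keys, Michael Kassner's note that Radware said digitally signed updates defeat Ippon, and eryk81's proposal of an MD5 over the version number and user name. The following Go program is an added example written for this page, not code from Radware, the article or any vendor's updater. It assumes a hypothetical vendor Ed25519 key pair, a constructed update payload, and a constructed "answered first" payload, and it contrasts a signed manifest (which binds the version to a hash of the real payload and can only be produced with the vendor's private key) with the MD5 scheme, whose inputs are all visible in the update request and which does not cover the downloaded bytes at all. The client ships the vendor's public key inside the application, so winning the race to answer the HTTP request is not enough to get a payload accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is what a signing-aware update server returns instead of a bare
// "new version available" reply: the version, the SHA-256 of the payload,
// and an Ed25519 signature over both.
type Manifest struct {
	Version    string
	PayloadSHA [32]byte
	Signature  []byte
}

// manifestBytes is the canonical byte string that is signed and verified.
// A fixed prefix and NUL separators keep version and hash from being confused.
func manifestBytes(version string, sum [32]byte) []byte {
	return append([]byte("update-manifest-v1\x00"+version+"\x00"), sum[:]...)
}

// SignManifest runs on the vendor's release machine (hypothetical); the
// private key never goes anywhere near the update server or the network.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{
		Version:    version,
		PayloadSHA: sum,
		Signature:  ed25519.Sign(priv, manifestBytes(version, sum)),
	}
}

// VerifyUpdate is the client-side check. The public key is compiled into the
// application, so a manifest must carry a genuine vendor signature and the
// downloaded payload must hash to the value that signature covers.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.PayloadSHA), m.Signature) {
		return fmt.Errorf("manifest signature invalid: refusing update %q", m.Version)
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return fmt.Errorf("payload hash does not match signed manifest for %q", m.Version)
	}
	return nil
}

// WeakCheck models the MD5(version + user name) proposal from the thread.
// The payload parameter is deliberately unused: nothing in this token
// depends on the bytes that were actually downloaded, and both inputs are
// already present in the update request, so any responder can compute it.
func WeakCheck(version, user string, payload []byte, received string) bool {
	expected := md5.Sum([]byte(version + user))
	return hex.EncodeToString(expected[:]) == received
}

// Demo runs both schemes against a genuine payload and a constructed
// "whoever answered first" payload. It returns, in order: whether the signed
// scheme accepted the genuine update, whether it rejected the forged one
// (both with the original manifest and with a rewritten hash), and whether
// the MD5 scheme accepted the forged payload.
func Demo() (genuineAccepted, forgedRejected, weakAcceptsForged bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key pair
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: real JRE 6u15 installer bytes")
	forged := []byte("constructed sample: bytes from whoever answered the request first")

	m := SignManifest(priv, "6u15", genuine)
	genuineAccepted = VerifyUpdate(pub, m, genuine) == nil

	// Substituting the payload fails the hash check; rewriting the hash in the
	// manifest fails the signature check, because the responder lacks priv.
	forgedRejected = VerifyUpdate(pub, m, forged) != nil
	rewritten := m
	rewritten.PayloadSHA = sha256.Sum256(forged)
	forgedRejected = forgedRejected && VerifyUpdate(pub, rewritten, forged) != nil

	// The MD5 token is computable from public inputs and ignores the payload.
	token := md5.Sum([]byte("6u15" + "alice"))
	weakAcceptsForged = WeakCheck("6u15", "alice", forged, hex.EncodeToString(token[:]))
	return
}

func main() {
	g, f, w := Demo()
	fmt.Printf("signed scheme: genuine accepted=%v, forged rejected=%v\n", g, f)
	fmt.Printf("md5 scheme: forged accepted=%v\n", w)
}
```

The design point is where the secret lives: the signed manifest only works because the key that can produce a valid signature is never on the path the update travels, while the MD5 token has no secret at all. This is the same property that makes Neon Samurai's repository case hard for an attacker (the signing key, not the download site, is what must be compromised), and it is why Radware could say signing defeats the attack without the client having to trust which server answered first.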

CG IT

I remember a couple of years ago there was the spoofing of an update site. WiFi is easiest because you don't need physical access. Wired, you gotta put a device in there. I still look at the utility, cable and telephone guys suspiciously. The phone junction boxes are sitting right in the open with just a key lock. Pretty easy to just drive up in a truck with all the right markings and stick a device in there.

Michael Kassner

I'm curious, do you have any more information?

CG IT

which really wasn't for security updates. While there aren't a lot of research papers still around publicly for Windows 95 security vulnerabilities, the update service was a target. Internet Explorer got hammered because Windows Update uses IE. The URL redirect exploit was aimed at getting users to download what they thought were legitimate updates except they got viruses. I remember when broadband first came out, you connected your comp directly to the modem, thus directly to the ISP, and your comp had a routable address on the NIC, therefore a direct connection to the Internet with no firewall protection. Scary times. Microsoft built a firewall into XP because of the statistics. While 50% bought AV with a firewall from the major AV vendors, that left a large # without protection. Then the telcos got into the act by putting a router into their DSL modems. Mostly to conserve addresses but it also gives some firewall security.

Michael Kassner

Windows Update was getting hammered. That must be the time frame when they started signing the updates. Also, glad you are still reading my stuff.

CG IT

and it's IE that Windows Update uses. Exploits that take advantage of IE holes can have a user be redirected to a web site where the user believes they are getting updates but are actually getting exploits. http://support.microsoft.com/kb/818529 This is an exploit used to take advantage of IE. Here is another in 2006. http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx http://www.pcmag.com/article2/0,2817,2256892,00.asp http://www.cio.com/article/171800/Hacked_MySpace_Page_Serves_Up_Fake_Windows_Update and look at the references in this paper by http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html Also, Windows Update and the Automatic Update notification tool [precursor to Windows Update] all used ActiveX controls, and ActiveX has lots of holes.

Michael Kassner

Have a link, please. I'm feeling silly. I did a fair amount of research and didn't get any hits about earlier exploits. Now I'm curious to learn about it. If you have the time, I'd really appreciate it.

CG IT

Windows Update was being spoofed there back, oh, around 2004/2005. Same technique. Capture and redirect, then download. The gimmicks [types of hacks] tend to repeat themselves, exploiting new weaknesses. Wireless is a weakness because it doesn't require physical access. With today's sophisticated firewalls, access lists, spam filters, and user awareness, the old gimmicks don't work. That's not to say the gimmick is no longer useful, rather that it can not take advantage of known weaknesses. If a new weakness is found, hacks will exploit it using the tools they know did work.
