Antivirus and Security Software from Sophos

ISPs, Governments and Cybercrime

In the past two weeks, all three arms of Australian government – the legislature, the executive and the judiciary – have been in the international IT spotlight.

In a globally-watched lawsuit, the Australian movie industry took local ISP iiNet to court over copyright infringement. The movie guys lost.

Some self-styled hacktivists DDoSed a few public service and government websites, then spammed parliamentarians with porn, in Operation Titstorm. All this to prove to the Australian government how objectionable the "protesters" claim to find its proposed censorship plans.

And the Minister for Broadband, Communications and the Digital Economy condemned the Titstormers as "totally irresponsible" – a pretty mild criticism, all things considered.

Who better to give a calmly rounded overview of these issues than SophOz's very own Rob Forsyth, who is not only Managing Director of Sophos Asia Pacific, but also Deputy Chairman of the IIA and a board member of ISOC-AU?

Find out more by listening to the podcast!


16 February 2010, duration 8:18 minutes, size 4MB

Download Podcast
Paul Ducklin and Rob Forsyth discuss recent Australian on-line security issues




How gullible are you?

Consider the following claims:

1. In the Privacy Settings interface in Facebook, there is a search facility to make it easy to find people and groups you wish to block.

2. A Facebook group called Automation Labs consists of people with access to your Facebook account and profile.

Claim (1) is true. Facebook does have a search facility in its "Block people" interface, and this is a helpful and useful feature. Claim (2) is an unfounded allegation that any reasonable person would refuse to accept. It sounds bogus, and it is.

Now put these two claims together, like this:

All FB friends. This is important. Do this asap! Go to settings. Click on privacy settings. Click on block users. in the name box enter 'automation labs'. A list of approx 20 people you dont even know will come up. Block each one individually. These people have access to your facebook account/profile and spy on what You do!

Now you have the perfect Facebook chain letter: you persuade Facebook users to verify claim (1) by performing a "Block people" search, but using the very group you are libelling in claim (2). And guess what? Many of those users are taking this as some sort of proof that claim (2) is true. This chain letter is spreading fast.

Earth to Facebook users! Earth to Facebook users! If this conclusion were logical, then anyone you could locate via the "Block people" search would need to be blocked. And that means that everyone should be blocked, which means that you should stop using Facebook altogether. (As it happens, that might not be such a bad thing for the rest of us on Facebook.)

No wonder that 61% of businesses we surveyed for the Sophos Security Threat Report 2010 said, "Facebook" when we asked, "Which social network do you think poses the biggest risk to security?"

The openness of the internet and of social networking sites is supposed to liberate you from the pressure of conformity, not to make it easier for miscreants or cybercriminals to persuade you blindly to follow orders.

Make sure brain is in gear before engaging mouse!

(If you need to advise friends and family, try Graham Cluley's short video below. It takes a slightly more didactic and conciliatory approach to the issue of internet gullibility.)

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Image of Sydney Harbour Bridge by Adam J.W.C, 2009.




JavaScript tricks and traps

Are you in Brisbane, Queensland this evening, Tuesday 02 February 2010?

If so, why not attend this month's Brisbane Security Special Interest Group, or BSSIG for short? The meetings take place in the CBD, start at 18:00, are done and dusted by 19:30, come with snacks, and are laid-back in style but serious in content. You won't suffer through a vendor spiel.

This evening's speaker is, ahem, me. I'll be presenting a live demo entitled JAVASCRIPT TRICKS AND TRAPS.

You're supposed to have RSVPed, but if you just turn up, I'm sure you'll be OK. (If you would like to go on the mailing list for future BSSIGs, please email me and I will pass on your details to the committee.)

Venue: Microsoft Level 9, 1 Eagle Street, Waterfront, Brisbane.

Time: 17:30 for an 18:00 start (lifts close at 18:00).

Ends by 19:30.

Of course, since it's at the Waterfront, there are plenty of pubs nearby for those who want to continue geeking out on malicious JavaScript after the meeting closes. If you turn up without RSVPing and there aren't enough snacks for you, I'll buy you a pie afterwards, though you'll have to prove that you paid attention during my speech by solving a small JavaScript conundrum first.




Australian Taxation Office scammers strike yet again

Scammers have targeted the Australian Taxation Office (ATO) once again, offering a tax refund which you can search for and claim on-line.

The emails are obviously fakes (the From: addresses are garbage, the link in the email doesn't go to the ATO, and the ATO never offers refunds in this way), so you'd have to be having a really bad day to fall for this scam. But if you were to click through, you'd reach phishing pages which are visually quite appealing.

First you search for yourself – so no immediate request for credit card details. This brings up a Web-2.0ish "processing" page for a few seconds, before you are thrust into a full-on phishing page, where you are invited to disclose important personally identifiable information.

The sad thing about this sort of old-school phish is that any naive and trusting internet users who might be conned by it are probably the very same users who trust that the Australian government's internet filtering plan would protect them from it. After all, the government doesn't call its mandatory filtering "censorship". It calls it "measures to improve safety of the internet for families."

As I have already argued quite strongly, the government's mandatory filtering plan will do nothing to protect naive users against cybercriminals. Nor, for that matter, will it protect children against on-line predators who stalk them illegally in legitimate forums.

Those of us who know better will need to continue with the task of advising and mentoring friends and family who are naive internet users. Sadly, we won't get a rebate against the tax money the government will pour down the drain (or will force our ISPs to pour down the drain) pretending to protect us.




Windows kernel vulnerability adds to Microsoft's woes

Microsoft are under the pump fighting vulnerabilities at the moment. Just six-and-a-half hours after blogging that the Operation Aurora Internet Explorer fix would be ready the next day, they blogged about a publicly-announced Windows kernel vulnerability.

Microsoft's 979682 advisory about the vulnerability is sadly devoid of any useful (or even interesting) technical details at the moment. You are referred to CVE-2010-0232, but that's still a holding page. The vulnerability number was reserved two weeks ago, but no documentation has been published there yet.

Don't worry. You can find out more about this vulnerability with a search or two. Or you can read about it on El Reg, like the rest of us.

The elevator pitch (Brit: lift summary) is that NTVDM, the 16-bit DOS subsystem in 32-bit Windows, can be abused to trick the kernel into trusting userland memory addresses that it shouldn't. That almost always means an escalation of privilege exploit is close to hand.

The bad news is that a handily-commented C source code of a proof-of-concept exploit is available. The discoverer of the exploit claims that Microsoft didn't fix it when he reported it in June last year. So he decided to go public, presumably to push things along, a tactic which seems to have worked.

The good news is that an effective and centrally-deployable workaround is available. Simply turn off the 16-bit DOS subsystem, which can be done by Group Policy across an entire domain. You won't be able to run your old 16-bit DOS applications, of course. But then you gave those up years ago, right? As you gave up making all your users Local Admins. So 1999.
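As an added example (not from this post, and not Microsoft's own Fix it), here is how an administrator could apply and verify that workaround on a 32-bit machine from PowerShell, and first find out whether anything on the box is actually still using NTVDM. The registry location and value name (HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, VDMDisallowed = 1) are assumed to be what the Group Policy setting "Prevent access to 16-bit applications" writes; they are not stated on this page, so check them against advisory 979682 before pushing the script fleet-wide.

```powershell
# Added example: disable the 16-bit DOS subsystem (NTVDM) as a workaround for
# the kernel vulnerability described in Microsoft advisory 979682 / CVE-2010-0232.
# Assumption: the policy-backed registry value below is the one written by the
# Group Policy "Prevent access to 16-bit applications". Run elevated.

$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$Name = 'VDMDisallowed'

function Test-Is64BitWindows {
    # On 64-bit Windows either the native arch is not x86, or a 32-bit PowerShell
    # is running under WOW64 and PROCESSOR_ARCHITEW6432 is set.
    ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
}

function Get-NtvdmPolicyState {
    # 'Disabled' if the policy value is 1, otherwise 'Enabled' (the default).
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($v -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Ntvdm {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-Is64BitWindows) {
    Write-Host '64-bit Windows: there is no NTVDM here, nothing to do.'
    return
}

# Impact check: every live 16-bit program is hosted by an ntvdm.exe process,
# so a running instance tells you who will break when the subsystem is switched off.
$vdm = Get-Process -Name ntvdm -ErrorAction SilentlyContinue
if ($vdm) {
    Write-Warning ("ntvdm.exe is running (PID " + ($vdm.Id -join ', ') + "); 16-bit apps are in use on this host.")
}

Write-Host "NTVDM policy before: $(Get-NtvdmPolicyState)"
Disable-Ntvdm
Write-Host "NTVDM policy after:  $(Get-NtvdmPolicyState)"
```

The policy is consulted when a 16-bit program is launched, so a process that is already inside ntvdm.exe when you flip the value is assumed to keep running until it exits; the impact check above exists precisely so you know which machines to revisit, and the same value is more naturally delivered as a domain GPO than as a script run host by host.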

I'm not usually a fan of full disclosure, especially where a working but unpatched exploit is published for all to use and abuse. In this case, I don't mind.

Kernels aren't supposed to have bugs. When security assumptions in kernels turn out to be broken, either the bug should be fixed promptly or the faulty code be removed entirely.

In this case, fondly though I remember DOS, I recommend the latter approach. Forget about the patch for the moment, though it will come and you should apply it. Say "G'day" to the Twenty-first Century and say "Exit" to the Virtual DOS Machine.

DOS applications have never cohabited well with Windows NT and NTFS – there are too many impedance mismatches between the OSes in file and directory handling alone for their coexistence ever to be satisfactory for more than a brief transitional period.

To be fair to Microsoft, the 16-bit DOS subsystem was ejected from 64-bit Windows, apparently without any tears or regret. I have no doubt they'd love to eject it from 32-bit Windows as well, but I bet that organisations with legacy applications have leaned heavily on Microsoft not to do so.

Sometimes, the change control guys need a stick to make them let go of the past.

Perhaps this is an ideal stick for Microsoft – if their "patch" to this vulnerability were to get rid of NTVDM altogether instead of fixing the bug, would you mind? Or do you expect Microsoft to keep maintaining the worn-out VDM almost as if it were a tradition?


