Wednesday, April 8, 2009

The GhostNet: cybersecurity = national security

Malware and cyber attacks are no longer the province of alienated hackers and international crime syndicates. National governments are using the same tools to spy on dissidents and rival nations. Recent research by the CitizenLab has unmasked a far-reaching suspected cyber espionage network of over 1,295 infected hosts in 103 countries. This finding comes at the close of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions that consisted of fieldwork, technical scouting, and laboratory analysis.



Using freely available Windows malware and some customized command and control software, the developers of GhostNet (who at the very least speak Chinese) have managed to penetrate an incredible number of sensitive governmental and political groups. Not surprisingly, China denies playing a role in 'GhostNet' cyberspy ring and of course, it is very difficult to prove the exact origin of these attacks. Listen to an interview with the researchers on the podcast Unmasking ‘GhostNet’ | WBUR and NPR - On Point with Tom Ashbrook.



Thursday, February 12, 2009

Free Anti-Virus Software

Although anti-virus programs won't protect you from many wireless network exploits, they will help detect malware after it's been installed, and are an important part of any security toolkit. Anti-virus programs are not perfect, however:
  • They don't detect all malware, and can really only detect viruses that have already been seen in the wild. This means that you can still be infected even with an anti-virus program installed.
  • Many anti-virus programs add a huge amount of overhead to your system. Although there have been improvements recently, the Norton Anti-Virus suite was notorious for using tremendous amounts of system resources (processor cycles and RAM, mostly). Some benchmarks indicate that installing Norton cuts processor performance in half. This means that, if you have a 2 GHz CPU, installing Norton is like downgrading to a 1 GHz processor!
  • You must maintain your virus definitions regularly. Often, the update is a scheduled task that fires off when you boot up, slowing down performance and delaying the time until you can use your computer. Many people will cancel the updates out of frustration.
Having said all that, installing anti-virus software is a good idea for most Windows computers, and you should be able to scan files or your hard drives on a regular basis to be sure you haven't been infected. Here are some free programs that can do the job:
In my Open Source & Linux Blog, I describe how you can Virus scan Windows using a Linux live CD using F-Prot.

Monday, September 29, 2008

Google's new Chrome browser is not secure

Google’s new open source browser, Chrome, made a big splash when it was introduced earlier this month: Meet Chrome, Google's shiny new browser - CNET News. Perhaps the bloom is off the rose now that we’ve had a chance to take a closer look at the security, or lack thereof, in the new browser:

Early security issues tarnish Google's Chrome browser, note several publications, including PC World. Most alarmingly, Chrome is a security nightmare, indexes your bank accounts. Computerworld calls Chrome: Google's biggest threat to your privacy.

Since the product is in beta, it’s too early to say that Chrome is a complete disaster, but it should certainly be avoided when you want to log in to your bank or any other site that requires a password that you like to protect.

One of Chrome's most notable features is an impressive speed up in JavaScript performance. You can realize most of these benefits by using the WebKit Open Source browser, which is based on the same HTML engine as Chrome: the Konqueror Web Browser from the K Desktop Environment, or KDE, project.

Surf safe!

Tuesday, September 2, 2008

More Gmail & Cookie hacks, plus a solution

Now there’s another Good Reason To Go Full-Time SSL For Gmail: a new exploit that captures session cookies to give hackers access to your Gmail account.

Details here: Gmail Account Hacking Tool | Hacking Truths (since the original article is not available, I’ve posted the text below).

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

This is Google’s (and all web application developers) responsibility, because only the app developer can ensure that all transactions between the client and server are secure. To Google’s credit, they now offer an option to permanently switch on HTTPS. Details here: Enabling the HTTPS setting - Help Center

Update

This exploit is also a problem for financial institutions -- as if they don't have enough problems already: CookieMonster nabs user creds from secure sites • The Register

The solution: web application developers need to take the following steps:
  1. Write their applications to ensure that all communication between the browser and the web server happens over SSL (https protocol, on port 443).
  2. When the application uses cookies, mark all sensitive cookies (cookies that contain passwords or other authentication data) as secure, i.e., to be sent over encrypted connections only.
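To make step 2 concrete, here is an added illustration (my own Python, not code from Google or from the Hacking Truths article). It parses Set-Cookie headers and reports which cookies a browser would attach to a plain http:// request, such as the injected image fetch described above, versus an https:// one. The header values, the cookie name SID and the domain example.com are constructed for the demonstration, and the browser model is deliberately reduced to the one rule that matters here: a cookie carrying the Secure attribute is only sent over an encrypted connection.

```python
"""Added example (not part of the original post): which cookies leak over
plain http:// when the Secure attribute is missing.

Constructed sample headers: the same session cookie set without Secure
(weak) and with it (hardened), beside a harmless preference cookie."""

WEAK_HEADERS = [
    "Set-Cookie: SID=s3ss10n; Path=/; Domain=.example.com; HttpOnly",
    "Set-Cookie: LANG=en; Path=/",
]
HARDENED_HEADERS = [
    "Set-Cookie: SID=s3ss10n; Path=/; Domain=.example.com; HttpOnly; Secure",
    "Set-Cookie: LANG=en; Path=/",
]
# Cookies that carry authentication data and therefore must be Secure.
SENSITIVE = {"SID"}


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as Secure and HttpOnly that take no value."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def would_send(attrs, scheme):
    """The browser rule under discussion: a Secure cookie travels only on
    https:// requests; any other cookie is sent over http:// as well."""
    return scheme == "https" or not attrs.get("secure", False)


def cookies_sent(headers, scheme):
    """Names of the cookies a browser would attach to a request over
    the given scheme ("http" or "https")."""
    sent = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if would_send(attrs, scheme):
            sent.append(name)
    return sent


def audit(headers, sensitive):
    """Names of sensitive cookies that lack Secure, i.e. the ones a
    sniffer on an open wireless network can capture from an http:// fetch."""
    return [name for name in cookies_sent(headers, "http") if name in sensitive]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: sent over http:// -> {cookies_sent(headers, 'http')}, "
              f"sensitive cookies exposed -> {audit(headers, SENSITIVE)}")
```

Run it and the weak configuration shows SID going out on every plaintext request, while the hardened one sends only the harmless LANG cookie over http://. Note that the Secure attribute only helps if the whole session is served over https (step 1): a page that mixes in http:// resources still gives an attacker a plaintext request to sniff, and any cookie not marked Secure rides along with it.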
Clearly these are fixes that are not available to the end user. Only web developers can implement these basic security precautions. In the meantime, here’s what you can do as an end user:
  1. Perform transactions that require a secure connection only on a secure network. The best option is a wired-only network. Since these are becoming more and more rare, it's important to ensure that your wireless network is completely locked down with good encryption (WPA) and strong passwords.
  2. Contact your bank or favorite email provider and request that they use https (SSL) and secure cookies to protect your account.

Surf safe!

Here’s the full text of the article Gmail Account Hacking Tool | Hacking Truths from hungry-hackers.com, which was offline earlier:
Gmail Account Hacking Tool

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though Gmail forces the authentication over SSL (Secure Socket Layer) when you log in, you are not secure, because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SSL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

Wednesday, August 6, 2008

11 charged with massive ID theft

Boston has become somewhat of a hub for what is looking like the biggest ID theft in US history (to date, of course). The US Attorney General Michael Mukasey announced yesterday here in Boston that a ring of 11 were charged with massive ID theft in a series of successful attacks on the wireless networks of major retailers:
“They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said.”

The ring is notably international, which shows how this type of crime is not in any way limited by geography. Note in the following quote that the hackers used better security than their victims:
“The defendants - one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin - allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States.”

The key to the operation: breaking into the networks of these large retailers through the weakest link in the perimeter, their poorly secured wireless network.

Friday, July 25, 2008

nmap scanning

One of the most useful tools for IP networks is nmap, available as an open source command line program, with various "graphical" front ends for the different platforms.

Here's how to do a quick network scan of your wireless router to see what machines are using your air space, and then what services are available on each box.

I use two commands. Use sudo to ensure you get all the info:

sudo nmap -sP 192.168.X.*
then,
sudo nmap -sV 192.168.X.Y
You'll need to replace X and Y with the correct numbers for your router. To find out what IP address space you are in, run ifconfig (UNIX/Mac) or ipconfig for Windows at the command prompt.

Ping Scan


Here's the nmap command to ping all the devices attached to your router, including wireless connections (nmap doesn't care how the devices are attached to the router):

sudo nmap -sP 192.168.X.*

This checks all 256 addresses in the Class-C address space 192.168.X, where X is an integer from 0 to 255. Most retail routers use this type of address space; a high-end corporate or data center router might use a Class B address.

192.168 is a private, reserved Class B network that limits access to the addresses inside from external visitors by default. See Private Network (http://en.wikipedia.org/wiki/Private_network) for all the geeky details.

So, here's how to ping scan all the devices attached to your router:

neil@shubuntu:~$ sudo nmap -sP 192.168.3.*
[sudo] password for neil:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 14:54 EDT
Host 192.168.3.1 appears to be up.
MAC Address: 00:17:3F:45:09:30 (Belkin)
Host 192.168.3.3 appears to be up.
MAC Address: 00:1E:52:76:17:CC (Apple)
Host 192.168.3.5 appears to be up.
Host 192.168.3.7 appears to be up.
MAC Address: 00:E0:29:86:CE:02 (Standard Microsystems)
Host 192.168.3.8 appears to be up.
MAC Address: 00:0D:93:EA:68:2F (Apple Computer)
Host 192.168.3.9 appears to be up.
MAC Address: 00:19:1D:F6:63:C6 (Nintendo Co.)
Nmap done: 256 IP addresses (6 hosts up) scanned in 11.005 seconds
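Once you have this output, the useful follow-up is to compare it against the devices you expect to see, which is how the "identifying an intruder" case plays out in practice. Here is an added example (my own Python, not part of nmap or the original post) that parses the ping-scan text above into a host inventory and flags any host whose MAC address is not on a known-device list. The known-device list, its labels and the choice of 192.168.3.5 as the scanning machine are constructed for the illustration; the sample text is the scan quoted above.

```python
"""Added example (not from the original post): turn `nmap -sP` output into
an inventory and flag hosts whose MAC address is not on a known list."""
import re

# Constructed sample: the ping-scan output quoted in the post.
SAMPLE_OUTPUT = """\
Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 14:54 EDT
Host 192.168.3.1 appears to be up.
MAC Address: 00:17:3F:45:09:30 (Belkin)
Host 192.168.3.3 appears to be up.
MAC Address: 00:1E:52:76:17:CC (Apple)
Host 192.168.3.5 appears to be up.
Host 192.168.3.7 appears to be up.
MAC Address: 00:E0:29:86:CE:02 (Standard Microsystems)
Host 192.168.3.8 appears to be up.
MAC Address: 00:0D:93:EA:68:2F (Apple Computer)
Host 192.168.3.9 appears to be up.
MAC Address: 00:19:1D:F6:63:C6 (Nintendo Co.)
Nmap done: 256 IP addresses (6 hosts up) scanned in 11.005 seconds
"""

# Known devices (constructed labels): MAC address -> what it is.
KNOWN_MACS = {
    "00:17:3F:45:09:30": "router",
    "00:1E:52:76:17:CC": "laptop",
    "00:0D:93:EA:68:2F": "desktop",
    "00:19:1D:F6:63:C6": "game console",
}
# nmap prints no MAC line for the machine running the scan, so it is
# recognised by its IP address instead (assumed to be 192.168.3.5 here).
SCANNER_IP = "192.168.3.5"

HOST_RE = re.compile(r"^Host (\S+) appears to be up\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")


def parse_ping_scan(text):
    """Return a list of {ip, mac, vendor} dicts, one per host that
    responded. mac and vendor stay None when nmap printed no MAC line
    (the local host, or a scan run without sudo)."""
    hosts = []
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            hosts.append({"ip": host.group(1), "mac": None, "vendor": None})
            continue
        mac = MAC_RE.match(line)
        if mac and hosts:
            # The MAC line always follows the host it belongs to.
            hosts[-1]["mac"], hosts[-1]["vendor"] = mac.group(1), mac.group(2)
    return hosts


def unknown_hosts(hosts, known_macs, scanner_ip):
    """Hosts that are neither the scanning machine nor on the known list."""
    return [h for h in hosts
            if h["ip"] != scanner_ip and h["mac"] not in known_macs]


if __name__ == "__main__":
    inventory = parse_ping_scan(SAMPLE_OUTPUT)
    for h in inventory:
        label = KNOWN_MACS.get(h["mac"], "scanner" if h["ip"] == SCANNER_IP else "UNKNOWN")
        print(f"{h['ip']:<15} {h['mac'] or '-':<18} {h['vendor'] or '-':<22} {label}")
    for h in unknown_hosts(inventory, KNOWN_MACS, SCANNER_IP):
        print(f"unexpected device: {h['ip']} ({h['vendor']})")
```

On the sample scan this reports 192.168.3.7 (Standard Microsystems) as the one device not on the list, which is the box to look at next with the version scan below. Two caveats: nmap only sees MAC addresses on the local segment, and a MAC address is trivially changeable, so a match against the list is a cheap sanity check rather than proof that a device is the one you think it is.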

Version Scan

Now that you know what's out there, responding, you can check each address to see what services are running on each box. This is particularly useful for diagnosing problems, or identifying an intruder.

Let's take a closer look at the Macs on the network:

neil@shubuntu:~$ sudo nmap -sV 192.168.X.3

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 13:53 EDT
Interesting ports on 192.168.X.3:
Not shown: 1710 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
88/tcp open kerberos-sec Mac OS X kerberos-sec
548/tcp open afp Apple AFP (name: SilverSurfer; protocol 3.2; Max OS X 10.4/10.5)
5900/tcp open vnc Apple remote desktop vnc
MAC Address: 00:1E:52:76:17:CC (Apple)
Service Info: OS: Mac OS X

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.634 seconds
neil@shubuntu:~$ sudo nmap -sV 192.168.X.8

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 13:55 EDT
Interesting ports on 192.168.X.8:
Not shown: 1713 filtered ports
PORT STATE SERVICE VERSION
548/tcp open afp Apple AFP (name: gforce; protocol 3.2; Max OS X 10.4/10.5)
MAC Address: 00:0D:93:EA:68:2F (Apple Computer)

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.679 seconds

Friday, July 11, 2008

HoverIP: Free Network Tools for Windows

HoverIP v1.0 beta

HoverIP is a powerful set of IP utilities, all inside a single box!

With HoverIP you can display your IP configuration (on all network cards), perform different tasks like NSLOOKUP, PING, TRACEROUTE, SCAN PORTS or network, and manage your ROUTES in a very convenient way!

Important Note: HoverIP will not work with Windows 95 and has not been tested on all Windows platforms.

Go to the HoverDesk Freeware page, or download HoverIP directly.

Mac OS X users: no need to download anything for the same features. Just run Apple's Network Utility. Quick tip: open Spotlight (Apple-Space) and start typing Network Utility -- by the time I got to the letter "e" I could just hit Return to launch it as the Top Hit.