December 2006
December 26, 2006
More Cyber-Crooks After Money
Hang on to your money belt because in a recent report, PandaLabs has revealed a new and disturbing trend -- 72 percent of the malware detected in the third quarter of 2006 was designed for obtaining money.
Adware and spyware were the threats most frequently detected by Panda ActiveScan, accounting for 41 percent of all detections. Both spyware and adware are related to advertising, as they aim to gather personal data about the online store websites users visit, in order to offer them products and services that adapt to their preferences. This practice is illegal if carried out without the affected user’s consent, as it involves a violation of their privacy for commercial purposes.
According to Luis Corrons, director of PandaLabs: "Financial motives are determining the activity of threat creators almost exclusively now. These are professional criminals who create malicious code not to achieve notoriety or show their programming skills, but simply to get money. We believe that this trend will not only be maintained in the future, but it will increase further. In this situation, it is essential to keep one’s guard up at all times and use all technological means of protection at hand."
The report, which is freely available for download, also points out other interesting issues about computer security in the third quarter of 2006, such as the impact of the new software vulnerabilities detected in Microsoft products, threats associated to "social websites" such as MySpace, or the new ways in which cyber-crooks use Google to distribute their creations.
Posted by Jon Erickson at 03:50 PM Permalink
December 13, 2006
Biometrics Comes to the Keyboard
When you stop and think about it, the AKC098 keyboard from Access makes a lot of sense -- it puts fingerprint recognition at your fingertips, right on the computer keyboard.
Of course, what would be really cool is if the fingerprint recognition was actually built into the individual alpha-numeric keys. But that's probably asking too much in terms of complexity and cost. Instead the AKC098 has a built-in "U.are.U" fingerprint reader module manufactured by DigitalPersona. The Windows-compatible keyboard has a USB interface and users can be enrolled so that any of their eight fingers and two thumbs can be used for log-on. The fingerprint data is stored as a binary number string, not as an image, so user identity is not put at risk.

The keyboard can be supplied with an optional integral magnetic swipe reader. It has a 36-key QWERTY block with a space bar and a matrix area of 46 freely programmable key switches. The most commonly used functions can be programmed into the keys and made available with a single keystroke. Custom-made key-top layouts can be supplied to match a user's point-of-sale software requirements. The AKC098 stores its layout permanently in non-volatile memory. A USB glide-point touch pad mouse can also be fitted as a customer-specified option.
Posted by Jon Erickson at 11:52 AM Permalink
December 10, 2006
Rivest Weighs In on E-Voting Security
Considering that security and electronic voting go hand-in-hand, it was only a matter of time before computer security legend Ron Rivest (the "R" of "RSA") got involved.
In his paper The ThreeBallot Voting System, Rivest (who is a recipient of Dr. Dobb's Excellence In Programming Award and inventor of the RC5 Encryption algorithm), focuses on providing a high degree of verifiability, in which "voters can verify that their votes are cast as intended, and can check that their vote is included in the final tally."
Rivest claims that this is the first time such end-to-end verifiability has been obtained without encryption.
This is an interesting and important paper by a security expert who knows what he is talking about.
Posted by Jon Erickson at 11:31 AM Permalink
December 03, 2006
Security Myths
Urban legends exist about everything from alligators in the sewers to computer security. That's one reason why the recent note about "security myths" from the folks at security firm Panda Software was so interesting.
Rather than trying to summarize it, I'll take the easy way out and present the entire paper here. Don't worry, it isn't that, but it is most certainly interesting. Thanks again to Panda Software for sharing this.
Security Myths
The IT world is full of myths and legends circulated via email or simply spread by word of mouth. These legends are not the infamous hoaxes or chain letters, but assume that certain things are true, when they usually aren't. However, they are so difficult to prove that they are accepted as true without any evidence whatsoever.
And these strange myths also exist in the IT security world. One of them, based on an accepted fact, is being increasingly refuted: creators of malicious code are good programmers. Some time ago, when viruses were in their prehistoric era, this was true.
For a program to multiply automatically, without users realizing or prehistoric security programs detecting it, it must have been created by a good programmer. Programmers needed a wide knowledge of systems, the options they offered and a huge capacity to innovate.
However, nowadays, these programmers are no longer the "stars" of IT coding. Malicious codes are becoming coarser, less innovative, and sloppier.
The Gaobot.AAF Case
The statement that creators of malicious code are poor programmers (or at least, not as good as we think) is not unfounded, as there are methods for scanning programs to see how they were built. One of them, which is widely used for its visual results, offers graphic representation of the components of a program. These graphs are lines that relate each sub-routine of the code, so that a simple and well-built program would return a simple and clear graph. However, a program without any internal organization and without adequate systemization would offer an extremely complex and disorganized graph.
What's more, two similar programs would offer similar graphs. PandaLabs, Panda Software's malware detection laboratory, has used them to establish the similarities between different variants of a malicious code. They have done this because calls to the same function in different programs are shown graphically.
When PandaLabs analyzed a bot (Gaobot.AAF), they were surprised with the result: not only because it was spectacular (they called it "Death Star" due to its resemblance to the space station from Star Wars) but for its strange complexity.
Why is this strange drawing returned? Simply because the original source code of the Gaobot bot family was released to malicious code writers and each one created a new variant. But these variants were not optimized, and therefore, each variant was more complex.
Instead of demonstrating that they were good programmers, all the creators of the Gaobot variants did was prove that their in-depth knowledge was a myth and that they are simply apprentice thieves who copy others' code.
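The graph comparison the paper describes can be reproduced in a few lines once each program is reduced to its call graph. The following Python is an added example, not code from Panda Software or the paper: the three programs, their function names and their call edges are constructed toy data, and the similarity measure (Jaccard overlap of the edge sets) and the complexity measure (edges minus nodes plus two, the cyclomatic number of a connected graph) are my choices, not the tool PandaLabs used. A variant that copies the base bot and bolts code onto it keeps most of the original edges and grows in complexity, while an unrelated program shares almost nothing.

```python
"""Compare programs by their call graphs (added example, constructed data)."""
from itertools import combinations

# Constructed call graphs: function name -> functions it calls.
# Leaf functions (no outgoing calls) need no entry of their own.
PROGRAMS = {
    "base_bot": {
        "main": ["init", "connect_c2", "cmd_loop"],
        "init": ["load_config"],
        "connect_c2": ["resolve_host", "open_socket"],
        "cmd_loop": ["recv_cmd", "dispatch"],
        "dispatch": ["scan_hosts", "send_report"],
    },
    # A copy of base_bot with a new capability grafted on, nothing removed.
    "variant_bot": {
        "main": ["init", "connect_c2", "cmd_loop"],
        "init": ["load_config"],
        "connect_c2": ["resolve_host", "open_socket"],
        "cmd_loop": ["recv_cmd", "dispatch"],
        "dispatch": ["scan_hosts", "send_report", "steal_keys"],
        "steal_keys": ["hook_keyboard", "send_report"],
    },
    # An unrelated program that happens to share only the name "main".
    "text_editor": {
        "main": ["open_file", "edit_loop"],
        "edit_loop": ["draw_screen", "handle_key"],
        "handle_key": ["save_file"],
    },
}


def edges(graph):
    """Set of (caller, callee) pairs: the lines in the drawn graph."""
    return {(caller, callee) for caller, callees in graph.items() for callee in callees}


def nodes(graph):
    """Every function that appears as a caller or a callee."""
    return set(graph) | {callee for callees in graph.values() for callee in callees}


def jaccard(a, b):
    """Share of call edges common to both programs (0 = nothing, 1 = identical)."""
    ea, eb = edges(a), edges(b)
    union = ea | eb
    return len(ea & eb) / len(union) if union else 1.0


def cyclomatic_number(graph):
    """edges - nodes + 2: grows as a program accumulates tangled extra paths."""
    return len(edges(graph)) - len(nodes(graph)) + 2


def shared_functions(a, b):
    """Function names present in both programs, the visible overlap in a plot."""
    return sorted(nodes(a) & nodes(b))


def rank_pairs(programs):
    """All program pairs ordered from most to least similar."""
    return sorted(
        ((jaccard(programs[x], programs[y]), x, y) for x, y in combinations(programs, 2)),
        reverse=True,
    )


if __name__ == "__main__":
    for score, x, y in rank_pairs(PROGRAMS):
        print(f"{x:12} {y:12} similarity={score:.2f}")
    for name, graph in PROGRAMS.items():
        print(f"{name:12} edges={len(edges(graph))} cyclomatic={cyclomatic_number(graph)}")
```

With real binaries the adjacency lists would come from a disassembler's cross-reference output rather than being typed in, but the comparison step stays the same: a variant derived from leaked source scores high against its parent and its cyclomatic number only ever goes up.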
The "Undetectable" Viruses
Another widespread myth, which is fed by many false email messages, is that there are viruses (worms, Trojans, etc.) that no security solution can detect. And unfortunately, even though this is not true, this myth is sometimes rumoured.
A recent news article reported that a student had created a Trojan that recorded the images of his classmates' webcams and then blackmailed them with the recordings. It was said that the Trojan was "undetectable."
The statement that a Trojan is undetectable contradicts this information, as the authorities created a system to detect and eliminate this code. So, is it undetectable or not?
The problem lies in the difficulty to detect a certain Trojan. The majority of manufacturers of antivirus solutions depend on samples of malicious code to develop a detection and disinfection routine. For this to happen, two circumstances must arise:
- The malicious code arouses suspicion from a user. If a message is not displayed or if it does not carry out any special action on the computer that makes the user realize that something strange is happening, the system will remain infected, as a sample will not be sent to the laboratories for analysis.
- The malicious code must have a certain rate of propagation. This increases the probability of affected users notifying the laboratories of the appearance of the code.
In the case of this Trojan, neither of the two circumstances arose. Like most Trojans, it did not show any messages or leave any clues that could give it away. What's more, as it was distributed to very few computers (only the hacker's classmates), it did not arouse any suspicion.
This is an example of the malware situation today: reduced and well-hidden examples. Therefore, antivirus companies will not detect it, as the report says. However, this statement is not complete: it will not be detected until it has been discovered.
In spite of this, this problem only arises with old malicious code detection systems. These systems rely exclusively on data stored about malicious programs and do not incorporate any other detection systems. Therefore, anything that is not stored in their program signature database will be considered valid.
More modern technology for combating malicious code prevents these problems, as instead of clinging to previous knowledge of malicious codes, it seeks them out by analyzing their behaviour. Therefore, a program that tries to carry out a malicious action on a computer will be blocked, not because it can be identified, but because of the action it was going to perform.
While users continue to trust in partial and outdated solutions to detect viruses and other malicious programs, they cannot adequately protect their computers, as "undetectable malicious codes" will continue to exist for them, instead of simply "dangerous programs unidentified up until now".
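The difference between the two detection approaches the paper contrasts is easy to show side by side. The Python below is an added example, not Panda Software's code: the sample files, the signature database, the host event log and the behaviour rules are all constructed for illustration. A signature scanner matches only the exact sample the laboratory has already received, so a recompiled variant that differs by one byte slips through; a behaviour scanner looks at what a process does and flags the variant on its first run, while leaving a video-chat program that legitimately opens the camera alone because it does not also install itself to start at every logon.

```python
"""Signature lookup versus behaviour-based detection (added example, constructed data)."""
import hashlib

# Constructed sample files: one the lab has seen, one recompiled variant that
# differs by a single byte, and a benign program.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed trojan body v1"
NEW_VARIANT = b"MZ\x90\x00 constructed trojan body v2"
BENIGN = b"MZ\x90\x00 constructed calculator"

# A signature database only knows samples that were actually sent in.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}


def signature_scan(data, db=SIGNATURE_DB):
    """Return the family name if this exact sample is in the database, else None."""
    return db.get(hashlib.sha256(data).hexdigest())


# Constructed host events as a sensor would record them: (pid, process, action, target).
# All process names, paths and addresses are made up.
EVENTS = [
    (101, "calc.exe", "file_read", r"C:\Windows\calc.ini"),
    (202, "update.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"),
    (202, "update.exe", "device_open", r"\\.\webcam0"),
    (202, "update.exe", "file_write", r"C:\Temp\cap.avi"),
    (202, "update.exe", "net_connect", "198.51.100.7:4444"),
    (303, "chat.exe", "device_open", r"\\.\webcam0"),
    (303, "chat.exe", "net_connect", "203.0.113.9:443"),
]

# Behaviour rules: ordered action sequences that are suspicious together.
# Opening the camera and connecting out is what a video chat does; doing so
# after installing a logon autostart entry is not.
RULES = {
    "persistent_webcam_exfil": ("registry_set", "device_open", "net_connect"),
    "keylogger_exfil": ("hook_keyboard", "net_connect"),
}


def has_ordered_subsequence(actions, pattern):
    """True if every action in pattern occurs in actions, in that order."""
    it = iter(actions)
    return all(step in it for step in pattern)


def behaviour_scan(events, rules=RULES):
    """Map each pid to the names of the rules its action history matches."""
    history = {}
    for pid, _proc, action, _target in events:
        history.setdefault(pid, []).append(action)
    hits = {}
    for pid, actions in history.items():
        matched = [name for name, pattern in rules.items()
                   if has_ordered_subsequence(actions, pattern)]
        if matched:
            hits[pid] = matched
    return hits


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT), ("benign", BENIGN)):
        print(f"signature  {label:8} -> {signature_scan(sample)}")
    print(f"behaviour  -> {behaviour_scan(EVENTS)}")
```

The signature check is exact by design, which is why it cannot say anything about a sample nobody has reported yet; the behaviour rule trades that certainty for coverage of unseen code, and its precision depends entirely on how carefully the action sequence is chosen.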
Posted by Jon Erickson at 04:53 PM Permalink