ZeuS uses unpatched IE exploit

The Eleonore toolkit, which is the tack vector for the ZeuS malware, got support for the
recent CSS vulnerability of IE 8 which is still not fixed. This means that there will be more broken webservers distributing the exploit and bigger damage to affected users.

Position:Zeppelinstraße,München,Deutschland

ZeuS Botnet under Reorganisation

Reuters reports that the author of the ZeuS botnet announced that he will stop developing and maintaining ZeuS. Probably he has sold the sources and the customer base to a competing botnet , Spy Eye. Spy Eye has been fighting hard against ZeuS, but could not overtake ZeuS.

One may safely assume that the ZeuS author will use this sabbatical to come back with something even more dangerous, as it was the case in 2007 and 2008 when he also took a break.

Will Apple kill the SIM card?

GigaOM reports rumors that Apple and Gemalto work on integrating a SIM into iPhone circuit board. Everyone believes that this is totally unaccaptable for the network operators, but probably they want the iPhone badly enough so that they would accept this.

Here is what would come out of that:

• precious space on the PCB is saved
• the new security element might also contain payment applets
• the general security of the iPhone might be improved.
• changing the mobile network operator could become extremely simple, even automatic.

There were rumors before that apple wants to enter the NFC universe. It will be important to see if Apple makes SIM switching really easy. They could if they wanted to. Also, it will be very interesting to see if such a device could also get EMV certifications.

ZeuS attacks m-TAN

ZeuS e-crime toolkit now supports man in the mobile also. It seems that the malware on the PC tricks the user into installing malware on their phone with a classic social engineering manipulation.

The fraud is then straightforward: The trojan on the PC starts a transaction, the telephone malware grabs the m-TAN confirmation message and forwards it to the malware on the PC where the fraudulent transaction is completed.

This will become increasingly dangerous with the success of smartphones, which allow more attack vectors, in particular if the telephone is regularly connected to the PC, e.g. for synchronizing or charging.

I have written about this problem already one month ago.

Smartphones Not Ready for Mobile TANs

In the last weeks we had an outbreak of security issues with smart phones. The most famous was the pdf font bug that hit the iPhone and other iOS devices which was fixed by Apple with iOS 4.0.2. This one was really dangerous because it could infect iPhones just by opening an infective web site.

Then we had a rootkit for Android phones. A first criminal exploitation was a Trojan, also for Android, that sent text messages to premium numbers.

Of course there is much more. The reason for this is, of course, that there is no magical security for telephones. Old-style telephone-and-SMS-only phones were simply too dumb to be hacked (if we disregard the occasional bluetooth hack). Modern smartphones are normal computers that happen to contain a radio baseband chip.

However, we have that security feature M-TAN or Mobile TAN for online banking. When a M-TAN user has entered their transaction into the online banking website, they get a SMS with some details on the transaction and the M-TAN number. If the details of the transaction look good, they enter the M-TAN into the web site to complete the transaction.

So, here is the criminal master plan:

1. own as many PCs as you get
2. own as many smartphones as possible
3. match smartphones and PCs
4. start phony transactions on the PC
5. capture the resulting SMS
6. send the M-TAN to the Trojan on the PC
7. Profit

Sounds complicated, but if everyone has a backup of their smart phone on the PCs step 3 should be quite easy and the only remaining issue for the criminal is whether they find enough matches so that the plan is worth the effort.

A promising version of this plan would be to attack the smart phone via the infected PC. In iPhone speak this would be called the "trojan jailbreak". If this can be done without the user noticing it, the M-TAN is completely broken.

I don't recommend using M-TANs on a smartphone.

FBI can't break TrueCrypt

The FBI failed to decrypt a hard disk encrypted under TrueCrypt and another unnamed program. Of course, this is the expected result if AES is secure and the password the suspect had chosen is also secure. Still, this is a nice argument that the whole things worked.

On a side note: this is exactly why authorities want to put trojans into computers of suspected people: The Trojans would be used to "confiscate" the data or the password while the suspect uses them.

Graham Cluley from Sophos claims that Apple have secretly patched their OS against a Tojan. Of course the claim that Apple computers were immune against malware have always been absurd. It is reasonable to expect that more malware will target Macs, and we will see how Apple will deal with that. It will be hard work just like in the case of Windows, not some magical pixie dust.

German Police publishes ATM Crime Numbers

The german federal police has published the 2009 numbers for ATM fraud. 964 ATM machines have been manipulated, that#s 20% more than 2008. Usually the PIN is spied out and the magnetic stripe data of the banking card is read. The data is transferred via a wireless connection who make a copy of the card and use that at another ATM.

Usually customers won't note the manipulations. Removing the magnetic stripe would improve the situation, but note that the cards must be authenticated with a real challenge-response protocol if a real security improvement is the target.

Bumping Telephones for small Payments

Bump is an API and service that allows people to initiate a data transfer between their telephones by bumping them together. The service matches location, time and kinetics of the bump between the phones. Then contact data may be exchanged or, more interesting, small amounts of money my be sent.

The bump procedure ensures that users understand what's happening and privacy may be added by adding a PKI to the bump matching service: if the match is made, the service can send public keys of the bump partner.

Professional Man-In-The Middle Product

The Packet Forensics LI-5B is a nice professional man-in-the-middle device. Combined with fake ssl certificates or well known SSL vulnerabilities this results in a very nice packet inspection tool. If a trustworthy SSL connection is needed you need to do use something better than a standard browser solution.

EMV Broken by Inventing Card Response

EMV user verification uses several methods, one of them is a PIN entered by the user. However, please note that this proves the user identity to the card, not to the terminal. If no-one checks the security state of the card, this is pretty pointless. They simply catch the verification request sent to by the terminal to the card, throw it away and reply with a code that means "PIN was OK".

So what now? Actually, the responsibility for a correct transaction is with the merchant, because only the merchant has at least a possibility to ensure a correct transaction: If a proper terminal is used and there is no strange cable coming out of the card (see the video on the linked page) the transaction is still good. However, the damage goes to the customer, not the merchant.

And, of course, there is a huge hole in the protocol.

There is only one way to do it properly:

• User enters PIN
• Terminal asks card to sign the transaction
• card signs the transaction if and only if it has received the correct PIN

And everything done with mutual authentication end, message confidentiality and message integrity.

Where is the problem with this? It requires chips that are a little more expensive than the most simple ones. It's called "dynamic data authentication"and "Transaction Cryptogram" in the EMV world, but unfortunately it is not used in this case.

Identifying PCs by Browser Settings

My browser fingerprint, as determined by panopticlick in a project started by the Electronic Frontier Foundation is currently unique under approximately 500000 browsers. Most of the identifying information comes from browser plugins and installed fonts - my font set alone makes my browser unique. To be more precise, my browser sends out 19 bits of identifying information.

To make things worse: you can even deduce someone's affiliations from the installed fonts to target spearfishing attacks. Big companies as well as political parties like to use special fonts to generate an unique look in their documents.

I get identical results for safari, firefox and chrome. Switching off javascript reduces the amount of information available to the identificator by 3 bits.

The lowest result I get is for my iPhone: only 11.02 bits of information. It would seem to me that most iPhones look equal.

The Missing Bus Error

Apple was slammed for not fixing an exploitable bug. That made me curious and I compiled and ran the following:

#include
#include

int
main()
{
char s[]="111.111111...11";

float a=atof(s);
printf("%f",a);
}

which is said to cause a bus error. However:

Opportunity:misc ullrich$ gcc -o buserror buserror.c
Opportunity:misc ullrich$ ./buserror
111.111115Opportunity:misc ullrich$

on my trusty MacBook, which looks more like a rounding error to me. Maybe they just fixed it - I use 10.6.2