Showing posts with label browser. Show all posts

Monday, 8 November 2010

ZeuS uses unpatched IE exploit

The Eleonore exploit kit, which is the attack vector for the ZeuS malware, got support for the recent CSS vulnerability in IE 8, which is still not fixed. This means that there will be more compromised web servers distributing the exploit and bigger damage to affected users.




Position: Zeppelinstraße, München, Deutschland

Thursday, 28 January 2010

Identifying PCs by Browser Settings

My browser fingerprint, as determined by Panopticlick, a project started by the Electronic Frontier Foundation, is currently unique among approximately 500000 browsers. Most of the identifying information comes from browser plugins and installed fonts; my font set alone makes my browser unique. To be more precise, my browser sends out 19 bits of identifying information.

To make things worse, you can even deduce someone's affiliation from the installed fonts and use it to target spear-phishing attacks: big companies as well as political parties like to use special fonts to give their documents a unique look.

I get identical results for Safari, Firefox and Chrome. Switching off JavaScript reduces the amount of information available to the fingerprinter by 3 bits.

The lowest result I get is for my iPhone: only 11.02 bits of information. It would seem to me that most iPhones look alike.
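
The "bits of identifying information" quoted above come from counting how many surveyed browsers share a value: a value shared by one browser in N reveals log2(N) bits. The following is an added example, not Panopticlick's or the EFF's code. The survey of 500000 browsers, the attribute names and the visitor's values are constructed so that the numbers come out like the ones in the post (unique among 500000, the font set alone unique, 3 bits fewer without JavaScript):

```javascript
// Added example (not Panopticlick's code): how "bits of identifying information"
// are computed from a survey of browsers. All survey data below is constructed.

// Attributes a fingerprinting page collects. plugins and fonts can only be
// enumerated with JavaScript (or a plugin); the rest arrive in HTTP headers or
// are trivially available without script.
const ALL_ATTRIBUTES = ['userAgent', 'timezone', 'screen', 'plugins', 'fonts'];
const NEEDS_JS = new Set(['plugins', 'fonts']);

// Constructed survey of 500000 browsers: each record is one distinct
// fingerprint and how many browsers reported it.
const SURVEY = [
  { count: 300000, userAgent: 'IE8/Win', timezone: 'UTC-5', screen: '1024x768x32', plugins: 'Flash', fonts: 'Arial,Verdana' },
  { count: 150000, userAgent: 'Firefox/Win', timezone: 'UTC+1', screen: '1280x800x24', plugins: 'Flash,Java', fonts: 'Arial,Verdana' },
  { count: 49992, userAgent: 'Safari/Mac', timezone: 'UTC-8', screen: '1280x800x24', plugins: 'Flash,Java,QuickTime', fonts: 'Arial,Helvetica,Verdana' },
  { count: 7, userAgent: 'Safari/Mac', timezone: 'UTC+1', screen: '1280x800x24', plugins: 'Flash,Java,QuickTime', fonts: 'Arial,Helvetica,Verdana' },
  { count: 1, userAgent: 'Safari/Mac', timezone: 'UTC+1', screen: '1280x800x24', plugins: 'Flash,Java,QuickTime', fonts: 'Arial,Helvetica,Verdana,CorpSans' },
];

// The visitor being measured. The survey already includes this browser (the
// last record), because a fingerprinting site counts your own visit too.
const ME = SURVEY[SURVEY.length - 1];

// Canonical string for the chosen subset of attributes.
function fingerprintOf(browser, attributes) {
  return attributes.map((a) => `${a}=${browser[a]}`).join(';');
}

// How many surveyed browsers have exactly the same values for `attributes`.
function browsersSharing(browser, attributes, survey) {
  const mine = fingerprintOf(browser, attributes);
  return survey.reduce((n, rec) => n + (fingerprintOf(rec, attributes) === mine ? rec.count : 0), 0);
}

// Surprisal in bits: log2(total / number sharing the value). A value shared by
// one browser in 500000 carries log2(500000) = 18.93 bits; one shared by half
// of them carries 1 bit.
function identifyingBits(browser, attributes, survey) {
  const total = survey.reduce((n, rec) => n + rec.count, 0);
  const sharing = browsersSharing(browser, attributes, survey);
  if (sharing === 0) throw new Error('the measured browser must be part of the survey');
  return Math.log2(total / sharing);
}

// Per-attribute and combined figures, optionally without the JavaScript-only
// attributes. The combined figure is NOT the sum of the per-attribute ones:
// attributes are correlated, so only the exact full fingerprint is counted.
function fingerprintReport(browser, survey, { javascript = true } = {}) {
  const attributes = javascript ? ALL_ATTRIBUTES : ALL_ATTRIBUTES.filter((a) => !NEEDS_JS.has(a));
  const perAttribute = Object.fromEntries(
    attributes.map((a) => [a, identifyingBits(browser, [a], survey)]),
  );
  const bits = identifyingBits(browser, attributes, survey);
  return { attributes, perAttribute, bits, oneIn: Math.round(2 ** bits) };
}

const withJs = fingerprintReport(ME, SURVEY);
const noJs = fingerprintReport(ME, SURVEY, { javascript: false });
console.log(`with JavaScript: ${withJs.bits.toFixed(2)} bits (one in ${withJs.oneIn})`);
console.log(`fonts alone: ${withJs.perAttribute.fonts.toFixed(2)} bits`);
console.log(`without JavaScript: ${noJs.bits.toFixed(2)} bits (one in ${noJs.oneIn})`);
```

The per-attribute surprisals do not add up to the combined figure: attributes are strongly correlated (a Mac user agent already predicts most of the plugin set), so the combined number is taken from the count of browsers matching the whole fingerprint, never from a sum. Disabling JavaScript only helps to the extent that the attributes still visible in HTTP headers are common; in the constructed survey the visitor's header-level values are shared by eight browsers, hence the 3-bit drop.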

Wednesday, 9 December 2009

Phishing Damage Estimations

Trusteer operates the anti-phishing browser plugin Rapport. Based on measurements performed by Rapport, they were able to estimate the average damage done by phishing. A successful phishing attack is counted whenever the Rapport plugin detects that the user tries to enter credentials into a phishing web site.
Assuming that each successful phishing attack steals between $500 and $2000, they arrive at an average damage of $2 to $9 per online banking user per year.
Summed over all customers that is a lot of money, but it also explains why banks seem to take phishing so lightly: any kind of security token will certainly cost more than that per user and year.
What about Rapport itself? It seems to be well suited here if it helps against phishing and costs the bank less than the $9 mentioned above. That is no surprise, as all the numbers come from Trusteer. I would like to know whether it also helps against trojans and man-in-the-middle attacks.

Thursday, 19 November 2009

Google ChromeOS: Computer as a Service

Google has announced its Chrome OS. They claim that they will take full central control over any computer running Chrome OS. This should be well known to people who use vendor-branded cell phones: no hassle, quick and simple operation, but restricted functionality.
It seems reasonable to me that a tightly controlled system should be able to defeat malware. However, I don't think that this level of control is necessary for that. The reason to want this level of control should not be security, but the wish to have a computer that "just works", as another vendor of more or less malware-resistant computers puts it.
Also note that Google wants to get into the service business.

Sunday, 11 October 2009

Secure Online Banking

The Swiss company Crealogix has announced the CLX.Sentinel, a USB device which promises secure online banking. As I was on the team that developed it, it's no surprise that I like it.
But here is why: it uses a smart card to verify the user's identity and to set up an SSL connection to the bank, so man-in-the-middle attacks are prevented. As an additional security benefit it uses an internal list of legitimate banking sites, so phishers can't exploit the null prefix issue. The CLX.Sentinel won't connect to anything that's not on its list, so infections of its browser are next to impossible.
The software is installed on the flash memory inside the token, so it can't be tampered with from the host PC, and it contains countermeasures against debugging and code injection at runtime.
I believe that this amount of countermeasures is needed nowadays.
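
What a fixed list of banking sites buys against the null prefix issue, as an added example that is not Crealogix's code: the CLX.Sentinel's actual list and matching logic are not described here, so the host names below are placeholders and the comparison is mine. The null prefix trick is a certificate whose common name is the bank's host name, a NUL byte, and a domain the attacker controls; the CA validates the attacker's domain, and a client that compares names like C strings stops at the NUL and sees only the bank's name.

```javascript
// Added example (not Crealogix/CLX.Sentinel code): checking a server name from a
// certificate against a fixed list of legitimate banking hosts, and why an exact
// match over the whole string defeats the null prefix trick. Host names are
// constructed placeholders.
const ALLOWED_HOSTS = new Set(['ebanking.example-bank.ch', 'login.example-bank.ch']);

// A CN of this shape is what the null prefix issue is about: a CA validated
// control of attacker.example and issued the certificate; a client that stops
// reading at the NUL byte sees only the bank's name.
const NULL_PREFIX_CN = 'ebanking.example-bank.ch\0.attacker.example';

// Vulnerable: compares like a C string, everything after the first NUL is ignored.
function matchesCStyle(cn, expectedHost) {
  const nul = cn.indexOf('\0');
  const visible = nul === -1 ? cn : cn.slice(0, nul);
  return visible === expectedHost;
}

// Hardened: lower-case, strip one trailing dot, then require the ENTIRE value to
// be a well-formed host name that is literally on the list. No wildcards and no
// prefix or suffix matching, so "bank.ch.attacker.example" fails as well.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

function normalizeHost(name) {
  const lower = name.toLowerCase();
  return lower.endsWith('.') ? lower.slice(0, -1) : lower;
}

function isAllowedHost(cn) {
  const host = normalizeHost(cn);
  if (!HOSTNAME_RE.test(host)) return false; // rejects NUL, '*', spaces, empty labels
  return ALLOWED_HOSTS.has(host);
}

// Decide whether the client may talk to a server presenting `cn`. The exact-match
// list means an unknown but perfectly valid site is refused as well, which is the
// point of a device that only talks to the bank.
function decide(cn) {
  return {
    cn,
    cStyleAccepts: matchesCStyle(cn, 'ebanking.example-bank.ch'),
    allowlistAccepts: isAllowedHost(cn),
  };
}

for (const cn of ['ebanking.example-bank.ch', NULL_PREFIX_CN, 'ebanking.example-bank.ch.attacker.example', '*.example-bank.ch']) {
  console.log(decide(cn));
}
```

The C-style comparison accepts the null prefix certificate while the list check rejects it, and the list check also refuses a look-alike host with the bank's name as a prefix, which is the more common phishing setup. In a real client the name to check comes from the certificate's subjectAltName as well as the CN, and both must be validated the same way.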

Tuesday, 6 October 2009

The URLZone Trojan

RSA Fraud Action Research Lab published an article about an online-banking trojan called URLZone. This trojan has an interesting new feature:
It can determine whether requests for new "mules" come from a botnet member or from a security company. If the request comes from a security company or researcher, the server responds with the account data of innocent people, thus protecting its real mules from prosecution.
The accounts handed out belong to people who received a legitimate transfer from a URLZone victim before.

'Mules' are the people who receive payments from infected PCs and forward them to the gangsters' accounts. That's money laundering, and not only criminal but also quite dangerous. The fake mule responses will put innocent people under suspicion of money laundering.

Wednesday, 12 August 2009

Flash Cookies

Kate McKinley from iSEC Partners notes that Adobe's Flash browser plugin can be used to store persistent data and thus track internet usage. Even worse, those Flash cookies cannot be deleted through the browser settings. She describes a complicated procedure for managing and deleting Flash cookies. This is annoying.

Tuesday, 21 July 2009

CAcert Auditor Resigned

This is a long story. There is a not-for-profit certification authority, CAcert, with the idea of applying the "web of trust" to a public key infrastructure. This is a good idea, as many security issues boil down to establishing people's identities, and having a large network of assurers checking people's IDs and passports is still at least as good as having a large corporation check that someone has access to somebody's email (and old-style mailbox, if done a little more securely).
However, they want their certificate in the default installation of popular browsers, in particular Firefox. This requires a security audit, and that means they have to have the "infrastructure" in PKI audited, which is extremely painful and brings me to the trigger of this post: some days ago, their auditor resigned.
The quick way out of this is to say "PKI is too complex" and send people back to the classic web of trust. I don't think so. PKI is worth its complexity when it comes to long-term operation. I should think of a way to help beyond making an assurance here and there (I'm humble number 1592 on their assurer list).