Archive for the 'hacking' Category
Web Security
Google has some good content about web security available on their Google Code University portal. There’s introductory course material, and even some videos. The one titled “How to Break Web Software” is pretty interesting.
Malicious CHM file targets PGP
Let’s not forget that CHM files can be dangerous. They can contain embedded executables that get launched automatically when you open them. This post on SANS ISC details a particular malicious CHM file that was sent out via email. After some investigation, it was determined that the program it ran specifically targeted PGP keyrings.
The code searched for these files (.pkr and .skr) and copied them off to the attacker’s system. To really make use of a PGP keyring, you need the passphrase. Well, this is why the malware came bundled with a keylogger, just in case you happened to be using PGP while it was running. The ISC post also notes that it collected .doc files, which could be an attempt to harvest documents that users created to help them keep track of their passphrases.
I’m not sure if I see enough evidence to agree with the conclusion that the attacker was simply trying to map relationships between PGP users, but I guess that is a possibility. Do recent versions of PGP even use these same keyring files?
Hackers for Charity: AOET.org project
I’m happy to say that the new AOET.org website and blog is up and running. I was able to help out only a little bit on this project, but I hope to do much more on future Hackers for Charity initiatives. This is especially true since my PHP and MySQL skills have been improving much over the past couple of months.
AOET is an independent, indigenous non-governmental organization with the prime mandate of providing an education — formal and/or vocational — to desperately poor, neglected and forgotten orphans whose parents have died of AIDS.
I would encourage anyone reading this blog to get involved with Hackers for Charity, even if it’s just making a donation.
Taking advantage of UPnP to be evil
pdp posted an interesting little article. He describes how he can take over a home router (like the kind someone might use with a cable modem) using a malicious Flash application and UPnP (Universal Plug-n-Play). Basically, all the user/victim has to do is load up a website with this particular Flash application embedded in it. Then the attacker can make whatever changes to the router he likes, such as disabling the firewall, forwarding ports to the outside, or even changing the DNS server.
As pdp states, this isn’t necessarily a bug, but rather an unintended consequence of the fact that UPnP does not require any authentication. I guess they figured that since it only listens for multicast on the internal interface, it’s not a big deal. If you don’t actually need UPnP functionality, disabling it might be a good idea.
MBR rootkit found in wild
This isn’t just any rootkit, but rather one that lives in the master boot record of your PC. That means it runs before Windows even fully boots up. It’s also at a lower level in the system than anti-virus software, which makes it quite difficult to remove. Security Fix has a good summary of what was found and where this malware probably came from.
Symantec has a technical discussion of the malware (which they call Trojan.Mebroot), now that they’ve analyzed it. Note the last line: “To help prevent similar attacks in the future, if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!”
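Since an MBR rootkit has to overwrite the 446 bytes of boot code while leaving the partition table intact so the machine still boots, one defensive check is to hash the boot-code region against a baseline taken while the system was known clean. The following is an added example, not code from this post, from Symantec or from Security Fix; the MBR bytes are constructed here rather than read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the region an MBR rootkit overwrites
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: must be present for the BIOS to boot it


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (bootable flag, type byte, LBA start, sector count)."""
    entries = []
    for i in range(4):
        # layout: boot flag, 3-byte CHS start, type, 3-byte CHS end, LBA start (LE32), sectors (LE32)
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": boot == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> dict:
    """Compare the boot-code region with a baseline hash and validate the boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootcode_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    return {
        "signature_ok": mbr[510:] == BOOT_SIGNATURE,
        "bootcode_modified": bootcode_hash != baseline_bootcode_sha256,
        "partitions": parse_partitions(mbr),
    }


def make_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable type-0x07 partition, valid signature."""
    code = bootcode.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed data (not real boot code): a "clean" MBR, its baseline, and a tampered copy that
# keeps the partition table but replaces the boot code, which is the pattern described above.
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE)
        print(name, "boot code modified:", result["bootcode_modified"], "signature ok:", result["signature_ok"])
```

On a real system you would read the first 512 bytes of the disk device (administrative rights required) and compare against a baseline captured while the machine was known clean; the partition entries let you confirm that only the boot code changed.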
