Geo Location based DDOS can target Mobile Operators

The sharp rise of smart mobile phones is introducing a new and concerning attack vector - a geo-location based DDOS.

Example Scenario
Imagine a popular mobile application (bejeweled like game) that is downloaded by many.

  1. The app contains a small amount of code to reference the phone's GPS and also check in with a command and control website.
  2. The attacker decides on a city to target and a popular time of day and then updates the command and control website.
  3. The mobie applications all check in with the C&C site and all mobile applications in the city area begin downloading large video files from YouTube.

  • A massive sudden spike in high bandwidth usage of the mobile data network in a single metropolitan area.
  • Most cellular networks run near capacity during the lunch rushes of popular cities. A sudden massive spike such as this would likely push the network over the edge and bring it down entirely.

This is a tough issue to address and I think it warrants a bit of consideration.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
GSM Encryption Broken - Cellular Calls At Risk
When Will Your Mobile Phone get Hacked?

Free VS Commercial Database Vulnerability Scanning

Part of the vulnerability assessment process must include a vulnerability assessment of your databases.
And the sad reality is that while there are thousands of tools that focus on Web application and network security scanning, there are very few of them which are doing the same for databases.
Today we are comparing the results delivered by Scuba by Imperva - a free tool and NGSSQuirreL for SQL by Next Generation Security Software - a commercial tool.

The tools comparison table
Here is a side-by-side comparison of functionality and results of both tools

The results
To provide the most impartial evaluation of the results, we have generated detailed reports of both tools as PFD files. You can review them and assess the quality yourself.

It is evident that the commercial tool beats the free Scuba in every area. But before you jump into a purchase, you need to assess your requirements and expectations.

So it is very advisable to get the free tool, run it in your environment and understand the results, so you can understand what is missing, and extend your search to a better tool

Talkback and comments are most welcome

Related posts
Thrown in the Fire - Database Corruption Investigation
Quick and Basic Security Assessment for Databases
SQL Server Bulk Import - BCP HOW TO

IP Spoofing Attack in the real world

The guest post on IP Spoofing was well visited and caused a lot of interest. One may expect that a lot of visitors actually thought that IP spoofing is a great way to cause a bit of commotion and try out as hackers.

The reality of the internet is actually quite different. First of all, IP spoofing has been around for decades, and has been the cause of a lot of quite nasty attacks to high profile targets.

Most serious ISP's do not want to be related to IP spoofing attacks, and are implementing measures to contain IP Spoofing attacks originating from their networks.

The containment measures are implemented on their firewalls and routers. The basic logic of this protection is this:

  • A Firewall is aware of the networks to which it connects so it can control source addresses. For example, a demo firewall has 5 interfaces
    • A connecting to network 10.1.1.x
    • B connecting to network 10.2.1.x
    • C connecting to network 10.3.1.x
    • D connecting to network 10.4.1.x
    • 'outside' connecting to the rest of the world/internet
It is expected that any traffic coming on interface A will have a source address of 10.1.1.x. If it doesn't, it's most probably an IP spoofing attack and will be dropped. The only interface that cannot apply such logic is the 'outside' interface, since it connects the firewall to the rest of the internet. But the outside interface can have another protection, which protects against 'loop' IP Spoofing attacks. That means that the 'outside' interface cannot see incoming packets with source addresses from a network that is on any of the 'inside' interfaces.
  • Routers have a bit more complex mechanism, since a router can have traffic from multiple networks arriving on any of it's interfaces. They use uRPF (unicast Reverse Path Forwarding) which analyzes whether the packet's source address comes from a network that is known in the routing domain of the router.
So in reality, most IP spoofing attempts will be destroyed on the ISP's network. But these protection measures are not perfect, and there are networks which are still not controlling IP spoofing. An aspiring hacker can do significant damage at networks such as:
  • University networks - apart from the large universities with dedicated IT staff, the netadmins of most universities are the teaching assistants of computer science. And they don't really make much of an effort to control the traffic on the network as long as the university's servers and staff systems are protected. Universities are quite often Autonomous Systems, so an IP Spoofing attack originating from an unprotected network will travel on the Internet backbone.
  • Smaller company networks - these networks are usually maintained by the 'one man band' sysadmin, who really has too much on his/her's plate to think about spoofing protection. The silver lining in such environment is that these companies are just a small user of a ISP, who is very capable of blocking the IP Spoofing attack originating from the small company network.
  • ISP's in developing countries - much like small company networks, manned by personnel who is not properly trained, understaffed and overworked. And the bad news is that these ISP's are also Autonomous Systems, so IP Spoofing attacks originating there will most probably get out.

Please note that this article is not an invitation to start wreaking havoc on these networks, on the contrary, it should serve as a reminder for their netadmins to implement the available and quite simple protection measures.

Talkback and comments are most welcome

Related posts
Summary of IP Spoofing
Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

Protecting from the CCenter Malware and Trojan

A very common method of distributing malware is disguising it as a useful program. Most common disguises, apart from games are 'malware removal programs'. This is the approach used by CCenter a.k.a. Control Center.

If you find a process with the name ccenter.exe running on your pc means that your pc has possibly been infected with a trojan known as infostealer.lemir.h.
Infostealer.Lemir.H is a Trojan horse program that attempts to steal passwords for the Legend of Mir 2 online game, but can be modified to steal other information.

Apart from installing a trojan, CCenter intimidates people into buying the paid version of this program. Once it’s installed CCenter loads an imitation of system scan every time a computer is started. It also generates large amounts of counterfeit security alerts. All these alerts are designed only to trick people into taking the program as a legitimate and reputable tool. If clicked upon, the pop-ups demand paying for using CCenter.

CCenter has also been seen to redirect the web browser to malicious and fraudulent websites. Depending on version and programmer skill, it may also disable reputable security programs leaving the compromised machine open to future attacks.

Here are the steps to manually remove CCenter
  1. Use "Add or Remove Programs" to remove the installation. However bear in mind that there may be hidden CCenter files, running processes and registries in your computer, so CCenter may recreate all other files after reboot.
  2. Stop and remove CCenter processes:
    • ccagent.exe
    • ccmain.exe
    • uninstall.exe
  3. Find and delete all CCenter files found in %AppData%\CCenter\ccagent.exe
There are other similar Malware programs in the wild. We will cover them in the following articles.

Talkback and comments are most welcome

GSM Encryption Broken - Cellular Calls At Risk

GSM networks in the US and Europe use the A5/1 stream cipher to ensure cellular calls cannot be listened into by unauthorized parties monitoring radio traffic. However, the guarantee of privacy is no longer ensured. New attack techniques were unveiled at the Hacking at Random conference in The Netherlends which would allow an attacker to decrypt cellular calls made over a GSM network. The attacker only needs the new software and about $500 in radio monitoring equipment. The AS5/1 cipher has been criticized for many years, but this is one of the first publicly available exploits to demonstrate the weaknesses first hand.

The presentation is here.
The A5/1 cracking project homepage is here.

GSM is used by many major cellular providers such as AT&T and T-Mobile (see GSM Coverage Map). The main alternative to GSM network is CDMA which is used by providers such as Verizon, Alltel and US Cellular (see CDMA World Map).

The ability to decrypt A5/1 encryption would enable an attacker to listen in to all cellular communications made over a GSM network. To execute the attack the attacker would need to be close enough to the target to monitor the radio waves emitted from the phone. However, this isn't much of a restriction since the radio waves can be picked up from quite some distance.

This attack should raise serious concerns about the sensitivity of information exchanged over cell phones. An attacker with this equipment situated near a major corporate office or within a large city could easily glean very sensitive data from cellular voice calls.

Regarding data exchanged over cellular phones (e.g. 3G or EDGE), this shouldn't really have any impact. All sensitive data should already be configured to use SSL/TLS or VPN for protection during transmission. Therefore, the attacker could break the A5/1 cipher, but they would only see encrypted data being exchanged. However, all data that is exchanged using clear text protocols (HTTP, telnet, ftp, etc) would be visible to the attacker. This is not much of a concern since there should not be any expectation of confidentiality when using a clear text protocol anyway.

About the attack
The attack leverages rainbow tables for a Time-Memory Trade-Off based attack. The A5/1 cracking project is enabling volunteers to help develop the rainbow tables for the A5/1 cipher and distributing the generated tables over bittorrent. Clever adaptations were made to the rainbow table generation to minimize the number of tables that were needed and thus dramatically reduced the required processing efforts.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
Google Voice - No Privacy Remains?

Fighting Enterprise Software Vendor Lock-In

Large enterprises rely on software products. And as everything else in large enterprises, the software products are large, complex, cumbersome and nearly unchangeable. This last attribute is better known as vendor lock-in. Software vendors love vendor lock-in. Here is a definition borrowed from Wikipedia:

Vendor lock-in, also known as proprietary lock-in, or customer lock-in, makes a customer dependent on a vendor for products and services, unable to use another vendor without substantial switching costs
The problem
Vendor lock-in exists in most large enterprise industries like Telco, Healthcare, Finance, Energy. Such industries rely heavily on certain computer systems or software products, usually dubbed Core Systems. Because most of the business transactions, logic and information are stored and processed by these Core Systems, the transition to a different Core System vendor is extremely costly and time consuming.

So most large enterprise companies simply continue to operate with the same Core System vendor, while they suffer:
  1. delays in patch or version delivery
  2. poor quality product versions
  3. inadequate compliance from the Core System to their local law and regulation
  4. ever increasing maintenance costs.
On the other hand, switching to another Core System vendor will result in probably the same end effect, with the added costs of the switchover.

The solution
So is there a way to improve your position? Indeed there is, but with a radical move: there is only one thing that any software vendor reacts to - risk of decrease in earnings from a customer.
To make this risk a reality for the vendor, the customer needs to reach a situation where competitors can successfully bid for software upgrades and new functionality without actually switching the Core System.

This is most easily achieved through the Core System's API interface. Most Core Systems have extensive Application Programming Interfaces (API), which can be used to exchange data with the Core System or issue commands to it.

So instead of asking for every possible modification or new functionality from the Core System vendor, just use it as a processing core - move everything else to other developers, which will need to adhere to the Core System API specification.

This way you can outsource the development of a lot of applications to other vendors, achieve better response from everyone and always have healthy competition. Oh, and it will keep the Core System vendor on it's toes!

Talkback and comments are most welcome

Related posts
Software vendor relationship - can you make it better?
3 rules to keep attention to detail in Software Development
Security challenges in software development
Paying for Software Support - When to do it?

Designed by Posicionamiento Web