Friday, June 23, 2006
Wireless Device Driver Hacking - The New Trend
Source Taken from Infoworld
Researchers hack Wi-Fi driver to breach laptop
One of many flaws found allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver
Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver.
The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California.
Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.
The two researchers used an open-source 802.11 hacking tool called LORCON (Lots of Radion Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.
Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).
The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms.
"This would be the digital equivalent of a drive-by shooting," said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range.
The victim would not even need to connect to a network for the attack to work.
"You don't have to necessarily be connected for these device driver flaws to come into play," Ellch said. "Just because your wireless card is on and looking for a network could be enough."
More than half of the flaws that the two researchers found could be exploited even before the wireless device connected to a network.
Wireless devices are often configured to be constantly sniffing for new networks, and that can lead to security problems, especially if their driver software is badly written. Researchers in Italy recently created a hacking lab on wheels, called project BlueBag, to underscore this point by showing just how many vulnerable Bluetooth wireless devices they could connect with by wandering around public spaces like airports and shopping malls. After spending about 23 hours wandering about Milan, they had found more than 1,400 devices that were open to connection.
"Wireless device drivers are like the Wild, Wild West right now," Maynor said. "LORCON has really brought mass Wi-Fi packet injection to script kiddies. Now it's pretty much to the point where anyone can do it."
Part of the problem is that the engineers who write device drivers often do not have security in mind, he said.
A second problem is that vendors also make devices do more than they really need to in order to be certified as compliant with a particular wireless standard. That piling on of features can open security holes as well, he said.
Researchers hack Wi-Fi driver to breach laptop
One of many flaws found allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver
Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver.
The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California.
Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.
The two researchers used an open-source 802.11 hacking tool called LORCON (Lots of Radion Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.
Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).
The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms.
"This would be the digital equivalent of a drive-by shooting," said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range.
The victim would not even need to connect to a network for the attack to work.
"You don't have to necessarily be connected for these device driver flaws to come into play," Ellch said. "Just because your wireless card is on and looking for a network could be enough."
More than half of the flaws that the two researchers found could be exploited even before the wireless device connected to a network.
Wireless devices are often configured to be constantly sniffing for new networks, and that can lead to security problems, especially if their driver software is badly written. Researchers in Italy recently created a hacking lab on wheels, called project BlueBag, to underscore this point by showing just how many vulnerable Bluetooth wireless devices they could connect with by wandering around public spaces like airports and shopping malls. After spending about 23 hours wandering about Milan, they had found more than 1,400 devices that were open to connection.
"Wireless device drivers are like the Wild, Wild West right now," Maynor said. "LORCON has really brought mass Wi-Fi packet injection to script kiddies. Now it's pretty much to the point where anyone can do it."
Part of the problem is that the engineers who write device drivers often do not have security in mind, he said.
A second problem is that vendors also make devices do more than they really need to in order to be certified as compliant with a particular wireless standard. That piling on of features can open security holes as well, he said.
Tuesday, June 06, 2006
Experts to the Rescue - Encrypted My Document folder by Hackers?
Source Taken from IT Vibe
Experts have warned about a Trojan horse that encrypts victims' computer data, and then attempts to force users into making a purchase from an online pharmacy in order to get files back.
The Troj/Arhiveus-A Trojan horse (also known as MayAlert) scoops up files in innocent users' "My Documents" folder and creates a file called EncryptedFiles.als.
When users try to access their files they are directed to a file containing instructions on how to recover the data. The instructions begin:
INSTRUCTIONS HOW TO GET YOUR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND - READ AGAIN.
This is the automated report generated by auto archiving software.
Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.
You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.
To retrieve their files (which may include personal photographs, letters, household budgets and other content), users must enter a 30 character password -which, they are told, is only available after they make purchases from one of three online drug stores.
Files cannot be accessed until the correct password is entered.
"Internet hackers are getting bolder in their attempts to steal money from innocent web users. Once your valuable data is locked away you may be tempted to pay up to rescue your files, but this will only encourage more blackmail attempts in the future. Companies who have made regular backups may be able to recover easily, but less diligent home users may feel forced to cough up the cash," said Graham Cluley, senior technology consultant for Sophos. "Today, most of the viruses and Trojan horses we see are being written with the intention of making money and we wouldn't be surprised to see much more ransomware being written in the future. Attacks are becoming more organized and more malicious, and every computer needs to be properly defended with up-to-date anti-virus software, firewalls and operating system patches."
Sophos experts who have analysed the Trojan horse have determined the password used to encrypt users' data.
The password if you need it is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
As always it is recommended that you use up to date AV and Firewall solutions such as those available from Sophos
Experts have warned about a Trojan horse that encrypts victims' computer data, and then attempts to force users into making a purchase from an online pharmacy in order to get files back.
The Troj/Arhiveus-A Trojan horse (also known as MayAlert) scoops up files in innocent users' "My Documents" folder and creates a file called EncryptedFiles.als.
When users try to access their files they are directed to a file containing instructions on how to recover the data. The instructions begin:
INSTRUCTIONS HOW TO GET YOUR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND - READ AGAIN.
This is the automated report generated by auto archiving software.
Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.
You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.
To retrieve their files (which may include personal photographs, letters, household budgets and other content), users must enter a 30 character password -which, they are told, is only available after they make purchases from one of three online drug stores.
Files cannot be accessed until the correct password is entered.
"Internet hackers are getting bolder in their attempts to steal money from innocent web users. Once your valuable data is locked away you may be tempted to pay up to rescue your files, but this will only encourage more blackmail attempts in the future. Companies who have made regular backups may be able to recover easily, but less diligent home users may feel forced to cough up the cash," said Graham Cluley, senior technology consultant for Sophos. "Today, most of the viruses and Trojan horses we see are being written with the intention of making money and we wouldn't be surprised to see much more ransomware being written in the future. Attacks are becoming more organized and more malicious, and every computer needs to be properly defended with up-to-date anti-virus software, firewalls and operating system patches."
Sophos experts who have analysed the Trojan horse have determined the password used to encrypt users' data.
The password if you need it is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
As always it is recommended that you use up to date AV and Firewall solutions such as those available from Sophos
