
Archive for February, 2009

alternate data streams and IIS

Monday, February 23rd, 2009

I’ve been doing some fooling around with alternate data streams lately. I’ve found two interesting things which haven’t really been given a lot of attention before.

The first is just how ADS-aware IIS is. IIS will serve an ADS as a file. For example, if you have a file called boring.html with an ADS called interesting.jpg, you can access the ADS by requesting http://somedomain.com/boring.html:interesting.jpg as your URL. (I’m sorry I can’t provide a live example here, as I’m not using Windows to host this domain.) If the ADS is server-side code (such as PHP) instead of a JPEG, IIS will even execute the PHP code as you would expect. I suspect this is a great way for hackers to silently leak data from inside a network to the outside. All of that aside, if you download a file that has an ADS from a web server, IIS will not send the ADS along with the file; it sends only the main part of the file.

The second thing I’ve come to realize is that a lot of applications use ADS for “legitimate” reasons. The most common one is Internet Explorer. Every file you download using IE has an ADS called “Zone.Identifier” attached to it. This ADS contains a ZoneId, which is a number from 0 to 4. The number indicates which zone the file was downloaded from. If the file was downloaded from the Internet (zone 3), Windows XP SP2 and newer bring up the dialog box you see on the right, prompting the user to confirm they really want to run the app. If you want to disable this behavior, you can follow the instructions found on the Microsoft website.
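A defender’s version of the two observations above, as an added example that is not part of the original post: it walks a web root, lists every alternate data stream, parses the Zone.Identifier marker, and flags streams that contain server-side code of the kind IIS would serve or execute. It assumes Windows PowerShell 3 or later on an NTFS volume; the web root path is an assumption.

```powershell
# Audit a web root for alternate data streams (added example, not code from the post).
# Assumes PowerShell 3+ on Windows/NTFS. $WebRoot is an assumed default path.
function Get-AdsReport {
    param([string]$WebRoot = 'C:\inetpub\wwwroot')

    # ZoneId values carried in the Zone.Identifier stream (3 = Internet triggers the run prompt).
    $zones = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    Get-ChildItem -LiteralPath $WebRoot -Recurse -File | ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every named stream; ':$DATA' is the file's ordinary content.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $name = $_.Stream
                $body = Get-Content -LiteralPath $file -Stream $name -Raw -ErrorAction SilentlyContinue
                $verdict = 'REVIEW: unexpected stream'

                if ($name -eq 'Zone.Identifier' -and $body -match 'ZoneId=(\d)') {
                    # The "downloaded from zone N" marker left by IE and friends.
                    $zone = $zones[[int]$Matches[1]]
                    $verdict = "expected: Zone.Identifier (zone $($Matches[1]) = $zone)"
                }
                elseif ($body -match '<\?php|<%|<script\s+runat=') {
                    # A stream reachable as file.html:stream that a handler could execute.
                    $verdict = 'ALERT: server-side code inside a stream'
                }

                [pscustomobject]@{
                    File    = $file
                    Stream  = $name
                    Bytes   = $_.Length
                    Verdict = $verdict
                }
            }
    }
}

Get-AdsReport | Format-Table -AutoSize

# Once a flagged stream has been reviewed, it can be dropped without touching the main file:
#   Remove-Item -LiteralPath <file> -Stream <streamname>
```

Any "ALERT" or "REVIEW" row is worth comparing against the deployment source, since the main file content will look unchanged to a normal download.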

On a related note, I just want to quickly put in a plug for LADS (List Alternate Data Streams): it is a very good, simple, easy-to-use, quality program. Also, it’s free.

more password studies

Friday, February 20th, 2009

phpbb.com was broken into recently, and 20,000 passwords were revealed. There are two articles which attempt to draw conclusions from the data. One lists the 500 most common passwords, and the other does some analysis to try and get aggregate groupings.

The bottom line: no matter how much training we do, even reasonably internet-literate people like the phpbb users still pick crappy passwords. People don’t like remembering passwords, and therefore they find every conceivable measure to circumvent them. (See my previous post: all passwords are weak.) If you’re developing a security system where the people who are supposed to be protected feel the need to circumvent the security, they will usually bring your security system down. Better to build a different system which is more transparent to the people you’re trying to protect.

Windows resource editors

Wednesday, February 18th, 2009

I recently borrowed a copy of Hacking Windows XP from a friend. (I was under the impression that it would be about, well, hacking.) It’s really all about customizations that you can do to your system, through changes to the system files and registry. One useful thing it did have was a link to a very good resource editor called Resource Hacker. It’s been years since I’ve used a Windows resource editor, and I’m starting to remember how fun (and utterly time consuming) it can be to mess around with the look and feel of your Windows apps and OS. In short, Resource Hacker lets you open up an executable or library file (exe, dll, ocx, scr, or cpl), see the various resources within it (things like text strings and icons), and change them. Say you don’t like an error message: just find that text string and change it. Don’t like the way an app looks? Just change the icons. Don’t like the fact that the Start button says “start”? Change it. (It’s just a text string after all.) I know someone will point out that a hex editor can do many of the same things; however, a resource editor organizes the data for you, making it easier to find the string you want to change (or just browse), and it should (in theory at least) keep you away from the executable code, which you could otherwise break. It also lets you see and edit graphics. If you ever want a fun way to kill a lazy Sunday afternoon, I highly recommend it.

better scare tactics: polysyllabic names

Tuesday, February 17th, 2009

Next time you need to scare someone into action (a boss, a client, a vendor, your child), make up a term for the risk that may occur, and make sure the name you make up is long and hard to pronounce.

In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were difficult to pronounce than when their names were easy to pronounce;
[...]
In Study 3, amusement-park rides were rated as more likely to make one sick (an undesirable risk) and also as more exciting and adventurous (a desirable risk) when their names were difficult to pronounce than when their names were easy to pronounce.

Hat tip: Bruce Schneier.

MS09-002 reverse engineered

Tuesday, February 17th, 2009

ISC is reporting that they’re seeing exploits of MS09-002 in the wild. MS09-002 addresses a vulnerability that allows remote code execution in IE7. The vulnerability was first reported to MS in October of 2007 by the Zero Day Initiative. Microsoft issued the patch a week ago. Given this, ISC is also claiming that the patch was likely reverse engineered to find the vulnerability, and I would have to agree. I’m sure the anti-disclosure crowd will be using this one as proof positive for their position in the future.

bounties for virus writers

Friday, February 13th, 2009

The Conficker worm author is the latest to have a bounty placed on his/her head. I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

Update: On a related topic, when doing some background research on Conficker, I stumbled across the following headline:

French navy surrenders to Conficker
The jokes just sort of write themselves.

phishing solutions

Wednesday, February 11th, 2009

While trying to dig up the conversion rate for phishing attacks in the previous post, I stumbled across some very interesting findings from PayPal on their anti-phishing techniques. PayPal has actually managed to put together a fairly decent anti-phishing program. Most importantly, it works! (It is amazing how many people implement anti-phishing strategies that don’t work.) They have implemented a multi-pronged approach to combating phishing, smartly realizing that there is no single strategy that will work. You can read their whole white paper (which I highly recommend), but here are the highlights:

  • Implement Sender Policy Framework (SPF).
  • Implement DomainKeys Identified Mail (DKIM).
  • Work with ISPs to enforce the previous two.
  • Use EV certificates.
  • User education.
  • Publish blacklist data.
  • Block old browsers.
  • Offer two-factor authentication.
  • Pursue litigation against fraudsters.

Honestly, this looks like a pretty good and fairly comprehensive anti-phishing program. Some of those things (SPF and DKIM in particular) have had an immediate impact for PayPal, and should have an immediate impact for anyone who implements them. They can also be implemented for minimal cost. IMHO, the industry should be getting behind these initiatives big time, as it will have an almost immediate positive impact on their bottom lines, as well as making users happier with less spam.
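The SPF and DKIM items are the cheap ones to get wrong, so here is an added example (not from the post or PayPal’s white paper) that fetches a domain’s SPF and DKIM TXT records and grades the SPF policy, showing a weak record beside a corrected one. The DNS functions need network access; the two sample records and the example.net include are constructed placeholders.

```powershell
# Grade an SPF record (added example, not code from the post).
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') {
        return [pscustomobject]@{ Valid = $false; AllQualifier = $null; Lookups = 0; Verdict = 'not an SPF record' }
    }
    # The last "all" term decides what receivers do with hosts you did not list.
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })[-1]
    # Terms that cost a DNS lookup; RFC 4408 caps these at 10 per evaluation.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:)|^redirect=' }).Count

    if (-not $all)                  { $verdict = 'WEAK: no "all" term, unlisted hosts are treated as neutral' }
    elseif ($all -match '^\+?all$') { $verdict = 'WEAK: +all authorises every host on the internet to send as you' }
    elseif ($all -eq '?all')        { $verdict = 'WEAK: ?all is neutral, receivers will not reject spoofed mail' }
    elseif ($all -eq '~all')        { $verdict = 'OK: ~all softfail, spoofed mail is marked but often delivered' }
    else                            { $verdict = 'OK: -all, unlisted hosts are rejected' }
    if ($lookups -gt 10) { $verdict += "; $lookups DNS-lookup terms exceed the limit of 10 (permerror)" }

    [pscustomobject]@{ Valid = $true; AllQualifier = $all; Lookups = $lookups; Verdict = $verdict }
}

# Live lookups (require DNS). Long TXT records arrive as several strings and must be joined.
function Get-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
}

function Get-DkimRecord {
    param([Parameter(Mandatory)][string]$Selector, [Parameter(Mandatory)][string]$Domain)
    # DKIM public keys are published at <selector>._domainkey.<domain>;
    # the selector is the s= tag of a message's DKIM-Signature header.
    Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type TXT -ErrorAction Stop |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match '(^|;)\s*p=' }
}

# Constructed records: the weak setting beside the corrected one.
Test-SpfRecord 'v=spf1 a mx +all'
Test-SpfRecord 'v=spf1 mx include:_spf.mail.example.net -all'
```

A domain with a valid `-all` record and published DKIM keys still needs the receiving side to check them, which is why the list above pairs both items with “work with ISPs to enforce”.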

smishing

Thursday, February 5th, 2009

I know SMS phishing attacks (known as smishing) are nothing new, but based on a recent smishing attack I received, it looks like combining phishing attacks with phone numbers has made it possible for attackers to increase their effectiveness. Previously, phishers went by the same methods that spammers popularized ages ago: send your message to as many people as possible, and try to make it applicable to as many people as possible. Given the low conversion rates (Gartner estimates 3.3%), you need it to be seen by many people in order to have a few successful scams. That’s why phishing attacks always seemed to target places like PayPal and Bank of America: they had more customers, and therefore more of the people getting the fake email were likely to be fooled.

With that in mind, I was surprised when I got the following text message a few weeks ago:

This is an automated message from Lafayette Credit Union. Your ATM card has been suspended. To reactivate, call urgent at 888-xxx-xxxx.

I had never even heard of Lafayette Federal Credit Union before, and found it odd that a scammer was targeting such a small financial institution. A few days later I got another similar message purporting to be from FedChoice Federal Credit Union, another small financial institution. What I soon realized, though, is that both of these credit unions are local to the Washington DC area, and my cell phone has a 202 (Washington DC) area code. The scammers have decided to improve their business model. They’re targeting credit unions around the country and only sending people attacks that purport to be from local credit unions. In this way they hope to increase their conversion rate by only sending people relevant attacks.

Fannie Mae logic bomb

Wednesday, February 4th, 2009

There was a brief flutter of noise around the fact that Fannie Mae discovered a logic bomb on its systems, placed there by a fired systems administrator. Logic bombs can be frightening things. Often placed by the disgruntled employees who know the systems the best, they can do significant damage. There are two main things people always recommend to defend against logic bombs, and one that they forget. The two people always point out are:

  1. When firing anyone (especially a sysadmin) do not let them return to their work area until all of their access has been terminated. (Fannie Mae appeared to fail at this one).
  2. Review logs and systems periodically to make sure nothing is amiss. (Fannie Mae apparently did this as another employee found the logic bomb before it did any damage).

The other factor that people often overlook is the simplest, and one you probably do already:

  1. Back up your files!

If your data is backed up, it doesn’t matter whether it gets wiped out by a logic bomb, virus, natural disaster, hardware failure, or human error: the cost of recovery can be minimized. If the culprit wipes the OS in addition to the files, then restoration may take time as you’ll have to rebuild the OS also, but I think everyone agrees that rebuilding the OS is a far better outcome than not having backups at all.
