
Nessus outlaws text editors

I’m working on creating a vulnerability scanning engine which will be offered free to non-profits. I have the machine and the open source code is mostly there. I went to the scanning engine’s web site tonight to download a copy for the test machine. There was a special note for anyone who is a consultant or MSP (Managed Service Provider). Even though I’m doing this for free and only for non-profits who can’t afford to pay someone (like Qualys) to scan them, I do qualify as an MSP. So I was directed to a form that I have to sign and fax in to make sure he knows that I’m possibly making money from his open source project.
One important piece of information here is that the engine itself isn’t what the (now) company is charging for. It is the plug-ins. The plug-ins can tell the engine what a vulnerable host looks like. It’s like a definition file for an anti virus program. What’s interesting is NASL (Nessus Audit Scripting Language) is written in plain text. They are just text files that are put into a directory and read by the scanning engine. Here is the LINK to one and notice the copyright on it.
One paragraph in the consultant and MSP contract states that we may not reverse engineer or decompile the scripts. How do you decompile or reverse engineer a text file? Hex Editor?

“CIVIL AND CRIMINAL FINES AND PENALTIES under all applicable laws, including,
without limitation, 17 U.S.C.

Jurisdictional Issues of Internet Fraud

     The Internet is a medium that seems to transcend jurisdiction.  Whenever case
law involves the Internet several pages can be found trying to explain the nature
of this network. Simply put the Internet is a network comprised of many other
networks. This meta network allows users from around the world to interact
with each other. The majority of these interactions are legal and good.
The remaining interactions are either dubious, depending on the legal codes
established by the country of residence, or simply illegal for all parties
involved. This paper will focus on the easily identifiable illegal activities
and the difficulties in prosecuting the criminals behind those actions.
In particular this paper will look at several different Internet scams, the
methodologies behind them, jurisdictional questions that arise and possible
solutions.

Traditionally jurisdiction means both the right and the power to apply law.
To derive jurisdiction several tests are applied to each case. One test
regards subject matter as in the example of a patent case. Courts who hear
patent cases must be competent in such laws. This ensures that a speedy trial
is more likely since precepts of specific laws don’t need to be explained
time and again. Another test involves the monetary value involved. In the
United States small claims courts are a limited jurisdictional arena for
litigants to argue over sums less than $5000.00. Since jurisdiction is
generally limited to specific territories another test must decide whether
the case falls within the court’s realm of influence. The venue of a case
is often based on where the crime occurred. So if a car accident occurred
between a United States citizen and a Canadian citizen in the state of Washington
then the United States would have proper jurisdiction to hear the case.
The last and most important test of jurisdiction regards enforcement. A
court may decide on a case and issue a ruling but not have the power to
enforce it. This contention is highlighted in the ongoing case between
France and Yahoo!. Ironically this case shows that even though a court may
not have the power to enforce its laws the other criteria being satisfied
can make courts believe they have jurisdiction anyway. The cases examined
in this paper will be of a more criminal nature. The crimes, known as
phishing and pharming, are growing rapidly because prosecution seems impossible.

Phishing has a much longer history than some would imagine. Originally coined
from the contraction of “Password Harvesting”, phishing was a method of extracting
fresh usernames and passwords in the early to mid 1990’s. There is even anecdotal
evidence that the crime reaches further back into the late 1980’s on certain
Bulletin Board Systems (BBS). The procedure of the crime is very simple and
relies on two elements. First is distribution. The first major site for harvesting
was America Online. Criminals would use the Instant Messaging feature to pose as
System Administrators and demand the user reveal their password. The wording of
the messages changed often but generally stated “our records are in need of
correction, please submit your password now. Failure to comply will result in
account termination.” Users who were used to not understanding the magic of the
technology behind their service would comply out of fear. Even today users will
see warnings in their AOL Instant Messaging windows stating that, "Reminder: AOL
staff will never ask for your password or billing information."

As the Internet blossomed the crime changed its nature. Obtaining passwords
was not as lucrative as obtaining credit card numbers. This was also due to
the changing nature of credit card verification systems and the relative value
of credit card numbers. Generating fake credit card numbers was no longer
possible as of the mid to late 1990’s so “carders” needed real credit card
numbers. On AOL, the messages phishers used changed to reflect the newly
sought after prize. “Our accounting records have been damaged. Please submit
your credit card number, social security number, date of birth and mother’s
maiden name. Failure to comply will result in a loss of service.” During the
early days this type of crime was easier to prosecute. Calling long distance
was expensive so phone records could narrow down a jurisdiction in which to
prosecute. Even if the caller was a “phreaker” (one skilled in hacking the
phone system to place free long distance calls) one could assume that the
caller was probably operating out of the United States. Even more one could
generally assume that both parties (plaintiff and defendant) were both citizens
of the same country.

With the Internet everyone was local. Instant messaging moved to the global
network and now criminals as far away as Spain could easily phish for new
credit card numbers in New Mexico. This development allowed phishing to take
on newer forms although the same name is still used for the crime. The newer
forms are even more difficult to deal with from a jurisdictional viewpoint.
Spam is sent out to millions of potential victims masquerading as official
bank memorandums. These memos state that “our records are in need of
verification, please submit the following information”. The victims are
presented with a hyperlink that will take them to a fake site. The graphics
and layout for these fake sites will exactly mimic the real web site. The
only difference of course is that instead of updating information at the bank
the victim is submitting their most personal details to criminals.

Pharming is yet another tactic used by more technically adept criminals, or at
the very least by criminals who have paid off hackers to help them with their
operations. Pharming uses advanced techniques such as DNS poisoning to effectively
hijack a website. A simple way to think about this type of subversion is a
standard telephone number. If one dials 1-800-WALMART the
numbers 8 0 0 9 2 5 6 2 7 8 are pressed every time. What if a virus changed
the values for each of the buttons? So instead of ringing Wal-Mart the criminal’s
phone was dialed. Now instead of placing a phone order or asking about a
shipment the criminal could extract your personal information. Pharming works
in a similar fashion by changing the numeric values associated with the names
typed into a URL. This technique was most visibly noted when China first began
“negotiating” with Google in 2003. Chinese citizens who typed http://www.google.com
into their browsers were sent to various state run search engines. China didn’t
try to disguise the sites to look like Google; however, in pharming operations
the end result isn’t as overt. When a victim types the name of a hijacked
website into the address bar, the look of the website, even the certificates
can appear to coincide with the actual site. The difference is overwhelming.
Phishers must fool victims one at a time while a pharmer will capture every
person who happens to visit during a certain time period. This is even more
troubling given the nature of certain virus attacks seen lately. One of the
tools used to disable the victim’s anti virus capabilities is to modify the host
file. This file is like a local directory and overrides all DNS settings. In
the virus attacks, every update site (Microsoft Windows Update, Symantec Live
Update, etc.) is set to 127.0.0.1 in the host file. 127.0.0.1 is a technical
address which describes a “loop back” or local host. This will stop cold any
attempt to contact the anti virus update sites for a current definition of the
threat attacking. An analogous situation is an attacker changing 911 to dial
the number of the phone the victim is using thus creating a constant busy signal
when help is most needed. Should pharmers start using this tactic, and evidence
in reports is showing this to be true, they can easily point a request for a
bank’s website to servers under their control. With so many countries involved
it is difficult to state who would have the right to try these criminals in a
court of law.
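
The host file tampering described above can be checked for mechanically. The following is an added example, not part of the original paper: it parses a host file and reports watched names that are pinned to a loopback address (updates blocked) or to any other address (traffic redirected). The watch list and the sample file are constructed for illustration.

```python
import ipaddress

# Assumption: a hypothetical watch list of names that should always resolve
# through DNS and never be pinned in a host file.
WATCHED_SUFFIXES = ("update.av-vendor.example", "bank.example")

# Constructed sample host file, for illustration only.
SAMPLE_HOSTS = """\
# local names
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       liveupdate.update.av-vendor.example   # update site sent to loopback
0.0.0.0         update.av-vendor.example
203.0.113.45    www.bank.example online.bank.example
192.0.2.7       intranet.corp.example
not-an-ip       www.bank.example
"""


def normalize(name):
    """Lower-case a host name and drop a trailing root dot."""
    return name.lower().rstrip(".")


def is_watched(name):
    """True if the name is a watched domain or one of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line number, name, address, kind) for every watched name."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed entry, skip it
        # One line may map several names to the same address.
        for name in map(normalize, fields[1:]):
            if not is_watched(name):
                continue
            if addr.is_loopback or addr.is_unspecified:
                kind = "blocked"              # the 127.0.0.1 case in the text
            else:
                kind = "redirected"           # the pharming case in the text
            findings.append((lineno, name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({kind})")
```
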

Personal jurisdiction, the power of a court to hear a case out of its normal
territory, is cloudy in cases such as Internet scams. In tort cases such as
Gutnick v. Barons it was established that an Australian court could hear a case
even though the plaintiff was based out of the United States. Yahoo! v. France
is yet another case where personal jurisdiction has brought foreign plaintiffs
into courts. In both cases an element of “minimum contact” was satisfied. Minimum
contact is the established contact of the two parties in the jurisdiction of the
court. So in these cases, even though the defendants didn’t technically fall
within the jurisdiction of the court, contact was made via the Internet. This
contention is still the subject of much debate since the Internet could
technically satisfy minimum contact for any person against any other person in
any country with an ISP. The criminals behind phishing would satisfy minimum
contact for at least 50 countries with every swarm of spam that is released.

With such an obvious danger to the public one may wonder why things have become
progressively worse. The legal enforcement arms of the United States have
increased budgets and training yet the crimes seem to flourish. One of the
largest reasons is that many victims are too ashamed to come forward. In the
case of phishing and pharming victims choose to deal with the banks. Banks
must consider their own brand which should imply trust. As such they tend to
accept losses in favor of derogatory media coverage. Of the small percentage
of victims who do report the crime an even more difficult problem arises. The
crime committed has crossed not just state lines but international borders.
Sometimes the crime takes place in more than two countries. In the instance
of a phishing website let us assume a standard operation. A criminal in
Nigeria has harvested email addresses from web based guest books across the
Internet. The criminal then emails millions of victims with a hyperlink
pointing to a website under his control. The web site is set up on a web
server located in London. Victims of the scam enter their information from
their personal computers in the United States. To properly prosecute this
crime police from all three countries would have to work together. Even
worse, courts from all three countries may feel they have the personal
jurisdiction to hear the case.

Phishing, which falls under identity theft, is illegal in the United States.
It is specifically covered under the Identity Theft and Assumption Deterrence
Act of 1998 (ID Theft Act). In the global nature of the Internet the ID Theft
Act is simply a local statute. Legally speaking phishing also violates United
States trademark laws since the web sites erected use the logos of the banks in
unauthorized ways. The typical reaction by banks is to contact the responsible
Internet Service Providers (ISP) and have the site shut down immediately. Unlike
cases such as Playboy Enterprises, Inc. v. Universal Tele-Talk Inc., and
Jay D Sallen v. Corinthians LTDA the banks realize they don’t have a chance of
getting trademark infringers in court. Even if they were able to find the
criminal and get them into the court the damages would be so high that the
criminal would never pay them.

One possible solution is to enforce absolute location information for every
computer on the Internet. As Global Positioning Systems (GPS) drop in price
it is reasonable to assume that computers could all transmit their exact
coordinates in the future. While this may technically fix the problem of
verifying jurisdiction and even the location of alleged criminals there are
other problems. The state of Georgia attempted to make legislation that made
illegal the masking of identity on the Internet.

The code, Georgia Code 16-9-93.1, was brought down by the ACLU of Georgia
because at times anonymity is needed on the Internet. The case of whistle
blowers and even medical patients seeking help online underscored the need
for a person to not identify who they are. Assuming all privacy rights were
thrown out the window and this type of legislation were enacted it would not
entirely help the situation at hand. Most criminals of this nature are
operating out of cybercaf

What does phishing look like?

I’ve been working on a few different projects in what’s left of my spare time. One of them is battling 419 scammers. I’ll post about that some day soon. The other is phishing investigations. Most have no idea what this really looks like. In one of my catcher email accounts I received an email with the following subject line:
“Action Required – ID Verification”
A catcher account is an account that is not used for any other purpose than attracting spammers, phishers and the like. I “seed” the account by posting comments in random but highly visible guest books. The place most likely to be harvested by these types of criminals. Gmail, as a side note, had already labeled this Action Required email as spam.
The body of the message reads like an official document:
“Dear Wells Fargo customer,

As you may already know, we at Wells Fargo guarantee your online security and partner with you to prevent fraud. Due to the newly introduced Comprehensive Quarterly Updates Program (which is meant to help you against identity theft, monitor your credit and correct any possible errors), we urge you to go through the 2 steps Wells Fargo Account Confirmation process. The operation involves logging in and confirming your identity over a secure connection at:

 https://online.wellsfargo.com/signon?SIG…

First thing to notice is the salutation. Companies like Paypal repeat over and over “we will always address you by name”. So notice that this mail begins “Wells Fargo Customer”. Ironically the first thing this mail talks about is fraud! This disarms victims. What criminal would speak of the crime right away?? The less technically savvy would not see the second giveaway. The hyperlinks to the words (which I didn’t copy over in the paste above) do not go to wellsfargo.com. They point to numerical IPs.

“online security” and “prevent fraud” both have links going here:
 http://80.168.169.20/.update/www.wellsfa…
Without the use of more sophisticated attacks which would hide even these initial signs one notices www.wellsfargo.com IS in the URL. Just not where it counts. This hyperlink would point one to a server located at 80.168.169.20. The server appears to be offline already but a traceroute (program which shows us the path of a packet) gives an approximate location of this server.

17 112 ms 113 ms 112 ms  g1-0-t6-br1.router.uk.clara.net [213.161.70.12]
18 112 ms 114 ms 116 ms  t6-cr1-ge-6-0.router.uk.clara.net [195.8.86.205]
19 114 ms 114 ms 113 ms  gs-cr2-ge-2-2.router.uk.clara.net [195.8.68.253]
20 114 ms 136 ms 115 ms  gs-cr1-ge-2-2.router.uk.clara.net [80.168.0.137]
21 113 ms 115 ms 113 ms  fe-2-0-gs-ar5.router.uk.clara.net [195.8.86.26]
22  fe-2-0-gs-ar5.router.uk.clara.net [195.8.86.26] reports: Destination net unreachable.

The last stop before getting a “server not found” signal is in the United Kingdom. Interesting.

But the server itself IS still up. And it is located in China!

12 19 ms 18 ms 21 ms 12.118.94.10
13 114 ms 116 ms 114 ms p10-0.zur01b04.sunrise.ch [195.141.213.225]
14 114 ms 114 ms 114 ms g5-1.zur01b03.sunrise.ch [193.192.234.197]
15 113 ms 114 ms 114 ms 212.161.164.37
16 155 ms 134 ms 136 ms 62-167-19-21.adslpremium.ch [62.167.19.21]

Looking at the site will show an exact replica of the actual Wells Fargo Site. And if you think about it copying and pasting from another web site’s design is very simple.
No matter what is entered for the account and password the site goes to the next page. There a pin number is asked for.

Again any entry is accepted and then, this is clever, a page thanking them for cooperation. The clever part is that all the links go to the actual Wells Fargo site!
This all seems interesting to me at the moment as my paper on Internet jurisdiction looms over me. Suppose you were one of the unfortunate who gave away the information sought. What can one do? Try to contact the police? Interpol? United States Secret Service? The only people that can even possibly help would be the Bank itself. And then they will treat you with indifference if purchases have been made. They have to assume that perhaps you made these purchases on your own and want to get out of paying for them.
As far as jurisdiction, prosecuting may be possible for those involved in the UK. We (the US) seem to have good relations with England. Getting someone in China to hand over citizens, even those stealing from the US, will likely get derisive laughter.
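
The link giveaways described in this post (hyperlinks that point at a numerical IP, the bank’s name sitting in the path instead of the host, and a displayed address that differs from the real target) can be tested automatically. The following is an added example, not part of the original post: `bank.example`, the documentation address 192.0.2.10 and the message body are constructed stand-ins.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "bank.example"  # assumption: hypothetical brand domain

# Constructed sample message body; 192.0.2.10 is a documentation address.
SAMPLE_EMAIL = """\
<p>We guarantee your
<a href="http://192.0.2.10/.update/www.bank.example/signon">online security</a>
and partner with you to
<a href="http://192.0.2.10/.update/www.bank.example/signon">prevent fraud</a>.</p>
<p>Confirm your identity at
<a href="http://192.0.2.10/.update/www.bank.example/signon">https://online.bank.example/signon</a></p>
<p><a href="https://www.bank.example/privacy">Privacy policy</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def on_brand(host):
    return host == BRAND or host.endswith("." + BRAND)


def check_link(text, href):
    reasons = []
    host = host_of(href)
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if not on_brand(host) and BRAND in urlsplit(href).path.lower():
        reasons.append("brand-in-path")  # brand present, "just not where it counts"
    if "://" in text and host_of(text) != host:
        reasons.append("text-host-mismatch")  # shown URL differs from target
    return reasons


def analyze(html):
    collector = LinkCollector()
    collector.feed(html)
    checked = ((t, h, check_link(t, h)) for t, h in collector.links)
    return [item for item in checked if item[2]]  # keep only flagged links


if __name__ == "__main__":
    print(*analyze(SAMPLE_EMAIL), sep="\n")
```
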

Microsoft UK Sponsors Short Film contest

It’s almost funny given Microsoft’s track record for similar computing “innovations”. The Thought Thief contest is looking for films under 45 seconds revolving around the idea of IP theft. I’d love to enter but it’s only for UK citizens.
Even more ironic is that the rules of entry say that the copyright of the film belongs to the entrant but the entry form says:

“I will formally licence, on terms acceptable to Microsoft, all intellectual property rights in my film and agree to waive all moral rights in relation to my film if requested to do so.”

source: http://g.msn.co.uk/UK7/136567.1?http://w…

The line regarding moral rights is particularly brilliant. In that evil sort of way.

Microsoft Enters the Anti Virus market

It’s hard to know how to interpret this move. Clearly this is a sign that working at an Anti Virus firm is good right now. If Microsoft enters your market that means you are in the right place. But it also seems like a signal from Microsoft that says, “Our trusted computing promises are not going to materialize for a VERY long time”. Why would I think that? TC supposes that a combination of hardware and software can eliminate malicious code, e.g. virii. With this move Microsoft clearly knows that TC isn’t likely to solve the problem that is plaguing them right now.
More virii have come out for Windows than any other platform to date. This is partly what scares me about this latest move from Microsoft. It could be a possible vector for them to defer any responsibilities in protecting the core operating system from infections. Instead of focusing efforts on reducing vectors of infection they can simply say “go buy the annual service for our anti virus”.
The less suspicious side of me notes that this could be a good thing for end users. If the OS has at least some baseline of security then everyone is a little bit safer. Although the service would have to be free to any OS user for the altruistic vision to really come alive. Perhaps if Google *really* wanted to shake up the world and take a jab at Microsoft they could offer an anti virus solution.

New article on vulnerability disclosure

I have been a big fan of Jennifer’s attitude toward vulnerability disclosure. This particular article discusses the subject of full disclosure for software security vulnerabilities. Is it wrong? Is it right?
Opinions vary. Mine happens to conflict with my employer’s (I side with Granick on this topic) so I have written about this weeks after discovering the article. Why so long? I wanted to make sure my name didn’t appear anywhere on the blog so my current employer doesn’t become my most recent employer. It’s a heavy price to pay for the volume of users this blog *could* reach. Ironically only one person has ever bothered responding to this blog.
Back to the topic at hand. The article demonstrates that disclosing the facts about vulnerabilities is helpful. Many in the industry don’t feel this way and will do anything to keep vulnerability information out of public hands. Including the very existence of the vulnerability. They [the software corporations] feel that circulating details about the vulnerability will only aid attackers. It is a unique situation for computer security since anyone with sufficient knowledge and an internet connected computer could in theory use the vulnerability to attack others. “In other scientific fields, for example medicine, an explanation of how to synthesize polio does not endow an audience with the particular tools necessary to do so.” *
The paper goes on to explain some of the containment methods for vulnerability details and their effectiveness. Perhaps the most lucid argument of this paper is the empirical proof that disclosure does work. There is solid evidence that the constant public exposure of buffer overflows has helped educate a community of software developers. This education has significantly reduced the number of buffer overflows in software. This isn’t to say that Buffer Overflows don’t exist anymore. But having spoken to security researchers the overflows certainly don’t exist like they used to. It is very difficult to find them in many of the applications that have been targeted by researchers over the last few years.

* THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS, By Jennifer Stisa Granick, page 7