The new JavaScript speed king, Google Chrome web browser is getting hammered by security researchers over security vulnerabilities ranging from crashing the browser to potentially running malicious code on the user’s computer.  Here’s a quick round-up of what I have come across so far:

1. “Carpet bomb” – September 3, 2008. Security researcher Aviv Raff managed to discover this vulnerability hours after the browser was released. The vulnerability, when exploited could litter the user’s download directory with numerous irrelevant files or could potentially be used to exploit other vulnerabilities that may exist on the user’s machine.

Raff describes on his site how a specially-crafted java archive file (JAR), combined with a social engineering ploy could trick a user in to downloading and executing the file without any warning from the browser.

The vulnerability comes from Google’s use of an outdated version of WebKit, the open source browser engine toolkit used also by Apple’s Safari browser. The WebKit version used in Chrome is the same used in Safari 3.1, which had its own set of vulnerabilities.

2. URL Handler Crash – September 3, 2008. Rishi Narang discovered an issue in Chrome that can crash Chrome altogether when the user visits a specially-crafted URL, throwing the following (G)message:

Whoa! Google Chrome has crashed. Restart now?

(more…)

The Sunday Herald is reporting that an international gang of computer hackers has penetrated the booking system of the Best Western Hotel group and stolen the identities of an estimated 8 million hotel guests.

The report states:

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Update (August 27 – 11PM +4GMT) – FOX News is reporting that Best Western has denied the extend of the hacking incident claiming the report by the Sunday Herald as “grossly unsubstantiated” and “largely erroneous.”

Best Western did, however, confirm that a hacker was able to penentrate its computer network in one of the hotels in Berlin and install a trojan on one of the computers designed to steal data.

Fedora Project Leader, Paul W. Frields, in announcement released yesterday, said that some Fedora servers were “illegally accessed” last week.

Here’s more from the announcement:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

(more…)

Scientists have finally worked out a “cloaking” device or a shield for existing Implantable Cardioverter Defibrillator (ICD) devices, following a report detailing weaknesses in the communications mechanism that can lead to leak of patient information and risk of loss of life. ICDs are similar to pacemakers and used by heart patients to slow down the heart.

Earlier this year in May, a team of researchers from were able to exploit a weakness in the wireless communications protocol used by ICDs operating in the 175kHz frequency range. The research team was able to intercept the wireless signals used to communicate with the ICD and reprogram the signals, and even retrieve patient information. The complete research can be found here (pdf).

Figure: Communications between an ICD and ICD Programmer (computer)

The cloaking device, invented by Dr Tamara Denning, a computer scientist at the University of Washington in Seattle, is designed to resist any instructions that come from anyone other than the doctor. The device itself is wearable like a wrist watch and technical working details have not been released.

Is this really a practical solution? Not everyone thinks so:

However, Dr William Maisel of Harvard University, who led the pacemaker hacking experiment earlier this year, said the cloaker was unrealistic.

In an emergency, a cloaker could be hidden in clothing and be hard for doctors to find.

‘You’re asking hundreds of thousands or millions of people to wear something every day for a theoretical risk,’ he said.

Google’s recently announced open source cross-platform cryptographic toolkit, Keyczar, is an excellent time-saver for security application developers. 

Keyczar simplifies implementing of cryptographic functions in applications which typically involves selecting a cryptographic algorithm along with the key length and operation mode, handling of initialization vectors, rotation of keys and the signing of ciphertexts. Keyczar selects “safe defaults” for all these options resulting in fewer mistakes from the developer.

Examples from Google:

Java
Crypter crypter = new Crypter(“/path/to/your/keys”);
String ciphertext = crypter.encrypt(“Secret message”);

Python
crypter = Crypter.Read(“/path/to/your/keys”);
ciphertext = crypter.Encrypt(“Secret message”);

Other open source security projects from Google include RATproxy and Flayer

Here’s a round-up of some of the interesting interviews from this year’s Black Hat event:

1. This year’s most popular Black Hat speaker – Dan Daminsky

(more…)

CNN is reporting that 11 people were charged yesterday for allegedly stealing more than 40 million credit and debit card numbers. The hacking incidents relating to the accused took place at various major retail outlets in the USA over the past three years.

The defendants come from U.S.; Estonia; Belarus; China, with one individual whose country of origin still remains unknown.

From the report:

Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

(more…)

DNS Multiple Race Exploiter simiplifies exploitation of the latest DNS vulnerability and even attempts to poison patched servers. According to the author:

Patched DNS servers randomize the UDP source port number, however, that will not eliminate the flaw; it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period seconds, however, poisoning patched systems would take a period of hours.

Unlike the previously released tools that work on poisioning uncached “NS” and “A” records, this tool can overwrite any A record by using a CNAME response. 

The tool uses a static TTL of 0x7BEDABED in all spoofed replies, which should be sufficient to create an IDS/IPS signature to protect against the script kiddies out there.

cname_rr = (struct cname_RR *) (payload + sizeof(struct dns_hdr) + hostname->size + sizeof(struct query_RR));
cname_rr->name = htons(0xC00C);
cname_rr->type = htons(0×0005);
cname_rr->clss = htons(0×0001);
cname_rr->ttl = htonl(0x7BEDABED);
cname_rr->length = htons(entryname->size);

PA Vietnam, a Vietnam Government affiliate and the second largest hosting company in the country, saw over 10,000 websites being crippled after the provider’s .COM and .NET Top Level Domains (TLDs) were hijacked by attackers on Sunday, 27th of July. The crippled websites used the provider’s domain name servers (DNS) that were registered under the hijacked domains. 

According to VNCERT, the country’s National Computer Emergency Response Team:

“It’s believed the hackers broke in through a hole in DNS to control the administration,”
-VNCERT Technical Branch Chief –  Do Ngoc Duy Trac. (more…)

Meru Networks has introduced RF Barrier, a solution for wardriving threat that uses wireless technology itself to produce a barrier to protect corporate wireless networks.

The RF Barrier system involves mounting a specialized Wireless Access Point on the inside Wireless perimeter with an advanced antenna extending to the outside of the Wireless perimeter. The technology inspects the traffic in real time to differentiate the “sensitive” (internal) traffic from the outside traffic. Sensitive traffic is protected by the RF Barrier by simultaneously transmitting harmless, but stronger RF waves through the external antenna. The stronger RF waves in turn degrade the sensitive traffic outside the internal wireless perimeter, leaving the wardrivers with very weak or no signals to work with.

The official press release states:

RF Barrier is the first solution using exclusively 802.11 technology to offer wireless perimeter protection for organizations with regulatory requirements or policies regarding data privacy, such as retailers, financial and government institutions, manufacturers and health-care organizations.  RF Barrier protects clients with legacy security mechanisms, such as handhelds and scanners equipped only with WEP or WPA/TKIP, as well as modern WPA2- and EAP-based networks, where it helps prevent the exposure of potentially exploitable information such as user identities.  Furthermore, it provides physical wireless security in remote branch offices where no IT personnel are present to detect or stop an attack from outside the site’s physical boundaries.

(more…)