Thursday, 30 October 2008

Near misses

Hello all

It has been an interesting few days for me. I have been involved in a couple of things that I can talk about and a few that I can’t. So, on to the ones that are fine to chat about.

Microsoft released an out of band patch – let me remove the jargon around that. There was a security update that came out when it wasn’t a regular patch Tuesday. Patch Tuesday falls on the second Tuesday of the month except for the March before last when there weren’t any. Well, this one (MS08-067) was released on October 23, 2008 which is fairly close to the November patch date which will be the 11th – I don’t have any inside information but that would be what every system administrator expects and the MSRC blog should confirm that soon. So, this out of band patch was released pretty much in the middle of two patch cycles and that would mean that it was something special.
Well, it is. From the bulletin (and again, no special knowledge here), it was a vulnerability in the computer browser service and the server service. The question that MS always ask themselves when a vulnerability is reported or found is “Could this be used to write a networked virus, or a worm for short?” For the answer to be yes, the following things have to be true:

1. It has to be a remote code execution vulnerability.

2. It has to attack software that is running all the time on vulnerable systems

3. It can’t require user action for the exploit to work

Well, this one ticks all those boxes. It is an RPC based vulnerability. You have probably heard of a worm that used an RPC vulnerability. Blaster did that. However, this wouldn’t be as limited as Blaster since it affected more versions of Windows. Accordingly, I would advise installing this one pretty damn quickly. The proof of concept code was released on the 24th and the black hats have it now. Oh, and just to add to the fun, the malicious code would be running as SYSTEM and would be able to do what it liked to the target machine.

One of the things that I did related to this was quash a rumor that Microsoft is releasing viruses that utilise flaws in Microsoft software. I have heard that one so many time and it has never made sense to me. The point of malware is to put code onto the box that the attacker wrote. What a Microsoft written virus would do would be to... uh, well, patch Windows. MS already has control over what code is in Windows. As for the motive, that is even more puzzling. Do you think that Microsoft wants to steal your product keys? They already have loads. Your credit card details? I think that someone would notice. No, the main reasons that I hear behind this insane rumour are that it is to force people to install patches (uh, they are provided free so where is the motive) or to encourage sales of Microsoft Antivirus products.

Did you know that Microsoft markets anti-virus products? Their home anti-virus is called One Care and it is not a huge seller. The business solution is Forefront Client Security. They are decent enough products but could the profit possibly be worth doing something illegal and easily traceable to the company that is perhaps the most monitored company in America? Clearly not. Also, given the respective market shares, this would help Microsoft’s competitors much more than it would help Microsoft. Clearly, this is nonsense.

However, imagine that I believe that MS kicks puppy dogs and eats small children. Imagine that I didn’t know for a fact that MS doesn’t do these things and that they can normally be traced to some well known sources. The question would be, why on earth would Microsoft bother? There are hundreds of malware writers, maybe even thousands, who will write these things for free.

The other thing that I can mention is that I saw a SPAM email the other day. Nothing odd about that. This one read:

“Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!”

The website was actually listed and had been hacked using a fairly simple attack. There is nothing unusual about this as a technique but it reminded me so much of the first wave of attacks that built the Storm bot net, now largely defunct. However, this malware proved to be the much less interesting Zbot while Storm was an evolution of RBot. Storm was much more flexible and much more resilient than Zbot – and the malware servers were the bots themselves rather than a normal website. It did look very familiar for a moment though as some of the early cases were used hacked websites as the hosts before they developed their fast flux DNS capability.

Anyway, I helped out the company that got hacked. It didn’t take long so there was no charge in this case. They wanted a French speaking consultant so all that I did was prepare enough information to hand over and let them find their own man.

So, it has been something of a week of "might have been"s

Signing off

Mark Long, Digital Looking Glass Ltd

Monday, 27 October 2008

BBC reports rise in script kiddie activity

As you may have noticed, I like to keep an eye on the main stream media as well as the technical press. When you see a technology story appear on national news, it is either an important news story or a slow news day – but what is news to one person might be olds to another. So, the BBC report that young people are getting more involved in hacking. So, what triggered this comment? Why, that would be this BBC video

What they have there is known in the trade as a Script Kiddie. They blur the screen but it is clear that one of the forums is talking about the world’s easiest and commonest attacks, the SQL injection attack. It may be easy to do but that doesn’t make it less effective. Quite the reverse. Some very big names have been hit by that one. So, it seems that kids are being more active in low level cyber crime. Let us look at the various types of hacker that might be testing your web based solutions or sending files to choke your app through email.

The Script Kiddie. The script kiddie gets very little respect. Even the journalist was not much impressed by that one. They tend to be scavengers, picking crumbs from a rich man’s table. They will use techniques that they have learned from more experienced hackers. You might think that people with useful hacking skills would keep these things as trade secrets. Well, some do and some don’t. Those that don’t feed the script kiddies. One thing that is new is that they seem to be doing this increasingly much for profit. They used to “tag” websites with their screen names or just cause damage but it seems that they are now dabbling in a little credit card fraud. Well, times are hard and pocket money is not as easy to come by. They are sometimes minors and rarely over the age of 20. 18 is often a critical age because at that point, it stops being a problem for the parents and becomes an offence against the 1990 Computer Misuse Act punishable by 6 months to 2 years in the UK. You can get longer in the US, of course. British law is rather lenient in this regard.

“Hacker” is a bit of a problematic term because you can be a hacker and never once compromise someone’s security. A hacker can just be someone who codes down near the metal which always struck me as damn good fun. Rather than hacker, let us talk about hats.

White hats are hacking for non-malicious and generally legal reasons. You can hire white hats if you want. Just look for “Penetration testers” which is what they prefer to be called. Oh, while I am on the topic, Digital Looking Glass will be launching a PenTesting service next year. Some companies combine testing and penetration testing and that gets a lot of the glitches out of the software before it is released. It makes testing very slow and expensive but you pay your money and take your choices. There are also universities that study the techniques and responsibly report flaws to the software authors.

Grey hats have the same skills and they use them for… well, other reasons. They are not normally criminals or at worst will only break civil law rather than criminal law. As with so many things, there are shades of grey. Some will work with software vendors to get vulnerabilities fixed. Others will write exploit code and publish it to “encourage” the vendor to fix the bugs. You better bet that the script kiddies love sample code, especially when it is in a high level language that they can understand. A lot of the rootkit developers were nominal grey hats. The rootkits that we find in commercial malware (yes, there is such a thing) are normally pretty much unchanged from the sample code provided by the grey hats. The code is readily available. No really. Don’t believe me but see for yourself. Just go to You will find a lot of script kiddies begging in the forums.

There are lots of other site for the aspiring and practicing hacker. Here are a few that I have been to in the last week: An excellent site with graded exercises to enable anyone to learn how to crack systems. The forums are also very useful. is a bit less up to the minute but has some nice exercises for helping the scripters make progress towards the big time. The cult of the dead cow is a well known group that have produced some remarkable tools such as Goolag which uses Google to search for vulnerable parts of sites. has a whole collection for a range of platforms – the formatting is not excellent but the material is generally very good.

There is plenty of material out there. If a grey hat wants to go black hat or a script kiddie decides to play in the big time then the techniques are no further away that your browser search bar. So, what sort of black hats are there?

There are some who work solo – not all computer users play well with others. They will typically be looking for anything that they can get. If they find a home system, they will gather credit card details if they can and pay for their web use for a while. Small amounts are likely to go unnoticed for a while. If they get into a company network and can steal a few then they will sell then. A good solo worker with the right connections can clear $250,000 which is not too bad when you don’t file a tax return.

The black hat gang. There are some small independent groups but generally they are run by another group. The hacker gangs are generally small although there have been reports of larger ones in China. Some have suggested that corrupt government officials are running them. Well, I don’t know because they don’t publish their accounts. All that can be said for sure is that the security guards who were standing outside were wearing Chinese military Uniforms and armed with the AK47, just like Chinese military usually are. As for the non-military ones, a lot of them are eastern European. The Solntsevskaya and Dolgopruadnanskaya organisations run multiple cybercrime gangs. They have a number of approaches. There are botnets which are used for extortion (denial of service against websites, typically online casinos), SPAM, data gathering (passwords and credit cards) and rental. They have phishing operations too – typically against western banks but also against paypal and similar organisations. Sometimes these are combined. I have seen spam bots churning out spam advertising the stolen credit card numbers for sale. I had to get the message translated. Of course, that could well have come from the next type of black hat. Some of them will be looking for whatever they can get, working much like solo black hats. You can hire them by the hour if you know the right people.

Finally, there are state run black hats – or maybe white hats. It depends where you are standing. After all, we sponsor freedom fighters and they sponsor terrorists. A number of states definitely have some very smart people hacking for them. Is this good or bad? Well, it depends on the target. The computer that you are using depends on principles developed in Bletchley Park, Station X. That was a project to break German codes and it gave us the finite state machine.There are ethical questions there which I can’t answer.

So, the BBC may well be right in saying that younger kids are getting involved in cybercrime – but let us be honest here. It is not as if there was a shortage of cybercriminals without waiting for junior to grow up.

Interesting times indeed

Signing off,

Mark Long, Digital Looking Glass Ltd

Tuesday, 21 October 2008

How private is private? Not so much.

Swiss PhD students from Swiss Ecole Polytechnique Federale de Lausanne have been trying to sniff data as it is typed on a keyboard. That is something that they are supposed to do since they work in the Security and Cryptography Laboratory there. They have been listening to the radio signals emitted by keyboards including laptop keyboards. They were doing this mostly with keyboards that were not attached to PCs to reduce the amount of radio mush that was in the environment. A quick attempt to recreate the experiment using a $4 radio purchased at Woolworths did not give any results but there is no doubt that snooping of this sort can be done.

The traditional way of using a radio to snoop on a computer was to look for emanations from a CRT – a conventional monitor has an electron stream whipping backwards and forwards, painting a frame dozens of times a second. With a monochrome monitor, this was easy enough but much harder with colour – and the higher resolution made it harder still. There was a paper written by Wim van Eck, a Dutch researcher, back in 1985 which described the technique. This became known as TEMPEST (Transient Electromagnetic Pulse Emanation Standard). This wasn’t too hard from CRTs because there was a lot of power going through the monitor and accordingly a lot of radio emanations to tap into.

There was also a technique referred to as optical TEMPEST that used the same principle as the light guns on the old Nintendo Entertainment System. The electron beam swept the screen 50 times a second on a conventional TV – actually twice 25 as the frame was interlaced with half of the picture painted each time. When the trigger was pulled on the light gun, the target (for example, a duck) blinked white and the light gun would, if correctly aimed, see this in its narrowly focussed barrel with its crude light sensor. No flash? You were not aimed at the target.

However, this could be refined. You could have a very fast camera look at the screen and record the variations in the luminance of the screen and work out what was being shown on screen. Ok, not so interesting because you can see the screen anyhow – but here was the kicker. You didn’t have to see the screen, only the light from the screen. That is reflected from things in the room and can, with the right equipment, be detected from a long way off. The reflection would vary microsecond by microsecond giving you a fuzzy rendition of the screen after much processing. Of course, none of this works with LCD monitors because they don’t scan that way. The monitor is always back lit and pixels change when they change – or more accurately, the red, green and blue elements change and several of these make up a pixel. Because the old techniques don’t work as well with LCD monitors, research has moved on to detecting the much smaller signals output by the digital electronics. This is a trickier proposition but not impossible, as has been shown here. In practice, it would be harder still to do because computers rarely live in an electrically quiet environment. They are often surrounded by other computers and sources of radio emissions. I am writing this from home and I live in the countryside. I can “see”:

- 4 wireless networks, one of which is mine
- My mobile phone which is connected to the provider, the wireless network and via Bluetooth to a keyboard
- My PC wireless keyboard
- My PC wireless mouse
- My toothbrush (I have an Oral B Triumph and it has its own wireless network. Why yes, I am a geek. Thanks for noticing)

Because it is cold, the fan heater is on and it is generating radio mush. I am listening to one of my favourite folk singers and the room is wired for Dolby surround sound and none of the speaker wires are shielded. Come to that, nor is the phone line that is carrying the broadband that I am posting this with is not shielded. That will be generating some noise. That is in a quiet country location. Imagine how much worse a city office is.

Of course, there is one advantage to these techniques over conventional key logging software that runs on the PC. These are undetectable. Key loggers can be detected if you know how they hide. However, key loggers can work even inside a Faraday cage. Still happy that your system is all that private?

Signing off

Mark Long, Digital Looking Glass Ltd

Thursday, 16 October 2008

1984 project delivered late? Big brother database.

You have probably seen the splashes on the news pages. The British government are considering a database that logs a degree of internet traffic. There is a report here if you missed it

What are they considering logging? Well let us look at what is currently logged. Details of the times, dates, duration and locations of mobile phone calls, numbers called, website visited and addresses e-mailed are already stored by telecoms companies for 12 months. Any of these details are surrendered to an appropriate agency on request. The proposal is that these records should now be held for 2 years and be held directly by the government.

Jacqui Smith went on to say: "There are no plans for an enormous database which will contain the content of your emails, the texts that you send or the chats you have on the phone or online.”

Hmmm… let us consider what is being said here. Not the content then. What reasonable use would there be in storing the email header information only? Well, you would have the IP address it was sent from, the email account that it was sent from and you would have the time that it was sent. That is no great trick for SMTP since it is sent in plain text by default. SMTP (mail) protocols are really just special purpose TCP/IP chatter on port 25. This stuff is defined in RFC 821 and 822. It is easy enough to log that stuff if you can record any packet on a network. You can do similar things for IMAP and POP3. So, to effectively you would need to be sitting on the email servers to record this. Ok. The UK government can enforce this on UK servers if they want to – you can’t fight city hall… but what if the email is not on a UK server? Hotmail is not based in the UK and I am willing to bet that it doesn’t internally use SMTP or IMAP – when sending a message from one hotmail user to another, you are effectively doing a database operation and that is how I would implement it if I were you. I bet that most web based email services such as Yahoo, Gmail and so on work that way. The UK government could ask Google to send it this data but would they? It seems unlikely. How about (a Russian free webmail) or which is in Jordan. Now, Jordan and the UK get on pretty well but would they reasonably hand over that sort of data to the UK government? I don't think so. The Russians? Even less chance. There are hundreds of web email providers.

Oh, and here is something else that makes me wonder. You know why the industry doesn’t chase down the people who send the SPAM? Well, how would you tell who they were? It is trivial to fake an SMTP header and that is what the spammers do. There is nothing to stop the terrorists doing the same.

How about SMS messages? Well, they are a bit different because the whole message is sent as a packet. Longer messages are sent as multiple messages and stitched back together later, it seems. The message and the header are all in the same packet. I suppose that a scheme could overwrite the message content before recording the packet to a log but I would be surprised if that were done. The Multimedia Messaging Service protocols are more complex and more problematic.

Logging all phone numbers and times of calls and location of the caller? Well, that is pretty powerful if you know who the number represents. More than 75% of the UK population have a mobile phone. What other government can claim to be able to track 75% of their population at any time? Of course, pay as you go phones can be a problem. Pop into Tesco with some cash and you can buy a phone and some air time. Name? You are not required to give it. You want a free SIM card? You can have a dozen. Companies want to give them away. Why would a terrorist use the same one twice? This measures strikes me as an excellent way of monitoring the honest and the stupid but a rotten way of monitoring the intelligent and devious. There is also the question of the sheer volume of data as there is with emails. There are 60 million people in the UK roughly. About 75% have a mobile. That is 45 million mobiles to track. Some of those are teenagers who send dozens of texts a day. That could easily be 450 million texts per day. That is more than 160 billion texts per year. Good luck analysing that many. As for emails, that boggles the mind. There are more than 100 billion SPAM emails per day. Britain punches above her weight her because computer ownership is common. Let us say that 5% of these are in the UK. So, 5 billion SPAM emails per day. That is 1.8 trillion emails per year. Good luck in storing and scanning all those.

Hmmm… what websites were visited? That could be a useful one. In the course of writing this post, I have been to over 100 sites and I made no attempt at all to hide where I went. I don’t mind anyone knowing that I was looking at news sources and RFCs. Had I minded, I would have used a proxy. There are over 2000 free web proxies, hardly any of which are in the UK. You could investigate everyone who uses a proxy, of course. He who would keep a secret must keep it secret that he has a secret to keep, if I may quote Carlyle. You would be looking at trillions of web addresses each year though. It would be difficult data to mine. Where would you capture the data? The DNS servers would seem to be an obvious choice but I don’t need to go via a DNS server at all – indeed, the local cache serves most of my needs and I can keep a hosts file as large as I need. I don’t have to use a UK based DNS service at all and unless data is harvested at every router along the way, I don’t see how the traffic could be recorded as it doesn’t go through a central point. Again, you can monitor those who let you but those that want to slip through the net will find it easy enough to do so.

What about other forms of communication? Instant messaging would be hard to monitor – text messages for most types go via the server but voice and data go from peer to peer via UDP. That would be hard to monitor without something very like the Bundestrojaner, a bit of software created by the Austrian government to monitor individual computers using malware type techniques. That would be politically difficult to implement widely. Audio and video data is hardest yet to capture and when you look at structures like the Skype cloud architecture where there is little centralised control, it is tempting to throw up your hands in horror.

Of course, the more data you collect, the less effective your screening is. You really want to monitor the smart and criminal ones – and you have data on the dumb and the honest. You have so much data that it could only be analysed by machine, even if you have an army of spooks. The more data you have, the lower the signal to noise ratio and the less intelligent scrutiny you can give to the signal.

The problem is actually still worse. Let us consider what data related to terrorism might look like. Would it be a message saying “On Tuesday, we will meet at the town hall at 7:30. You bring the semtex and I will bring the guns. If wet, meet in the King’s head”? Why would it be in English? Why would it be in plain text? I could send that information as an MP3 of speech, as a JPG, as a video, as an encrypted file or hidden in a dozen ways, many of which are well known and have been used in dozens of films. We can safely assume that any terrorist worth his salt can do 20 minutes research. Code books are old hat but they still work. No scanning program can work out whether a discussion of the health of an aged relative really means something different when decrypted the old fashioned way with a look up reference such as the old book ciphers. There are also some cool things that you can do with steganography.

So, what does this cost us if it is implemented? Well, maybe not much. If the data is mostly ignored then there is little loss of liberty and the intelligence services will not be wasting much of their time. It might be useful in a case where our friends in the Office for Security and Counter Terrorism were trying to work out who a suicide bomber had been talking to.

However, if it is misused, it will have a massive effect on civil liberties and will blind the intelligence services because there will be too much data to ever process.

There is also a problem that you always have to consider. Even if you trust this government (and I am making no statement at all on that), do you trust every government that will come after? Will none of them use this to oppress their opponents or police the ranks of their own party? Will no future government use this to control its population? Forever is a very long time. There will be a bad leader some day. I leave it to you to decide how happy you are with that thought.

Signing off

Mark Long, Digital Looking Glass

Tuesday, 14 October 2008

Debugging war stories

Fishermen tell of the one that got away. Golfers tell of the amazing shot that happened when there was no-one to see. People who like debugging (and we are an odd breed) tell of the worst bug that they ever faced.

Well, there have been some really obscure ones. There was one that I tried to find every working day for 4 months in an operating system where the problem took 40 minutes to create, couldn’t be automated, there was no debugger and the crash killed the OS stone dead with no diagnostics. That was one to remember but with modern tools, you don’t get that sort of thing any more. Modern nightmares are a bit different and I would like to talk about some of the ones that I sometimes see. Oh, most of these will be in C++ because it makes more sense that way. They also happen in the runtime systems of various languages, most of which are in C or C++.

References to COM objects fail apparently randomly with a null pointer or a pointer that leads to garbage but there doesn’t seem to be any error in the code. Ah, how often have we seen this one? A variant is that a DLL has disappeared between function calls into it. The explanation is simple – the reference count is wrong so the (whatever type of thing it was) unloaded. You can’t see what unloaded it because it was on another thread or the system has cleaned it up under you without you doing anything because it looked unused. That is always fun because there can be dozens of areas in the code where you are seeing the access violation and you don’t know if you are seeing one bug or a dozen. It is relatively easy to track these down with a little judicious breakpointing and stepping just so long as you consider that you are altering the behaviour as soon as you add a debugger. If it doesn’t reproduce when there is debugging or tracing, oh, that can be a horror.

Data being wildly wrong for no obvious reason, more or less at random – for example, maybe you get a currency value that was fine when it went into the record being NAN (a binary pattern that can’t be a number) when you come to use it. Old hands will recognise that one as being probable heap corruption. There are great tools to help you with that one. If you are a fan of WinDbg, have a look at the GFLAGS command. In managed code, you can get similar things if you pass a data structure of some kind to an unmanaged DLL and don’t pin it in memory. As with the previous example, the cause of the crash is nowhere near where the actual error is. These are nasty types of error for most people but there are techniques for dealing with them.

Memory leaks used to be very popular – and very often misdiagnosed. People are sometimes a bit confused by memory usage. As regular readers of my old blog know, I am a big fan of object brokers. If you haven’t come across them before, they are memory allocators that you write yourself that will give you an object to use when you need it and you return it when you are done. From the point of view of the client code, what you have looks a lot like the heap – I ask for a blank MyObj structure by calling a function and I get a pointer. When I am done, I return it with a different function. They are not called new and release but so what? The difference is that the object broker isn’t creating and destroying them – it is maintaining a pool of them and they are not taken from and returned to the heap. I always like to have my object broker tell me how many objects it currently has on loan. That makes debugging memory issues much simpler. Oh, and some people will tell you that there is no need for object brokers now there is the low fragmentation heap. Well, I will hang on to mine. Why have the system do work that it doesn’t need to do? However…

Object brokers often cause reports of memory leakage. A common concern was that more memory was being held after an operation than before it. A lot of people raised this issue in the early days of managed code. What you commonly see with code that uses one or more brokers is that the memory usage will grow and then reach a stable plateau with a little variance caused by allocations that are not brokered – and there will always be some of those. It is always worth waiting to see if a rise in memory levels off after a while before deciding that you have a leak. However, you can get a situation with managed code where the garbage collector is overwhelmed and under very heavy load, the memory grows until the GC is forced to collect because allocations would otherwise be impossible. This is a pretty major housekeeping job and it requires access to a good deal of memory to keep track of what is going on – and there isn’t take much memory around because the process space is full of objects waiting for GC. Things get messy then.
Multithreaded hangs are always tricky and I have spoken at length about them before in my old blog. Nothing much has changed about how you debug those. It is still like trying to untangle a mad woman’s knitting in the dark while wearing gloves. This is certainly one case where prevention is much better than cure.

Of course, there are also logic bugs but each one of those is subtly different and it is hard to come up with a common approach more detailed than “Step through it and see what it really does”.

When I was a dev, I was told that I spent too much time debugging code but I have to say that the experience has stood me in excellent stead.

Signing off

Mark Long, Digital Looking Glass Ltd

Thursday, 9 October 2008

ClickJacking, the new kid in town

There is a lot of buzz about this at the moment. I thought that there would be after it was requested that it not be mentioned in the OWASP meetings So, what is it?

Well, to start with, let us say what it isn’t because that is important.

It is not:

1. A single exploit. It is a class of exploit rather than a specific example.

2. It is not a really a remote code execution sort of vulnerability so it doesn’t allow an attacker to take complete control of your system. It is more like a cross side scripting attack against the browser if such a thing were possible.

3. It is not a code defect in any particular browser and it is not a bug in Macromedia Flash. The first proof of concept just used Flash.

4. It is not browser or OS specific.

What it is:

1. A browser based exploit. If you are not viewing HTML, it can’t have an effect.

2. A way of getting a mouse click on a web page to mean something other than what the user means it to mean.*

3. A way of getting the browser to do what it could already do had the user asked for it

So, the exploit hijacks a click hence the name ClickJack. By why did I put a * by the side of the entry? Well, that is because the name is a little misleading. No-one else seems to have mentioned that you should be able hijack keystrokes that have the same effect as mouse clicks. I am willing to bet that you have accidently hit on this functionality a dozen times. In a text box that doesn’t accept multi-line, hitting the enter key will normally submit the form – I have cursed a hundred times when a logon was submitted without the password because I typed Enter when I meant Tab. Backspace takes you back one page. Tab and Shift Tab change the focus and that can fire an onFocus event. Accordingly, I don’t see that this is limited to mouse clicks.

What could be done with this class of exploit?

Well, the proof of concept was rather clever. It fooled the user into turning on their microphone and web camera. There has been malware that did this and then relayed the image before and it was much loved by paedophiles. However, this was just a proof of concept and didn’t do anything malicious.
Essentially, a malicious page could persuade the user (through social engineering) to take an action such as clicking a button that could be converted into a click somewhere else on a page. In the case of the proof of concept, it was a dialog provided by flash to enable or disable the webcam and microphone features on Flash. However, it could be used to submit a form or open a new link – basically, whatever you could trigger with a click. It hijacks the click for its own purpose.

So, what does this add to the mix? Well, not as much as you might think. Pages that advertise scareware tend to be one big bitmap including the “close” button and any action takes you to the next stage in the process of installing the “potentially unwanted software”. Essentially, when you are viewing a malicious page, any interaction with it was likely to do things that you didn’t want. So, Clickjacking is another way that this can be done.

How does it work in practice?

That hasn’t been made public but it is fairly obvious how you could do it. If you put the object that you want clicked under a graphic that the user will click on and then make the graphic invisible for part of the time, the graphic will seem to flicker – and repeated mouse clicks will sometimes hit the graphic and will sometimes hit what is underneath it. That sometimes happens in regular form based programs when controls are hidden and shown to customise the form. The required DHTML is trivial. Maybe you could have a simple game where the user has to click repeatedly on a butterfly as it flits around the screen. That would do the job nicely. The best use for this would probably be to hack a bank site or a stock trading site to add a malicious iFrame that covered the real content of the page. Of course, if you can do that, you have probably already won.


Well, the old rule applies. Do not interact with sites that are malicious. Of course, the malicious functionality could be in a banner ad or something like that and accordingly, clicking on banner ads may be unwise. I never do it anyhow which must come as a disappointment to those that pay for these things.

Running the browser with fewer rights is always a good idea. On Vista, Server 2003 and Server 2008, this is the default state. On Linux, you can spawn the browser with lower rights manually. This doesn’t mean that you won’t get exploited. It just means that the exploit will be able to do less.

Disabling DHTML in emails (again, default post server 2003) is also helpful.

Fixing the problem

Now, that is a tricky one. A lot of people want this fixed but it isn’t a security flaw in the classic sense. There is no buffer overrun. The browser is doing what it was asked to do. If you fool people into clicking the wrong thing then that isn’t really anything that the browser can fix. I think that you would need to disable at least the following things:

* Making controls visible or invisible under script control or in response to events

* Allowing controls to move under script control or in response to events

* Allowing irregular shapes

Doing that would break a lot of critical sites.

Hope that this information was of use to you.

Signing off,

Mark Long, Digital Looking Glass Ltd.

Tuesday, 7 October 2008

Who is liable for computer crime? Us, apparently.

I have, in the past, had the good fortune of helping the police with their enquiries. I don’t mean that in the euphemistic sense of “arrested but not yet charged” but in terms of answering technical questions such as “Does this record in this structure mean that the document was once edited on a Macintosh computer?” As computers have become more and more integrated parts of our society, so they have become part and parcel of police work. Of course, some bits of detective work are harder than others. I read with interest that a car thief, specifically a Mr Aarron Evans, had been successfully prosecuted in Bristol after a camera equipped car caught a clear and readable image of his neck. Mr Evans had been kind enough to have his name and date of birth tattooed onto his neck making the investigation a lot easier.

Sadly, most cases are not that easy. The House of Lords Science and Technology Committee will be asking the government to do more against online crime. Some of the proposals from the committee will be a challenge to the industry including holding software developers liable for security flaws in their software. I can see that one getting very expensive very quickly and possibly killing off some shareware providers. A smallish company would struggle under a hefty fine, especially in these difficult days. However, I am talking about policing here and it would be tricky for the police (because where else would crimes be handled) to assess how serious a software flaw was. That recommendation has not (yet) been passed into law but it opens up a whole can of worms for the software industry and the police alike. Imagine a website being hacked to host a malicious download – an everyday thing, really. Is the web developer liable for the damage done to those that downloaded the component? That would seem to be the literal reading.

Ahead of Friday’s session, Lord Broers, chairman of the committee said:

“In our initial report we raised concerns that public confidence in the internet could be undermined if more was not done to prevent and prosecute e-crime. We felt that the Government, the police and the software developers were failing to meet their responsibilities and were quite unreasonably leaving individual users to fend for themselves.

Some of our recommendations, such as the establishment of a specialist e-crime police unit, are now being acted on by Government. But others, such as software developers' liability for damage caused by security flaws and enabling people to report online fraud directly to the police rather than their bank, have either been ignored or are awaiting action.”

The bolding was mine.

Apparently there is going to be a replacement for the e-crimes police force that was disbanded in 2007. In a world where the required skills are rarer than hen’s teeth, there are going to be a lot of people scrabbling around to get things looked at and, where needed, fixed.

The discussion of the committee’s report is at 12 PM (GMT+1) on October 10th – the url for the live webcast is

Interesting times, gentle reader

Signing off,

Mark Long, Digital Looking Glass Ltd

Wednesday, 1 October 2008

Scareware? No thanks

Sometimes it feels like I am a lone singer in the darkness. It is always nice to know that I am really singing with the choir. I have been rattling on for quite a while about social engineering and greyware – that is to say software that is essentially useless and misleads the user into installing it. Some people use the phrase “potentially unwanted software” instead which is thought to be less legally actionable but I will never learn and will continue to say what I think.

Anyway, according to the dear old BBC, my former employer and Washington state are taking joint legal action against both Branch Software and Alpha Red, two companies owned by the extravagantly named James Reed McCreary IV. The most problematic of these “potentially unwanted softwares” was one called Registry Cleaner XP which is not the old programmers tool popular back in the late 90s but a rather different application that seems to be sold from this website - Please don’t install it unless you think that my opinion and that of my former colleagues is a nonsense. I do not recommend this software. The state of Washington suggests that the fine should be $2000 for each false warning made by this software. Since it is not unusual for this software to pop up over 200 warnings over the course of 24 hours and we are talking of thousands of systems, the fine c ould mount up rather quickly indeed.

Let us think for a moment though. What could a registry cleaner actually do? Well, we need to consider what the registry is – this is the XP version. If you are interested in what is different in Vista and Server 2008, please let me know. By the way, no trade secrets here. All of this information has been revealed in one form or another over the years.

The registry is a database of entries on a huge range of different things. Let us look at the sections.

HKEY_CLASSES_ROOT relates to COM objects and who would have thought that there were so many of them? File associations, Class IDs, interface IDs for COM components that can be remotely instantiated and such like are stored here. So, how could you have duff entries in here? For developers, it is pretty simple – developing new COM components all the time meant that there were a lot of dead entries in here unless the developer took good care to clean up the box. Visual Basic 6 was a bit of a devil for bloating this section of the registry. It allowed you to extend a COM interface which technically speaking you really shouldn’t be able to do and it fudged the mechanics by using interface forwarding which was completely undocumented last time that I looked. There were two results of this. The first was that you could change the interface of a COM component and the clients that expected the old interface would still work on that machine but probably not on a client system which is not actually that much use for a developer tool. The second was that you ended up with a great many registry entries pointing at other registry entries. The sensible thing to do was to break compatibility, get new GUIDs and compile the client and the server into a clean version but that left a lot of dead entries. There was a little utility written by a support tech that went through the class IDs and interface IDs and deleted the ones that didn’t point to a valid file. This stopped being useful with hosted components where the reference was not to a simple DLL or EXE but instructions to MTX.EXE or these days SVCHOST to instantiate the component. Running this tool would probably break a modern operating system pretty badly but it was the bee’s knees in 1998. So, that was the only registry cleaner that ever had a good excuse for existence in my opinion. Could you get dead entries on a normal end user XP box? Well, if they deleted an application that was a COM server or had a file association without uninstalling it, then yes, it would happen but to be honest, a handful of redundant references would have little effect on performance. The only time that I see broken references like this on a consumer system is where malicious browser helper objects have been whacked out by an antivirus product and it has been sloppy about the cleanup. So, no need for cleaning in this bit of the registry.

HKEY_CURRENT_USER is a phantasm. It just points to a specific user in HKEY_USERS. RegEdit is a habitual liar. Just because you can see it is no reason to think it exists and just because you can’t doesn’t mean that it doesn’t exist. So, no need for a registry cleaner there.

HKEY_LOCAL_MACHINE is the home of some interesting things. All the driver settings live here and the settings for a great many third party components and Windows settings. You could have dead entries in here if software was deleted without removing its settings but that wouldn’t have a great deal of effect on performance as there is not a linear search algorithm for these things. Dead entries just use a bit of space. It would be pretty dangerous to clean up entries without knowing what they represented and there wouldn’t be much point. Removing driver settings, security settings and so on would break things badly. No call for a registry cleaner there then. It isn’t that dirty.

HKEY_USERS has a branch for each user account and if you look there, you will see some well known SIDs (security IDs) and some less well known ones that probably represent real users. There will be user specific software settings. Actually, a lot of these settings will never be used for anything. I have a guest account on the system where I am writing this. It is disabled which is the best thing to do with a guest account. If I don’t know you well enough to give you an account of your own, you have no business running code on this box. Looking at the guest account, it has settings for the AV product installed, my Creative Zen, iTunes and all sorts of things that get installed for all users by default. Switching quickly to the admin account gives a last login date for the GUEST account of never. No-one has ever used those settings and they never will. My ASP.NET account doesn’t use those settings either. It exists solely to run ASP.NET code in a very limited environment. Now, something could usefully clean up some of those entries but no tool that I know does that. Oh well, it is just some memory bloat. The one place where it would be of some use, no registry cleaner reaches. Oh well.

HKEY_CURRENT_CONFIG is just another phantom pointing at specific entries in HKEY_CURRENT_USER.

If you want to keep your system nice and spry, here is my advice:
1. Add memory. These days, if you are not hard against your address space limits then you are running on 64 bit.
2. Do not load things that you do not need. Autoruns from Sysinternals as was is a fine tool for seeing how much junk loads each time that you start up. It is amazing what you can remove without ever missing it.
3. Defrag your hard drive once in a while.
4. Stay malware free.

That is what I do and this machine is used every day and still runs pretty darn sweet. The OS was installed in 2004. Remember when the OS had to be reinstalled every few months? No need for that and, in my opinion, no need for registry cleaner tools.

Signing off,

Mark Long, Digital Looking Glass Ltd