Icelandic Espionage

January 21, 2011

An unmarked computer with an encrypted drive was recently found in the Icelandic Parliament building. It had no markings, no fingerprints and no serial numbers, and the police who discovered it powered it down without first taking a forensic image of its contents. The machine had been attached by an unknown party directly to the Icelandic government’s internal network.

This is an excellent example of the necessity of proper physical security in a network environment. All of the firewall mojo in the world is useless if someone can just plug anything they like into your network, or (even worse) connect to it from the outside using an official or rogue wireless access point.

So, how would you defend against an attack like this?

One possibility would be to use managed switches with 802.1X capability; this requires each device connected to the network to be authenticated against a RADIUS server before it is granted access. If you’re especially paranoid, you can require multifactor authentication using smart cards or tokens to ensure that authentication with a stolen passphrase is impossible.

A simpler route would be to only “light up” network ports that have been requested, in writing, with the names of the requestors recorded in a central repository. MAC locking can be used to make sure that only the approved device is used in that port. This isn’t as bulletproof, of course – you’re expecting all employees to follow a procedure 100% of the time, you need to make sure the ports that are no longer in use are turned off, and a sophisticated attacker would clone an authorized MAC address and use it on another device. But it’s still better than nothing.
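To make the “central repository” approach concrete, here is an added example (not from the original post) that audits a switch’s MAC address table against such a registry of approved ports and devices. The registry contents and the table output are constructed, and the port names and column layout assume Cisco IOS-style `show mac address-table` output.

```python
"""Audit a switch MAC table against the port-assignment registry.

Flags activity on ports that were never requested (and so should be off),
an unexpected device on an approved port, and the same MAC showing up on
more than one port, which is the footprint a cloned address can leave.
"""
import re

# Hypothetical central repository: port -> (approved MAC, requestor).
REGISTRY = {
    "Gi1/0/1": ("0011.2233.4455", "j.doe"),
    "Gi1/0/2": ("0011.2233.4456", "a.smith"),
}

# Constructed sample MAC table (Cisco IOS layout, not a real capture).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.ffff    DYNAMIC     Gi1/0/2
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
"""

ROW = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return a list of (port, mac) pairs, skipping header/separator lines."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((m.group(2), m.group(1).lower()))
    return entries


def audit(entries, registry):
    """Return findings as (severity, port(s), mac, reason) tuples."""
    findings = []
    for port, mac in entries:
        if port not in registry:
            findings.append(("high", port, mac, "port not in registry; should be disabled"))
        elif registry[port][0] != mac:
            approved, who = registry[port]
            findings.append(("high", port, mac, f"unexpected device; approved {approved} ({who})"))
    # Same MAC learned on several ports is a hint that an address was cloned.
    ports_by_mac = {}
    for port, mac in entries:
        ports_by_mac.setdefault(mac, set()).add(port)
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append(("medium", ",".join(sorted(ports)), mac, "same MAC on multiple ports"))
    return findings
```

Running `audit(parse_mac_table(MAC_TABLE), REGISTRY)` on the sample reports the rogue device on Gi1/0/2, the unrequested port Gi1/0/7, and the approved MAC seen on two ports.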


Fake AV

January 20, 2011

One of the more common malware scams these days is fake antivirus popups – these are browser windows dolled up to look like Windows Vista or Windows 7 and designed to trick the unwary user into thinking that his or her computer is infested with something malicious. According to the Internet Storm Center, there is another outbreak of these on Twitter today.

Generally, there are two different attacks going on here. The first is that, while the fake AV is distracting the user, the browser is downloading and attempting to execute a malware payload. The second is that some go even farther, prompting the user to enter credit card details to buy the “full version” of the software. The full version does nothing, of course, but by the time the victim realizes that, he or she is already out the money and has handed the credit card number over to a pack of criminals.

This is bad.

If you get an antivirus popup, be absolutely certain that it is from a legitimate piece of software running on your computer. As you can see from the screen shot above, these false ones often fail to obscure the location bar and the other browser controls; some are more sophisticated than others, of course, but most of them are fairly obvious fakes like the one above. And remember that no legitimate antivirus vendor will accost you for additional payment to remove a virus. That’s another sign that you’re being duped.


Soundminer

January 20, 2011

Security researchers have developed an application for Android phones that listens to phone calls, and records any credit card numbers or PINs that are spoken or entered on the keypad.

The Android platform does require the user to explicitly allow the application to have access to Phone features at install time, but this is more of a social engineering issue than anything else. Disguising this as another app in a trojan horse scenario would be trivial.


Welcome!

January 20, 2011

This is the newly redesigned blog site for Digital Undercurrents, an information security consultancy based in beautiful Buffalo, NY. It is intended as a repository for news updates and thoughts on the subjects of technology and information security. If you like, feel free to comment or to contact me using the button on the left side of the browser window.