Tuesday, March 31, 2009

Conficker Worm: Not An April Fools Joke

After analyzing the disassembled code for the Conficker worm, experts have determined that it will strike on April 1, 2009, otherwise known as April Fools' Day. The worm can spread across a network and infect every unprotected computer on it. To counter security measures that either block the spread of the worm or change its contents, the transmission is encrypted, and the worm only executes if the signature matches the public key. Originally, the worm generated 250 new domain names every day across 5 top-level domains (the extension a website uses, such as .com or .net). Each of these domains is then used to send out more copies of the worm to computers within a network. As a countermeasure, TLD registrars (those who assign domains) stopped all traffic to these domains. The creator responded by releasing a new version, Conficker.C, which generates 500,000 new domains every day. The sheer number of domains that would need to be blocked prevents TLD registrars from stopping all of the worm's traffic.
Even though the disassembly has shown how the worm operates, experts are still unsure what the worm will actually do once it activates on April 1st. This is because the creator took considerable care in scrambling the code, also known as obfuscating it, which makes it difficult to turn assembly code (the code executed by computers) into a higher-level language that humans can easily read and understand. The worm can prevent important Windows services from functioning, including Windows Update, which delivers the patch that fixes the exploit the worm is using. It may launch denial of service attacks, or it may simply be an April Fools' joke that eats up network bandwidth. Either way, the situation is critical, and Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of those involved in creating or distributing the worm.
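The domain-generation behaviour described above leaves a footprint a defender can look for: an infected host asks for many different, unrelated domains in a short time, and most of them do not exist yet, so the resolver answers NXDOMAIN. The following is an added example, not code from the post or from any Conficker analysis; it runs a simple heuristic over a handful of constructed DNS log lines (the log format, client addresses and thresholds are all assumptions for illustration) and flags clients whose lookups look generated rather than typed by a person.

```python
import re
from collections import defaultdict

# Constructed sample DNS log lines (not from the post): one ordinary client
# (10.0.0.5) and one client (10.0.0.9) whose lookups resemble a
# domain-generation algorithm: many random-looking names, mostly unresolvable.
SAMPLE_LOG = """\
2009-03-31T00:01:02 client=10.0.0.5 query=www.example.com rcode=NOERROR
2009-03-31T00:01:09 client=10.0.0.5 query=mail.example.com rcode=NOERROR
2009-03-31T00:02:14 client=10.0.0.5 query=www.example.org rcode=NOERROR
2009-03-31T00:01:03 client=10.0.0.9 query=qzkfvhwa.biz rcode=NXDOMAIN
2009-03-31T00:01:04 client=10.0.0.9 query=rtoplmqe.net rcode=NXDOMAIN
2009-03-31T00:01:05 client=10.0.0.9 query=xvbnqapo.org rcode=NXDOMAIN
2009-03-31T00:01:06 client=10.0.0.9 query=pwrtkmva.info rcode=NXDOMAIN
2009-03-31T00:01:07 client=10.0.0.9 query=zmqlsudo.com rcode=NOERROR
"""

# Assumed log layout: "client=<ip> query=<name> rcode=<answer code>".
LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)")


def registered_domain(name):
    """Reduce a hostname to its registered domain (last two labels), so that
    www.example.com and mail.example.com count as one domain, not two."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Return (client, registered_domain, rcode) tuples for each parsable line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m["client"], registered_domain(m["query"]), m["rcode"]))
    return rows


def flag_dga_clients(rows, min_domains=4, min_nx_ratio=0.5):
    """Flag clients that query many distinct registered domains of which most
    fail to resolve. Thresholds are assumed; tune them to the network."""
    domains = defaultdict(set)
    nx = defaultdict(int)
    total = defaultdict(int)
    for client, dom, rcode in rows:
        domains[client].add(dom)
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    flagged = {}
    for client in total:
        ratio = nx[client] / total[client]
        if len(domains[client]) >= min_domains and ratio >= min_nx_ratio:
            flagged[client] = {
                "distinct_domains": len(domains[client]),
                "nxdomain_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in flag_dga_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {stats}")
```

The NXDOMAIN ratio is what separates a generated list from a busy but legitimate client: a browser fetching a page with many third-party resources also touches many domains, but nearly all of them resolve.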

Monday, March 23, 2009

Linux: More Secure Than Windows


When security and reliability become vital to a software package, a Linux-based operating system is almost always used. For example, the software that NASA and the Department of Defense use to keep their secrets safe is based on a Linux operating system. The main reason Linux is safer is that it is open source. Being open source allows anyone to view the source code of the software and find bugs. This is especially important for the Department of Defense. They simply cannot leave the security of the nation up to an operating system that they cannot verify for themselves. Since most operating systems, such as Microsoft Windows, hide their source code, they are not a viable option for highly critical applications. The Department of Defense is able to verify every single line of code in the Linux-based operating systems it uses, but it cannot view the source code of Windows for copyright reasons; therefore it uses Linux.
Since Linux is open source, bugs are fixed much faster than in non-open-source software. This leaves fewer security holes for an ill-meaning person to exploit. Also, Microsoft Windows holds the majority of the operating system market, meaning that most viruses and other malicious software are targeted at Windows, not Linux. Therefore there is less malicious software that can affect a Linux-based operating system. The end result is a safer and more reliable operating system.

Thursday, March 19, 2009

Passwords: How Are They Secured?


Just how do passwords work? Perhaps the average user hasn't given it much thought; however, the password has to be stored digitally somewhere within a computer system so that the password-protected program can check the entered password against the correct one. Obviously, this can cause security issues. If the password is stored on a computer or in a company's database, what stops a person from simply searching for the file in which the password is stored and reading it?

The solution to this problem is hashing. Hashing uses a mathematical formula to convert the original password into something that is impossible for a human to read. This formula is designed to be a one-way process: a password can be converted into a hash, but it is almost impossible to convert a hash back into the password. This leads us to another problem. If the hash cannot be converted back into a password, how does the program verify the password entered? It doesn't actually compare the passwords; it hashes the entered password and compares that hash to the stored one. If the two hashes don't match, then the password was incorrect. However, this leads us to yet another problem. Certain mathematical formulas can give the same hash value for two completely different passwords. Therefore, before the mathematical formula is used, a formal proof is necessary to ensure that it will produce a different hash for every single password. Once hashing is implemented, even if someone is able to obtain the list of hashes, they will not be able to extract the actual passwords.
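The store-a-hash, check-a-hash cycle described above, as an added example that is not part of the original post. It goes slightly beyond the post in two ways a practitioner would expect: each password gets its own random salt (so two users with the same password do not produce the same stored value, and a stolen list cannot be attacked with one precomputed table), and the hash is deliberately slow (PBKDF2 with many iterations) so that guessing is expensive. The storage format `pbkdf2_sha256$iterations$salt$hash` is an assumption made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return a storable string: algorithm$iterations$salt_hex$hash_hex.
    The password itself is never written anywhere, only its salted hash."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and iteration count, then
    compare hash to hash. The original password is never recovered."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest takes the same time whether the hashes differ in the first
    # byte or the last, so an attacker learns nothing from response timing.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("stored:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password accepted:", verify_password("Tr0ub4dor&3", record))
```

Because the salt is stored next to the hash, it is not a secret; its job is only to make every stored value unique so that each hash has to be attacked separately.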

Monday, March 16, 2009

Buffer Overflows: When Your Computer Loses Control


Often, people wonder just how someone or some program is able to take control of a computer. I know I do at least. One common way this is accomplished is through a buffer overflow attack. While a computer program is running, it will often make a call to a function within the code. Essentially, a function is a piece of code that can be called more than once, using different data each time. This saves a programmer time because it provides an outline of sorts. Suppose a program is required to calculate the interest earned in a bank account for a large number of accounts. Rather than writing the same formula over and over, the relevant information is passed into the function and the answer is returned. When the function is actually called, a run-time stack is used, much like a stack of cards. All local data relevant to the function is placed on the top of the stack, along with the address to return to after the function completes, because the program has to continue from the same spot once the function is finished. All of the data is popped off the stack when the function is finished, with the return address being the last piece.
There are two main types of buffer overflow attacks: a variable attack and a stack attack. A variable attack changes a key variable, or piece of information. Using the interest program as an example, an attacker may be interested in changing the current balance on the account. The program expects a certain type of information to be supplied and allocates space for that type of variable. Memory is contiguous, meaning that there is no gap between adjacent variables. When more information than the program expects is supplied, it overflows into the next allocated block of space, changing its value.
A stack attack uses a similar approach to a variable attack; however, rather than changing the value of a key variable, it changes the return address. Once the return address is changed, the program does not return to the spot it came from, but instead jumps to the beginning of a piece of inserted malicious code and executes that. Thus the user expects to run a program, but a different piece of code is executed, allowing the attacker to take control of the computer.
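The "variable attack" on the interest program, as an added example in C (not code from the post): an account record keeps the owner's name directly in front of the balance, so an unbounded copy into the name field runs straight into the balance. The vulnerable copy is shown next to a bounded one that refuses input that does not fit, and `offsetof` shows how close the two fields sit in memory. The struct layout, field sizes and the sample input are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring the post's interest example: the owner name sits
 * directly before the balance, so bytes written past owner[] land in balance. */
struct account {
    char owner[8];
    long balance;
};

/* Vulnerable: copies until the input's terminating NUL with no bound on owner[].
 * An input longer than 7 characters keeps writing into balance (the post's
 * "variable attack"). Kept here for contrast only; main() never calls it. */
void set_owner_unchecked(struct account *a, const char *input) {
    strcpy(a->owner, input);
}

/* Hardened: measure first and reject anything that does not fit, including
 * the terminating NUL, leaving the record untouched on failure. */
int set_owner_checked(struct account *a, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof a->owner) {
        return -1;              /* too long: do not write anything */
    }
    memcpy(a->owner, input, n + 1);
    return 0;
}

/* Distance from the start of the record to the balance: the number of bytes
 * of name the program accepts before the next field is reached. */
size_t balance_offset(void) {
    return offsetof(struct account, balance);
}

int main(void) {
    struct account acct = { "bob", 1000 };
    /* Constructed oversized input: 16 bytes, twice what owner[] can hold. */
    const char *oversized = "AAAAAAAAAAAAAAAA";

    if (set_owner_checked(&acct, oversized) != 0) {
        printf("rejected %zu-byte owner; balance still %ld\n",
               strlen(oversized), acct.balance);
    }
    printf("balance lives %zu bytes after the start of owner[]\n", balance_offset());
    return 0;
}
```

The defensive pattern is the same whatever the field is: know the size of the destination, check the length of the input against it before copying, and fail closed rather than write past the end.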

Friday, March 13, 2009

RFID Chips In Credit Cards: Are They Secure?


Often people do not realize that virtually everything somehow relies on a computer chip. What people also do not realize are the security issues involved when a computer chip is used to control a device, particularly one that deals with sensitive data. When a computer chip is integrated into a credit card, security becomes paramount.
An experiment done by the University of Massachusetts demonstrated such vulnerabilities. Even though the protocols and commands used by radio frequency identification (RFID) chips could not be found publicly, the team of researchers was able to reverse engineer both the readers and the credit cards themselves. They stated that "The experiments indicate that all the cards are susceptible to live relay attacks, all the cards are susceptible to disclosure of personal information, and many of the cards are susceptible to various types of replay attacks. In addition, we successfully completed a cross-contamination attack against the magstripe of one card. All but one of the other cards tested appear to be susceptible to the cross-contamination attack as well." Unfortunately, people are lulled into a false sense of security when they use credit cards with an embedded RFID chip. If people knew of these vulnerabilities, would they be so willing to use these credit cards? If they also knew that these cards can be read from a distance of 33 feet away with the proper equipment, would they be so quick to accept them? I know I wouldn't.
For more information, visit the University of Massachusetts study here.

Tuesday, March 10, 2009

Viruses: Not always what they seem

In today's complicated world of computer security, detecting viruses and other malware has become essential to keeping your computer secure. However, security software often requires that people use common sense. If a file does not have an exe extension, which marks it as a runnable program, it usually cannot perform any malicious acts upon your computer. Unfortunately, as blogged about by pccybertek, a new virus is able to embed itself in a gif file, which is a type of file that normally contains an image. Fortunately, the virus cannot run unless the extension of the file is changed to exe and the user runs it. That blog states that “you don't have to worry about .gif files being a virus at this time”; however, I disagree. I think that most people are uneducated in the field of computer security, and they may unknowingly change the file extension, especially if something pops up telling them to do so. I feel that this actually does pose a significant security risk, since many anti-virus programs skip files that aren't able to be infected, a gif being one of them, in the interest of faster scanning times. This would allow the file to reside on your computer undetected until someone finally changes the extension and the program is allowed to run. So what should be done? I agree with pccybertek when he states that “You should never have to change the extension”. If you are asked to change the extension, it is probably a virus and should be deleted immediately. Also, if the file cannot be opened through normal means or an error comes up when opening it, then chances are the file extension is wrong and it should be deleted immediately.
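The gap the post describes is a scanner that trusts the file name: a program saved as something.gif is skipped because "gifs cannot be infected", even though its contents are an executable that only needs renaming to run. A scanner that looks at the first bytes of the file instead of its extension closes that gap. The following is an added example, not code from the post or from pccybertek; the signature table covers only the two formats the post talks about, and the sample files are constructed byte strings, not real files.

```python
import os

# Leading bytes ("magic numbers") that identify a file's real format.
# Only the two formats the post discusses are listed here.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "exe": (b"MZ",),          # header of a DOS/Windows executable
}


def detect_type(data):
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"


def check_file(filename, data):
    """Compare the extension the file claims with what its bytes say.
    Returns (claimed, actual, suspicious); suspicious is True when the
    extension is one we know how to verify and the content disagrees."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = detect_type(data)
    suspicious = claimed in SIGNATURES and actual != claimed
    return claimed, actual, suspicious


# Constructed samples (not real files): a genuine GIF header, an executable
# header saved under a .gif name, and a plain text file for contrast.
SAMPLES = {
    "photo.gif": b"GIF89a" + bytes(10),
    "funny.gif": b"MZ\x90\x00" + bytes(10),
    "readme.txt": b"hello",
}


def scan(samples):
    """Run check_file over a name -> bytes mapping; never skip by extension."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (claimed, actual, suspicious) in scan(SAMPLES).items():
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{name}: claims {claimed}, content is {actual} -> {flag}")
```

A scanner built this way spends a few bytes of reading per file rather than trusting the name, which is exactly the shortcut the post warns costs more than it saves.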

Monday, March 2, 2009

Open Source: Is it safer?


Open source software means that the code used to create the program is publicly available, not hidden like most software packages a person would pay for. These programs, such as the web browser Mozilla Firefox and Linux-based operating systems, claim to be safer than their counterparts, Microsoft's Internet Explorer and Microsoft Windows. What makes these programs safer, when there are teams of professionals working on Microsoft's products?
Most security issues arise because of a bug in a certain program. These bugs, such as buffer overflows, allow an ill-meaning person to exploit the error in the code and force the program to do something the developer did not intend. These bugs are common and every single program has them. Therefore, it is not how many bugs a program has that determines the security of the software, but how the bugs are dealt with and how easy they are to find. When a company hides the code of the software, it becomes difficult for the end user to find where an error in the code is if one occurs. This is where most bugs surface, because it is impossible to simulate every possible use of the program before it becomes available to the public. The user simply sends a report to the software vendor, who tries to recreate the exact situation to find the bug. Unfortunately, this is not always possible, because a program has an almost infinite number of directions it can go in, each with different variable values. However, if the code is publicly available, the end user can debug the software at the moment the error occurred, increasing the probability that the bug can be found. Since more people are looking for bugs than in software where the code is hidden, the time it takes for a bug to be fixed greatly decreases. In fact, according to independent tests, Internet Explorer was unsafe for 284 days in 2006 while Mozilla Firefox was unsafe for only 9. Sometimes the best things in life really are free.