Beware the unexpected attack vector
Threats from all sides
A new round of attacks and phishing attempts use some unexpected attack vectors that we should have been paying attention to, but weren't, writes Scott Granneman of SecurityFocus.
Back in 1882, Los Angeles was a rough, dry town of 12,000 people that had been an incorporated municipality for a little over 3 decades. 1882 also saw the introduction of telephone service and electric streetlights. At the time there were several newspapers in town, including the Los Angeles Tribune and the Los Angeles Times. Competition between newspaper rivals was fierce, but no one at the time realized where the biggest threat would come from: a young 19-year-old sharpie named Harry Chandler, who had just moved to Los Angeles and had started working for the Times.
In 1882, Los Angeles newspapers were delivered by independent contractors spread all over the city. Chandler saved his pennies and began buying those routes, one by one, until 1886 when he owned virtually all the paper delivery routes in the city, including those of his employer's rivals. Soon newspapers weren't getting delivered to subscribers, or if they did show up, they were so late as to be useless. That is, newspapers weren't being delivered... except for the Times. And the delivery boys began to whisper to their customers that all newspapers were unreliable, except for the Times. Lo and behold, people began canceling their subscriptions for anything but the Times until finally all but the Times were out of business.
If only those other publishers in the late 1880s had paid attention to the real threat, they might have had a fighting chance. Having focused on the obvious danger - other publishers and other papers - they ignored an attack on their business that came from an unexpected source. They should have been paying attention to the mechanisms used to deliver their product to their customers... instead they paid for their blunder with their livelihoods. It's not a bad lesson for security pros to learn as well.
Multiple attack vectors
We've seen a lot of interesting attacks recently, ones that arose from leveraging unexpected openings that we should have been paying attention to, but weren't.
For instance, most of us know that virtually all anti-virus software packages will now scan ZIP attachments, and this is obviously a good thing. You'd think, or assume, that A/V software would also scan other compressed filetypes as well, like GZ, SIT, and RAR. However that's not usually the case, as some people discovered just a few days ago when it was revealed that viruses hidden inside RAR files passed right by A/V software from major vendors.
This is pretty shocking. I know that RAR isn't widely used - I've seen it only a few times in my years online - but still, it is in use and it's trivial to encode a virus inside a RAR file. Why wasn't it part of the A/V protection that millions of people, in hundreds of thousands of organizations and homes, use and depend upon?
Further, what other filetypes are currently not being scanned but should be? What about SIT? GZ? TAR? 7Z? ARJ? BZIP? CPIO? RPM? DEB? ACE? Z? DGCA? LHA? SHAR? SEA? ZOO? (If you know what all those mean, consider yourself awarded with a nerd gold star.)
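One way a mail gateway can close the gap described above, shown as an added example that is not part of the original column: identify the container format from its leading bytes rather than its extension, and hold any archive the scanner cannot unpack. The SCANNER_UNPACKS set, the action strings and the sample attachments are assumptions constructed for illustration.

```python
# Added example: identify archive containers by magic bytes, not by extension,
# and hold any container the scanner cannot unpack instead of passing it through.

# (format, offset, magic) signatures for some of the formats named above.
SIGNATURES = [
    ("zip",   0,   b"PK\x03\x04"),
    ("rar",   0,   b"Rar!\x1a\x07"),        # covers RAR 4.x and 5.x headers
    ("gz",    0,   b"\x1f\x8b"),
    ("z",     0,   b"\x1f\x9d"),
    ("bzip2", 0,   b"BZh"),
    ("7z",    0,   b"7z\xbc\xaf\x27\x1c"),
    ("arj",   0,   b"\x60\xea"),
    ("rpm",   0,   b"\xed\xab\xee\xdb"),
    ("deb",   0,   b"!<arch>\n"),
    ("lha",   2,   b"-lh"),
    ("tar",   257, b"ustar"),
]

# Assumption: the scanner in use unpacks only ZIP, the case the article describes.
SCANNER_UNPACKS = {"zip"}


def sniff(data: bytes):
    """Return the container format found in the leading bytes, or None."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def triage(data: bytes, unpacks=SCANNER_UNPACKS) -> str:
    """Decide what a mail gateway should do with one attachment."""
    fmt = sniff(data)
    if fmt is None:
        return "scan"                  # not a known container: scan the file itself
    if fmt in unpacks:
        return "unpack-and-scan"
    return "quarantine:" + fmt         # fail closed on containers the scanner cannot open


# Constructed sample attachments (headers only, no real payloads).
SAMPLES = {
    "invoice.zip": b"PK\x03\x04" + b"\x00" * 26,
    "invoice.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 20,
    "report.doc":  b"Rar!\x1a\x07\x01\x00" + b"\x00" * 20,   # RAR renamed to .doc
    "backup.tar":  b"\x00" * 257 + b"ustar\x00" + b"\x00" * 249,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {triage(blob)}")
```
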
The big example of an attack that we should have expected, but didn't, came just a few days ago when the "everyone-but-Microsoft" International Domain Name exploit was revealed at Shmoocon. As the explanation presented by the Shmoos (you do know what a shmoo is, don't you?) puts it, "International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs." Want to see it in action? Head over to either Shmoo or Secunia and try it out for yourself.
You're not really at Paypal's website; instead, you're viewing content served up by the Shmoos or Secunia. In the case of Shmoo, you're really at a site owned by Shmoo, with the domain name of www.pàypal.com - it's just that Firefox, Mozilla, Opera, Konqueror, and Safari don't display the real URL. Due to vagaries in the way that certain browsers use punycode to display URLs using homographs (letters from one character set that resemble letters in another), it's incredibly easy to fool people into thinking they're at one site when they're actually at another. A new vector for phishing attacks! Wonderful! (And by the way - IE doesn't support the IDN spec yet, so it isn't vulnerable ... unless you installed the Verisign IDN plugin, which fortunately has an auto-update feature that we can hope will deliver a patch soon.)
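A detection-side view of the homograph problem described above, as an added example that is not part of the original column: decode any punycode labels to what a browser would display, fold each label to the ASCII string it resembles, and compare the result against names worth protecting. WATCHLIST, the small CONFUSABLES map and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: brand labels this deployment wants to protect (hypothetical watchlist).
WATCHLIST = {"paypal"}

# Small constructed map of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}


def to_unicode(host: str) -> str:
    """Decode any xn-- labels so the check sees what the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host                # already Unicode: use as given


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string it visually resembles."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue               # drop accents such as the grave on "à"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_host(host: str) -> dict:
    """Report the ASCII wire form and any label imitating a watchlisted name."""
    shown = to_unicode(host)
    wire = shown.encode("idna").decode("ascii")   # the name actually resolved
    spoofs = [skeleton(lab) for lab in shown.split(".")
              if not lab.isascii() and skeleton(lab) in WATCHLIST]
    is_idn = any(lab.startswith("xn--") for lab in wire.split("."))
    return {"shown": shown, "wire": wire, "idn": is_idn, "spoof_of": spoofs}


# Constructed sample hostnames: the genuine name, the article's accented form,
# a Cyrillic look-alike, and a legitimate IDN that imitates nothing.
SAMPLES = ["www.paypal.com", "www.p\u00e0ypal.com",
           "www.p\u0430ypal.com", "www.m\u00fcnchen.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(check_host(h))
```
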
A range of fixes almost immediately cropped up for Firefox and other Mozilla-based browsers, actions which display the speed and ingenuity of the open source community at its best. The first proposed solution was to edit the prefs.js file, effected by entering about:config in the Location bar and then changing network.enableIDN to "false". Unfortunately, this doesn't stick when you restart Firefox; the safer and more permanent route is to edit user.js and add this line:
One blogger, among many others, proposed editing the registry on Windows machines, but unfortunately that solution gets overwritten any time an extension or theme is installed. Kevin Jarnot modified the SpoofStick extension for Firefox so that it clearly labels any URL homographs, which isn't a bad solution if you don't mind having the SpoofStick extension constantly visible in your browser.
You can also use the Adblock extension to block sites that use IDN - just add the following filter to your list of blocked sites (thanks to Firefox and Mozilla uber-expert John T. Haller and the WWWAC list for this one):
Actually, though, all of these fixes are no longer required. In a burst of speed, Firefox and Mozilla developers have already patched the browsers to solve the problem. Expect an update to be pushed out automatically soon; in the meantime, if you're highly paranoid (and I know that most of those reading this are), implement one of the suggested solutions above.
Unfortunately, Opera's Norwegian developers appear to have misunderstood the threat since, according to Shmoo, "They believe they have correctly implemented IDN, and will not be making any changes." Unbelievable. Go ahead and test the vulnerability in Opera - I did, and the flaw is clearly evident. I'm hoping that Opera soon realizes that they need to fix this fast if they want to maintain any semblance of goodwill and respect in the security community.
And where's Apple's response? So far we've heard nothing. I'm confident they'll quietly issue a patch soon that corrects this problem, but it would be nice for the company to at least acknowledge that there is, in fact, a problem.
The sad thing about this whole mess is that it really didn't have to happen this way. In February 2002 Communications of the ACM published a paper by Evgeniy Gabrilovich and Alex Gontmakher titled "The Homograph Attack" that described the problem in detail. At the time, however, IDNs were still something exotic, and no browsers supported them. Flash forward a few years, and we have browsers that support IDNs, domain registrars that are aggressively pushing them and paying absolutely no attention to the associated phishing problems... another example of the growing problem of phishing.
It just goes to show that security pros need to stay on top of things by trying to think of attacks and vulnerabilities from every possible angle, arriving from every possible direction. Remember that sometimes it is the obvious things - the ones we should have seen but didn't, the ones that make us smack our head and shout "d'oh!" - that are the most dangerous.
As for Harry Chandler and the Los Angeles of the late 19th century, he was rewarded for his near-criminal avarice. Harrison Gray Otis was impressed with the cleverness of his young charge, and allowed one of his daughters to marry him in 1894. In 1917, Chandler took over the paper from his father-in-law Otis, a job he held for almost the next 30 years. Eventually he got into land speculation, holding over 1.5 million acres around L.A. Not too bad for a man who at one time controlled all the newspaper delivery boys in Los Angeles. Chandler succeeded, but let's hope that the virus-writers and the phishers fail.
If you'd like to read more about Chandler and the history of the Los Angeles Times, check out Privileged Son: Otis Chandler and the Rise and Fall of the L.A. Times Dynasty by Dennis McDougal. You can find reviews of McDougal's book at Business Week or in the 23 & 30 April 2001 issue of The New Yorker.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in internet services and developing web applications for corporate, educational, and institutional clients.