Wednesday, November 25, 2009

Run, Chrome OS! Run!

It seems that the news of the Chrome OS release has left no one neutral; some observers are beating the drums of its imminent failure and premature death, relying on rather oversimplified concepts of cloud computing and insinuating reasons why careless moms and dads just can't grasp the concept of strong passwords ("how many times did we tell them to memorize Qp%n#82r$7D, but they keep writing it down on a piece of paper or, even worse, keep choosing 12345?").

From the point of view of these observers, the new security model of Chrome OS is not much different from this:



Let's step back for a moment and try to give it a fresh and fair look. Let's also keep in mind that many good projects make their way into our lives through three stages of public perception: strong criticism (almost always, and that's where many fail); gradual adoption, painful at first and then easier; and a final stage that can be characterized as "Well, what's so special about it?". We don't want to fall victim to the first stage, no matter how natural it is for humans, right?

Well, Google claims that under the Chrome OS hood "all apps are web apps". Boo! But hold on a second, isn't that already true for Hotmail, Skype, online banking, and lots of other online services that we rely on so much every day?

Now walk into a computer store (mentally) and look (again, mentally) at the average mom and dad who want to buy a new computer. Is it really a surprise to learn that most of what they're going to use it for will be "web apps" anyway: web browsing, email, IM/chat/forums, Internet phone, document editing/printing (bills/taxes/records), personal finance services (online banking, trading stocks), online gaming, etc.?

Sure enough, with a web-only machine they won't be able to scan documents, but given that the market exists, there will be dedicated scanners for home users that scan documents and send the images over to their online accounts. They won't be able to listen to or watch CDs/DVDs, but there are specialized devices that do it better anyway. They won't be able to play games with powerful graphics, but there are plenty of gaming consoles for that purpose too.

Somehow it comes down to this: would you prefer to have a TV, a DVD/BD player, and a sound system as dedicated stand-alone devices, maybe from different brands, or have all of them combined in one (cheaper) device? Would you prefer to have a printer, a scanner, and a telephone as separate devices, or a combined (cheaper) unit?

If you choose the second option, then you must really adore your phone's camera! If you choose the first, even if it's the pricier option, doesn't it sound reasonable to have a dedicated device to handle web-only services?

For a start, let's stick to just one such service: Internet banking. Imagine having a dedicated, 100% secure tiny netbook that allows you to bank online. It boots in 10 seconds and it can't run malware by design. Sure enough, hackers will try hacking a device like that to run Windows on it, but that won't be YOUR DEVICE. If your device gets stolen, it's useless: it stores nothing and you can't be impersonated with it. If you spill hot coffee on it and it shuts down instead of running faster, you'll buy another one (a netbook, not a coffee). Will it give you an extra hour of good night's sleep, knowing that no hacker can compromise your online banking account?

Now try to imagine how many threat families (keyloggers, banking Trojans, rootkits) instantly become irrelevant to you. Even if your other computer gets compromised by them, the only valuable thing the hackers might eventually steal from you will be the serial number of your antivirus product.

If you love your netbook, you might extend its use to online shopping or online trading, and then to anything that's online and asks you for a password from that little soiled notebook in the middle section of your wallet. Extending its use further becomes a dangerous business, as a flaw in one web service may affect your other services (e.g. a phishing email may affect your online banking account if you do both on one machine), just as it's not wise to put all your eggs in one basket.

The security overview of Chrome OS is an interesting read.

By openly discussing the security challenges and the suggested approaches to addressing them, the Chrome guys are talking to us this way:

"Look, in our bank there is a vault with so much gold in it. The system is secure, but we're not sure about that air-con duct; we think it's a weak point and intruders may potentially crawl through it."

Given that the source code is open, potential intruders will get access to the internals immediately. But the moment they start studying it, highly qualified white-hat professionals will start doing the same. The idea is that any bugs, flaws or weaknesses will be revealed and fixed instantly, without leaving the intruders any chance to plan an attack.

Compare this with the alternative approach: "Look, in our bank there is a vault with so much gold in it. The system is secure." After the robbery: "The system is secure." After another one: "Ok, we fixed it, the system is secure", and so on.

With security being the main cornerstone of Chrome OS, it's a step away from the "traditional" development philosophy that we are all used to: "make it usable and release it first, think about security later, when the bugs/flaws are discovered". Usability being priority #1 creates a cash flow that allows investing in security and fine-tuning usability at a later stage. The problem with this approach is that when under-invested security fails, usability falls with it. Not just declines, but crashes spectacularly.

The only kind of company that can afford to have security in place from the start, in the blueprints, even before the developed software becomes available to users, will likely have a "cash cow" in a different product or solution. Otherwise, it will be trapped in a vicious circle where the product is not released because its model is not secure enough, so there are no sales and therefore no funding to make it secure enough to be released. Google's "cash cow" is its ads program, giving it all the required conditions to build a truly secure OS.

Not an OS that replaces all other OSes (that will never happen), but at least an OS that can safely and narrowly be used for those critical web-only applications that create so much headache for customers in terms of stolen identities and money.

Whether Google blows this chance or not, time will tell.

Saturday, November 21, 2009

Dissecting Limbo Dropper [old]

A routine laptop clean-up revealed a few-month-old video of unpacking the Limbo Trojan dropper. Before it gets deleted, I'm posting it here just in case some folks might find it useful [link to video].

PS The sample was received from Michael Hale Ligh. Thanks, Michael.

Sunday, November 1, 2009

The New Moon Trojan

While the sentence of the Pinch Trojan authors is about to expire within the next few months, the code of their Trojan is still being morphed by others into other nasty forms.

Apart from its known ability to gather system information and steal confidential information such as user names and passwords, Pinch is now capable of delivering the stolen details to a remote website by utilizing a powerful news management system called "Cute News".

What's not cute in this case, however, is that the website established by the remote attackers to collect stolen credentials is disguised under the name of the forthcoming movie blockbuster New Moon.

The infection starts with an image displayed to distract the user's attention while the Trojan gets activated. While the user stares at the picture, the Trojan starts harvesting user details, passwords, email addresses and other contents from the configuration files of the installed email clients (Eudora, Thunderbird, Outlook, The Bat!), FTP clients (FileZilla, WS_FTP, CuteFTP), and several other applications.

The Trojan then collects system information that includes installed application names and their versions, serial numbers, user and computer names, the names of the running applications, the user's email account settings, and some other system details.

The collected information is then encoded in Base64 format and posted to the remote Cute News service hosted by the attackers at http://www.newmoon-movie.net.



The post takes place via the HTTP protocol, allowing the attackers to use the power of the Cute News system to accept, collect and use the stolen information without setting up any databases, as all information is stored in flat files.
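The exfiltration pattern described above (Base64-encoded POST bodies sent over plain HTTP to the attackers' Cute News site) is something a proxy log review can pick out. Below is an added detection example, not code from the original post: the request records, the `/cutenews/example.php` path and the decoded credential text are constructed, and the only indicator taken from the post is the host name.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample of proxy-style request records: (method, host, path, body).
# The second record stands in for the Trojan's post: a Base64 blob of harvested
# mail/FTP client settings sent to the host named in the post (path is made up).
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("GET", "www.example.com", "/index.html", ""),
    ("POST", "www.newmoon-movie.net", "/cutenews/example.php",
     base64.b64encode(b"user=alice\r\npop3_password=hunter2\r\n"
                      b"ftp_host=ftp.example.com\r\n").decode()),
    ("POST", "forms.example.org", "/submit", "name=bob&comment=hello"),
]

# Indicator from the post (the collection host) plus markers that suggest
# harvested mail/FTP client configuration rather than ordinary form data.
KNOWN_C2_HOSTS = {"www.newmoon-movie.net"}
CREDENTIAL_MARKERS = re.compile(rb"(pop3|smtp|imap|ftp|password|passwd)", re.IGNORECASE)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_if_base64(body: str) -> Optional[bytes]:
    """Return decoded bytes when the body is a well-formed Base64 blob of printable text."""
    if not B64_SHAPE.match(body):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    # Exfiltrated config text is printable; binary uploads (images, archives) are not.
    if not all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return None
    return raw

def classify(method: str, host: str, path: str, body: str) -> List[str]:
    """Return the reasons this request looks like Base64 credential exfiltration."""
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if method == "POST":
        decoded = decode_if_base64(body)
        if decoded is not None and CREDENTIAL_MARKERS.search(decoded):
            reasons.append("base64-body-with-credential-markers")
    return reasons

def scan(requests):
    """Map (host, path) of each flagged request to its reasons; clean requests are omitted."""
    return {(h, p): r for (m, h, p, b) in requests if (r := classify(m, h, p, b))}
```

The host match alone catches this sample; the body check is what survives when the attackers move to a new domain.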




Automated analysis is available here.