According to the article, they performed an inventory of the network, finding ca. 6,000 machines, many of whose IPs are accessible “publicly and directly with the system’s source code” (?), as well as a large number of hidden nodes.

There’s a lack of detail, but supposedly the attack involves creating a virus (?) and using it to infect such vulnerable systems in a laboratory environment, and thus decrypting traffic passing through them – again via an unknown, unmentioned mechanism.  Finally, traffic is redirected towards infected nodes by essentially performing a denial of service on clean systems.

I’m skeptical, as the piece contains just too much “oh, and then you hack component x and compromise component y and voilà, you’re in” to necessarily be plausible.  Furthermore, the ESIEA page has a large video presentation on French backwardness in “cyberwarfare” – any time a reputable institution uses such terms, it makes me wonder how much it’s angling for more funding from buzzword-prone politicians, with resulting pressure on researchers to provide supporting, news-grabbing headlines.

However, if it is real, details are to be presented at Hackers to Hackers in São Paulo on October 29/30.  TOR is no more than an additional layer of obfuscation and should  not be relied upon for anonymity or security.  Like any darknet, it is a complement to application-layer encryption and authentication, no more.

Chris Tarnovsky explains how to access and crack the physical protection of a satellite TV smart card. Applicable to numerous card models, just to give an idea of what’s involved.

Picture this scenario:  sometime in the next ten years, a tourist snaps a photo of a common landmark.  What he does not realize is that, somewhere in the scene, a malicious person has put a  sticker advertising a cleaning service on a lamp post.  The sticker is ratty, half-disintegrated, and only semi-legible to humans, who will never call the half-visible number on it.  It also contains a steganographically obfuscated block of data that exploits a weakness within the camera’s image processing software.  The camera is a consumer model, permanently online so shutterbugs can instantly upload and share their snapshots with friends.  The exploit triggers a worm through this channel…and take it from there.

This is pure fantasy — or is it?  Attack vectors for exploits have changed, from floppy diskettes, direct access to vulnerable servers, and email, over web site piggybacking, injection into vulnerable wireless networks, and others — why not consumer devices?  Let’s look at some individual components that already exist or are plausible:

Attacking Digital Cameras

Two things came to mind in this section:

First, Roman Abramovich’s huge $1.2 billion yacht, Eclipse, is rumored to come equipped with an anti-paparazzi system that, according to various accounts, sweeps its surroundings with lasers that detect CCDs (see below) and fires a stronger, “blinding” laser at them, either destroying the sensor or at least blanking the shot.  There are multiple problems with this idea, none of which I’m sufficiently familiar with to go into detail about:

• until a shot is taken, the sensor is masked by the camera shutter (true, but if the thing is fast enough, that might not be an issue)
• most modern DSLRs use CMOS sensors, and I can’t find info on whether such detection techniques would work on these
• photos of Eclipse exist, casting doubt on whether this functions as advertised (then again, maybe it’s just not turned on while in port due to legal restrictions)
• it could be defeated by a one-way mirrored lens

For such a system to work, it implies a computational reaction speed that seems improbable, but remember, we’re talking futuristic here.  Moore’s Law and all that jazz.  The idea itself is not fundamentally invalid.

Second, Adam Harvey claims to be working on an “anti-paparazzi” clutch purse.  This is a significantly simpler context, incorporating photovoltaic sensors that set off a bright strobe light when a camera flash is detected, thus whiting out pictures and supposedly guarding the user’s privacy.

Friends and I have discussed the feasibility of something similar for motorway speed cameras…

The point?  Cameras are already fair game for electronic countermeasures.

Steganography

Not rocket science.  Hiding content in digital images (pdf) is a comparatively new technology, but applications have existed for several years that will do this quickly and easily.

Causing visual content to short-circuit complex systems is doable.  In the case of humans, such a “vulnerability” was inadvertently exploited when several Japanese children suffered photosensitive seizures while  watching Pokémon (it’s making me feel a bit sick).  Subliminal messaging has also been demonstrated to work in a number of studies.  And as my friend Brian astutely pointed out, I completely missed the opportunity to make any Snow Crash references here.

2-D bar code reading applications are fairly common in camera-equipped mobile phones.  Snapping a photo of a given pattern causes an installed application to perform a certain action (e.g. visit a web site.)  That is, assuming you have the application installed and configured.  Now imagine the possibility of a bit of data that causes not an application, but the actual core camera firmware to “do stuff” — i.e. replicate.

Exploiting Camera Image Processors

This is probably the biggest technological leap, but the component elements are in existence.

A digital camera consists of two main internal components (aside from the lens):  a CCD (charged couple device) or CMOS (complementary metal-oxide-semiconductor), which handles incoming light signals, and a miniature computer.  The latter has numerous tasks, from governing exposure and ISO values to processing pictures (e.g. turning RAW format into JPEG, including EXIF data, etc.)  Some cameras include on-the-fly face recognition capabilities (for example, the Fujifilm FinePix F40fd came out in 2007).

Any security professional will confirm that, as a rule of thumb, complexity engenders risk.   Digital camera firmware is generally proprietary in nature, and thus not as subject to widespread review or stress-testing as, say, common workstation operating systems or even certain embedded systems.  Embedded platforms can be susceptible to exploits; it is a function of how they are built and what software they run.  The bigger and more complicated a camera operating system and chipset becomes, the more likely it is that an exploitable security vulnerability could affect it.

Exploit code can be tiny (here is a link (pdf) to a 625-byte exploit of a known vulnerability) so the difficulties of hiding a visual exploit in an image need not face data size limitations.  That is, if you even bother hiding it.  While we’re not restricted to the standard, just for argument’s sake a 144×144 pixel data matrix can contain up to 2KB of information.  Make it A4-sized,  that’s ca. 1.5mm² per pixel.  I won’t do the exact math, but a 20MP camera handles ca. 10,000×20,000 pixels.  The above A4 sheet can be pretty far away for each pixel in the data matrix to still be discernible, at least electronically.

Through the image sensor, you have a data entry path that is fundamentally no different from a network card or any other integrated device.

Oh yeah, and here is a timeline of image file exploits.

Wireless Photo Upload

Remote photo capture via USB cable is pretty standard (I use Canon’s EOS Utility with my Hackintosh).  Wireless photography, via surveillance cameras or bluetooth webcams, is also a common practice.

A common problem faced by even casual photographers is police harassment, leading up to confiscation of equipment and prosecution — often in violation of existing law enforcement guidance and/or local law.  Numerous instances exist of photographers who were forced to delete photos by security guards or police officers [1][2][3].  I’ve read several discussions about the desirability of some sort of immediate camera photo upload; products like the Eye-Fi already offer limited functionality in this direction.

I can think of no good reason (aside from bulk and battery life, which I cannot imagine being problems for a long time) why DSLR cameras in the near future would not incorporate some sort of nG wireless connectivity, fast enough for bulk Internet uploads of even larger images.  IPv6 will do away with the address space restrictions that are also a brake on the direct connection of small end-user electronic devices like cameras to the Internet.

Wait for cameras to incorporate “automatically post to FaceBook” features, and there’s your communication path.

…like I said, just having some fun, enjoy the future.

IF THIS WERE A VIRUS

YOU WOULD BE DEAD NOW

FORTUNATELY IT’S NOT

THE METAVERSE IS A DANGEROUS PLACE;

HOW’S YOUR SECURITY?

CALL HIRO PROTAGONIST SECURITY ASSOCIATES

FOR A FREE INITIAL CONSULTATION.

The recently released Firesheep Firefox plugin demonstrates how simple it is to sniff logins and sessions on open, shared networks.  I spent a little bit of time playing with it; it is dirt-easy to install (OSX requires a workaround when running it in combination with FileVault — the fix is to move the extension directory somewhere outside of FileVault, such as the Firefox application directory in /Applications and to create a soft link back to the extensions directory.)  Although French ISPs are generally very good about providing their customers with home routers/firewalls with wireless encryption enabled by default, and it is thus pretty difficult in Paris to find open networks in comparison with other countries (except for the open access Free/O-Zone/SFR/etc. commercial ones), there are always a few.  Jumping on one of these, I had someone else’s Facebook account within 3 seconds (no, I didn’t use it, not that interested in other people’s private lives.)

In short, the plugin allows even a non-technical user to open a sidebar in a browser, click on “start sniffing”, and within fractions of a second, obtain both session cookies and username/password combinations for a wide range of popular web sites (Facebook, Twitter, and Gmail, among others, are configured by default, while the plugin allows easy adding of more pages.)  Sniffed accounts show up as icons on the sidebar — by clicking on one, you’re immediately logged into that user’s web account.

Taking this a step further, the (not as user-friendly, for now) Idiocy Python script (thanks to Thomas for pointing it out) automatically posts a link to this page “explaining what has happened” to a compromised Twitter account.

This is not entirely a problem of unencrypted wireless networks.  Any sufficiently determined user can attack a wireless network secured with WEP or certain types of WPA.  Even WPA2 may be vulnerable to brute force password cracking (standard password/passphrase best practice applies), although due to its key management methods, a compromised WEP environment allows a sniffer to access traffic from all users since the same key is shared.

Furthermore, malicious administrators with access to any sort of network choke point have access to this traffic anyway.  Most users are protected from such abuse by circumstance or pure statistics;

• many (especially European) countries have extremely strict limitations on what an employer can legally do in terms of intercepting traffic
• a network administrator likely has much better things to do than sniff traffic
• any choke point handling a large enough amount of data to be significant as a threat faces the above problem, but even more so

Security through obscurity is not a problem, but as has been pointed out elsewhere, if you’re in a group of people running from the bear, you don’t have to be fastest, just don’t be slowest.  Generally, any sort of network encryption (yes, even WEP) is a good start, and users of mobile data services and fixed-line networks are generally not at realistic risk.  WEP keys can be compromised in a few minutes under optimal conditions; using reinjection and deauthentication, enough packets can be captured reasonably quickly for this to work.  I maintain, though, that an attacker faced with an unencrypted network and even a weakly encrypted one will first go for the former — but a WEP network is only as secure as the most malicious person using it (whether they got on legitimately or not.)  Mr. Lakofski has a very valid point about shared WEP networks (e.g. hotels) insofar as their user base is a lot wider than a private one (which you should set to WPA2 anyway.)

Lastly, there are other, more amusing ways of collecting user data, beyond trojans, keyloggers, and this sort of thing.  A really amusing bit of evil villainery would have been for Eric Butler to have actually included a password stealing trojan in Firesheep itself — thus obtaining massive numbers of unsuspecting would-be crackers’ credentials as they connect to Facebook to boast about their “exploits”.  Yes, that would be illegal and bad, but still pretty funny.

Most popular websites allow SSL; Facebook, Google search, Gmail and Twitter all allow https:// connections (although in Facebook’s case, clicking on a Facebook link within the site redirects to a non-SSL page.)  Other services (LinkedIn, Amazon, Plaxo, and most social news sites e.g.) redirect https:// URLs to plain-text, at least for pages that do not involve entry of payment details or password changes.   Still others mix SSL- and non-SSL elements in their pages, which is about as good as having no SSL at all.  Most modern browsers, and some older ones, display a warning when this is the case.

Widespread SSL use is a good thing.  While it is computationally more expensive than cleartext, even SSL using self-signed certificates is an improvement — this is why I object strenuously to the way some browsers handle self-signed certificates; obnoxious warning messages discourage casual users from using crypto for the sake of crypto (rather than authenticating a web site.)  SSL is not necessarily a fix, due to the fact that a cookie not marked as ‘secure’ is still transmitted in clear text.  Once a user is authenticated, the certificate may be intercepted using passive man in the middle.  There is not much you can do about this, except to bug website owners / web app coders to fix the problem.

SSLStrip can also force a transmission to drop into cleartext.   One fix for this is Strict Transport Security, currently supported in several browsers.  FFixer also lets you force SSL (Facebook chat may not work.)  Another workaround is HTTPS-Everywhere (currently Firefox 3 only).

Gunnar Atli Sigurdsson of the University of Iceland has recently released FireShepherd, which floods nearby open wireless networks with packets designed to disable nearby Firesheep instances at ca. 0.5 second intervals.

Computerworld has an article about protecting against Firesheep that’s worth a look.

Update: the Blacksheep Firefox plugin seeds bogus session information to see if Firesheep is being used, then warns if it detects an attempt to hijack that session.  It’s not a defense, but could be a fun toy.

Die in a fire, you Nigerian shit.

The first symptom, as far as you can tell, is probably a bunch of your friends asking you casually, what the kind of crap is that you’ve been sending them.  It’s only when you ask them to show you the messages they’re referring to that you realize that some Nigerian, Russian, Chinese, (or, for that matter, American, French, Japanese, what-have-you) son of a bitch controls your account and is blasting out garbage to all your friends.

Even more nefariously, a lot of these are plausible-sounding messages, like one I received recently from an email contact purporting to be stranded in Madrid after his wallet, passport, keys, phone, and plane ticket were stolen, begging his friends to call him on a local number for instructions on how to wire some emergency cash.  Frequently, the only thing that gives such messages away at a cursory glance is the piss-poor spelling and grammar used by the scam artists responsible.

This post is sort-of directed at the non-technical people, who maybe don’t check their personal mails all that often.  Yes, it’s confusing, and yes, it’s not fair, and yes it’s hard work.  So are taxes.  If you’re not lucky, not only do all your friends now think you’re an idiot, but all your email has been deleted.

First, see if the mail is still around.  Check the trash and ‘all mail’ links.  Maybe you’re lucky.  Google does not restore deleted mail from backups.

To make sure nobody is able to hack your account again (i.e. with backdoors) go to

https://www.google.com/accounts/ManageAccount?service=mail&hl=en

Under “personal addresses” go to “email addresses” (top right).  Make absolutely sure that any addresses for which password recovery is enabled are only ones you trust.  Otherwise an attacker could just say “hey, I want a password reset sent to my address”.  Smart attackers leave their own addresses there.

To understand how this could have happened, here are some more common ways in which someone can “hack” your gmail account:

• trojan on your PC
• sniffed password (you do use SSL by default, right?  It’s a gmail option to always force SSL)
• sniffer on a shared system (Internet cafe)
• untrusted app
• xss / cookie stealing

Trojans

That is short for “trojan horses”.  These are often self-replicating viruses either downloaded from malicious web sites that were hacked (in some cases you won’t even know, you may be using an older browser like Internet Explorer 6) or via an unpatched Adobe Acrobat, or Flash.  May also come from someone attacking your PC by network, say in an Internet cafe.  You may not see these;  you open up a website like you usually do, but it’s been compromised, and boom, that’s it.  Invisible, annoying.  Or, your laptop/workstation may be attacked remotely, using a security hole in the operating system.

How to deal with them?  Regularly update your browser to the latest version and install operating system security patches.  Make sure you have an up to date virus scanner.  Do regular scans.  Turn on your PC’s firewall (google for Windows firewall or Mac firewall.  Both systems have a semi-decent one built in that will at least give you rudimentary protection.)  Avoid using open wireless networks and visiting sites you don’t know whenever possible.

Sniffed password

You do have a strong password, right?  Strong passwords have

• 8 characters or more
• a mix of upper/lowercase letters
• numbers thrown in
• non-alphanumeric characters (e.g. !, ?)

Use mnemonics to more easily remember passwords (Ih8h@ck3rs!) or pass phrases (actual sentences) if a website / application supports them.

Your password can still be stolen by being “sniffed” — this means that you are logging into Gmail without the connection being encrypted.  Have you bought stuff online and seen the little lock at the bottom of the page?  That means your browser is using encryption to make sure anyone listening in cannot “sniff” your password.  SSL, or “secure socket layer” is that little lock on the web browser.  To enable it by default in gmail, go to settings->general->browser connection.  Set it to ‘always use ssl’

Next, check your applications and make sure there’s only stuff there that you yourself enabled.  Delete anything you didn’t.

Lastly, on your gmail main page, go to google labs (the green erlenmeyer flask icon at the top right next to the “settings” link) and make sure that only labs apps you yourself enabled are active.  Deactivate all others.

Sniffing on a shared system / Internet cafe

Password sniffing is quite difficult when, say, you’re connecting from home.  It is _very_ easy when you are at an Internet cafe.  Wireless connections can be encrypted, via WEP or, better, WPA or WPA2, both supported by almost all wireless cards in laptops.  If a wireless connection requires a password, it’s usually at least somewhat safe.  WEP is not so much safe, but it’s better than nothing.  If you are at an Internet cafe using a common PC, you risk that someone will have installed a piece of software that can “read” whatever password info you type (known as a “keylogger“).  There are ways to ensure that this doesn’t happen (e.g. the system is reinstalled from scratch after each reboot — not so complex) but that is tough.  Your best defense is to buy a small netbook or something and take it with you.

When using an Internet cafe, never click anything that offers to remember password.  When you log out, always clear any stored information, e.g. cache, passwords and cookies.   Here is a link that explains how on various browsers.

Furthermore, most modern browsers have a feature called “private browsing” or some variation thereof.   This means that nothing is stored while you’re online.  Use it.

Untrusted applications

See above with google apps.  Also, when you download software or docs, obviously never run/open anything you do not explicitly trust.  Have a good virus scanner, run it regularly.

Cross-site scripting (XSS) / cookie stealing

Cookies are bits of information that websites use to remember things about you — for example, when you log into amazon and return later, a cookie is what is placed on your PC to let you auto login again.

These can be “stolen” and used to impersonate you, i.e. when you use an Internet cafe system.  To help protect against this, whenever you are done browsing, manually log out of everything, and go to your browser’s “clear history” link (e.g. on Firefox, under tools-> clear recent history).

They can also be stolen while you are online, although that is a bit more complex.  XSS is “cross site scripting”, which basically means that if you have a browser open and visit a trusted site in one window and a malicious site in another window (again, the “malicious” site may just have been hacked and not be aware of it) the guy who has taken over the “bad” site can intercept and steal your session with the “good” site.  This is probably where most google account hacks come from.

To guard against that, when you log into gmail or another service, make sure it’s the only browser window you have open; don’t multitask with several tabs unless it is to visit sites you know are legitimate.

This can all happen even if you take all due precautions, but it is rare.

Also, regarding passwords, make sure you have a STRONG one.  I.e. at least 8 characters, alphanumeric, mixed case, some special symbols thrown in (!?*whatever) and nothing that could be tied to you (name, birthday, etc.)  Use a mnemonic (i.e ilikechinese -> 1l1k3ch!n353!)

A precaution:  back up your email account.  Here are 3 million search results for “gmail backup”.

From my latest victim friend:

Thanks for helping me John – it’s been a fucking nightmare as a freelance writer – I’ve lost so much material!

The same thing can happen with Hotmail, Yahoo!, LinkedIn, Facebook, Plaxo, anywhere you store large amounts of contact info.  Standard precautions apply.  And as always, nothing is foolproof.

This particular article lists examples of electronic warfare by regime-friendly groups such as the “Iranian Cyber Army”, recently suspected of numerous attacks against organizations seen as hostile to the Iranian government.  Ironically, these included Chinese search engine baidu.com in retaliation for some perceived slight by the Chinese government — this shortly after several Chinese organizations have become increasingly implicated in online hits against U.S. and other Western government and corporate targets; a recent report in The Associated Press / The Guardian mention the Chinese universities Shanghai Jiaotong and Lanxiang Vocational Institute as sources of the “Aurora” attacks against Google and others.  On a humorous side note, if 1337 xenophobic script kiddies friendly with one totalitarian regime are now going after 1337 xenophobic script kiddies friendly with another totalitarian regime, it might become difficult to figure out who’s on whose side…

That said, there’s not much an outsider with technological know-how can do to help victims of censorship and repression in any country beyond providing them with the education and means to get around official repression of communication with each other and with the outside world, and to avoid being detected by government thugs while doing so.  A friend of mine, when asked to to provide help and information about censorship avoidance to an Iranian group, took a very cautious line, making it very very clear that he was reluctant to offer anything that carried even the slightest possibility of someone being arrested, tortured, or even killed if they were found using it.  I take a bit of a different view — solutions like PGP, TOR, Haystack, anonymous remailers, or SSL enabled CGI proxies, combined with private browsing available on most newer browsers, are powerful stuff, and with a modicum of care on the part of their users, can conspire to throw a hefty wrench into the surveillance machinations of dictatorial spooks.  The best anyone can do is to make users at risk of brutal crackdowns aware of what could possibly go wrong, give them a good head-start on how to use their new toys, and let them be adults about making an educated choice.  After all, in the case of the Iranian protesters, these are people who’re willing to go out on the street and be shot at for what they believe in.

So much for “passive” assistance — giving people better anonymous / encrypted communications tools and the knowledge on how to effectively use them.  What about active help, though?  Beyond the usual low-level stupidity found in IRC channels (e.g. background noise of the “www.bobsautodetailing.com pwn3d by H4X0RZ 4 ALLAH AGAINST 4m3r1kkkAH” variety), attacks on the infrastructure of Western countries and organizations from Russian, Iranian, North Korean, Chinese, and other groups, presumably with at least some tacit blessing from their governments, are pretty common.  Botnets designed to carry out probes and hits on infrastructure, launch DDoS attacks, create economic sabotage, steal sensitive data, and other bad things, are pretty common in the wild.

Cybercrime legislation in most developed countries is designed to pursue and allow prosecution of even casual probes by unauthorized persons.  Whether one agrees with laws or enforcement tactics or not, the goal is to keep anyone, no matter what motivates them, from generally screwing things up by spying, stealing, or vandalizing.  Unless it specifically takes into account intent, the law doesn’t differentiate between amateurs or professionals — it’s all a crime.  Why?   Partially because attacking a person/host/company/government via a network is the technologically easiest, least physically risky way of getting to the goodies, and because it’s often impossible to differentiate between the casual hacker and the much-vaunted bugaboo of organized cybercriminals and government-sponsored electronic espionage.  The idea, I suppose, is that tolerating any intrusion means that the world economic system as we know it will grind to a standstill (or at least your job and mine will be made that much more difficult.)  Maybe, maybe not, but without such laws as a deterrent, I’m sure the barriers to causing grief to legitimate business would be a lot lower.

But what of aiding and abetting attacks against distasteful regimes or their allies / henchmen?  A few years ago, the idea of counter-hacking, or ethical hacking aimed at taking out threats either by sabotaging those responsible or by “cleaning” affected infrastructures when unsuspecting owners could not or would not, was in high discussion.  Most security professionals in my circle of acquaintances seemed to be roundly against this concept, due to the potential for a slippery slope, and for unacceptable collateral damage — plus, what good is it to have and enforce laws against illicit intrusion when the “good guys” themselves are guilty of violating them, even if they are perfectly well-meaning?

Given how hungry my non-technical Iranian friends were for any information about “passive” tools as those described above, I’d imagine groups in opposition to the government (supposedly there’s now a “Green Cyber Army“) would imaginably be equally happy for any assistance from sympathetic types in the West.  As someone strictly in favor of the rule of law, I can’t condone any illegal actions of the sort these guys are indubitably carrying out, but anything that helps cause grief for kiddies hacking in the service of thugs is ok in my book.  A few dozen clicks to waste here and there to waste the bad guys’ bandwidth, a Metasploit download mirror, or an open proxy or TOR gateway probably wouldn’t violate the spirit of the law.  Wink wink.

A few years ago in a fit of mental masturbation, some colleagues and I postulated an online environment incorporating elements of Neal Stevenson’s Metaverse, Freenet, grid computing, various virtual currency incarnations such as e-gold, and various obfuscation, security and communications technologies. Underlying the concept was the nature of a computer; a processor, a bus and storage. And if you combine distributed computing, distributed storage and the Internet, voilà, a big computer.

With this in mind, the idea was basically to create a totally non-judgmental, uncontrolled secure and anoymous failure-resistant platform for online transactions — for legitimate business, tax evaders, kiddie pornographers, whoever. However, the parallel with the Metaverse doesn’t just stop at its distributed nature. Given the seemingly rising trend in attacks hitting MMORPGs and online communities, the villain Raven’s actual “Snow Crash” virus in Neal Stevenson’s book is something I can see being prototypical for a pretty big problem.

Picture this: just like with telephones and the Internet, commerce will adopt any new medium as a functional part of its business technology. So let’s say you have a totally decentralized, purely reputation-based, entirely secure transactions network of the sort that we’re postulating. For argument’s sake, let’s assume someone figures out how to exploit weaknesses in some of the protocols and/or client software used by participants in this kind of environment.

Given that the idea is to create a generally lawless state (i.e. not run by a company or controlled by a government agency, but designed to allow a green field for pure commerce), someone _will_ figure out a way to grief — be it for reasons of gain, sabotage, or pure vandalism. How do you respond to this? You have no recourse to Linden Labs, WIPO or the FBI. A community at large may not be sympathetic to, say, a Citibank under concentrated attack, and even then the response may be slow and ineffective.

A solution that comes to mind are variations on William Gibson’s “Black ICE” (i.e. the sort of strikeback capability that’s often poo-pooed and illegal in the real world.) However, in most virtual communities, there’s not enough of a “pay to play” mechanism to make vandals fear retribution, that they might lose their investment, and even if such a thing existed, there’s too much room for abuse (remember, who controls this? Even if there is a governing body, do you trust them?)

Just some thoughts.

According to the NZZ, the Swiss company ERA IT Solutions is behind the trojan’s development, although no technical information is given. I especially love the claim that “it’s designed to be undetectable by firewalls or virus scanners.” Or Macs, or tripwire on Solaris, but maybe they can have a chat with Joanna Rudkowska about how to do it. Regardless, F-Secure probably won’t cooperate, and seemed to take a dim view of this toy’s chances of success.

The DBA, created as the Uvek’s “dirty tricks and espionage” department, lists wiretapping among its core tasks. According to Swiss telco law, when to deploy such toys is still within the purview of the local authorities, although data protection and warrant mechanisms are not mentioned. The trojan may apparently be either surreptiously installed by the police, or through ISPs. Under the threat of coercion, I assume.

More information is at PC Pro. I honestly can’t imagine what the hell ERA’s marketing directory was thinking; if I were him, I’d be doing PR damage control like mad now. Needless to say, Keystone Kop trojans don’t seem to be listed on their products page.

According to Rutkowska, this is OS-independent; the malware can be injected at runtime through a privilege weakness in how Vista handles paged memory, and is persistent across reboots. Theoretically, this could be ported to Intel VT as well.

George Ou has an ZDNet blog entry that raises the interesting question of being able to detect this by running timing analysis — apparently, there is a possibility of hybernating the malware if a timing analysis is detected. He doesn’t address the possibility of something like just hitting the host in question with constant, random semi-DoS attacks to generate load and thus obfuscating results of a system timing check. On second thought, I assume any such well-written process would take this into consideration (as the network stack would just be handling additional load within its design parameters.) But as he points out, any malware could just diddle with the system clock anyway.

Virtualization.info has an interview with Anthony Liguori titled “Debunking Blue Pill Myth” that doesn’t really go very far towards debunking anything — part of his point is that virtualization under Vista will rely on TPM-based attestation, which is interesting, seeeing how a lot of enterprises I’m familiar with actually turn off TPM functionality, especially in laptops due to management issues.

We’ll see, I guess. Very cool though.

More links at

Computerworld

Enterprise IT Planet