Tuesday, April 27, 2010

CAPTCHA Cracking: Nice Work, If You Can Get It

This story in The New York Times about people being paid to fill in CAPTCHAs is as much about IT security as it is about working conditions in the developing world. According to the article, people in India, China and Bangladesh, among other developing countries, are being paid between the equivalent of 80 cents and US$1.20 for each 1,000 deciphered boxes.

CAPTCHAs are those funny strings of numbers and letters, set every which way and embedded in an image, that appear in a box at the base of some e-mail sign-up and login pages to prevent automated bots and scripts from signing up for or into accounts. The idea is that only humans should be able to recognize and enter the text from the embedded images.

That is, unless the humans themselves are deliberately entering the text, opening the e-mail accounts, for example, and passing them along to spammers. Apparently, thousands of people in Asia, most of them part of sophisticated operations, are in on the act. Projects are even bid out online, and most of the workers have no idea who is hiring them.

The reaction of Google, one of the targets of these CAPTCHA crackers, glosses over the issue. Macduff Hughes, an engineering director at Google, said “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.”

Tuesday, April 20, 2010

Industrial Control Attacks: Mundane or Prophetic?

This isn't exactly the sexiest part of IT security, but attacks on industrial control systems, such as those at utilities and water and sewage treatment plants, are on the rise, according to data gathered by the Repository of Industrial Security Incidents (RISI). And with recent media attention on cyberwarfare, utilities would be a prime target for any would-be cyberwarrior to bring down.

But besides cyberadversaries wanting to hit the US, a major source of infections is more mundane: employees bringing malware on infected laptops and USB keys, for example, according to the study.

Though only a fraction of these control systems connect directly to the Internet, they do connect to business networks, which in turn are connected to the Internet. It's the business networks, to which employees have access, that are the source of the malware.

Industry insiders are skeptical of the threat from employees, let alone foreign hackers engaging in potential cyberwarfare, which might seem even more far-fetched on the surface.

Although utilities and control systems are in private hands, their protection is crucial to any defense of critical infrastructure in times of war, cyber or not. And that defense will rely just as much on government and the military as it will on IT security professionals in the private sector, with whom they'll need to partner.

Friday, April 09, 2010

Another Adobe Attack Vector Expected

The ubiquitous Adobe Acrobat is back in the security spotlight with another attack vector discovered by a security researcher this week. The flaw was first discovered by Belgian security researcher Didier Stevens and can be exploited with the "/Launch" function built into Adobe Reader.

Unlike the recent JavaScript flaw, this one requires a bit of social engineering. A user must be tricked into opening a malicious PDF file. Details with a proof-of-concept are on Stevens' blog.

Adobe is aware of the issue, but it was discovered too late to be included in next week's patch cycle for security fixes. In the meantime, security experts are recommending turning off the Launch feature in Reader, the same approach given for the JavaScript security bug.

To turn off the potentially threatening feature in Adobe Reader 9.3, the most current version, go to Edit > Preferences > Trust Manager and uncheck the box labeled "Allow opening of non-PDF file attachments with external applications".
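On the detection side, an added example (not from the post, and not Stevens' code) of scanning raw PDF bytes for Launch actions; the two sample PDFs are constructed here, and the second hex-escapes the action name (/L#61unch), which the PDF name syntax permits and a naive substring search for "/Launch" would miss.

```python
import re

# Constructed sample PDFs: a benign document and one whose /OpenAction points
# at a Launch action whose name is hex-escaped (/L#61unch == /Launch).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (placeholder.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")
FILE_SPEC = re.compile(rb"/F\s*\((?P<f>[^)]*)\)")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /L#61unch reads as /Launch.
    Applied to the whole buffer for simplicity; that is fine for triage."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(data: bytes) -> list:
    """Return the /F file spec of every Launch action in the raw PDF bytes.
    Caveat: actions inside compressed object streams are not visible to this
    scan; those need the streams inflated first."""
    hits = []
    for obj in re.split(rb"\bendobj\b", normalize_names(data)):
        if LAUNCH_ACTION.search(obj):
            f = FILE_SPEC.search(obj)
            hits.append(f.group("f").decode("latin-1") if f else "<no /F>")
    return hits


if __name__ == "__main__":
    print("benign:", find_launch_actions(BENIGN_PDF))
    print("launch:", find_launch_actions(LAUNCH_PDF))
```

Any hit is a reason to quarantine the file for analysis rather than open it, regardless of whether the Trust Manager setting above is already unchecked.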