WeekEnd Feature:
Hackers, Crackers and Gaps in the Wall

by Ian Thompson, CCSP Staff Editor
May 15, 2004

This week has been a bit of a whirlwind. Not only have I had it up to here with some of the silly stuff going on at work, but also the Google news doohickey has come up trumps again. I mean, only last week we were all under a barrage of Sasser-related shenanigans, rewinding clocks (if we knew that this was a work-around) and patching lsass on affected PCs. Good ‘ol Windows 98, s’what I say to that one…

Sven’s another attack going to happen?
Ouch! Weak joke alert system not quite up to speed yet.

Okay, so German police closed in on Sven Jaschan last week, and now he’s not only owned up to writing Sasser, but also for being the original author of NetSky, as predicted in these here pages. Actually, all I do is keep my ear to the ground and listen to the real experts who are busy analysing and pattern matching the millions of examples of viral code captured over the years.

That’s how they are pretty sure he’s the guy (erm, barely). There’s been another version of Sasser released since Sven’s arrest, but according to analysts it was merely a hex-edit of the previous version, perhaps to try and convince others that the actual author is still at large.

This seems like the tip of the iceberg, since there’s perhaps another round of the NetSky/Bagle slanging match being played out here. You see, reports claim that Sven actually fell foul of a tip-off to the Microsoft Anti-Virus Reward Program – the ultimate ‘up yours’ from the rival coders. And by all accounts, he didn’t work alone – police are pursuing several suspects in what may turn out to be an organised coding/distribution ring. At the very least, if the rest of the gang have control over a variety of bot networks, they will fall foul of the German computer sabotage laws.

All in all, you’re just another brick [missing] in the wall.
Pink Floyd clearly missed that word out, but had always meant it to be there. Allegedly.

Remember when Witty whacked ISS BlackIce Defender? Of course you do – unless you are a goldfish – because it was only a few weeks ago. How time flies in computing! Hold on to your modems, ‘cos I suspect that things are going to go screwy for many more users soon.

Symantec, probably the biggest provider of PC security to the masses, has known for about a month of four critical security flaws that affect its entire range of products. Scary. At least the patches were released this week (Thursday 13 May) and all those diligent users with the AutoUpdate feature switched on will now be protected.

I can’t remember – is that feature switched on as a default…?

Remember though that the Witty coders (no, they aren’t witty, but they are Witty coders – sheesh!) had cracked the patch within a day. I recommend that all users of Symantec security products immediately disconnect from the Internet, especially those using dial-up modems, because the exploit for these flaws will be on your box before you can dial up and collect the patch files. But in case you are fed up with waiting for the pigeon to struggle all the way from Symantec to your door, hot update disk in beak, goggles askew and scarf all raged, remember to try rewinding the clock if anything funny starts happening to your PC…

The flaws? Oh, I suppose you could find out more, but basically;

Flaw 1 is a NetBIOS issue – the packets are not handled correctly;
Flaw 2 is a DOS against the Firewall, using a faked DNS request;
Flaw 3 is back with NetBIOS and could give full kernel access through the firewall;
Flaw 4 is a good old buffer overflow exploit.

Apparently, “due to a separate design flaw in the firewall’s handling of incoming packets, this attack can be successfully performed with all ports filtered, and all intrusion rules set.” So says the team that warned Symantec about these babies in the first place. Anyone for ZoneAlarm? Or a plain, simple NAT router – most ‘home user’ (i.e. cheap) hardware versions have firewall capabilities, so it won’t cost much to help Norton WhatEver out a bit.

If you really get spooked, I used to run ZA and Sygate Pro side by side – and you could always chain a couple of hardware routers together, to see how a system copes with four firewalls, plus maybe the XP chocolate fireguard too. Let us know if anything actually makes it through, but do me a favour and don’t invite stuff in to play – you must resist the cheat code and crack sites – RESIST!!!

Tippex, SnoPake, Liquid Paper – what’s the point?
Have you ever seen those pixelated photos or CCTV images, where they replace someone’s face with a shifting pattern of coloured squares? I bet you’ve squinted, just to see if you can blur the rest of the image enough to get a ‘clearer’ picture of the person. We can do this because of the brain’s ability for pattern matching. It’s like those Mensa tests, where there are sequences to follow or codes to decipher. Oh, which reminds me – Mercury Rising was on TV this week – entertaining, but total rubbish: I never hear modem noises when staring at a wordsearch... We are very good at spotting the pattern in things, so good that we often create a pattern where there isn’t one.

However, you’ll have also seen those pictures of official documents with crucial words blocked out in an effort to retain secrecy, even on declassified stuff.

Well, this week, pattern matching proved this to be as weak as a puppy as well. The method used by Claire Whelan, a computer science student at Dublin City University, involved a series of simple steps:

Step one: Scan in the document so it can be realigned properly.
Step two: Determine the font face (this has to be pretty accurate, for reasons that will later become apparent).
Step three: Determine the exact point size of the text.
Step four: Run through the dictionary and see which words will fit the blanked gapes in the font face and size that has been determined on steps two and three, give or take a couple of pixels.
Step five: use semantic guidelines and a bit of common sense – if the sentence doesn’t make sense using a word that fits, then it’s not likely to be the right word.

In the example given byThe Register, the blanked out word in a memo to George Bush in the sentence "An Egyptian Islamic Jihad (EIJ) operative told an XXXXXXXX service at the same time that Bin Ladin was planning to exploit the operative's access to the US to mount a terrorist strike" was judged to have been the word ‘Egyptian’. No shinola, Sherlock – I mean, it was only a member of an Egyptian group who was quoted here.

However, the software used had narrowed the choice down to a few hundred possible words, of which only a ‘Bruce Almighty’ handful made any sense. Using the same techniques, another memo, about how civilian helicopters could be modified for military use (How ‘Airwolf’ of them – a Bell 222 never looked better!), it turns out that South Korea was the source of the knowledge…

Personally, if a kid tried Tippexing out a word on a piece of work submitted at school, it was always possible to read it reversed through the back of the page. And coloured light sometimes shows the text underneath black marker, depending on the ink. You see, it really is just best to put a single line through any corrections and then move on – otherwise I might suffer from a sense of achievement in having read what wasn’t meant to be read.

And finally…
Firemen today rescued an old woman who had become stuck up a tree. “It was amazing – after I’d spent ages trying to talk her down, all the firemen did was put some DentuGrip and a box of Thornton’s Toffee on the garden wall and waited whilst she literally ran down of her own accord”, said one onlooker. Another commented: “What was really amazing was that it was her cat who rang the emergency services – and they believed it! My dog saw a burglar in the house over there, but no-one took him seriously. Got away with a really good B&O system, too”.

cheers, Ian

by Ian Thompson ComputerCops Staff Editor

Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.

Copyright © Ian Thompson All Rights Reserved 2004.