A bold new type of malware has been identified. Its attack vector is based on hijacking the DNS settings of devices on a local area network. Any device, regardless of operating system, that depends on an internal or external name server can be affected.
The trojan configures and runs a rogue DHCP daemon on the infected host. Other devices on the same LAN are misled into using the name server settings handed out by the trojan's DHCP daemon for DNS lookups instead of the originally configured name servers.
Devices on the network are then sent to fraudulent websites that can be more difficult to identify as imposters, since the DNS lookups appear to succeed normally.
This is a more advanced form of the well-known attack on a system's hosts file; by being system agnostic and relying on the standard DHCP and DNS protocols, it is much more effective.
More details can be found at SANS
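As an added illustration of the detection side of this trojan (example code, not from the SANS write-up), the Python check below parses a DHCP OFFER/ACK and flags one whose server identifier or DNS server list (option 6) is outside a constructed allowlist; the allowlist addresses and the sample offer it builds are assumptions.

```python
import ipaddress

# Constructed allowlist (assumption): the addresses the LAN's legitimate DHCP server hands out.
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP option area (RFC 2132)

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a BOOTP/DHCP message into {code: raw_value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_offer(payload: bytes) -> list:
    """Return findings for a DHCP OFFER/ACK whose server or DNS list is not on the allowlist."""
    opts = parse_dhcp_options(payload)
    findings = []
    if opts.get(53, b"\x00")[0] not in (2, 5):   # option 53: 2 = OFFER, 5 = ACK
        return findings
    server_id = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else "unknown"
    if server_id not in TRUSTED_DHCP_SERVERS:
        findings.append(f"DHCP offer from unlisted server {server_id}")
    dns_raw = opts.get(6, b"")                    # option 6: one or more 4-byte DNS server addresses
    for j in range(0, len(dns_raw), 4):
        dns = str(ipaddress.IPv4Address(dns_raw[j:j + 4]))
        if dns not in TRUSTED_DNS:
            findings.append(f"server {server_id} pushes untrusted DNS server {dns}")
    return findings

def build_offer(server_ip: str, dns_ips: list) -> bytes:
    """Construct a minimal DHCP OFFER (sample input for testing, not a real capture)."""
    fixed = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY plus zeroed 236-byte BOOTP header
    opts = b"\x35\x01\x02"                        # option 53 = OFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed
    opts += b"\x06" + bytes([4 * len(dns_ips)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    return fixed + MAGIC_COOKIE + opts + b"\xff"
```

Feeding real traffic into `check_offer` means capturing UDP port 68 replies on the segment; an offer from a second server, or one pointing clients at resolvers you do not run, is the signature this trojan leaves.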
Technical problems with the license management servers at SonicWall Inc. created havoc last week for users of the company’s firewall and e-mail security products, leaving many companies temporarily unprotected against spam, phishing and malware threats.
The problems resulted in affected enterprise users of the SonicWALL UTM Firewall, Email Security and Content Security appliances temporarily having their content filter, intrusion prevention and antivirus protection disabled, because license keys were reset and treated as invalid.
More details on the matter can be read at the Register
Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location.
This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI’s cell-phone tracking practices. Since August, they’ve received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.
More details on Ars Technica
Early coverage of the Wi-Fi WPA TKIP key crack indicated that TKIP keys had been broken, but Ars Technica clears up the details of the attack:
They are not. “We only have a single keystream; we do not recover the keys used for encryption in generating the keystream,” Tews said.
To describe the attack succinctly, it’s a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That’s a very critical distinction; this is a serious attack, and the first real flaw in TKIP that’s been found and exploited. But it’s still a subset of a true key crack.
Ars Technica has a fantastic technical review on the subject.
Via Slashdot:
Researchers Erik Tews and Martin Beck ‘have just opened the box on a whole new hacker playground,’ says Dragos Ruiu, organizer of the PacSec conference. At the conference, Tews will show how he was able to partially crack WPA encryption in order to read data being sent from a router to a laptop. To do this, Tews and Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes. They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack. ‘It’s just the starting point,’ said Ruiu.
A national cyber-security strategy that will seek to protect key infrastructure as well as Canadians’ identities is on the way, an RCMP executive says.
Details of the strategy — a partnership between the public and private sectors — will emerge over the next few months, said David Black, manager of the RCMP’s cyber infrastructure protection section. The plan is being put together by Public Safety Canada with input from telecommunications and technology companies such as Bell Canada Inc. and Microsoft Corp.
Source: CBC
Via Wired:
Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.
The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
BGP is all but the only inter-domain routing protocol anyone takes seriously, and the only one meaningfully deployed. Sessions between BGP peers are supposed to be authenticated, but apparently that is not done often enough.
Here’s the PDF of Kapela and Pilosov’s presentation.
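As an added example from the defender's side (not code from the Kapela and Pilosov presentation), the Python routine below checks a feed of BGP announcements against a watch list of an operator's own prefixes: it flags the prefix itself appearing with the wrong origin AS, and any more-specific sub-prefix at all, since longest-prefix match is what lets a more-specific pull traffic away. The watch list, AS numbers and sample updates are constructed assumptions.

```python
import ipaddress

# Constructed watch list (assumption): prefixes an operator announces and the origin AS
# that should appear last in the AS_PATH of any announcement for them.
MONITORED = {"203.0.113.0/24": 64500, "198.51.100.0/23": 64501}

def check_announcements(updates: list) -> list:
    """Flag BGP announcements that would divert traffic for monitored space.

    updates: list of (prefix, as_path) tuples as seen at a route collector.
    Reported cases:
      1. the monitored prefix itself announced with a different origin AS
      2. any more-specific sub-prefix of monitored space: longest-prefix match
         makes it win, and because the announcing AS chooses the AS_PATH it sends,
         a plausible-looking origin on a more-specific is not evidence of legitimacy.
    """
    watched = {ipaddress.ip_network(p): asn for p, asn in MONITORED.items()}
    alerts = []
    for prefix, as_path in updates:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        for mnet, expected in watched.items():
            if net == mnet and origin != expected:
                alerts.append(f"{prefix}: origin AS{origin}, expected AS{expected}")
            elif net != mnet and net.subnet_of(mnet):
                alerts.append(f"{prefix}: more-specific of {mnet} via path {as_path}")
    return alerts

# Constructed sample feed: a legitimate announcement, a more-specific whose AS_PATH
# still ends in the rightful origin, and an exact-prefix announcement with a new origin.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),
    ("203.0.113.0/25", [64666, 64510, 64500]),
    ("198.51.100.0/23", [64520, 64666]),
]

if __name__ == "__main__":
    for line in check_announcements(SAMPLE_UPDATES):
        print("ALERT", line)
```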
Google announced today that it is seeking to develop grass roots support for its “white spaces” campaign at the FCC, its lobbying effort to convert some radio airwaves in order to provide wireless broadband access.
The “Free the Airwaves” campaign invites consumers to sign a petition, create their own video testimonials on the subject for posting to YouTube, and to contact their Congressional representatives.
Via Broadbandreports.com:
Microsoft, Google and Dell have formed the backbone of a six-partner coalition named the Wireless Innovation Alliance. Their goal is to use the so-called unlicensed “white space” spectrum — partially freed by the migration to digital television — to offer un-served consumers inexpensive Internet access via the airwaves (with these companies obviously providing the hardware, software and most importantly to Google: ads).
More on White spaces at Wikipedia.
A new driver by Atheros has been released for use in Linux. It is licensed under the ISC license, so BSD users should be able to make use of the driver as well.
The new driver doesn’t use a proprietary hardware abstraction layer and no firmware is required.
The ath9k driver supports the following chipsets:
* AR5418+AR5133
* AR5416+AR5133
* AR5416+AR2133
* AR9160
* AR9280
* AR9281
Separate problems are plaguing the MS08-037 DNS patch released by Microsoft on July 10, 2008 to correct the recently disclosed multivendor DNS cache poisoning vulnerability. Interruptions are being experienced in Exchange Server service components on several of the software giant's operating systems.
The SBS Services blog provides more information on the subject, noting that ActiveSync, Internet Protocol Security (IPsec) services and Internet Authentication Service (IAS) are failing after the patch is applied.
Ruan is a resolute technophile that is currently devoted to the professional practice of Information Technology Management. In his free time Ruan pursues various interests including the study of Information Security practices and the exploration of visual culture through contemporary photography and communication design.