|
Internet Security News
Breaking news and updates in Internet security
Last Updated: November 21st, 2008 07:47:00 CST -0600
Microsoft Fixes Flaw After Seven Years
If you've ever forgotten an appointment, anniversary, or birthday, you know that being late by even a little bit can be terribly awkward. It almost seems worth it to get an arm or leg set in plaster just so you have a proper excuse. Now Microsoft's trotted out its version of a cast story to explain a seven-year patch delay.
 | | Microsoft Fixes Flaw After Seven Years |  |
Microsoft security bulletin MS08-068 addresses a flaw in the Microsoft Server Message Blog protocol, and in a post on the Microsoft Security Response Center, Christopher Budd acknowledged, "We've received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack. Specifically, we've gotten some questions about why, in 2008, we're releasing an update that addresses an issue first discussed in 2001."
Budd, a security communications program manager, then stated, "[W]e could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."
So, according to Budd (and/or Microsoft, since it's hard to believe someone would volunteer to be the messenger), Microsoft kept tinkering with things, and finally figured out a way to address the issue without bringing everything else to a halt. And, the Security Response Center post implies, perhaps people shouldn't complain too much, since implementing SMB signing remains a better idea than applying MS08-068.
Take or leave the explanation as you see fit.
Skype Scrambles After Breach And Censorship Revelations
American companies operating in China have what might be considered a tradition of getting in trouble over privacy and censorship, and Skype, the Internet communications company, is the latest to encounter hot water. Its president has done his best to explain the situation.
 | | Skype Scrambles After Breach And Censorship Revelations | |
As Josh Silverman wrote, "In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens." Skype - and anyone who bothered to listen to an old announcement - has known for some time that TOM obeyed Chinese laws requiring them to block messages containing certain terms.
The problems began when it turned out that TOM stored the messages; there's a real concern about what government authorities might have seen them. And what's more, a security breach may have exposed the messages to all other sorts of people.
Silverman wrote, "We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM."
Still, Skype's reputation has taken a big hit due to these developments, and we may see the security and censorship issues have a similar effect on the eBay property's growth.
Defense Companies Hit By Malicious Code
Some security stories relate to fairly harmless issues, but this one might go well beyond "whoops." It seems that LIGNex1 and Hyundai Heavy Industries, two Korean companies that construct things for the military, have had malicious code planted within their computer systems.
 | | Defense Companies Hit By Malicious Code | |
So you know the (potential) scale of the problem: LIGNex1 deals with missiles, radar, and communications systems. Hyundai Heavy Industries is the world's largest shipbuilder. And it was the National Security Research Institute that found the malicious code. This sounds like the start of some near-apocalypse novel by Tom Clancy, right?
As for who planted the code, how they did it, and what files were affected, details are scarce right now. Chalk it up to government secrecy or (and this is a slightly scarier possibility) true ignorance at the same level.
Anyway, as reported by SC Magazine UK, a National Security Research Institute representative said, "The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen."
There are a few silver linings and good signs in all of this, however. One came as the spokesperson acknowledged, "It's shocking that our major defense industries are open to attacks from hackers and that our missiles are vulnerable to theft by cyber terrorists. A general review of our cyber security system is needed."
And in all honesty, having the blueprints to something doesn't necessarily mean that a person or country can build it. There are matters of resources and skill to consider, even as spy satellites presumably keep an eye on large factories and shipbuilding facilities.
Finally, at least the blueprints secrets were (maybe) stolen from companies connected to a close ally like South Korea, instead of a government less willing to cooperate with the U.S.
So, assuming we aren't all soon destroyed in either an economic or military sense, things at Korean defense companies may be better in the long term. And hopefully defense corporations located elsewhere in the world will also learn from this development.
After Airport Stop, Kevin Mitnick Shares Travel Tips
The next time you have to take off your shoes and belt at an airport, keep in mind that things could be much worse. You might get detained and questioned for four hours, for example, which is something hacker-turned-security-consultant Kevin Mitnick recently experienced on a return trip from Colombia.
 | | After Airport Stop, Kevin Mitnick Shares Travel Tips | |
People and companies needn't worry too much that Mitnick's fallen back to the proverbial dark side; accusations weren't really made, and charges were never brought. As told by Elinor Mills, his detainment instead seems like a cautionary tale about wrongful accusations and the defensive measures traveling computer owners should take.
Mills writes, "Agents from the Immigrations Customs Enforcement arrived to question him. They asked why he was in Atlanta and he told them; he was there to moderate a panel at a security conference sponsored by the American Society for Industrial Security. Asked for proof, he fired up a laptop to show them the itinerary in his e-mail. But when he clicked 'yes' to have Firefox clear his private data--an automatic response to a default setting--the agents snatched the laptop away from him, thinking he was deleting evidence."
So be careful about every click and keystroke, for one thing. Otherwise, "To protect his privacy and that of his clients, Mitnick encrypts all the confidential data on his laptops, transmits it over the Internet for storage on servers in the U.S., and wipes it from the computer before returning from any international trips, just in case officials decide to search or seize his equipment. He also encrypts his hard drive. And now, he says he is going to keep a 'clone' of his MacBook at home so he will have an exact duplicate of it if it is ever seized."
Depending on what sort of stuff you keep on your computers - and whether or not laws about laptop searches are changed - these steps may be worth imitating. The average business traveler isn't as likely to get stopped as Kevin Mitnick, of course, but the story seemed worth relating.
Oracle WebLogic Hit With Zero-Day Exploit
A workaround emerged from Oracle as news circulated of a remotely exploitable flaw, without requiring authentication, involving the WebLogic platform.
Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability.
SANS Internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication.
Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle.
The other workaround calls for an edit to httpd.conf and a restart:
It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:
LimitRequestLine 4000
See: Apache LimitRequestLine documentation for more information
Note: This parameter limits the maximum URL length to less than 4000 bytes.
The problem sounds like a buffer overflow, which IBM Xforce said is stack-based in nature. ZDNet noted Oracle has disclosed 112 vulnerabilities in its products in 2008.
The zero-day nature of the flaw's disclosure, and the lack of a need for authentication, makes it likely an active exploit will emerge. Web application servers like WebLogic regularly provide functionality to sites where financial details pass between visitors and the business site.
As such information holds great appeal for criminals, applying a workaround quickly should be a priority for security pros.
75 Percent Of World’s Spam Knocked Offline
Score one for the security industry-a big one, a massively ginormous and temporary strike against spam. A slew of security companies and the Washington Post tracked massive amounts of spam back to one San Jose-based hosting company, now offline, and 75 percent of the world's spam went offline with it-for about 12 hours.
 | | 75 Percent Of World's Spam Knocked Offline | |
But hey, that's a pretty good leap right?
Alert after alert went out about spam operations tracing back to McColo Corp. servers. Complaints were made to the company, which gave lip service about addressing the issue before simply moving offending clients to different addresses.
Spam traced back to McColo servers covered pretty much all forms, from pharmaceutical spam to child pornography hosted there. Upon the evidence, two providers, Global Crossing and Hurricane Electric took the company offline.
"MessageLabs documented a massive drop in spam volume to levels eight times less than typical volumes for a period of 12 hours immediately following the takedown before spam levels began to rise again, proving that taking out the kingpin members of the underground spam economy can have a massive effect on global spam levels," Matt Sergeant, Senior Anti-Spam Technologist for MessageLabs told SecurityProNews.
"First with Atrivo and now the demise of McColo is a testament to how community action is absolutely vital in the fight against spam."
Said community, which also includes the investigative security reporting from the Washington Post, was made up of SecureNetworks, FireEye, ThreatExpert, and SysInternals, and published data confirming McColo as the host for all of the top botnets.
It's unclear what, if any, criminal charges can be made against McColo. Most laws regarding hosting companies protect them from liability for third-party content. However, there may be grounds for exception if the company knowingly hosted illegal content, which in this case includes copyright infringing content and child pornography.
While this is a major coup, realists understand that massive takedowns like this only spread out offenders across the Web as they relocate to other dummy hosting providers. But recent actions by service providers and by ICANN, which used a contract breach to takedown a Russian network, have shown more aggression toward where malicious content is known to be hosted.
Indeed, researchers seem to be getting more skilled at locating, even manipulating sources of spam. For a recent study out of Berkeley and UCSD, researchers successfully hijacked the Storm botnet to study the profitability of spam. The study concluded it was unlikely offenders were spread out over third-party affiliate networks. Spammers and the malicious websites they attempt to lure people to were likely run by the same central operation. For example, to generate a profit, a pharmaceutical site selling knockoff drugs is likely to be run by the same people generating botnets.
In the future, then, it's likely security experts will find ways to target hives of malicious material, as it seems taking one offender down could be highly efficient.
Zombies, How to Fight Them
Just so you're warned: If the zombies come back it could be your fault. "It is only a matter of time until the next W32/ZMist heads our way," premonishes McAfee's Vinoo Thomas. And it could all be because of something stupid.
 | | Zombies, How to Fight Them | |
Thomas warns IT security may be so focused on the more sophisticated threats of the day-botnets, rootkits, and spyware-that they may be letting their guards down when it comes to good old-fashioned parasitic file-infectors out there in the wild. Such carelessness could result in "widespread damage to computer systems."
"We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network," writes Thomas in a free whitepaper he presented at the 3rd International Conference on Malicious and Unwanted Software. "And administrators are at their wits' end trying to figure how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect."
File-infecting viruses are on the rise, says Thomas, and they're getting more sophisticated, but IT administrators can avoid them with common sense practices. If for example an employee with low computer skills has managed to contract the simplest of worms, the virus is likely blocked from the company network for lack of administrator access to the network.
But what happens with apparent alarming frequency is IT administrators log onto the computer using their own account and password in order to address the employee's computer problem.
"[W]hen an administrator logs to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected-by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account."
He uses lots of other condescending adjectives like "dumbest" and "hapless" in his whitepaper, too. But he also recommends a course of action that mimics systems in place at McAfee. Thomas proposes using area networks (VLANs) technology to mass deploy a SAMBA-based honeypot to the entire site. In addition, Thomas recommends setting up a server message block (SMB) based sniffer to capture file-infector activity.
Maybe then you won't be the hapless harbinger of network-brain-eating zombies.
AVG Update Labeled Windows File As Trojan
File this one under super embarrassing: Some users of the latest two versions of AVG's free virus scanner ended up with a computer in eternal boot mode. The antivirus software had falsely identified a critical Windows XP file as a Trojan virus.
 | | AVG Update Labeled Windows File As Trojan | |
And when you remove that, see, Windows doesn't work anymore.
Alarms went up soon after the release of an update to AVG 7.5 and 8.0, when forum posters reported an incorrect virus signature identifying Windows XP file user32.dll as containing Trojans PSW.Banker4.APSA or Generic9TBN. AVG recommended deleting this file, which is a really, really bad recommendation.
Fortunately English speakers, the problem only affected users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.
AVG was pretty quick about addressing the problem, even though it was the middle of the night in Amsterdam, so kudos to them on that. The company confirmed it was a false positive and offered instructions for how to fix the problem from safe mode or recovery console. Soon after that, they issued this press release:
AVG is actively working to remedy the problem some users are experiencing related to the most recent update to commercial and free versions of AVG 7.5 and AVG 8.0 in some languages. A number of users who installed the update mistakenly received a warning that the Windows system file user32.dll product version 5.1.2600.3099 was infected with a Trojan virus and were prompted to delete a file essential to the operation of Windows XP.
The problem only affects users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.
AVG is taking these steps to assist users in remedying the problem:
- Immediate release of a new update to correct the problem.
- Creation of a specific informational section on the AVG website that enables users to resolve the problem.
Affected users should follow the weblinks below for further information and to download the fix tool:
(1) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll
(2) http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll - fix tool
Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them. After running the fix tool, users should run the AVG update program to download and install the correct AVG update.
AVG sincerely regrets the inconvenience users have experienced. We are working to remedy the problem and ensure that any other potential vulnerabilities are identified and eliminated before they can impact users.
Spam Alert: Obama In Sex Tape Scandal (Again)
Malicious spammers/hackers are continuing their efforts via shocking Obama-related subject lines. And why not? With a success rate of 1 in 12.5 million, that's at least 30 dopes in the US who might fall for it.
 | | Spam Alert: Obama In Sex Tape Scandal (Again) | |
Apparently, thanks to Bill Clinton perhaps, Democrat President is synonymous with pervert. The recent rash of malicious emails come with the promise of a Barack Obama sex tape.
The text of the email reads: "Barak Obama p0rn video, file attached, watch him".
Once again they've proven their skill with spelling, and this particular strategy isn't new either. They tried it back in September, too, at the beginning of the great political spam surge.
Attachments to the emails prompt the download of a zip file labeled zeland-01.zip, but Sophos says it's actually Troj/Agent-IDO Trojan horse.
According to a recent BBC report, it doesn't take much to encourage spammers to continue. What we might consider utter futility they view as reasonable return on investment, at least as far as closing an actual sale. Researchers found that out of 350 million spam messages sent, 28 sales resulted.
It's unclear how much malware makes it through.
This week it was an Obama sex tape, and last week was a fatal heart attack (they said "heart stroke") for one John McCane. Uncanny name. Fortunately, John McCain is still alive and ticking. Perhaps the heart attack was caused by the news of Cindy McCane's private video.
Express Scripts Reports Massive Data Breach
Pharmacy benefit management company Express Scripts sent out warning that millions of patient records could be exposed by extortionists following a data breach.
 | | Express Scripts Reports Massive Data Breach | |
The St. Louis-based company received a ransom note from an unknown entity asking an undisclosed sum of money to prevent the leakage of the records. The letter included the personal information of 75 Express Scripts members, along with their names, birthdays, social security numbers, and some prescription information.
The company notified affected members along with the FBI and began conducting its own internal investigation regarding the information in the letter, which arrived in early November. The company said it wanted to give authorities a chance to be on the trail before alerting the rest of the public.
We have been conducting a thorough investigation since we received this threat and we are taking it very seriously," said George Paz, chairman and chief executive officer. "We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act."
Paz called the breach and threat "outrageous."
The company has set up a special website for members looking to get more information about the data breach. The web address is www.esisupports.com.
"As security experts know," said Paz, "no data system is completely invulnerable.We continue to conduct our investigation. We are notifying our members and clients to enable them to take steps to protect themselves from possible identity theft."
|
