Fun With Numbers
The technologies used to deliver Internet content, such as HTML, are open to interpretation by the browser vendors, each of which strives to produce a browser that renders content consistently. As a result, different browsers rely upon different rendering engines, and the presentation of a website will differ from browser to browser: a site may not render correctly in Firefox yet render correctly in Safari. Bodies interested in establishing consistent, standards-compliant rendering have little sway with software developers, but their tests provide interesting insights into browser differences. For example, CSS rendering can be checked against the Acid and Acid2 tests, which establish how closely a browser follows the W3C specifications, and web pages can be validated for accurate HTML, XHTML, and CSS to help determine how they should be rendered.
Several months ago, a toolset was released to the security community that feeds malformed HTML to a browser and observes whether it crashes or hangs (usually the first step towards an exploitable issue). Bugs identified this way have since been fixed in a number of browsers, and some minor exploits were released that played off the issues discovered. The same people responsible for that tool have now turned their attention to image handling by browsers. Unlike the corrupted-HTML tests, pages carrying intentionally corrupted images will still render (with images turned off), but will cause various browsers to crash or hang when they attempt to decode the images. The release of this tool caused some consternation amongst security researchers: it highlighted serious vulnerabilities in popular browsers, the corrupted images were far more trivial to produce than the corrupted-HTML test cases, and detection is next to impossible without actually attempting to decode the image.
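The column does not name the image-corruption toolset or say how it builds its samples, so what follows is an added Python example rather than that tool's code. It generates a small valid PNG in memory (the seed image is constructed inline) and then damages it in the ways file-format fuzzers typically do: a structured mutation that writes absurd IHDR dimensions and recomputes the chunk CRC so a decoder that checks CRCs still has to act on the values, a structural mutation that declares a chunk length running past the end of the file, and random bit flips for comparison. The chunk layout (length, type, data, CRC32 over type and data) is the PNG specification's; which samples, if any, upset a particular browser is not something this page establishes, and the script makes no such claim.

```python
# Added illustration of corrupted-image sample generation; not the toolset
# referred to in the column. The seed PNG is constructed here, not captured.
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed seed file: a valid 8-bit RGB PNG filled with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines))
            + png_chunk(b"IEND", b""))


def parse_chunks(png: bytes):
    """Walk the chunk list, returning [(offset, declared_length, type, data, crc_ok)].
    A declared length that runs past the end of the file is recorded (crc_ok False)
    and the walk stops rather than raising; that condition is exactly what the
    overlong-length mutation below produces."""
    chunks = []
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc_field = png[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(data) == length and len(crc_field) == 4
                  and struct.unpack(">I", crc_field)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF))
        chunks.append((pos, length, ctype, data, crc_ok))
        if len(data) < length:
            break
        pos += 12 + length
    return chunks


def ihdr_dimensions(png: bytes):
    """Read (width, height) back out of the first chunk, which must be IHDR."""
    _, _, ctype, data, _ = parse_chunks(png)[0]
    if ctype != b"IHDR" or len(data) < 8:
        raise ValueError("malformed IHDR")
    return struct.unpack(">II", data[:8])


def set_ihdr_dimensions(png: bytes, width: int, height: int) -> bytes:
    """Structured mutation: rewrite width/height and recompute the CRC, so a decoder
    that verifies CRCs still accepts the chunk and has to act on the absurd values
    (for instance when sizing a width*height*bytes_per_pixel buffer)."""
    off, length, ctype, data, _ = parse_chunks(png)[0]
    if ctype != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    new_data = struct.pack(">II", width, height) + data[8:]
    return png[:off] + png_chunk(b"IHDR", new_data) + png[off + 12 + length:]


def inflate_chunk_length(png: bytes, index: int, new_length: int) -> bytes:
    """Structural mutation: declare a chunk length larger than the bytes that follow,
    leaving type, data and CRC untouched. Exercises the reader's bounds checks."""
    off = parse_chunks(png)[index][0]
    return png[:off] + struct.pack(">I", new_length) + png[off + 4:]


def random_bit_flips(png: bytes, count: int, seed: int = 1) -> bytes:
    """Unstructured mutation for comparison: flip random bits after the signature."""
    rng = random.Random(seed)
    buf = bytearray(png)
    for _ in range(count):
        i = rng.randrange(len(PNG_SIG), len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    return bytes(buf)


def corpus(seed_png: bytes) -> dict:
    """Labelled samples in the shape a file-format fuzzer would write to disk."""
    return {
        "baseline": seed_png,
        "huge_width": set_ihdr_dimensions(seed_png, 0xFFFFFFFF, 1),
        "zero_height": set_ihdr_dimensions(seed_png, 1, 0),
        "idat_overlong": inflate_chunk_length(seed_png, 1, 0x7FFFFFFF),
        "bitflips": random_bit_flips(seed_png, 8),
    }


if __name__ == "__main__":
    # Writes the samples next to this script; reference them from a test page
    # (images enabled) to observe how each browser handles them.
    for name, blob in corpus(minimal_png()).items():
        with open(f"fuzz_{name}.png", "wb") as fh:
            fh.write(blob)
        print(name, len(blob), "bytes")
```

The distinction between the two targeted mutations is the useful part: the dimension rewrite keeps the file syntactically clean so the damage reaches the decoder's allocation and scanline logic, while the overlong length stops at the chunk reader's bounds check. Random flips are cheap but mostly land in compressed IDAT data, where zlib rejects them before any image code runs.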
For the end user, it is important to apply caution to your online actions and to be aware that your browser could be crashed or compromised without you being able to stop it. There is little more you can do until the browser vendors release patches to fix the flaws, short of switching to a less vulnerable browser or a less vulnerable operating system. In reality, the rate of exploitation will most likely be low, but the chance exists that a major infection and exploitation vector has just been opened. Fears like this have started to force people offline, as they begin to feel real risk from the numerous vulnerabilities in existence.
Following the debacle at CardSystems, in which more than 40 million credit card details were compromised, Visa has cut its business with the company. According to The Register, Visa USA has given 11 banks until the end of October to switch their payment processing away from CardSystems. If other credit card providers follow the same steps, the future of CardSystems as a company could be threatened.
In privacy breach news, the University of Southern California recently admitted to a breach of its network which could have exposed the application data of more than 250,000 people, including that staple of identity theft, the Social Security Number (SSN). The University was unable to verify how many records had been compromised because it had no ability to track which records had been accessed. It was believed that there was no mass theft of records, because only random records were available at any one time (although automation can overcome this limitation). The University was also unable to verify exactly whose records had been compromised.
As a result of a breach reported earlier this year in this column, ChoicePoint has announced that it incurred a $6 million USD cost in the second financial quarter, on top of $5.4 million USD in the first quarter. Spread across 145,000 individual records, that works out to roughly $78 USD per record in direct cost to ChoicePoint. Analysts reporting on the case have noted that breaches of personal information are becoming more costly to the companies at fault because of added reporting requirements, such as those laid down by California's SB 1386 and similar laws. The result is that breaches which have been ongoing for a long period are now being publicly announced rather than quietly absorbed.
A low-threat worm currently doing the rounds of the AIM messaging network tries to trick users into believing it is related to Apple's iTunes. Arriving as a message titled 'This picture never gets old', it directs victims to download a file named iTunes.exe which, when executed, downloads a number of spyware applications and joins the affected machine to a network of zombie machines also infected with the worm.
Results of a recently published survey suggest that a third of workers with email access abuse the privilege to send inappropriate emails, even where this is expressly prohibited by corporate policy. Despite a third of workers abusing the system, only ten percent knew of a case where someone had been terminated as a result of abusing corporate email. Although the survey focussed only on UK workers, it is reasonable to assume that similar levels of inappropriate usage exist in other countries and organisations.
Another recent UK survey is the latest of several to suggest that concerns about online identity theft are driving people away from online commerce. Around 15% of respondents have stopped making telephone-based purchases, with a similar number having stopped online purchasing and banking. The younger age groups were more likely to have ceased telephone-based purchasing, whilst the oldest age group was more likely to have ceased Internet-based commerce and banking. The survey operators indicated that these figures cover people who have completely ceased transactions through those mediums, not those who have merely cut back. Even with these numbers, online purchasing is increasing in overall value.
Sticking with surveys of online activity, a US survey suggests that around $200 billion USD in productivity is lost each year to employees surfing the web at work. The survey has been debunked by a number of groups, who counter that there is no empirical data to back it up. Two major red flags discount the validity of the results. The first is that it was sponsored and published by the same company that sells solutions for cutting down on web surfing at inappropriate times. The second is that the actual survey figures indicated half of the headline amount, with the balance made up from the impressions of management.
A Ukrainian man was arrested earlier this month for his role in setting up CarderPlanet.com, a trading site for stolen credit card numbers. At its peak, the site had several thousand active members and traded millions of account details. Despite the site having been closed since last year, law enforcement agencies continued to track down its originators, and one of the site's high-ranking members is already serving time in a prison in England, having pled guilty to fraud and money laundering. The organisation behind the site was largely Russian and Eastern European, and law enforcement agencies are suggesting that there may be more arrests to come in Ukraine in connection with the site.
In a case of excellent timing, ZDNet is reporting that AusCERT may be facing an existential crisis with the suggested creation of a GovCERT body as part of the Australian Government's response plan for 'cyberterrorism' attacks. The Full Disclosure mailing list recently had an active discussion regarding the usefulness of multiple agencies in the US, which has CERT, CIAC, CVE, ICAT, and US-CERT all operating in the same sphere. The introduction of a GovCERT alongside AusCERT should not mean that one has to cease to exist: the US experience indicates that the multiple agencies each have their own focus, despite overlapping areas of responsibility, and can operate relatively well alongside each other. AusCERT took a defensive stance in the ZDNet article, basically claiming that because it was there first, GovCERT isn't required. Comments by industry analysts further down the article suggested that there is room for both organisations, although the current mindshare is with AusCERT.
The popular open source alternative browser, Firefox, was subject to a number of minor vulnerabilities in its latest release (1.0.5), affecting a number of extensions and localisations. One of the most popular extensions, Greasemonkey, which allows client-side (on your computer) modification of web pages through user scripts, has recently announced a major vulnerability which affects all versions. Through its scripting capabilities, Greasemonkey can be used to automatically fill out forms, remove advertising, change links to pass through a proxy, or any number of other uses. Unfortunately, this flexibility is matched by an ability to expose the contents of your local hard drive to any site that you view with Greasemonkey enabled. The nature of the flaw allows this to be done silently, irrespective of operating system (yes, it affects Linux and OS X systems as well as Windows), and opens the window for much worse exploitation by those with malicious intent. To overcome the issue, users should either uninstall the Greasemonkey extension, or upgrade or downgrade to version 0.3.5, which disables the functionality exploited in this case.
25 July 2005