
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


From Rock to Quicksand

Microsoft's termination of mainline support for Windows 2000 might be coming back to bite them. A couple of known flaws in various Windows services could result in the total compromise of Windows systems, including Windows 2000, XP, and 2003. The vulnerabilities have not been publicly identified, but it is only a matter of time until the hacking community discovers and exploits them, or the information leaks from the researchers who found them. Apparently the vulnerabilities reside in a core service of the NT-derived Windows OS variants, one which cannot simply be turned off. Because Microsoft has terminated mainline support for Windows 2000, this suggests that there will not be any patch or service pack released to fix the issue for Windows 2000. Security patches, however, will continue to be released, but the initial reporting suggests that a simple security patch is not going to be sufficient. Hopefully this is not the case, as many users have decided to stay with Windows 2000 because it works, and it would cause major problems if a worm as virulent as Blaster managed to exploit these vulnerabilities. The problem with the Blaster and Sasser worms was that they were poorly designed, forcing a local denial of service, whereas a well-designed worm would have resulted in a complete stealth takeover of the PC, which is the big risk with the new vulnerabilities. Paralleling this system flaw is an unpatched vulnerability in the handling of .mdb files (Access files), which can allow for complete compromise of a system. Again, this flaw affects Windows 2000 and later, and Microsoft Access and Office from version 2000 onward. This flaw was initially publicly identified in April, and exploit code is beginning to appear on various mailing lists.

Details emerged last week of a set of techniques to capture information that is entered via software keyboards, particularly those used in various online banking logins. A software keyboard is a representation of a keyboard that appears on the screen, and users click on the on-screen keys that correspond to their password / PIN. They have been designed to stop keyloggers capturing banking login details as a user types them on the physical keyboard. The suggestion is that keyloggers are evolving to incorporate these new techniques (which will not be published here), effectively neutralising the protection offered by the software keyboard. Even though these techniques are new, there have already been worms released which have targeted various implementations (such as eGold), but they have not been all that widespread in terms of infection rates.

Researchers in the USA and Japan have recently published papers describing methods that could be used to identify and avoid the passive network monitoring tools used to track Internet threat emergence. Centres such as the Internet Storm Centre, operated by the SANS Institute, use networks of systems that monitor various Internet addresses and track the traffic patterns being sent across them. These loose global networks are comprised of machines whose physical and network locations are kept secret, in order to prevent poisoning of results or avoidance of detection. The methods described in the papers suggest that it could take as little as a week for an attacker to determine the location of these machines and map out their network. The implications of this are important, as the information gleaned from these networks could be compromised through a number of methods. A rapid-spreading worm could specifically avoid propagation to those addresses, giving the worm more of a time advantage before defences are organised. Conversely, the monitoring network could be flooded with fake data, neutralising its effectiveness at identifying emerging threats, which could then allow a real threat to gain a sustainable foothold before a response can be arranged.

The Cisco vulnerability presentation that was reported on last week continues to cause trouble for various groups. Increasing numbers of companies and security firms are getting edgy while they wait for malicious hackers to automate an attack against the Cisco IOS operating system, which runs on most Cisco hardware. The chest beating continues from various people and groups who feel threatened by a threat they can do nothing about, have no idea how to address, but still feel the need to add their voice to the current cacophony. The responses are an interesting mix of fear, alarm, calmness, irrationality, and level-headedness, and reporting of other security vulnerabilities has essentially dried up as people rush to investigate the vulnerabilities which could bring the Internet to its knees.

Following on from the vulnerability news, Cisco's main website was announced to have been vulnerable to an SQL injection attack (manipulating the back-end database through the web page), which potentially exposed the entire account database (particularly passwords). Users who held an account with cisco.com were presented with a dialogue advising them that their password had been reset, and would be available to be sent to the email account they had originally registered from. The freeze on logins caused trouble, as this site is where patches, bug reports, and other support items are available from. It was suggested by some inconvenienced users that whoever compromised the cisco.com passwords could potentially have access to passwords for multiple client systems, such as corporate networks, and that cisco.com account holders should start changing their passwords. This last point is not a failure of Cisco; rather it is a failure of the security practices of users who maintained similar (or the same) passwords for multiple services.

The requirement for account holders to email from the address that registered the account has also been shown to be inadequate. Testing by a number of parties indicated that spoofed From: and Reply-To: headers would allow a hacker to obtain the new password for a Cisco account holder, since those headers are set by the sender and prove nothing about who actually controls the mailbox. It has been suggested that more than 3 million accounts were directly affected by this recent breach, which is enough to cause worry amongst many customers.
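As an added illustration (not part of the original post, and not Cisco's code), here is a minimal account-recovery flow in Python that addresses both weaknesses described in the two paragraphs above: the account lookup uses a parameterised query rather than string-built SQL, and the reset credential is never handed out on the strength of a request's From: or Reply-To: address; instead a single-use, time-limited token is sent only to the address already on file. The account table, token lifetime and all names are constructed assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory account table standing in for a support-portal user
# database (hypothetical schema, not any real site's).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT)")
db.execute("INSERT INTO accounts VALUES ('alice', 'alice@example.com')")

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)
pending = {}     # SHA-256(token) -> (username, expiry); hashes only, so a
                 # leaked copy of this table yields nothing redeemable

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def lookup_email(username):
    # Parameterised query: the username is bound as data, never spliced into
    # the SQL text, so input like "' OR '1'='1" cannot alter the statement.
    row = db.execute("SELECT email FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None

def request_reset(username, now=None):
    """Return (recipient, token), or None for an unknown account.

    The caller mails the token to `recipient`, the address already on file.
    Nothing supplied by the requester, in particular the From: or Reply-To:
    header of an e-mailed request, decides where the token goes. The outer
    layer should answer identically in both cases to avoid account enumeration.
    """
    now = time.time() if now is None else now
    email = lookup_email(username)
    if email is None:
        return None
    token = secrets.token_urlsafe(32)
    pending[_digest(token)] = (username, now + TOKEN_TTL)
    return email, token

def redeem(token, now=None):
    """Return the username for a valid, unexpired token, else None.
    pop() makes every token single-use; an expired one is discarded as well."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```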

The latest fad in Internet technology, after podcasting over RSS, is VoIP (Voice over IP). Although it has been growing quietly for a while, VoIP is starting to hit the mainstream, but there are problems that all potential VoIP users should be aware of. Because VoIP uses a transport mechanism that is NOT designed for a continuous stream of information, there is a risk of loss of information. According to an article at Security Pipeline, as little as a 1% loss of information can start to cause trouble with call integrity, with a 5% loss effectively destroying the usefulness of the transmission. The packets used for transmission are designed to survive arriving out of order, which a continuous stream of speech is not able to tolerate. The other downside listed by the article, which VoIP providers tend to gloss over, is the insecurity inherent in the system. There is no native encryption on the packets, allowing a growing number of tools to eavesdrop on VoIP connections with complete success (without the users being aware of it). Encryption options add a noticeable lag to transmission, which can be unsuitable for a number of users. The technology is also prey to the same problems affecting routine HTTP traffic (i.e. normal web traffic): slow networks, Denial of Service attacks, client-side malware, and power outages removing service. In a closed system, where integrity can be achieved, VoIP is a viable solution (even though it eats bandwidth), but the technology still has a little way to go before it is ready for prime time usage.

As a follow-up to the earlier reported breach of up to 40 million credit cards through the processing firm CardSystems, the company claimed at the US Congress hearing convened to cover the issue that it was not their fault that they had been breached; it was the fault of the auditors and consultants they had brought in to conduct a CISP audit on their systems. Never mind that the audit was 17 months before the breach was initially reported, and there is no indication that the audit covered all systems belonging to CardSystems rather than just the payment processing systems (the breach was from a separate system which had been storing the numbers for later analysis). As was suggested earlier, this is one element of the blame game, as the different parties involved point their fingers in all directions except at themselves, never accepting responsibility for their own actions.

A recent Internet Storm Centre Diary entry gave a disturbing example of just what information might be extractable from a simple Google search on a person. The information that was demonstrated was sufficient to carry out multiple types of fraud, from financial fraud through to complete identity theft. Even if you are being careful with your online data entry, you should always be cognisant of the fact that you won't always have control over the personal information about you that is exposed online. Different Government agencies and bodies may place various records online with only partial information disclosed, but these can then be cross-referenced with other results to develop a complete picture. Even though this information has always been available, it hasn't always been so readily available (i.e. for free, and to everyone).

On a slightly more fun note, a new record has been set for a high-speed wi-fi connection over distance, at the annual BlackHat DefCon gathering in Las Vegas. The winning team utilised standard wi-fi cards, spare satellite dishes, and a lot of clever thinking to develop a system which could happily sustain an 11 Mbit connection for over 3 hours over a 125 mile (200 km) range, with an observable lag of 12 ms. The team that achieved the result believe that they can stretch the distance out to 300 miles, although the curvature of the Earth starts to affect transmission capabilities, and the 2.4 GHz wi-fi frequency is not able to bend through the atmosphere too well.

8 August 2005


