
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Much to Think About

Microsoft has released advance notice that nine patches will be released with the October Security Patch release (Tuesday). Eight of the patches are for the core Operating System, while the ninth is for Microsoft Exchange as well as the core Operating System. Given the short timeframe between patch release and exploitation for the August patches, it is very strongly recommended that all Microsoft Windows users apply the patches as a matter of some urgency following their release. Most of the patches will be rated critical, which is Microsoft's highest vulnerability rating.

Following on from their recent attacks against OS X and Open Source Software users, Symantec has brought a complaint against Microsoft to the European Commission Anti-trust regulators. The cause for this latest maneuver is the proposed Anti-virus and Anti-spyware offering from Microsoft, which is expected to reach specified clients by the end of 2005, and is expected to be bundled with the next version of Windows, Vista.

Symantec's complaint is that Microsoft is about to abuse their monopoly position, to the detriment of the other companies (in particular Symantec) in the Windows-based Anti-Virus market. Observers suggest that it is a sign of Symantec losing their cool with the situation, given their historical revenue base in the Anti-Virus sector.

While it is not likely that Symantec is about to be shut down (they have significant income from other divisions), they definitely appear to have been rattled. Other observers are not surprised, given Microsoft's historical trend of unethical business practices when it comes to business partners.

Unfortunately, Microsoft has always been in a tight situation with their monopoly position. People are ready to complain about the poor security record of Microsoft's products, but when they make an effort to release a product which addresses the issues, more people complain that they are shutting out the other companies that have established themselves in a niche position to address the deficiencies of the Microsoft products. The problem is that Microsoft tends to bundle their software in with the Operating System, which effectively shuts out the commercial competitors. If they released their products on a commercial basis, then it is likely that most of the issues would be resolved.

The upcoming Microsoft Anti-Virus solution is too late for the current exploits doing the rounds. Exploit code for a Windows XP Wireless Self-Configuration Service vulnerability has surfaced and it is considered only a matter of time before an automated tool appears to allow attackers to easily attack Windows XP systems on wireless connections. It is very strongly recommended that all Windows XP system users who connect to the Internet through a wireless connection consider the use of a wired connection until Microsoft can release a patch to resolve the issue.

What appears to be a well-developed version of the 'Sober' email worm appeared towards the end of last week. Under the new CME numbering system, this version has been allocated the identifier CME-151. Initial research suggests that the worm selectively chooses email addresses from vulnerable systems, rather than blasting all addresses found. Appearing in both German and English variants, the software attempts to turn vulnerable systems into spam-spewing zombies as part of a hacker's bot network. The email it arrives in purports to concern either a class reunion or a password change. Either way, it is a constant reminder for users to be extremely cautious about opening attachments received in email.

A potential outcome of worms like Sober is a so-called zombie network, over which the hacker has complete remote control. The Dutch have recently closed down a zombie network of more than 100,000 systems, arresting three men over the issue. According to the news reports, the particular malicious software used in the case was Toxbot, a piece of malware which affects Windows-based computers. In addition to providing control of the system to the remote hackers, the Toxbot malware also included keylogging capabilities, and the accused are suspected of gaining access to several eBay and PayPal accounts to perpetrate financial fraud.

The zombie network was used in at least one Distributed Denial of Service (DDoS) attack against an unnamed US company, with the possibility that many more attacks were carried out using the network. Dutch law enforcement, in conjunction with a number of ISPs, has dismantled the network, preventing further abuses from that particular zombie network. While it may only be a drop in the ocean, it's a good start.

Windows-based systems have not been the only devices which have faced threats from worms over the last week. Following disclosure that an exploitable buffer overflow existed in the firmware for the PlayStation Portable gaming system, a small community of people excitedly began developing tools and software to allow users to develop their own content to run on the PSP. In recent days a new software tool, claiming to be from the 'PSP Team', has surfaced which deletes essential Operating System files once it is executed. This normally turns the PSP into an expensive paperweight, as the device is rendered unbootable. It is not known whether there will be any official support for users who have encountered this issue, as it requires users to actively seek out the software, download it and execute it before it causes any damage.

Even with the new vulnerabilities being exploited, new email worms surfacing, and other threats facing online users, sometimes the greatest threat comes from those who control the actual hardware which comprises the Internet. Although the Internet is ideally a 'mesh' network for maximum flexibility, in reality it is more of a 'distributed' network, with a number of key points through which the majority of the Internet's traffic flows.

The owners of these key points are generally known as 'Tier 1' ISPs, major providers to smaller ISPs and other customers; essentially they own the key infrastructure that the Internet relies upon. Starting early last week, a disagreement between two of these Tier 1 ISPs turned nasty when one shut off its 'peering point' (the link through which traffic flows from one ISP to the other) with another Tier 1 ISP. The risk is that end users of the two ISPs (or customers of the ISPs' clients) will find a whole swathe of Internet address space no longer reachable (even with the proper IP addresses). It is not known whether the two ISPs (Level 3 and Cogent) have resolved their differences, or what the long term effects will be. Calls have been made for the management of the higher level services to be government controlled / regulated.

In the short term, the connection has now been re-established, but the warring parties have only been given a month before the larger ISP closes the connection for good. At the heart of the issue are claims over payment for the bandwidth being used, or rather, the lack of it. The practical effects of the peering point closure have been felt by many Internet users, with site load times extended significantly as a large chunk of the Internet network space has vanished, and a number of sites completely unavailable, while a large number of the warring ISPs' customers have effectively found their Internet access shut off.

The Chief Information Officer of the US Army has recently released a plan which provides 500 days to upgrade the US Army Information Technology Internet-based infrastructure to provide combat troops with better combat communications. The LandWarNet system, a part of the US Department of Defence's global information network, is set to provide upgraded voice, video and data capabilities to local commanders and individual troops.

The 500 day schedule is extremely optimistic, and there was little coverage of the issues that are plaguing the existing information infrastructure that the US military uses.

While the concept of network-centric warfare is one of the goals that most Western military forces are headed towards, the practical implementations to date have been less than impressive. With everything on the battlefield networked, available bandwidth and information overload become a significant factor.

During the initial phase of operations in Afghanistan, the US discovered that their bandwidth capability was rapidly saturated, even without all of the fancy network-centric warfare devices online. The other concern is what happens to all the content that is pushed through the bandwidth: the human processors of the information cannot be upgraded to process the information faster, and electronic devices have their drawbacks in terms of raw processing power, so useful information is lost, and the risk of friendly fire incidents increases.

Unless the US military is maintaining its own separate truly mesh network, this new plan runs the same risk of disruption that was recently experienced by the civil networks with the Tier 1 ISP arguments.

A fairly controversial argument that originally started in August has resurfaced and has attracted some interesting discussion. What began as a discussion about the validity of the procedures currently used by law enforcement agencies for Information Technology forensics has re-emerged with the suggestion that a number of suicides have been linked to improper forensics work surrounding the cases identified.

It was suggested that the suicide of a senior British Naval figure in Gibraltar can be directly linked to the poor forensic data, and the leak of unverified information (which was later quashed). Other contributors to the discussion suggest that suicides in Italy have been linked to similar incidents. The claims have been dismissed as fanciful by other contributors, but it does at least appear feasible that the claims are true.

A current case that appears to fit the pattern of poor forensics follows on from news earlier this year, where an English Information Security contractor was arrested for using a command line browser to access a website that was established to accept donations following the 2004 Tsunami. A guilty conviction has now been handed down to the accused. Strangely, the conviction is under the Computer Misuse Act, even though the actual justification returned for the guilty verdict was 'lying' to police following the initial arrest.

The verdict has worried a lot of observers, who believe that the charged individual only took reasonable steps to verify the authenticity of the website when he became concerned that his donation was being sent to a phishing site. It has not been determined whether there was any material change to the statements that were initially recorded, and it is worrying many more observers that the accused's various statements were similar, differing only in usage of technical terms and minor details. The concern is that the various law enforcement agencies are not adequately trained to recognise multiple different ways of describing the same technical procedure.

For readers who wish to discover some of the details behind the case, the website in question was http://www.dec.org.uk, a website that is managed by British Telecom for the Disasters Emergency Committee in England. While bad web design is not a crime (yet), the poor design of the main and donation pages is a good first indicator that a site requesting money may not be all above board. The second strong indicator is the change of domain between the main dec.org.uk site, and the actual payment site, hosted on securetrading.net.

An initial step to verify the identity would be to look at the records of who owns the domain dec.org.uk, which checks out. The payment page (securetrading.net), on the other hand, claims to be a UK company, but doesn't hold a .*.uk domain, was registered outside of the UK, and has obscured details in the records of domain ownership. According to those who have stepped through the process, checking the records at Companies House (where all UK companies must be registered) for securetrading.net shows that it is owned by another company, UC Media, which doesn't really exist, except as UC Group Ltd. To make matters even more interesting, UC Group has two insolvency notices listed against it in the Companies House records.

Having just provided approximately $100 AUD in donations (and a credit card record) to a site which doesn't appear to be legitimate, and having done so just before a long weekend, the convicted individual could reasonably expect to be concerned about where his records were going to end up. The 'hack' that he is claimed to have used is a simple URL modification to verify that the parent directories do in fact belong to the same site. Many phishing sites will fail this simple test, and this will generally provide a means to determine which institutions are targeted by a phisher, as well as identifying who owns the top level site.
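The two checks described above, a donation form that submits to a different registrable domain than the page it sits on and the walk up the parent directories, as an added Python example that is not from the original post and does not touch the real DEC site (the sample page, domains and the small suffix table are constructed for illustration):

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: a toy suffix table stands in for the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"org.uk", "co.uk", "ac.uk", "gov.uk", "com.au"}

def registrable_domain(host):
    """Owner-level domain, e.g. www.dec.org.uk -> dec.org.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

class FormActionParser(HTMLParser):
    """Collect the action URL of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]

def payment_domain_mismatches(page_url, html):
    """(form action, its registrable domain) for every form that submits to
    a different owner than the page it appears on: the 'change of domain'
    indicator discussed above."""
    parser = FormActionParser()
    parser.feed(html)
    origin = registrable_domain(urlparse(page_url).hostname)
    found = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        owner = registrable_domain(urlparse(target).hostname or "")
        if owner != origin:
            found.append((target, owner))
    return found

def parent_urls(url):
    """Parent-directory URLs of a page, nearest first: the addresses one
    would load to confirm they belong to the same site as the page."""
    p = urlparse(url)
    segments = [s for s in p.path.split("/") if s]
    return [f"{p.scheme}://{p.netloc}/" + "/".join(segments[:d]) + ("/" if d else "")
            for d in range(len(segments) - 1, -1, -1)]

# Constructed sample page (not the real DEC site): the card form posts elsewhere.
SAMPLE_URL = "http://www.example-charity.org.uk/appeal/donate.html"
SAMPLE_HTML = """<html><body><form action="/appeal/contact"><input name="email"></form>
<form action="https://pay.example-payments.net/cgi/card"><input name="card"></form>
</body></html>"""
```

A mismatch is only an indicator, as the page says: a legitimate charity may well outsource card handling, so the hit is the cue to check the ownership records, not a verdict.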

There are two key lessons to take from this. Firstly, don't lie to law enforcement agencies, and secondly, be very careful when typing in website addresses by hand: you may trip an over-sensitive security system and end up in handcuffs.

While too late to help out in the above case, an interesting article was recently published which outlines a basic approach to profiling phishing attacks. By comparing the details of new phishing messages, along with the sites that they link to, with previous known attacks, it is possible to build up a basic appreciation of repeat phishers and of emerging techniques that are gaining widespread use among phishers.

Although this cannot readily be turned into a positive identification of the actual people behind the attacks, it can be used to identify collaborative efforts and sources.

This sort of technique works well because humans are creatures of habit, and naturally lazy. Once they have found something that works, and are comfortable with a few approaches that have been known to be successful, the phisher is more likely to reuse the same techniques in the future, with only a minor modification. Similar techniques can be applied to website defacements, tracking and identifying which groups are actively defacing websites, and how they are achieving it.
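The comparison described above, as an added Python example that is not from the article referred to: each sample is reduced to a feature set (subject words, sender TLD, a normalised link template and the fields the landing page asks for) and scored against a catalogue of earlier attacks by Jaccard similarity, so that a kit reused with a new host and victim id still matches its earlier appearance. The catalogue entries, addresses and threshold are constructed for illustration.

```python
import re
from urllib.parse import urlparse

def url_template(url):
    """Reduce a phishing link to its structural shape, so that per-victim
    links from one kit compare equal: the host is kept only as a label
    count, long hex tokens and numbers are replaced by placeholders."""
    p = urlparse(url)
    labels = len((p.hostname or "").split("."))
    path = re.sub(r"[0-9a-f]{8,}", "<HEX>", p.path.lower())
    path = re.sub(r"\d+", "<N>", path)
    keys = sorted(re.findall(r"([^&=?]+)=", p.query))
    return f"{labels}:{path}?{','.join(keys)}"

def profile(msg):
    """Feature set for one sample: subject words, sender TLD, link template
    and the fields the landing page asks for."""
    feats = {"subj:" + w for w in re.findall(r"[a-z]+", msg["subject"].lower())}
    feats.add("from_tld:" + msg["from"].rsplit(".", 1)[-1].lower())
    feats.add("url:" + url_template(msg["url"]))
    feats |= {"field:" + f for f in msg["fields"]}
    return feats

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def match_known(sample, known, threshold=0.5):
    """Score a new sample against catalogued attacks; returns (label, score)
    for every catalogue entry at or above the threshold, best first."""
    p = profile(sample)
    hits = [(label, jaccard(p, profile(k))) for label, k in known.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed catalogue and sample (not real campaigns, hosts or addresses).
KNOWN = {
    "bank-kit-aug": {"subject": "Account Verification Required",
                     "from": "security@notify-bank.biz",
                     "url": "http://203.0.113.10/bank/login/verify.php?id=8813",
                     "fields": ["user", "pass", "card"]},
    "auction-kit-sep": {"subject": "Your auction account suspended",
                        "from": "support@auction-help.info",
                        "url": "http://auction-help.info/cgi-bin/signin?ref=x",
                        "fields": ["email", "password"]},
}
NEW_SAMPLE = {"subject": "Account verification required now",
              "from": "alerts@secure-notify.biz",
              "url": "http://198.51.100.7/bank/login/verify.php?id=99041",
              "fields": ["user", "pass", "card"]}
```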

Finally, a German security researcher who is well known for his research and disclosure of vulnerabilities affecting Oracle products has provided in depth details on a number of vulnerabilities which affect different versions of the Oracle database product line. The rationale behind the disclosure appears to be a lack of credit from Oracle for his efforts in discovering the issues, along with the long lead time between the initial notification to Oracle, and a patch being released which addresses the issue (up to two years in some cases). The issues range from Denial of Service attacks, through to disclosure of sensitive information.

10 October 2005
