Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

An Inauspicious Start

Although attacks and threats are beginning to rise in number and severity again, the Christmas period, and a few days either side, was observed with a minimum of fuss and arrival of new attacks. That pattern was disrupted in a bad way only a few days after Christmas, and it is likely to cause major headaches for Information Technology personnel long into the New Year.

As reported by CNN Money, the Ford Motor Company in the US has discovered that a system with identity information for up to 70,000 current and former employees has been stolen. Containing the names and Social Security Numbers, the information from the system is not believed to have made it yet into the market for Identity Theft. Ford has offered to pay for the affected individuals to obtain credit-monitoring services, and has involved the US Secret Service and the FBI in the investigation. The theft was believed to have taken place in late November.

The loss of information from Ford was not the only major Identity related data loss to happen at the end of 2005. The Marriott hotel chain has disclosed that they have lost track of a number of backup tapes which hold identity related information, including credit card data and Social Security Numbers, for more than 200,000 people who were partners, employees and customers of their Marriott Vacation Club International (MVCI) group. It is not known where the tapes were lost from (transit, storage or other), but the Hotel has offered to pay for credit monitoring services for the affected individuals (at $100 USD per individual, a cost of over $20,000,000 USD).

Identity theft wasn't the only Information Security issue to attract attention over the latter weeks of 2005. A small number of unique phishing attacks were launched which could have interesting outcomes.

Of interest are attacks against the National Australian Bank (NAB), and a Saudi Arabian bank. The NAB has implemented one of the better transaction verification procedures in Australia, using SMS messages to provide users with a code which is to be used to complete online transactions, but this hasn't stopped it being a target of an attack which not only attempts to trick victims into supplying their banking login details, but also downloads and installs a keylogger onto the victim's computer. The Saudi Arabian phishing attempt had several noteworthy elements, including messages composed in Arabic, a reasonable URL derived from the original bank, and an explanation that it was linking to a proposed online IPO for an Industrial firm.

According to Netcraft, statistics gathered from their Netcraft Toolbar Community suggest that more than 450 phishing attacks in 2005 used SSL in one form or another to improve the efficiency of the phishing attacks. While this is something which S?nnet Beskerming has been warning about for some time, and something which Netcraft suggests has been happening for quite a bit of time, the first step in educating users about phishing attacks is to get them to look for the https at the start of the URL, and to look for the lock icon in the corner of the browser window. The reasoning behind this is that the provision of SSL certificates by Certificate Authorities requires authentication of legitimate business details, which would remove phishers and other scammers from the process. In addition to the acquisition of SSL certificates, Netcraft identifies the use of XSS and browser vulnerabilities as other primary methods to allow phishing attacks to appear to have SSL validity.

Moving away from phishing and Identity theft, and one of the most interesting figures from the last twelve months has resigned from their post. The CIO of the US state of Massachusetts has resigned his position following what appears to have been a smear campaign against him. The CIO, Peter Quinn, gained fame for being instrumental in the state's move towards supporting the OpenDocument format over other proprietary formats for electronic storage of official state documentation. The state is expected to still implement support for the standard by 2007, but it not known how the plan is going to move forward following the CIO's resignation. A poorly researched article in the Boston Globe that sought to get an official investigation launched into the CIO's travel claims, which were later shown to be legitimate, was said to be the primary factor behind the resignation.

The biggest threat to come out of the last few days, however, was the release of a new vulnerability affecting all Windows Operating Systems.

All versions of the Windows Operating System (including all Service Packs and patches) are vulnerable to complete compromise through the simple act of previewing, viewing or indexing a malicious image file. This vulnerability is currently being actively exploited through numerous websites (including through Internet banner advertisements on legitimate websites), spam email, and has started to spread to Instant Messaging services. Although the user is required to view / preview the file for the attack to work (such as in a webpage), automated indexing by Windows (or additional software) will automate the attack without user intervention. There are no solutions guaranteed to protect a system. There is no indication from Microsoft when this issue will be resolved.

Originally thought to be an Internet Explorer specific vulnerability, it has now been confirmed as a full Windows vulnerability, affecting all applications which make use of the specific GDI library (shimgvw.dll) to render images. This includes applications such as Internet Explorer, Outlook, Firefox, Opera, and Lotus Notes.

Although the particular vulnerability is for .wmf (Windows Meta File) type images, it has been observed that a range of image extensions (BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF) have been used to carry the vulnerability onto systems. This technique works because Windows identifies a .wmf file type by certain 'magic bytes' towards the start of the actual file data, and not the file extension itself.

Working exploit code has been publicly released on the Internet, and multiple variations of the attack are already appearing, including one which can specifically avoid the majority of workaround / defences at this time. This latter variant appears to be very well designed, and may become the most prolific version over the next few days. It is also confirmed that this vulnerability is not related to the .wmf issues patched in the recent MS05-053 security patch.

Users who are infected may notice their Windows Picture and Fax Viewer application opening up to display a file (one of the first indications for some infection vectors). The issue has been deemed serious enough for the Internet Storm Centre to move to Yellow alert twice within the last five days (they only went to yellow once for the Zotob worms in August), and is drawing a lot of attention and concern from Information Security firms globally.

This is a major issue as it is currently unpatched and the workarounds being provided are not guaranteed to work. The end of the Christmas - New Year holiday period this coming week for many businesses and schools (mainly Northern Hemisphere), which means that a large number of vulnerable systems are going to be connecting to the Internet and are more likely to engage in risky behaviour. As the vulnerability is being exploited by a range of methods including websites, banner advertisements, spam, images embedded in documents, P2P, and Instant Messaging (AIM, Jabber, MSN) there are numerous infection vectors possible.

Infection results are varied, but manual removal of infected software will most likely be extremely difficult, if not impossible to achieve. The safest course of action is to reinstall Operating System software following the release of an official patch, don't connect to the Internet in the meantime, and consider the use of an alternate Operating System which is not affected (such as Linux or OS X).

2 January 2006

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.