
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Still More Fallout

Following on from last week's news about the rise in the use of SSL on phishing sites, Netcraft reports that its anti-phishing Toolbar has reached 12 months of age. The Toolbar lets expert users flag phishing sites, which are then blocked for all other users. Netcraft's statistics show that the number of sites identified as hosting phishing frauds almost tripled in the closing months of the year compared with the first couple of months of operation. Some of that growth will be due to a larger base of Toolbar users reporting sites, but it also matches the more general trend of increased phishing activity by attackers, and it is a trend worth watching in the coming year.

Netcraft also took the opportunity to release figures for the total number of sites it observes on the Internet and the technologies supporting them. Unsurprisingly, the total number of websites continued to increase, as did the number of sites receiving active maintenance. One interesting observation was a visible dip in the number of sites hosted on the Apache web server, matched by a corresponding rise in 'Unknown' hosting software. Netcraft attributed this to a major US hosting provider changing the software behind its initial redirects to an unidentified product (postulated to be Apache, but not yet confirmed). That a change of operation at a single company can produce a noticeable shift in the overall figures says a lot about the effect that consolidation of services has on a system as large as the Internet.

Towards the end of the week, early reports arrived of new worms targeting the AIM network, and of a worm targeting vulnerabilities in numerous Oracle products. The Oracle worm is not yet self-propagating (so it currently has to be launched by hand), but it is believed to be only a matter of time before it is. What may be more worrying for Oracle administrators is that it is an extension and redevelopment of an earlier worm, with numerous new features added to improve its attack toolkit.

Although Microsoft initially gave no timeframe for a patch for the .wmf vulnerability, this quickly became a commitment to ship it with the regular January security release on 10 January, which was then brought forward to an official out-of-cycle release on 6 January. Whether a leaked pre-release copy of the patch on 5 January influenced the release of the final patch on 6 January has not been confirmed. Users who have not already patched their Windows PCs should do so as a matter of high priority.

Although Microsoft issued an out-of-cycle patch, arguments raged about the actual criticality and extent of the vulnerability and of the efforts to exploit it. A number of exploit vectors were in active use, but there was not a lot of mainstream exposure to them, which led many to believe the vulnerability was being blown out of proportion. One of the biggest fears, that a large banner ad network such as Doubleclick would start serving malicious images, came close to reality when a smaller banner host did serve malicious images across a range of sites. Some legitimate websites were compromised and modified to serve malicious images, but were cleaned up fairly quickly. The vulnerability also made minor inroads through IM products and other lesser infection vectors.

In the end, the low level of apparent infection was most likely the result of several contributing factors. First, the mass publication of exploit code and methodology came at a slow period, when most employees and vulnerable users were away from their normal systems, limiting the rate of infection. Second, user action was still required, even if it was minimal (several of the infection methods demonstrated this). Third, Microsoft's out-of-cycle patch came within a few weeks of the initial public disclosure, and was timed just as many companies were returning from their Christmas / New Year shutdown periods. Finally, the rapid response from the Information Security community ensured that administrators and security specialists were aware of the problem, how to mitigate some of the known attack methods, and what to do to prevent most of the common infection vectors.

The recent Sober worm variants were expected to activate in the last week and try to contact a number of sites for possible updates or new commands. Given the early identification of this feature and the widespread reporting at the time the variants were released, no network or system trouble attributable to the worms activating was reported. Unfortunately for users still infected with this family of worm, their systems remain under the remote control of an attacker, and the worm will apparently try to contact a new (currently unknown) set of URLs within the next 14 days, continuing the cycle into the future (for how long is not known).

US-CERT recently released figures for the number of vulnerabilities reported in 2005, which quickly drew sharp criticism from a number of observers for inaccurate reporting and a flawed accounting model. The report totalled 5198 vulnerabilities for 2005: 812 affecting the Windows operating system, 2328 affecting all other operating systems, and 2058 affecting multiple operating systems.

The complaints included that the same vulnerability was sometimes counted several times as updates on the issue were published, and was also counted once for each version or distribution of the operating systems it affected (so a single vulnerability could count as 1 for Windows but 30 or more for everything else, simply because of the number of different distributions and operating systems it applies to); that vulnerabilities in third-party applications were counted against Unix, Linux and OS X systems but not against Windows systems; that the relative severity of the vulnerabilities was not assessed; and that the public release of an exploit and the time between disclosure and patch were likewise ignored.
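To make the accounting problem concrete, here is an added Python example (it is not from US-CERT and not part of the original article) that counts a small constructed set of advisories two ways: the naive way, once per advisory line per named platform with re-issued updates included, and a normalised way that counts each distinct vulnerability identifier once and places it in a Windows, Other or Multiple bucket according to the union of platforms it affects, with an option to exclude third-party application bugs consistently across all platforms. The advisory records, identifiers and severity ratings are invented for illustration.

```python
"""Vulnerability-count accounting: naive per-advisory counting versus
deduplicated per-vulnerability counting.

Added example with constructed data; the records below are not US-CERT data.
"""
from collections import Counter
from dataclasses import dataclass

# Platform buckets used for the comparison.
WINDOWS = "Windows"
OTHER = "Other"        # Unix / Linux / OS X and their many distributions
MULTIPLE = "Multiple"  # a vulnerability present on both Windows and Other


@dataclass(frozen=True)
class Advisory:
    vuln_id: str         # stable identifier for the underlying bug (constructed, CVE-like)
    platforms: tuple     # each distribution / OS this advisory line is issued for
    third_party: bool    # bug is in an application, not in the operating system itself
    severity: str = "medium"
    is_update: bool = False  # a later re-issue of an earlier advisory for the same bug


# Constructed sample (not real advisories):
#  - VULN-0001: one OS bug, issued separately for four Linux distributions, one being a re-issue
#  - VULN-0002: one third-party application bug shipped on both Windows and Debian
#  - VULN-0003: one Windows-only OS bug
SAMPLE = [
    Advisory("VULN-0001", ("Debian",), False, "high"),
    Advisory("VULN-0001", ("Red Hat",), False, "high"),
    Advisory("VULN-0001", ("SUSE",), False, "high"),
    Advisory("VULN-0001", ("Gentoo",), False, "high", is_update=True),
    Advisory("VULN-0002", ("Windows", "Debian"), True, "low"),
    Advisory("VULN-0003", ("Windows",), False, "critical"),
]


def family(platform):
    """Map a concrete platform name onto the Windows / Other buckets."""
    return WINDOWS if platform == "Windows" else OTHER


def naive_counts(advisories):
    """Count every advisory line against every platform it names, updates included.
    This is the accounting the critics objected to: one bug on N distributions counts N times."""
    counts = Counter()
    for adv in advisories:
        for platform in adv.platforms:
            counts[family(platform)] += 1
    return counts


def normalized_counts(advisories, include_third_party=True):
    """Count each distinct vulnerability identifier exactly once, bucketed as Windows, Other
    or Multiple by the union of platforms across all of its advisory lines.  Third-party
    application bugs are either kept for every platform or dropped for every platform."""
    families = {}
    third_party = {}
    for adv in advisories:
        families.setdefault(adv.vuln_id, set()).update(family(p) for p in adv.platforms)
        third_party[adv.vuln_id] = third_party.get(adv.vuln_id, False) or adv.third_party
    counts = Counter()
    for vuln_id, fams in families.items():
        if not include_third_party and third_party[vuln_id]:
            continue
        counts[MULTIPLE if len(fams) > 1 else next(iter(fams))] += 1
    return counts


def severity_breakdown(advisories):
    """Severity of each distinct vulnerability, keeping the highest rating seen for it."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    worst = {}
    for adv in advisories:
        if adv.vuln_id not in worst or rank[adv.severity] > rank[worst[adv.vuln_id]]:
            worst[adv.vuln_id] = adv.severity
    return Counter(worst.values())


if __name__ == "__main__":
    print("naive (per advisory line, per platform):", dict(naive_counts(SAMPLE)))
    print("normalised (per vulnerability id):       ", dict(normalized_counts(SAMPLE)))
    print("normalised, OS bugs only:                ",
          dict(normalized_counts(SAMPLE, include_third_party=False)))
    print("severity of distinct vulnerabilities:    ", dict(severity_breakdown(SAMPLE)))
```

On the constructed sample the naive method reports 5 vulnerabilities for Other against 2 for Windows, while the normalised method reports one Windows bug, one Other bug and one Multiple bug; the three real bugs have not changed, only the accounting. Any comparison between operating systems needs to state which of these rules it applied, and the severity breakdown shows why a bare total is a weak measure even once deduplicated.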

After last year's news that Yahoo! was accused of handing over a user's identifying information, which led to the jailing of a Chinese journalist, the actions of an American company providing services to Chinese citizens have again been called into question. This time Microsoft has drawn unwanted attention after removing a blog belonging to a Chinese pro-democracy supporter when a number of bloggers at a competing Chinese service (Bokee) complained. It is not so much the removal of the blog that has upset people (though it has) as the apparently arbitrary termination of service, without notifying the blogger or giving any reason for the action.

Efforts by various interested parties to discover Microsoft's motive for closing the account produced an interesting statement from Microsoft that it has to comply with the laws of the nations it operates in, and that countries such as China have unique requirements established in local law. This reasoning opens a new line of argument about where the line is drawn for provision of services: if the service was being provided from US-based systems, which set of laws applies? And if Microsoft's argument is accurate, why was this particular user singled out for closure, and why was the account closed pre-emptively without any request originating from the Chinese Government? Accusations, so far unproven, have even been levelled at the Bokee blogging service that it was behind the move to have the blogger's account closed.

Finally, following the small run of identity data losses at the end of 2005, more news has filtered through of other cases from the same timeframe, including ones affecting tax specialists H & R Block, the University of San Diego (7,800 people affected), and Iowa State University (3,000). Most worryingly, in this last case the University administration has indicated that it will not be pursuing the identity of the thief.

9 January 2006
