Where Have all the Exploits Gone?
One of the most referenced sources of online exploit disclosure, the French Security Incident Response Team (FrSIRT), previously the K-Otik security group, has withdrawn their exploit archive from public view. By making the archive available only to subscribers of their Vulnerability Notification Service (VNS), they believe that this move is compliant with the recently passed French laws which prohibit full disclosure security research publication. Although the exploit archive has been withdrawn, FrSIRT continue to operate their freely available vulnerability archive.
While the motive behind the withdrawal might be questioned by some, it has provided an interesting insight into the replication of content amongst security vendors and sites. At the same time as the content was withdrawn from public view, a number of unrelated sites stopped providing extremely similar content - strongly suggesting that the source of the content was the FrSIRT site. It appears that many of these sites have now redirected to replicating content from some of the other remaining high profile sources of public exploit data. FrSIRT have also come under fire for the move to a pay service as the majority of the exploits being presented have been acquired from other sources that may not have agreed to their sale by third parties.
Staying in Europe, and news reached a number of websites over the last several days of demands being made by the United Kingdom to receive the source code associated with the integrated systems of the F-35 Joint Strike Fighter, or else they would cancel their ?12 billion stake in the project. As a Tier 1 partner, the potential withdrawal of the United Kingdom from the project could cause major problems with future implementation of the proposed fighter (other countries such as Australia are lower level export partners who will be sold / leased aircraft further down the line).
In amongst the fear mongering of the United States being able to effectively switch off the aircraft in flight, the underlying demands are most likely concerned with the ability to integrate future weapons with the aircraft, or to modify the delivery envelope that the aircraft's systems will accept.
It was reported that the deal is expected to go ahead, but the root cause of withholding the source code is likely to rest with US laws restricting the export of weapons technology. Similar laws have been used in the past in an attempt to restrict the distribution of software outside of US borders, as was most notably seen with the PGP encryption software.
Ongoing basic research by S?nnet Beskerming staff involves monitoring and reviewing the background level of global network traffic across a set of key indicators, as reported by a handful of traffic monitoring companies. One such index, the global level of traffic to news reporting sites saw a major spike over the last several days, easily 300% higher than normal traffic patterns. Normally a major sustained spike (this one spent 2-3 days at high levels) has a corresponding major global news story as a direct cause. Some historic spikes matched Hurricane Katrina flooding New Orleans, the start of the current Iraq war, and the most recent Bali bombings. With such a massive increase, a news story such as war against Iran or an all out war between Israel and neighbouring countries would have been expected. Confusingly there was no major story, or group of related stories, to correlate.
So, what caused the spike?
The company that supplies the figures has not given any analysis of the recent spike, so the exact reasons are not known, but it could be presumed that there may have been increased network attacks against news providers (such as the current DNS concerns), or the collection mechanisms could have been overwhelmed due to various differences in load balancing and system maintenance. Other sites that provide related analysis showed no significant departure from reporting levels, so it could be presumed that the issues are limited to the one collection mechanism. It certainly would be interesting to see what led to the massive increase.
Basically it is a reverse of the old cliche of 'not being able to see the forest for the trees', except in this case there has been a massive forest appear from nowhere but it is currently impossible to see any of the trees responsible for making it up.
In a week of security updates and warnings, Apple, Microsoft and Ubuntu all had security patches released for problems of varying criticality. In Apple's case, update 2006-002 was released which addressed the issue which led to problems with hiding executable files disguised as safe files in archives, which were then able to be executed by the default system settings. An amendment to the update was released later in the week to address unspecified issues that were encountered.
Microsoft released two patches for their March Security Patch release, MS06-011 and MS06-012 addressing problems with the actual system (account elevation) and Microsoft Office, respectively (remote code execution).
The Ubuntu patch is a little more interesting. It was discovered that certain installation software would store unencrypted copies of the first username and password that were supplied during system setup. Even if the root account was not being setup, the first account had access to the sudo command which would allow for a rapid increase in account level. Within hours of the problem being made public patches appeared from the company, but detailed instructions on where the vulnerable data resided could still see a race between system attackers targeting the vulnerability and administrators closing it off.
Operating System maintainers were not the only software companies facing security issues over the last week. The 4715 detection pattern used by various NAI and McAfee antivirus software was a little over-ambitious when it was released several days ago - finding numerous false positives and essentially preventing affected systems from functioning correctly. A corrected pattern, 4716, was released soon after, but not before the damage to reputation and customers had already been done. Amongst the misidentified files were files belonging to Oracle products, perl, Cygwin, Excel, SysInternals, Java, and others. If users ran the affected detection pattern and had legitimate files quarantined, McAfee has since released an application to help restore the files that were wrongly quarantined.
One of McAfee's biggest competitors hasn't fared too well either after the last week of activity. A recent Symantec daily update knocked AOL users offline due to an unidentified technical error. Symantec software would identify parts of the AOL network connection as being a possible threat to the system and terminate the connection. While an updated definitions file was later released, it obviously caused some trouble for end users and comes shortly after it was shown that Symantec software would overreact to certain key phrases in IRC channels, knocking the user out of IRC as a prevention against IRC bot control.
Updates to Operating Systems and security software aside, the loss of identity data by companies continues unabated. The US state of North Carolina had 16,000 credit card numbers belonging to residents stolen after a hacker broke into a system used to process ferry fare payments, while the latest publicised case of information leakage due to the Japanese Winny worms has affected Toyama hospital in Japan where 2,800 patients who had surgery over several years had their records leaked to the filesharing network. More information about the Ernst & Young laptop losses revealed that the laptops held over 80,000 Social Security Numbers belonging to company clients, including IBM employees who worked overseas in their careers.
Other cases also include the State College in Denver, Colorado, where 93,000 students will need to be notified following a laptop theft (unencrypted data) - covering 1996 to 2005, and more than 40,000 people had sensitive data stolen from Georgetown University.
The Canadian province of British Columbia had more than 70 systems compromised for undisclosed data theft totals - but they are beating that problem by selling tape archives at auction with sensitive medical data still on them (HIV status, mental illness details, etc on tens of thousands of individuals), and finally, an undisclosed number of Verizon employees are at risk following the theft of laptops from the company.
Some good news has come to light in the ongoing identity theft / financial fraud case affecting a number of US banks (including Citibank). Arrests in New Jersey have seen 14 US citizens arrested in law enforcement action linked to the case. It appears more certain that 'Office Max' stores were part of the overall incident, which is still denied by the company. The full breach is rumoured to affect more than 600,000 individuals.
The ISC recently provided an analysis of a phishing attack which appeared to be extremely well prepared and contained a range of accurate personal information that it was considered a bank would have on hand. Such a move will make it more difficult for massive phishing campaigns, as each message needs to be individually modified, but it is expected that a higher percentage of recipients will actually provide their details to the scam. It is postulated that the information presented in the phish has been obtained through theft from an online retailer, as that would provide the greatest collation of data in the one place that would otherwise cost from a collation company such as ChoicePoint. S?nnet Beskerming's Nabu software will neuter the effectiveness of these emails.
Finally, rumours are building that an automated bot is registering accounts on various phpBB based bulletin boards presumably to launch widespread attacks with the next suite of remote vulnerabilities affecting the popular forum suite. Identified by the name "Funt Klakow", the account that is created tends to sit silent, but is being created rapidly across a wide range of phpBB sites. Even without new vulnerabilities being released, there are plenty of existing vulnerabilities with phpBB software which will provide the bot with a suitable launching point should it activate an attack in the near future.
20 March 2006
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.