The Internet is Out to Get You
Microsoft's Internet browser, Internet Explorer, was the focus of a range of disclosures over the last several days. Three different issues were publicly disclosed: two relating to script handling in HTML files (initially Denial of Service crashes) and one relating to an undisclosed handling issue for HTML Applications (HTAs). The most recent of the script handling issues was rapidly elevated into a remote code execution exploit, and claims were made that it had been circulating among private hacker groups for a couple of weeks.
More than 100 sites have now been infected with variants of exploit code which is used to download malware such as SDBot and then gain control over infected systems. While many of the sites are specifically designed to distribute the code, a growing number are legitimate sites which have been defaced with the exploit. The only indication that users will get that they have been infected is Internet Explorer downloading additional files - the exploit can be hidden from view on the page and still be effective.
Pressure is mounting on Microsoft to issue an out of cycle patch to fix the issue, much as they did with the WMF vulnerability from the start of the year.
A couple of weeks ago a court case in the United States served as a potent reminder why email sometimes isn't what people expect it to be. Search engine giant and free webmail provider, Google, was ordered to hand over archived emails for one of their subscribers. This sort of order is not unexpected, except this time the subscriber had deleted all of their messages related to the case.
Unlike physical records, there are no guarantees that electronic records have been destroyed when a user thinks that they have. In fact, a valuable market exists for extracting information from hard drives that have been wiped, destroyed or written over, and from files that were accidentally deleted. Depending on which operating system is used, deleting a file might only mean removing a reference to it, leaving the full contents of the file in place. With email, even if a user has deleted a message from their local system (completely removing the data, not just the reference to it) and has deleted the copies from their upstream server, the information is more than likely still in existence.
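The "reference removed, contents left in place" behaviour is easiest to see on a toy medium. The following is an added example, not code from the original column: a flat byte array stands in for the disk, a small directory maps file names to runs of blocks, and an ordinary delete only drops the directory entry. A raw scan of the medium (the same idea behind forensic file carving) still finds the content, and even after the freed blocks are partly reused the tail of the old message survives. The block size, file names and message text are all constructed for the example; the overwrite-before-unlink routine has toy-model semantics only (real media add journaling, wear levelling and the backups discussed below).

```python
"""Toy disk model illustrating why "delete" usually only removes the reference.

Added example, not from the original article. A flat byte array stands in for
the medium and a small directory maps names to contiguous block runs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BLOCK_SIZE = 16  # constructed: tiny block size so the effect is visible


@dataclass
class ToyDisk:
    nblocks: int = 8
    data: bytearray = field(init=False)
    # name -> (first block, length in bytes); files are stored contiguously
    directory: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    free: List[int] = field(init=False)

    def __post_init__(self) -> None:
        self.data = bytearray(BLOCK_SIZE * self.nblocks)
        self.free = list(range(self.nblocks))

    def _blocks_for(self, length: int) -> int:
        return max(1, -(-length // BLOCK_SIZE))  # ceiling division

    def _find_run(self, needed: int) -> List[int]:
        """Lowest run of `needed` consecutive free blocks."""
        run: List[int] = []
        for b in range(self.nblocks):
            run = run + [b] if b in self.free else []
            if len(run) == needed:
                return run
        raise OSError("no contiguous space")

    def write(self, name: str, content: bytes) -> None:
        blocks = self._find_run(self._blocks_for(len(content)))
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            # Only the bytes actually written are replaced; the rest of the
            # last block ("slack space") keeps whatever was there before.
            self.data[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            self.free.remove(b)
        self.directory[name] = (blocks[0], len(content))

    def read(self, name: str) -> bytes:
        start, length = self.directory[name]
        return bytes(self.data[start * BLOCK_SIZE:start * BLOCK_SIZE + length])

    def unlink(self, name: str) -> None:
        """Ordinary delete: drop the reference, free the blocks, keep the bytes."""
        start, length = self.directory.pop(name)
        self.free.extend(range(start, start + self._blocks_for(length)))
        self.free.sort()

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks before unlinking (toy-model semantics only;
        real media add journaling, wear levelling and backups to worry about)."""
        start, length = self.directory[name]
        end = (start + self._blocks_for(length)) * BLOCK_SIZE
        self.data[start * BLOCK_SIZE:end] = bytes(end - start * BLOCK_SIZE)
        self.unlink(name)


def carve(disk: ToyDisk, needle: bytes) -> List[int]:
    """Raw scan of the medium for `needle`, ignoring the directory entirely."""
    hits, pos = [], disk.data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = disk.data.find(needle, pos + 1)
    return hits


def demo() -> dict:
    memo = b"Subject: settlement terms\nDelete after reading.\n"  # constructed, 48 bytes
    d = ToyDisk()
    d.write("memo.txt", memo)
    d.unlink("memo.txt")
    after_unlink = carve(d, b"Delete after reading.")
    # New data reuses the freed blocks but only overwrites what it needs.
    d.write("notes.txt", b"todo: call lawyer")  # constructed, 17 bytes
    subject_left = carve(d, b"Subject:")
    body_left = carve(d, b"Delete after reading.")
    # Overwriting before unlink is the only way the toy medium forgets.
    d2 = ToyDisk()
    d2.write("memo.txt", memo)
    d2.secure_delete("memo.txt")
    return {
        "after_unlink": after_unlink,          # [26]: body still on disk
        "subject_after_reuse": subject_left,   # []: first block overwritten
        "body_after_reuse": body_left,         # [26]: tail survives in slack
        "after_secure_delete": carve(d2, b"Delete after reading."),  # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the partial-reuse step is that "the file was deleted and the space was reused" is still not the same as "the data is gone": the new 17-byte file overwrites the first block and one byte of the second, and the rest of the old message stays readable to anyone scanning the raw medium.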
This is what Google is being ordered to hand over: their archived records. Most companies that operate mail servers have established archiving / backup practices which allow them to reconstitute subscribers' mail histories after a disaster. Even if an email has been deleted, chances are that it still exists on a backup tape. If the message slipped through the system and was deleted before an archive could be made, there is a possibility that an archive was made of it on one of the servers that the message passed through en route to the final server, or at the originating server.
The nature of the Simple Mail Transfer Protocol (SMTP), the protocol used to pass email messages across networks, means that messages are passed in plain text - able to be read by anybody on the link between the originating and receiving server. There are solutions which can provide encryption to email messages in transit but none have received widespread acceptance to the point that they are considered a standard.
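What "passed in plain text" means in practice is that a captured port 25 conversation is the message. The script below is an added example, not code from the original column: it reads a constructed SMTP session transcript (the form a packet capture yields when no encryption is negotiated) and reports what a passive observer on the link can read, including the envelope sender and recipients and the full message body. It also checks for the STARTTLS extension (RFC 3207), the opportunistic in-transit encryption upgrade, and distinguishes a server that merely offered it from a session that actually switched to TLS. The transcript format (one exchange per line, prefixed `C: ` or `S: `), the host names and the message content are all assumptions of this example.

```python
"""Audit a captured SMTP conversation for cleartext message content.

Added example, not from the original article. Input is a constructed
transcript with one line per exchange, prefixed "C: " (client) or
"S: " (server); anything else (e.g. a note about encrypted bytes) is ignored.
"""
from typing import Dict, List, Tuple

# Constructed session: the server offers STARTTLS, the client never uses it.
CLEARTEXT_SESSION = """\
S: 220 mail.example.net ESMTP
C: EHLO client.example.org
S: 250-mail.example.net
S: 250-STARTTLS
S: 250 SIZE 10240000
C: MAIL FROM:<alice@example.org>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: alice@example.org
C: To: bob@example.net
C: Subject: Q2 numbers
C:
C: The draft figures are attached.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

# Constructed session: the client upgrades to TLS before sending anything.
TLS_SESSION = """\
S: 220 mail.example.net ESMTP
C: EHLO client.example.org
S: 250-mail.example.net
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
[TLS handshake and encrypted application data follow; nothing below is readable]
"""


def parse_transcript(text: str) -> List[Tuple[str, str]]:
    """Split the transcript into (speaker, line) turns; drop anything else."""
    turns = []
    for raw in text.splitlines():
        if raw.startswith("C: ") or raw.startswith("S: "):
            turns.append((raw[0], raw[3:]))
        elif raw in ("C:", "S:"):          # empty line, e.g. header/body separator
            turns.append((raw[0], ""))
    return turns


def audit_session(text: str) -> Dict[str, object]:
    """Report what an observer on the wire could read from this session."""
    findings: Dict[str, object] = {
        "starttls_offered": False, "tls_upgraded": False,
        "mail_from": None, "rcpt_to": [], "message": None,
    }
    in_data, awaiting_tls_reply = False, False
    body: List[str] = []
    for who, line in parse_transcript(text):
        if who == "S":
            if line.startswith("250") and line[4:].upper() == "STARTTLS":
                findings["starttls_offered"] = True
            if awaiting_tls_reply:
                awaiting_tls_reply = False
                if line.startswith("220"):
                    findings["tls_upgraded"] = True
                    break          # everything after this is ciphertext on the wire
            continue
        if in_data:
            if line == ".":
                in_data = False
                findings["message"] = "\n".join(body)
            else:
                body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            continue
        upper = line.upper()
        if upper == "STARTTLS":
            awaiting_tls_reply = True
        elif upper.startswith("MAIL FROM:"):
            findings["mail_from"] = line[len("MAIL FROM:"):].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            findings["rcpt_to"].append(line[len("RCPT TO:"):].strip().strip("<>"))
        elif upper == "DATA":
            in_data = True
    findings["exposed"] = findings["message"] is not None
    return findings


if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("starttls", TLS_SESSION)):
        print(name, audit_session(session))
```

Run over the first transcript the audit reports `exposed: True` with the complete message, even though the server advertised STARTTLS; over the second it stops at the `220` reply and reports nothing readable. The "offered but not used" case is the one worth alerting on in a mail environment, since it is a configuration choice on the sending side rather than a missing capability.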
More bad news related to email and Windows-based systems came to light over the last week when a few sources reported a new trojan being seen on a few systems. Designed to capture the one-off codes that a number of European banks use for client authentication, the 'Bancos' trojan targets customers of Deutsche Bank and Postbank, both institutions that use temporary TAN codes to add an extra layer of integrity to the trust model.
Using TAN codes as part of the authentication process means that attackers need to know the logon and password details and also hold a valid TAN to impersonate the online identity of a victim. 'Bancos' achieves this by presenting an error message to the victim when they try to enter a valid TAN and passing the TAN to the phisher, who then has a short period of time to use the valid token before it expires or the victim uses another.
Until now most malware has not been able to capture data inside secured online traffic (https), but 'Bancos' appears able to do so. Most likely the trojan intercepts the information before the browser encrypts it for the https session, rather than extracting it from an encrypted packet. It had been suggested for some time that malware with this particular capability would soon appear.
Luckily for victims, 'Bancos' is not very widespread and only targets a small number of financial institutions. The concern from spyware watchers is that this trojan represents a watershed event, that multiple trojans are on the way with similar capabilities, and the TAN and equivalent systems could soon become worthless as a result.
A strange incident has been reported on by Zone-h, the authority on website defacements. An Israel-based website which is critical of Russia was defaced by a Russian-based group which received congratulations from the Russian Duma (parliament). Publicly acknowledging a website defacement is a rare occurrence, but state level endorsement of an attack is extremely rare - in fact it is believed to be the first case ever.
Various Asian countries have long been suspected of state sponsorship of hacking and defacement activities, but this is an interesting development outside that region, and one which supports some of the conspiracy theories about government support in other countries.
The statement of support came in the form of an official decree issued on March 22 by a State Duma deputy who sits on the Security Committee, and stated support for the "vigilance and ... suppression of provocative anti-Russian and irreligious materials on the Internet." The deputy, Nikolay Vladimirovich, represents the Liberal Democratic Party of Russia, an ultra-nationalist aligned party.
The attack being referred to was carried out by a group which has been tracked since December 2005, and took place on March 14 against www.evrey.com, replacing the homepage. The site had previously gained notoriety for publishing an article calling for the eradication of orthodox religious symbols, which had been taken as directly targeting the Russian Orthodox Church. It was further reported that state-level discussion of similar activities started as early as January with the promise of encouragement and recognition for attacks against terrorist and extremist sites.
Finally, a claim was recently made on a security mailing list that various printers which rely upon unique user / operator PINs can be forced to print out all valid PINs for that particular device. The PIN was found to be stored unencrypted in a Windows registry item, which is then supplied to the printer to authenticate the user for printing. Through a simple process of enumeration and testing, every possible PIN could be tried in around 200 hours, yielding all valid 6-digit PINs. With optimization this could be sped up considerably, and at the least it gives users a means to impersonate someone else to the printer, which is a problem if the PIN is being used for auditing / accounting purposes.
27 March 2006