Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists.
It's the Season - 24 December 2005
From all the staff here at Sûnnet Beskerming we wish all our readers a very merry Christmas and a happy New Year. We hope that the security advice and reporting that we have provided to you this year has helped you avoid difficulties, and that it is allowing you to have a peaceful break over the Christmas / New Year period. Before everyone can go and enjoy themselves, there are a few issues that have come up over the last few days which could have an impact over Christmas.
Firstly, Symantec and a number of other Information Security vendors have had vulnerabilities disclosed which could leave systems open to complete compromise by remote attackers. In Symantec's case, almost the entire product line has been found to be vulnerable to a flaw which can allow a remote hacker to execute code of their choice on systems running Symantec software. Interestingly, this problem is cross-platform, affecting both Windows and Macintosh Symantec software with similar results. In McAfee's case, their Security Centre and VirusScan software products can expose underlying systems to remote attackers, with similar outcomes to the Symantec issues. While the Symantec flaws can be completely automated, the McAfee flaw requires the victim to activate it, either by visiting a malicious website, or other vulnerable action. In Symantec's defence, the filesize required to exploit this flaw is in the range of 50 MB.
Normally, Apple software doesn't attract a lot of attention from hackers, and so not a lot of security flaws tend to get discovered. The past week has seen two different vulnerabilities discovered, affecting the QuickTime media player, iTunes, and the OS X Operating System. The first flaw, which affects QuickTime and iTunes, leads to a Denial of Service against the software and is launched by opening a malicious .mov media file. While the original discoverer has claimed that arbitrary code execution is possible, there is no indication that this is the case (at this time). This flaw affects both the OS X and Windows versions of the software. The second flaw affects the OS X Operating System itself. In this case, malformed HTML input will cause the KHTMLParser to crash, bringing down vulnerable applications with it. It is known to affect Safari and TextEdit at this stage, but any application which relies upon the inbuilt KHTMLParser to render HTML content is likely to be vulnerable. The discoverer of this flaw, who also discovered the QuickTime / iTunes flaw, claims that arbitrary code execution is possible, but again there is no indication that this is the case (at this time).
The timing for public release of this information seems suspect, especially the claims of arbitrary code execution and the lack of a timeline which indicates when Apple were notified of the problems. While the vulnerabilities are certainly real, it is probable that a patch will be delayed due to the Christmas / New Year holiday period. Concerned users should be careful about accepting QuickTime media files from untrusted sources (for the first vulnerability), and about visiting potentially malicious / untrusted websites (for the second vulnerability), lest their application suddenly shut down.
Website applications are not escaping the attention of hackers over the Christmas period, either. It is suspected that many of the most active and prolific website defacers are secondary or tertiary students, and the increase in defacement activity seems to correlate with school holiday periods, with significant reductions during exam seasons. Turkish-based hacking groups appear to have become very active over the last couple of weeks, with some fairly significant attacks taking place during that time period. Not only are single sites being targeted, but servers which host multiple sites are being attacked with increasing frequency. To aid the defacement and other attacking efforts, a number of vulnerabilities have been discovered over the last couple of weeks in a range of common Internet software packages. These vulnerabilities are already seeing fairly rapid deployment, with a number of sites running the Mambo Content Management System in particular being targeted over recent days.
The company behind leading law enforcement forensic software EnCase, amongst other titles, has released a statement admitting that they were recently compromised in an attack which allowed the attackers access to financial and personnel data connected to thousands of law enforcement personnel and security professionals. The attack was first discovered on December 7, and it is believed that the incident took place at some stage in November. While normal identity theft cases can net valuable information, the perceived level of compromise, and the specific industry groupings covered, would mean that this particular security breach could have some significant long term effects. It is reported that the US Secret Service has become involved in investigating the breach.
Microsoft's Internet Explorer web browser for the Macintosh Operating System was frozen at version 5 a couple of years ago when active development ceased in response to the emergence of Safari. All support for the application will be ceased as of December 31, 2005, and it will no longer be included for distribution from January, 2006. While this move is not unexpected, it has been some time since Internet Explorer was the default web browser installed on Apple Operating Systems (it was always installed, or was on the installation disks, just not the system default browser). While not a complete reproduction of the Windows version of the software, it did make for a useful testing and development tool for Web designers and other Internet professionals, as well as providing a fallback for sites which refused to display in other browsers.
IBM's once flagship Operating System, OS/2, has also reached the end of its lifespan, with all support for the product being withdrawn as of December 23.
Little Compositions - 19 December 2005
This week has seen quite a number of smaller news articles come to the surface, many being follow-ups to stories that gained prominence earlier in the year, including spear phishing, Chinese state-sponsored hackers and more.
In one of the most recent cases where spear phishing has been claimed, at least one minor US financial institution had their internal systems specifically targeted by remote attackers. Separating this case from the normal range of phishing attacks was the fact that it appeared targeted at employees of the institution, and attempted to compromise their work systems for purposes unknown (although a good guess would be the compromise of account holder details). The case is now under investigation by the authorities, but it is interesting from the point of view that it has been reported by the media as a case of spear phishing.
A story which evolved along similar lines saw a charity in the United Kingdom find themselves the victim of a compromise which resulted in the theft of the personal details and financial contribution data from a large number of their donors. This information was rapidly turned around for active exploitation, with a number of the donors being contacted by the hackers, who were claiming to represent the charity, and seeking further donations from them. Others had accounts with various financial institutions accessed and modified.
Since the public notification of the breach, the website for the affected charity has been shut down. A comment from the head of the UK Charity Commission suggests that there is a lack of understanding of the threats to online financial transactions, at the highest levels of the Commission. Essentially, he claimed that the use of SSL to protect information in transfer between the donor and the charity should be sufficient security for protection of information, which conveniently ignores the risk posed by insecure storage of sensitive information on the server. The Executive did follow up this claim with a later statement that charities and other companies with an online presence should ensure they have some form of security on their sites.
The bad news didn't end there for the UK, with reporting that the suspected fraud perpetrated through an HM Revenue & Customs tax credit portal was far more extensive than originally thought. Initially disclosed at the start of December, when the portal was taken off-line, it was thought at that time that up to 1,500 call centre workers had their identities and financial details stolen, with a number being used for fraudulent claims through the tax portal. Continuing investigation work has discovered that the number of compromised people may be up to 13,000, with the total fraud perpetrated in the millions of pounds. Most fraudulent claims appear to have been limited to less than a thousand pounds, possibly in an effort to avoid automated and manual scanning systems.
Following the recent fuel storage explosion and fires in England, a number of large electronics retailers and Information Technology firms were directly affected, and had the chance to implement their disaster plans (if they had them). One of the major electronics retailers in England had their headquarters essentially destroyed, but the quick implementation of their disaster recovery plan meant that they were able to resume operations from a secondary location, with minimal disruption to their services. It is feared that a number of smaller (and even some larger) companies will not be able to cope with the stress and system disruption caused by the damage to their information infrastructure, and will go out of business as a result.
Elsewhere in the world, hacking in the national interest has grabbed minor headlines for a number of incidents. The 'Titan Rain' set of incidents, where it is claimed that State-sponsored hackers from China were actively exploiting semi-sensitive networks and systems in the USA, have grabbed more exposure from Western news sources. To counter the negative press being generated, the Chinese Foreign Ministry released a statement that the Chinese Government is not involved in any hacking of the USA, and they have called for evidence to be released which shows the links between the attacks and the Chinese Government.
Minor hacking and web-defacement conflicts have also been taking place between Chile and Peru, and India and Pakistan. While it is unlikely that these cases involve any state sponsored efforts, the hacking can be considered a proxy front for the national interests being tussled over in the real world. Internal hacking efforts have also resulted in the complete shutdown of a government-sponsored television station in Russia. The new station, Russia Today, has admitted that they were forced to cease transmission of their programs due to a particularly nasty attack from a hacker, or hackers unknown. Broadcast of content has been ceased until the attack can be defeated.
There were also a small number of significant malware events which affect a wide range of systems. Not wanting to be outdone by Sober, the creators behind the Bagle / Beagle family of email worms have released the next variant, which appears to be a much more active attacking worm than previous versions. Most Anti-virus companies should have updated definitions files by now to deal with this latest worm. While this particular worm is spreading, it appears that Sober is beginning to have some fairly serious effects. Users of Microsoft's Hotmail and MSN email services may be unable to receive emails (or have them excessively delayed) from an unspecified number of external ISPs. A spokesperson for Microsoft claims that the issues are related to the increase in traffic caused by the Sober email worm.
A new exploit was released which targets the MSDTC vulnerabilities fixed in the MS05-051 security patch released in October this year. Dubbed Dasher, the current versions in the wild link back to key loggers and other nasty software in an effort to extract useful information from the infected end users. An initial, crippled, version was sent to the major Anti-virus companies earlier in the week, for reasons that are currently unknown. While the patch from Microsoft will completely block the exploitation route the worm is using, there have been reports that the patch has caused problems for some users, and so not all vulnerable systems may have been patched.
Finally, the possession of Plasticine may soon be regarded as suspicious (there goes the Kindergarten and ChildCare industry) following revelations that it may be used to bypass biometric authentication systems such as fingerprint readers. Laboratory testing has discovered that, 90% of the time, biometric systems could be confused and bypassed by such simple means as the use of plasticine. The high failure rate should be a cause for concern, and the fact it isn't mentioned by the vendors could be leading clients to have a misplaced sense of trust in their authentication systems, and can make well-designed multiple factor authentication systems become single factor authentication. At the least, it appears to be driving a number of the vendors to improve their products to be better protected against such simple attacks.
Of Disaster and Online Terror - 12 December 2005
As the Christmas and New Year period arrives again for another year, it is time to consider how you may be leaving your Information Technology infrastructure over the holiday period. From disaster recovery plans in the case of catastrophic system failure, through to inadvertent information leakage it is important to be prepared.
While major natural disasters are relatively infrequent, their destructive effects are fairly uniform across a large area. This means that if your recovery plans rely upon immediate response by third party agencies, then they may not have the opportunity to respond to your needs as you have planned. The infrequency of disasters is not a good enough argument against not planning for them to affect your infrastructure this holiday period. The South Asian tsunami and Canberra bush fires are two fairly recent examples of disasters to hit close to this time of year.
While not a natural disaster, the sudden catastrophic failure of IT infrastructure can be devastating, and it is something that many businesses are not able to recover from. Just in the last several days, Sûnnet Beskerming staff witnessed a company experience sudden and complete infrastructure failure, yet be able to recover within minutes, to the point that the sum data loss across the company was two lines of unsaved text in a text editor.
The failure struck just as the company had commenced daily operations, and their systems were loaded with the maximum amount of data for daily processing. In their recovery plan, the company had steps to handle situations such as this, and were able to fully recover the information that was held on the systems, and were confident that, if they were given more time, they would have recovered the unsaved text as well. The loss of productivity was only on the order of a couple of hours to the end users as alternative systems were brought online.
The above company was not lucky, just well prepared, although with the current general state of IT management, the two seem to be interchangeable.
At the other end of the disaster scale, planning needs to take into account what happens as personnel depart for leave, travel or holidays, and what their systems will be doing during this period. Already a number of security mailing lists are publicly calling for people not to turn on automatic out-of-office reply features in their email clients, as the replies can get replicated onto the mailing lists, providing the hackers who read them with useful information about the whereabouts of key security personnel for various companies. It also makes their hacking efforts that much easier, as the company being targeted already knows that the person the hacker is pretending to be is not in the office.
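One defensive measure for the auto-reply problem is to make the autoresponder itself refuse to answer list or automated mail, which is what RFC 3834 recommends for any automatic responder. The following Python is an added example for this article, not code from the original newsletter or from any particular mail product; the header heuristics, the my_address parameter and the three sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import getaddresses

# Header markers that identify mailing list or automated traffic. RFC 3834
# says an autoresponder must not answer these: a reply would go to the whole
# list (telling every subscriber who is away) or loop with another robot.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help", "List-Archive")
BULK_PRECEDENCE = {"list", "bulk", "junk"}


def should_autoreply(raw: bytes, my_address: str):
    """Return (allowed, reason) for sending an out-of-office reply to `raw`."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # 1. Never answer anything that is itself automatic: other autoreplies,
    #    bounces, list traffic.
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    for name in LIST_HEADERS:
        if name in msg:                       # header lookup is case-insensitive
            return False, "mailing list traffic (" + name + " present)"
    precedence = str(msg.get("Precedence", "")).strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, "Precedence: " + precedence
    envelope = str(msg.get("Return-Path", "")).strip().lower()
    if envelope == "<>":
        return False, "null envelope sender (bounce)"
    if any(tag in envelope for tag in ("-bounces@", "-request@", "owner-", "noreply", "no-reply")):
        return False, "list or no-reply envelope sender " + envelope

    # 2. Only answer mail that names us in To: or Cc:. Mail that reached us
    #    through a list expansion or Bcc is not personal correspondence.
    recipients = {addr.lower() for _, addr in
                  getaddresses([str(msg.get("To", "")), str(msg.get("Cc", ""))])}
    if my_address.lower() not in recipients:
        return False, "not addressed to " + my_address + " directly"
    return True, "direct personal mail"


# Constructed sample messages (not real traffic).
LIST_MSG = b"""Return-Path: <secnews-bounces@lists.example.org>
List-Id: Security news <secnews.lists.example.org>
Precedence: list
From: Carol <carol@example.net>
To: secnews@lists.example.org
Subject: [secnews] patch notes

Body.
"""

DIRECT_MSG = b"""Return-Path: <bob@example.org>
From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: lunch?

Body.
"""

BOUNCE_MSG = b"""Return-Path: <>
Auto-Submitted: auto-replied
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender

Body.
"""

if __name__ == "__main__":
    for label, sample in (("list", LIST_MSG), ("direct", DIRECT_MSG), ("bounce", BOUNCE_MSG)):
        print(label, should_autoreply(sample, "alice@example.com"))
```

The order of the checks matters: the Auto-Submitted and list-header tests come before any look at the recipients, so a list message that happens to carry the user's own address in Cc: is still refused. The same rules apply to any automatic reply, not only vacation notices.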
Even without the holiday increase in hacking efforts by the lower skilled hackers (script kiddies), the ongoing research into software vulnerabilities sometimes causes a problem when the discoverers decide that they want some public recognition for their efforts. Last week, an auction appeared on eBay which claimed to be for the sale of a '0-day' exploit for Microsoft Office's Excel spreadsheet software. As expected, eBay rapidly pulled the auction off the site, but the existence of it sparked some interesting arguments amongst security specialists as they argued over the ethical issues raised by such a move.
While the act of selling an exploit for software can be considered ethically dubious, there are a number of higher profiled Information Security companies which do trade in such exploits, ideally acting as a conduit between the software vendor and the hacker, for financial compensation to both. This apparent hypocrisy only furthers the perception of the Information Security industry being filled with snake oil salesmen.
As to the nature of the Excel exploit, no one is completely sure, although the eBay lister suggested that Microsoft agreed that it was a real vulnerability which had been discovered. At least one other researcher has hinted at having possession of an exploit against Excel which can lead to the compromise of a vulnerable system, but it is not known whether Microsoft have verified that particular case.
The bickering continued, following the announcement that the Sober email worm would automatically self-update on the 5th of January, 2006. One company (which is one of the companies involved in the trading of newly discovered exploits for money, and is one of the more 'respected' names in Information Security), claimed that it is to activate a mass attack of some form (possibly spam) to commemorate the 87th anniversary of the founding of the German Nazi party. While the 87th anniversary of any event is an odd one to celebrate, at least part of the justification is based on previous iterations of the worm being used to distribute neo-nazi spam.
Not only have the claims of this company been questioned, but also the intent of the company which claimed to have discovered the self-updating feature. While disclosure of information such as this is important for administrators to be able to better defend their (infected) systems, an administrator who would take action on this information would have already ensured their systems were cleaned of infection, and subsequently protected. At the least, it has tipped the developer of the worm off that the internals of their worm have been cracked, and the Security world will be watching with interest come January 5.
Online attacks have also gained extra attention this past week, with the BBC reporting at the start of the week on a call from a group of Islamic militants who were seeking to have a presence established on the Internet so that they could distribute information to the world about their activities and military actions. As part of the compensation for the budding web designer is a promise that the designer would get the chance to remotely launch a rocket attack against a US base in Iraq, using newly developed Internet-controlled rockets.
While this, and other activity by militant groups, is not normally identified by the mainstream media or Information Security groups as being an issue, the transcript from an informal round-table on the threat of online terror attacks has been published on the Internet, and it has drawn a range of very polarised responses - arguing for and against the threat of online attacks. The round-table itself appeared to be inconclusive, with more argument about how attacks can be defined than actually about the threat posed by external attackers.
The few nuggets of useful information that were thrown up suggest that the US, at the least, is concerned about what is known as an asymmetric threat, whereby one attacker, or a few, can create damage far beyond what their size would suggest (e.g. one person taking out the power infrastructure for the country). Some of the other information suggests that there are numerous critical infrastructure systems in the US which are reachable, and thus attackable, from the Internet, including important utilities such as electricity, gas, and water supplies for major metropolitan centres.
What did seem apparent from the transcript was the significant difficulties that are encountered when trying to get technical people to consider the military and national interest strategic consequences of technical vulnerabilities and system exposure, and those difficulties encountered when getting strategic planners and thinkers (military and national interest) to adequately understand the technical nature of the threats being discussed.
Even minor attacks such as web defacements can be seen by some as a terror threat. The recent defacement of the Australian Capital Territory Chief Minister's website was reported as being a targeted attack against the Chief Minister (which it wasn't), while the recent defacement of the National E-Health Transition Authority (NEHTA) was not widely reported (if at all), but probably is of more concern. NEHTA has been established for the purposes of enabling the Commonwealth and State and Territory governments to develop better ways of electronically collecting and securely exchanging health information, and the inability to secure their Internet presence does not instill a lot of confidence in their claimed focus on the security of electronic health information.
At the very least, even if the threat of online terror attacks is not a credible one, it does not mean that security can not be improved on the systems currently connected to the Internet, and those which are not meant to be.
Disturbingly, the discussion on online terror attracted enough apparently independent comments about various military and other sensitive infrastructure networks (primarily US) to imply that there are definitely electronic connections to the greater Internet from systems up to and including the US Top Secret level, with varying levels of ease of connection to those systems.
To protect the US, it looks like the US Air Force is going to step up and do it. At least, that's according to their recently released mission statement:
The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests -- to fly and fight in Air, Space, and Cyberspace.
Little Bits and Pieces - 05 December 2005
The ongoing issue with the recent Internet Explorer arbitrary code execution vulnerability continues to worsen, with active exploitation by at least one new system worm. There is some speculation that Microsoft will be issuing an out-of-cycle patch for the Internet Explorer issue, although their scheduled monthly patch release is set for December 13.
The argument for the out-of-cycle patch is that Microsoft have known about the root flaw that allows the code execution for at least six months, and the criticality of the developed vulnerability; while the argument against an out-of-cycle patch is that some regard the issue to be a design error which would require a significant overhaul of the Internet Explorer code base in order to correct the flaw. Whichever way it turns out, it is essential that users of Internet Explorer apply whatever patches are made available, as soon as they are released.
Although not as critical as the Internet Explorer flaw, exploit code has been published for recently patched vulnerabilities, those patched by MS05-051 and MS05-053. A fully updated system will not be vulnerable to exploits developed from the sample code, but it should be a reminder to those who have not patched their systems that they should expedite the process. The sample exploit code would result in Denial of Service style attacks against vulnerable systems.
While fairly active attention was focussed on active and patched vulnerabilities in Microsoft products, Apple Computer released their latest security patch for their OS X Operating Systems. Released for their 10.3 and 10.4 product lines, the Security Update 2005-009 release fixes a number of fairly serious, and not so serious, vulnerabilities in included third party software and some core components of the Operating System. While most of the third party vulnerabilities, such as those affecting the Apache web server, were previously known about, the serious core Operating System vulnerabilities were not. Either Apple were able to encourage the discoverers to keep quiet about their discoveries, or they were discovered in house. Irrespective of the reason, it is an interesting difference to the way that recent Microsoft vulnerabilities have been disclosed and handled.
The news isn't all good for Apple, however, with initial reporting of vulnerabilities leading to arbitrary code execution through QuickTime, at least for the Windows implementation, for the most recent versions. The last update for QuickTime was to fix another arbitrary code execution issue, and it is not known whether the new claimed vulnerability is related in any way to the fixed vulnerability.
Also following on from previous weeks, the high-profile recent variants of the Sober email worm have started to include the UK National High Tech Crime Unit (NHTCU) as one of the spoofed senders, joining the FBI, CIA and other agencies as spoofed From: addresses. With less than a calendar month remaining in the year, it will take a fairly significant effort from another email-based worm to displace the latest Sober variants from the title of most significant email-based worm for 2005.
Amongst other movement in the so-called hacker 'underground' recently, European security firm, Zone-h, apparently found itself the victim of an online defamation. At some stage in the previous couple of weeks, a Google Groups group was established with the name 'Zone-h The Internet Thermometer', which is a phrase Zone-h does use to describe themselves. Rather than providing discussion ground for security news and efforts, the group appeared to be used for the solicitation and trade of hacking services. Zone-h (the real one) has issued a press release publicly denying any involvement with hacking services, offers for hacking, and other illegal activities promoted through the group.
It now appears that several members of the Google Groups group took advantage of a slip in moderation to redirect the focus of the group, and at least one Zone-h moderator has re-appeared to take back control of the group.
Researchers who are investigating weaknesses in common cryptographic hashing functions (one-way functions which are commonly used for validating the integrity of files and protecting passwords in applications) have released further samples of collisions (two different inputs producing the same hash output) under a range of common functions. While the presence of collisions has been known for some time, it was believed that generating inputs that collide under multiple hashing algorithms at the same time was practically improbable.
The released samples now include eight files with the same MD5 hash and two Windows executables with the same MD5 hash, the same CRC32, the same checksum 32, and the same checksum 16. While it is still practically improbable for any useful exploitation of the collisions found (i.e. starting with an arbitrary original file / content and then modifying it in a meaningful way), it does bring it another step closer and does show that multiple hash algorithm collisions can exist for the same content.
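The CRC32 and checksum part of that result is the cheap part, and it is worth seeing why: CRC and additive checksums are error-detecting codes, not cryptographic hashes, so agreement between them says nothing once an adversary is involved. The following Python is an added example for this article, not the researchers' samples or code from the original newsletter. It pads two constructed records so that they share CRC-32, a 16-bit additive checksum and a 32-bit additive checksum, while SHA-256 still tells them apart. The MD5 side of the published result is not reproduced; that needs the researchers' specialised collision techniques. All function names and the two sample records are this example's own.

```python
import hashlib
import zlib

# Table for the reflected CRC-32 (polynomial 0xEDB88320) that zlib implements.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of each table entry is unique, so one CRC step can be undone.
_REV = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_REV) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def sum16(data: bytes) -> int:
    """Additive checksum modulo 2**16 (the 'checksum 16' of the text)."""
    return sum(data) & 0xFFFF


def sum32(data: bytes) -> int:
    """Additive checksum modulo 2**32 (the 'checksum 32' of the text)."""
    return sum(data) & 0xFFFFFFFF


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Four bytes X such that crc32(data + X) == target.

    CRC is linear over GF(2), so the suffix is solved for rather than
    searched: walk back from the wanted register state to learn which table
    entry each of the four steps must use, then walk forward from the real
    register state to pick the byte that selects that entry."""
    idx = [0] * 4
    want = target ^ 0xFFFFFFFF              # register state before the final XOR
    for k in (3, 2, 1, 0):
        idx[k] = _REV[want >> 24]
        want = ((want ^ _TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    state = crc32(data) ^ 0xFFFFFFFF        # register state after `data`
    out = bytearray()
    for k in range(4):
        out.append((state ^ idx[k]) & 0xFF)
        state = _TABLE[idx[k]] ^ (state >> 8)
    return bytes(out)


def filler(total: int, length: int) -> bytes:
    """`length` bytes whose values add up to `total` (0 <= total <= 255 * length)."""
    out = bytearray(length)
    for i in range(length):
        out[i] = min(255, total)
        total -= out[i]
    if total:
        raise ValueError("total too large for filler length")
    return bytes(out)


def match_checksums(a: bytes, b: bytes, max_targets: int = 1024):
    """Pad two different messages so they share CRC-32, sum16 and sum32.

    The message with the larger byte sum gets four 0xFF bytes plus a CRC
    suffix. The other gets a filler whose byte sum is searched until filler
    plus its own CRC suffix closes the gap exactly; the filler is long enough
    that some value always works, so only a few thousand CRCs are needed."""
    if a == b:
        raise ValueError("messages must differ")
    swapped = sum(a) < sum(b)
    high, low = (b, a) if swapped else (a, b)
    diff = sum(high) - sum(low)
    k = (diff + 2 * 1020) // 255 + 1        # filler length with headroom for any suffix sum
    for target in range(max_targets):
        h_pad = high + b"\xff" * 4
        high2 = h_pad + crc32_suffix(h_pad, target)
        need = sum(high2) - sum(low)        # what filler + suffix must contribute
        for s in range(255 * k + 1):
            l_pad = low + filler(s, k)
            xb = crc32_suffix(l_pad, target)
            if s + sum(xb) == need:
                low2 = l_pad + xb
                return (low2, high2) if swapped else (high2, low2)
    raise RuntimeError("no match found; raise max_targets")


def fingerprint(data: bytes) -> dict:
    return {"crc32": crc32(data), "sum16": sum16(data), "sum32": sum32(data),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample inputs: two short records that must never be confused.
SAMPLE_A = b"transfer 100 to account 12345"
SAMPLE_B = b"transfer 900 to account 67890"

if __name__ == "__main__":
    a2, b2 = match_checksums(SAMPLE_A, SAMPLE_B)
    for label, m in (("A", a2), ("B", b2)):
        print(label, m, fingerprint(m))
```

The lesson for anyone validating downloads or forensic images is the one the article is driving at: a CRC or checksum match is evidence against accidental corruption only, and even a cryptographic hash should be one that has no published collisions, checked against a value obtained over a separate trusted channel.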
Finally, a fairly serious vulnerability was disclosed in a range of Cisco IOS versions, which could provide a remote attacker with complete control over vulnerable networking hardware. Designed to take advantage of the web server that is included with later versions of IOS, the vulnerability, and published exploit code, makes use of functions that dump the memory of the networking device for an administrator to review.
By being able to inject arbitrary commands into the network traffic which the device then retains in memory, it was discovered that the commands would be executed if the administrator ran the appropriate scripts. What prevents this from being a massive problem is that the web server feature of the vulnerable IOS versions is not enabled by default, and the known attack is limited to a small set of specific scripts. The other downside, in addition to compromising targeted hardware, is that the attack can compromise all networking devices it passes through en route to the targeted device, provided that they have the same feature enabled.
Cisco have not been able to release a patch for this issue, and their current advice is for affected users to disable the web server.