Terms of Use
Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page cannot be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists.
This is Not an Email From the FBI - 28 November 2005
With a number of anti-virus companies and IT news sites calling it the biggest email based threat of 2005, new variants of the Sober email worm started hitting email inboxes in the last several days. Although the worm has employed various social engineering methods in an attempt to get victims to execute the email attachments, the current versions appear to have been fairly well thought out. With infected emails claiming to be from the FBI, CIA or the German BKA, and related to investigations into the victim's Internet usage habits, the Sober creators appear to have identified a method which is likely to result in a greater number of compromised systems.
The effectiveness of the worm was so great that the FBI was prompted to place information on their website to deny that the emails were originating from them. As per previous variants of the Sober worm, the included malware attempts to install a spam-engine, collect email addresses stored on the system, disable the firewall and any other protective software, modify the local HOSTS file to prevent access to Windows and other security update sites, and open network ports to allow remote control of the system via IRC.
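The HOSTS-file tampering described above is one of the easier Sober behaviours to check for, because a clean HOSTS file has no reason to name a vendor's update site at all. The following is an added example, not code from the newsletter or from any vendor: it parses a HOSTS file and reports every entry for a watched update or anti-virus domain. The domain list and the sample HOSTS text are constructed for the example.

```python
"""Flag HOSTS-file entries that point vendor update sites at a dead address.

Added example, not part of the original newsletter. The Sober variants are
described as rewriting the local HOSTS file so that Windows Update and
anti-virus sites no longer resolve. A clean HOSTS file has no reason to name
those domains at all, so any entry for one is worth reporting. The watched
domain list and the sample HOSTS text are constructed for this example.
"""

# Constructed watch-list of update and anti-virus domains (an assumption, not
# a list taken from the newsletter or from any vendor).
WATCHED_DOMAINS = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
)

# Constructed sample HOSTS file: a normal localhost line, an intranet entry,
# and three entries of the kind a worm would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.windowsupdate.com
127.0.0.1       windowsupdate.microsoft.com   # added by malware
0.0.0.0         liveupdate.symantec.com
192.168.1.50    intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per name, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to report
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return [(ip, hostname)] for every watched domain pinned in the file.

    The address is reported but not used to decide: 127.0.0.1, 0.0.0.0 and a
    bogus routable address all stop the real update site from being reached.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

Run against the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows) the same check is a useful first step when a machine can no longer reach its update or anti-virus vendor; a hit does not identify the worm, but it does tell you the resolver has been redirected locally rather than by the network.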
As anti-virus companies scrambled to catch up with the emerging variants, some security commentators were warning that the worms were evolving too quickly for anti-virus vendors to keep up with. Basic user education, teaching users to treat .zip file attachments as malicious and not to open them, would prevent a significant number of infections.
With the spread of the worm being so rapid, it has been considered by some that the creators have used existing botnets to increase the rate of spread of the worm, in addition to the improved social engineering efforts. The attempt to play on people's fear of authority, especially with various Homeland Security agencies, laws and increased tensions, is considered to be the key to the increased spread of this particular Sober variant.
The past week also saw the release of the SANS Top 20 vulnerabilities list for 2005. A new feature of this year's listing was a major focus on cross platform threats and application vulnerabilities, as compared to Operating System vulnerabilities. With a breakdown of five Windows, two Unix, ten cross platform application, and three networking hardware vulnerabilities, the list seems to cover most of the significant Information threats to surface in 2005.
Some of the inclusions have been a little contentious, such as inclusion of a generic warning for OS X, but no specific breakdown of any applicable direct threat. In subsequent discussion, a SANS representative indicated that the inclusion was based on the increasing number of poorly administered OS X systems that they are observing.
The other vulnerabilities covered included issues with Windows Services that were exploited by worms such as Zotob, and issues with Cisco networking hardware that related to Mike Lynn's presentation at the Black Hat / Defcon 2005 Briefings and Conference. Recent threats to the ISAKMP implementations of a number of networking vendors also rated a mention, and SANS' perennial bugbear, the Domain Name System (DNS), also made the list.
Emerging too late to make the Top 20 list is a vulnerability which affects Internet Explorer on most versions of Windows (except Windows 2003 Server in Enhanced Security mode). Derived from an earlier Denial of Service bug that would cause the browser to crash upon trying to open a new window via a JavaScript call in the body tag for a web page, the new vulnerability has been designed to allow for execution of code by a remote hacker.
In a move which upset Microsoft, the security researcher who discovered the extended vulnerability released the code publicly, including complete source code to a working exploit, and did not notify Microsoft ahead of time. While the developed proof of concept code only launched calc.exe, it was reported that variants of the code were in circulation which could provide a reverse shell, which allows the attacker to gain access to the command line. It is possible that these later reports were based on a misunderstanding of the comments in exploit code, which mentioned establishing a shell.
Microsoft is yet to issue a patch, but has acknowledged the presence of the vulnerability and has provided suggestions to users who would like to protect their online activities (basically, disable JavaScript). The root cause is believed by many to be a design error in Internet Explorer, which would require significant overhaul of the codebase in order to fix the issue. It is more likely, however, that an incremental patch will be developed which will disable that particular instance of calling a new window using JavaScript.
This latest Internet Explorer vulnerability was joined by reports of an issue which can see Internet Explorer opening unexpected applications to handle various tasks. While more correctly a Windows 'pathing' issue which has been known about for some time, the discovery that Internet Explorer will open a folder / file / application on the Desktop named notepad.exe as a priority over the Windows default Notepad application has seen some increased attention to the filetypes and applications that can be abused in this manner. Several Registry modifications were soon provided, along with links to the MSDN reference on the issue, which forces Internet Explorer to look in specific locations if it needs to open Notepad, or equivalent.
While the discussion surrounding the discovery quickly returned a working solution along with a reference to Microsoft documents, it prompted discussion on the behaviour of Internet Explorer and Windows in those situations, along with an explanation of why some core System applications sometimes appear to magically reappear after their manual deletion (dllcache).
A practical example of finding applications which have pathing problems was provided by a contributor who suggested making a copy of the calculator (calc.exe), renaming it to 'program.exe', and placing it in the root level of the Windows partition (C:\program.exe). This would then allow users to identify applications that are potentially vulnerable to abuse by having appropriately named files placed at higher levels of the Directory structure. The symptom encountered would be unexpected copies of calc.exe opening up on the screen.
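The C:\program.exe test works because of the rule Windows applies when an executable path containing spaces reaches CreateProcess without quotes: each space-delimited prefix is tried in turn, with ".exe" appended where the prefix has no extension, before the full path is reached. The following is an added example, not code from the newsletter or from Microsoft, that models that rule and audits a constructed list of existing files for the shorter paths that would be run instead of the intended program. The file list and launch strings are constructed; the rule itself is the documented CreateProcess behaviour.

```python
"""Enumerate the files Windows tries for an unquoted executable path.

Added example, not part of the original newsletter. When an executable path
containing spaces reaches CreateProcess without surrounding quotes, Windows
resolves the ambiguity by trying each space-delimited prefix in turn,
appending ".exe" where the prefix has no extension, before it reaches the
full path. A file at C:\\program.exe therefore pre-empts anything launched
unquoted from under C:\\Program Files, which is what the calc.exe test in the
text demonstrates. The file list used by the audit is constructed.
"""
import ntpath


def unquoted_candidates(exe_path):
    """Return, in the order Windows tries them, the paths an executable path
    could resolve to. A path that arrives quoted is unambiguous and yields
    only itself; arguments are assumed to have been stripped already."""
    s = exe_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end]] if end > 1 else []
    cut_points = [i for i, ch in enumerate(s) if ch == " "] + [len(s)]
    candidates = []
    for i in cut_points:
        prefix = s[:i]
        if not prefix or prefix.endswith("\\"):
            continue
        # A prefix without an extension gets ".exe" appended, as Windows does.
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit(exe_path, existing_files):
    """Return existing files that Windows would run instead of exe_path.

    The first entry is the one that actually executes; later ones would take
    over if it were removed. An empty list means the path is safe as written.
    """
    by_lower = {p.lower(): p for p in existing_files}
    target = exe_path.strip().strip('"').lower()
    hits = []
    for cand in unquoted_candidates(exe_path):
        if cand.lower() == target:
            break  # reached the intended binary; nothing after it is tried
        if cand.lower() in by_lower:
            hits.append(by_lower[cand.lower()])
    return hits


# Constructed snapshot of a filesystem after the test described in the text:
# a copy of calc.exe has been dropped at the root as program.exe.
EXISTING_FILES = [
    r"C:\program.exe",
    r"C:\Program Files\Vendor\App\app.exe",
    r"C:\Program Files\Sub Dir\tool.exe",
    r"C:\Windows\System32\calc.exe",
]

# Constructed launch strings as they might appear in a service ImagePath or
# a Run key; the second is quoted correctly and so is not ambiguous.
LAUNCH_PATHS = [
    r"C:\Program Files\Vendor\App\app.exe",
    r'"C:\Program Files\Vendor\App\app.exe"',
    r"C:\Program Files\Sub Dir\tool.exe",
]


if __name__ == "__main__":
    for path in LAUNCH_PATHS:
        hits = audit(path, EXISTING_FILES)
        print(f"{path!r}: {'hijacked by ' + hits[0] if hits else 'ok'}")
```

Feeding the audit the ImagePath of each service and each Run-key value on a machine gives the same answer as the calc.exe test without having to wait for stray calculators to appear, and the fix for any hit is the same in both cases: quote the path, or remove the write access that let the shorter file be created.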
You May Not be as Secure as You Think - 21 November 2005
As laptop and notebook computers continue to increase in sales, more users are looking for a more portable method of connecting to the Internet. The current technology of choice is the 802.11 family of wireless connection specifications, generally known as Wi-Fi, which almost all wireless network connections use (with minor use of Bluetooth and infrared connections).
From the initial development of the wireless networking specifications it was realised that it was not a suitable security practice to be broadcasting all network traffic for any passing wireless-enabled computer to collect, and so research began on methods to protect the technology.
The first effort to improve the security of the connections revolved around Wired Equivalent Privacy, commonly known as WEP. This technology provided an encrypted link for all legitimately connected wireless clients, intended to prevent unauthorised stations from capturing network traffic. Unfortunately, once a client was allowed to connect through WEP it was able to capture all the network traffic unencrypted, and the encryption scheme underlying WEP was rapidly broken, effectively making WEP useless as a means of protecting wireless network connections.
The followup protection technology, Wi-Fi Protected Access, which is known as WPA, and WPA2 for the complete implementation, began to be implemented in early 2003. Designed around a stronger encryption process, WPA encrypted each client's connection individually, in an effort to prevent clients from viewing the unencrypted traffic for other connected clients. As a means to overcome some of the shortcomings from WEP, the system was designed so that encryption keys would change over the time of the connection.
Over recent weeks a fairly active security discussion looked at methods to overcome the protection offered by WPA, and possibly that offered by WPA2. One method in particular allows a user who has been granted a connection to perform an attack which is known as ARP cache poisoning. Basically, ARP poisoning is when a system connected to the network pretends to be another for the purpose of obtaining the traffic to the victim's system.
Even though WPA is not meant to supply protection to the network layer that ARP poisoning works on, the ability to conduct ARP poisoning removes the protection that WPA does offer, breaking its promise of maintaining a secure link between client and wireless access point. Technologies such as IPv6, IPsec (which has had issues recently), and static ARP records can help mitigate the effects of an ARP attack, as can the use of SSL / SSH / VPN traffic at the highest level. A number of network monitoring tools can also be used to detect odd behaviour on a network segment, which can indicate an attempted ARP poisoning attack.
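The "odd behaviour" a monitoring tool looks for is simple to state: an IP address that was answering from one MAC address starts answering from another, usually the gateway's address being claimed by a client station. The following is an added example, not code from the newsletter or from any monitoring product, showing that check over a constructed stream of ARP replies; the static table plays the role of the static ARP records mentioned above, and is trusted over anything learned from the wire.

```python
"""Spot ARP cache poisoning from a stream of observed ARP replies.

Added example, not part of the original newsletter. A monitoring tool on a
segment can keep the MAC address each IP was first seen with and raise an
alert when a later reply claims the same IP from a different MAC, which is
the signature of a station impersonating the gateway or another client.
Static entries model the static ARP records the text lists as a mitigation:
they are trusted over anything learned from the wire. The reply stream and
addresses are constructed for this example.
"""
from collections import Counter


class ArpWatch:
    """Learn IP-to-MAC bindings from ARP replies and report conflicts."""

    def __init__(self, static=None):
        # Pinned bindings win over learned ones, so a poisoner that speaks
        # first cannot seed the table with a false gateway address.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}   # ip -> MAC first seen on the wire
        self.alerts = []    # conflicting replies, in order seen

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return an alert dict if it conflicts."""
        mac = mac.lower()
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac
            return None
        if expected == mac:
            return None
        alert = {"ts": ts, "ip": ip, "expected": expected, "claimed": mac}
        self.alerts.append(alert)
        return alert

    def suspect_macs(self):
        """MACs that claimed someone else's IP, most frequent first."""
        counts = Counter(a["claimed"] for a in self.alerts)
        return [mac for mac, _ in counts.most_common()]


# Constructed ARP replies: (seconds, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # the real gateway
    (1.0, "192.168.1.10", "00:11:22:33:44:0A"),  # a client
    (2.0, "192.168.1.11", "00:11:22:33:44:0B"),  # another client
    (5.0, "192.168.1.1", "00:11:22:33:44:0B"),   # .11 claims to be the gateway
    (5.5, "192.168.1.10", "00:11:22:33:44:0B"),  # and claims .10 as well
    (9.0, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway answers again
]

# The gateway is the address worth pinning on any segment.
STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:01"}


def analyse(replies, static=None):
    """Run a reply stream through ArpWatch and return the watcher."""
    watch = ArpWatch(static)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch


if __name__ == "__main__":
    w = analyse(SAMPLE_REPLIES, STATIC_ARP)
    for a in w.alerts:
        print(f"t={a['ts']:<4} {a['ip']} expected {a['expected']} but {a['claimed']} answered")
    print("suspect stations:", w.suspect_macs())
```

Without a static entry the watcher still sees the conflict, but it can only say that two stations disagree about an address, and if the poisoner spoke first it will blame the real gateway; pinning the gateway's address resolves that ambiguity, which is why static ARP records and monitoring work better together than either does alone.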
Unfortunately, all of this technology is useless if it is never turned on. Quite a significant percentage of business and home wireless access points, and the associated networks, have not applied any security protection and even if they have, a still not insignificant proportion will use the default security settings, including the default administrator passwords.
While companies and some home users will be taking steps to prevent connection of unknown clients to their wireless networks, major public access points are becoming more common, and will become more of a concern as attacks against wireless connections develop their capability. With coffee shops, fast food restaurants, and a range of community wireless access opportunities (Adelaide CBD, Macedonia, and numerous cities worldwide) providing more and more chances to connect to a wireless network, the false sense of security that pervades is likely to lead to significant information theft and data compromise in the future.
In other news, it has been a strange week for security disclosure; a number of vulnerabilities were announced and picked up on by the larger IT news sites which affected outdated products or which targeted specific examples of a much greater vulnerability. Products from vendors such as Google, Apple and Microsoft were caught up in this odd round of disclosure, and investigation into the claims usually resulted in identification of a misdiagnosis or overreaction. It definitely looked to be a week where the media was notified first (who then swallowed it completely), then the vendors whenever a vulnerability was disclosed.
Google's interface to various online messaging services, Google Talk, had a fairly quiet vulnerability disclosed which could cause the Windows version of the application to crash on receipt of a specifically formatted email. Subsequent investigation suggested that, while it was a real vulnerability, the impact was low and for the vulnerability to work a number of key conditions had to be manually set. Other reporting about Google indicated that they had quietly fixed a reported vulnerability with their GMail webmail service. Again, the vulnerability required a number of fairly specific nonstandard and detailed steps to be taken for a victim to be vulnerable to losing control of their GMail account.
Google also fixed a Cross Site Scripting issue with Google Base, their new data collation service. The vulnerability allowed an attacker to gain access to a victim's account details, which could then provide access to sensitive information in GMail, Ad Sense or Ad Words. It is felt that this issue was related to a vulnerability quietly closed at the end of September (alerted on 12 October) by Google.
Apple's vulnerabilities included a set of real vulnerabilities, and a set of vulnerabilities which would have more correctly been attributed to the underlying Operating System (Windows in this case). The Quicktime media player could have been used to execute arbitrary code if a user could be tricked into running a certain media file, but it only affects the Windows versions (the solution is to upgrade to the latest version). This vulnerability was not widely reported, while a vulnerability which affected Apple's iTunes was. Upon investigation, it turned out to be the result of a specific Windows call not being made correctly, a mistake that a number of other applications were also found to make. The impact would be iTunes opening an unexpected application in response to specific calls from within the application, so if you expected a certain CD burning application to open, it could open Excel instead. Even though numerous applications from a range of vendors were found to make this specific Windows call incorrectly, iTunes was singled out as the apparent only vulnerable application.
While researching methods to exploit the vulnerability fixed by MS05-047, an Indian researcher uncovered a vulnerability which affected a fairly specific range of Microsoft Windows versions and patch levels. The discovered vulnerability affected Windows 2000 and XP systems, with a fairly old set of patches, which is possibly why the discovery was posted publicly rather than withholding it until Microsoft had a chance to properly assess the impact. The result of the published exploit code was such that a system would exponentially consume system resources until it could recover (after some time), which could be extended indefinitely by making sustained requests against the target machine (which would be very noisy).
Unfortunately, the overreaction from the industry media to the recent vulnerabilities only provides more confusion and misinformation to readers, especially when significant vulnerabilities or other vulnerabilities affecting the same applications are being overlooked. It was suggested that a lot of these were attempts by 'security' companies trying to increase business or to keep their names in the news for a little while longer.
At least the issues raised by Sony's rootkit haven't dropped out of the press, with continued focus on the removal tool that Sony has supplied, as well as other protection software used by additional CD titles. This continued focus has found some very concerning elements, especially the insecure ActiveX component which is supplied to the user who is trying to clean their system of Sony's malware (which can be used to remotely reboot a system, gain administrator level access, or execute code of choice). While Sony has started taking steps to withdraw the affected disks from sale, and refund customers affected by the issue, it still remains to be seen what the long term effects will be. Lawsuits have already been launched in the USA and Italy over this issue, with a number of companies now forbidding all music CDs from being played through their computer systems in an effort to prevent possible future compromise.
Of more interest with respect to Sony's rootkit are accusations that the anti-virus companies (in particular Symantec) were complicit in ensuring that their products did not pick up on the rootkit's presence, and actually went out of their way to ensure this was the case. While detection and removal of rootkits is generally left to specialised tools, a lot of people consider their anti-virus vendor to be capable of protecting them from all evil.
Short, But Sweet - 14 November 2005
A memo from Microsoft Chairman, Bill Gates, was recently 'leaked' onto the Internet, and it heralds a fairly surprising change in direction for the company. Citing examples such as Google and Yahoo!, it appears that the head of Microsoft feels threatened by an environment where a small startup can come from nowhere and rapidly gain the dominant market share, before the larger established companies have a chance to react.
This call for a move to online advertising and services as a cornerstone for future revenue already looks like it has the first components in place by Microsoft. They have announced the creation of a 'Live' project which is designed to further the capabilities offered by MSN, which will continue to operate alongside the new service. The new project will offer a range of additional services for offline applications, as well as some unique online tools, supported by advertising and premium subscription content.
Microsoft claim to have invented the AJAX phenomenon through their Outlook Web Access technology which made use of their XMLHttpRequest object (an essential component of all AJAX applications), which is a claim not too far from the truth. The leaked memo makes reference to Microsoft having missed a great opportunity with Outlook Web Access, something which they do not wish to repeat.
More concerning for competing companies is the reference to Microsoft focussing on developing a competing format to the ubiquitous PDF (Portable Document Format), which is closely tied to Adobe. For many users, .pdf files have become a de facto standard, such that it is used as the underlying default image type for Apple's OS X Operating System. Microsoft's competing format, dubbed Metro, is scheduled to be included with the Microsoft Vista release which is expected for release next year.
Microsoft's 'Black Tuesday' security patch release for November came and went with only a single patch, rated critical, for Windows NT-derived systems (2000, XP, 2003). A memory error in the processing of EMF / WMF image types for vulnerable systems could allow a remote attacker to gain control of the system. It was highlighted that, provided the user could be tricked into viewing the file, this could be exploited through Internet Explorer, Microsoft Office, and Microsoft Outlook (when viewing HTML formatted emails).
Initial reaction was that the disclosed vulnerability would not be suitable for use as a mass spreading automated worm, but could be used as an infection vector for other worms. At least one Anti-Virus company claimed that the vulnerability was already being used by a worm that was in the wild, however they subsequently retracted this claim. One other Anti-Virus company's product went haywire with the detection routines for identifying this flaw, flagging numerous legitimate files as infected and causing Excel to stop functioning correctly. The current set of definition files has corrected this issue, and it is a standard recommendation to ensure that all readers maintain their Anti-Virus products with the latest definition files.
With the recent arrests in Australia over suspected terrorism related activities, and the ongoing rioting throughout Western Europe, the use of the Internet, computers, mobiles, and other networked technology devices to plan and manage these actions has been highlighted. With the Australian arrests, some of the evidence that is known to have been secured is computer equipment and related storage material. While it is not known whether the suspects used the Internet to co-ordinate their activities, any emails on the systems would surely be of interest to investigating officers. The presence of any encrypted data is also likely to draw additional attention.
The English parliament recently overturned an effort to increase the length of time that a suspect could be held without charge to 90 days, from the current 28. The primary argument being given for the proposed increase was that it would take that length of time for forensic specialists to recover and process information from an encrypted computer drive. This argument appears weak when it is considered that it is an offence in the UK not to provide the encryption key to law enforcement upon request. Also, the possible types of encryption encountered include methods which can not be reliably cracked in a human lifetime, so 90 days is an odd number for decryption of a device.
Across the Channel from England, France has seen some of the worst rioting for a number of years, seemingly restricted to a fairly narrow group of residents. Alongside all of the other unique features associated with the rioting, it has been reported that there has been a high level of coordination and planning which has utilised everything from mobile phone networks to Internet chat rooms to manage the rioters. Even though it appears that the riots have slowed down, there are claims that on the 14th of November, something known as 'Operation Midnight Storm' is scheduled to start, having been planned and managed through various Internet sites.
Of Bad Patches and Rootkits - 07 November 2005
When a company releases patches to fix their software, it gives hackers and security researchers a chance to 'reverse engineer' them to work out how the company has actually fixed the vulnerability, and in the case of the hackers it gives them a chance to understand how to create a workable exploit against the patched vulnerability. Sometimes companies will 'slipstream' patches to unannounced vulnerabilities in with the patch for an announced vulnerability. This can cause problems for end users who are expecting to have a certain subsystem repaired, only to discover that the 'slipstreamed' vulnerability patch has caused an unrelated subsystem to fail. Unfortunately, this only adds to the mystery as to what happens within a user's computer whenever they are trying to do things.
One of the patches released by Microsoft with their October Security Patch release, MS05-049, was being reverse engineered by an Argentinian security consultant, who discovered that it repaired a vulnerability that was improperly repaired by an earlier patch, MS05-018. According to the researcher, the earlier patch only blocked one particular avenue of attack, rather than repairing the underlying vulnerable function.
In Microsoft's defence, code maintenance is one of the most frustrating and time consuming elements of the overall development process. Developers assigned to code maintenance have to apply extreme caution to the process, in order to avoid inadvertently introducing new vulnerabilities, and to minimize the disruption to services and third party software which relies upon the code being maintained. Sometimes it is code that is several years old, and core elements of applications, that need the most urgent maintenance, but it is usually this code that causes the most issues for maintenance due to the reliance that subsequent software releases have placed upon its behaviour. For such a large company (i.e. with a lot of inertia), their commitment to secure development practices, and a focus on security, can take some time to filter through their product lines.
The alternative viewpoint put forward by observers is that Microsoft should adopt a development process which enables code modularization, whereby the complete codebase is reduced into separate modules that are clearly defined (in their interface with other modules), and which can be handled by an individual coder, or a small team of coders. Others rush to point out that Microsoft is more of a marketing company than a software development company, cynically observing that Microsoft is probably the only company which can get away with creating a problem, then being elevated to hero status for fixing the issues that they have caused. It is suggested that the combined size of all the patches and security updates for Windows 2000 is greater than the size of the original Operating System installation. If true, it would call into serious doubt the quality of the software produced by the company.
If that isn't enough to keep people awake at night, numerous countries and companies rely upon software from the largest software company in the World for critical functions (even though it says not to in the EULA), when it is apparent that they have some difficulties correcting vulnerabilities in their code.
Other software companies are not immune to such patterns, with Oracle known to have ignored vulnerabilities for extended periods (years), and IBM patches to software only fixing the known attack vector and not the underlying problem (the same thing Microsoft has been vilified for).
Ultimately, it is the human factor which leads to such situations, and the human factor which can remedy it. Developers are not able to produce quality, flawless code for extended periods of time, and this varies greatly with the external pressures applied by a management structure which has deadlines to meet, and also by the ability and experience of the developer. It also comes down to the humans who use the software, happily clicking their way past warning screens and alert boxes, opening email attachments and running the software they found there, downloading and installing software from as many sites as they can and a number of other actions which strike fear into the hearts (and cash into the wallets) of the security industry.
The human factor in computer security really became a problem over the last week, when it became known that Sony appears to be secretly installing a 'Rootkit' on Windows computers when certain Sony/BMG audio disks are played on them. While the disks will function correctly in a stand-alone CD player which is 'Red Book' standard, which means that they can probably still be classed as legitimate CDs, the sneak-installation of a Rootkit is considered extremely unethical (at best), and possibly illegal.
Even taking measures to clean the system requires specialised tools (which will either leave the system damaged, or install further secret software). Even rebooting into Windows 'Safe Mode' will not stop the Rootkit from running. While it has been restricted primarily to technical news reporting, the issue did start to make an appearance with a number of mainstream media outlets. There was an almost universal condemnation of the action, along with forecasts of further malicious software to make use of the unique features of the particular Rootkit. Various small groups have called for boycotts of Sony/BMG music products, all the way up to boycotts of all Sony products, as a sign that such actions are not appropriate.
Already, software to allow cheating on the popular online role-playing game, World of Warcraft, has surfaced, which makes use of various features of the Sony Rootkit to hide its presence from the 'Warden' system monitoring / cheat scanning software which runs alongside World of Warcraft.
This move could bring Blizzard (publisher of World of Warcraft) into the fray, on the side against Sony. Historically, Blizzard have taken a dim view of applications that let players cheat, or use their games online through services not Blizzard's own. Two very recent cases of this were when the developers of Bnetd were essentially forced to halt development, and when Blizzard's 'Warden' application was considered not to be a Rootkit or spyware (despite what it does). If enough players make use of Sony's Rootkit to install cheat software for World of Warcraft, Blizzard is very likely to take some sort of action.
The information that accompanies the CDs indicates that Administrator privileges are required to use the CD with a PC. This then allows the software to install itself, call back to the Sony servers (if the computer is online), and then hides itself inside the Operating System. Through the investigative efforts of one particular security researcher, it was discovered that this particular software has a number of bugs, which makes it an extremely inviting prospect for other malicious software authors to hide their software behind, such that it will not show up on any scans of the system.
The known spread of the infected CDs is North America, but it is probable that samples exist outside of that market. It has already been observed that requests have been made for complete CD images of infected disks (i.e. .iso files), in order to install and play around with the Rootkit.
Some observers have quipped that instead of advertising that something is protected by DRM (Digital Rights Management), a more appropriate usage would be 'Infected with DRM'. Others are complaining that the Rootkit only hurts those who are purchasing their music legally, and is more likely to have the reverse of the intended effect in the long run. That is, it is more likely that people will look for their music via electronic download (Kazaa and the like), than through a purchased CD which will infect their computer with nasty software.
The security implications from this are massive. Companies which allow their employees to run as Administrator, and home users who do the same, are likely to discover that their system security has been significantly weakened just by playing an audio CD. For people employed to remove spyware, adware, viruses, worms, and other malware from infected computer systems, they will need to ask their customers whether they have bought and played any music CDs through their computer lately.
Finally, as this article was being prepared for publication, it was identified that Cogent (one of the Tier 1 ISPs involved in the recent peering issue) started suffering some significant network reliability issues. Network traffic was passing through at a reasonable rate, but their end of the connections to the other Tier 1 ISPs was suffering an availability issue, with as little as 75% network availability to some of the other ISPs. After about three hours, the issue appears to have been resolved, with the network availability rising back up over 90% for most connections, and the remainder also climbing. It will soon be a month since the Cogent / Level3 connection was re-established, and it will be interesting to monitor what happens over the next few weeks, to see whether the peering point will be shut down, or not (even with the other agreements in place).