Terms of Use
Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists.
Which Bank? - 27 February 2006
Australian readers will quickly note the irony in the title, but more on Which Bank? later. As reporting of identity data loss and theft continues, countries other than the US are starting to see wider reporting of cases within their own borders. A potential breach of thousands of student identity and privacy records at Canterbury University in New Zealand was made public last week. It was not disclosed how long the exploit window had been open, but it could not have come at a worse time for the university, with a rush of students registering and updating their details before the start of the new academic year. Although a valid ID is required to gain access to the system, once a user has access they are able to view and edit the records of any student registered at the University; authentication was enforced, but authorisation to a user's own record was not. An investigation is ongoing and it has not been made public when the system is expected back online, if ever.
Which Bank? (the Commonwealth Bank), the St. George Bank and telecommunications company Optus were affected by an embarrassing privacy incident first reported on Valentine's Day. From the media reports, thousands of account statements containing private account holder data were strewn along the side of a busy Sydney road (the Hume Highway at Warwick Farm) after they apparently fell from a load of waste being transported for destruction by an unnamed company. The documents originated from Salmat, a company contracted by the affected companies to produce and distribute account statements, and it is not known why the statements had not been better handled. This breach appears similar to the one which affected a number of US newspapers, when paper carrying the credit card and cheque account details of subscribers was used to bundle papers for distribution.
Even the big contracting agencies can't stop themselves from losing privacy-related information. Deloitte & Touche USA recently disclosed that it had lost a CD containing information on thousands of current and former McAfee employees. The loss is assumed to have taken place on December 15, with McAfee being notified on January 11. More worryingly, it was not until January 30 that McAfee was told what information was suspected of being on the disk. The disk contained personal information for all current US and Canadian employees, along with 6,000 workers previously employed by McAfee in North America. It was reported that the information was unencrypted and could include names, social security numbers and holdings of company stock. Later reporting suggested that the CD had been left in the seat pocket of an aircraft.
Ernst & Young was not able to escape the recent spate of disclosures either, with news of the loss of information relating to high-profile customers. The information was held on a laptop stolen from an employee's parked car, and included details on the CEO of Sun Microsystems (Scott McNealy), amongst others. The data included such staples as the Social Security Number. Ernst & Young had not publicly admitted the loss until it was contacted by The Register. While the system is reported to have been password protected, a login password does nothing for data on a disk that can simply be removed and read elsewhere; only encryption of the stored files would have. The total number of people exposed by the breach is not known. The link to Scott McNealy came at the recent RSA conference, where he mentioned that the firm used by Sun to maintain Sarbanes-Oxley (SOX) compliance had notified Sun of a loss of confidential data. The Register pointed out the irony that Ernst & Young pushes heavily on transparency of reporting and monitoring for its customers, but failed to achieve the same itself (another case for those who argue that companies should eat their own dog food). It has not been determined whether laws such as California's SB 1386 were violated.
Another case of unintentional irony came to light recently, when it was made public that tax company, H & R Block, was itself forced to reissue its statements after discovering that it had miscalculated its own taxes by $32 million USD. Although corporate tax assessment is different from individual tax, the news is expected to be an embarrassment for the company.
Breaches of information require a data source, and one of the largest and most interesting-sounding databases has now been confirmed to exist. While this is merely confirmation of something that many would have expected, the numbers are still staggering: a database of 1.92 trillion telephone call records stretching back decades, collated and held by US telco AT&T. While access to the database is extremely limited, the public confirmation of its existence has added another "must have" to the illegal data trade.
One of the less-considered side effects of capitalism is that companies aim to compete their way to a monopoly. With Internet search engines there are many different competing companies that offer similar services, but the market has gravitated to a small number of major market share holders (Google, Yahoo! and MSN), with Google and Yahoo! responsible for more than two-thirds of all searches (searchenginewatch.com July 2005 figures for US searches). With Internet users relying upon these companies to find resources online, websites are always trying to improve their positioning in returned search results. Sometimes, the methods used in these attempts cross the line of what the search engines consider acceptable, and corrective action follows.
In recent months, the German BMW website (bmw.de) was delisted (removed from search results) by Google for the use of 'doorway' pages. Doorway pages are set up to be seen only by the search engines' crawlers and not by human visitors. This relies upon the site filtering what it serves based on the User-Agent header of the request, or on the IP address the request comes from, since the major search engines index sites from a fairly well known set of addresses. The effect is that the search engines add pages to their indexes which users can never view; a human following the result is instead redirected to other content. Because the technique is abused by spammers and unethical operators, it is frowned upon by Google, hence the delisting. A camera manufacturer was expected to face the same fate for similar activities. The sites have since been reinstated to the Google index.
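The simplest check for User-Agent cloaking is the one the search engines themselves can make: fetch the page twice, once identifying as a crawler and once as a browser, and compare what a reader would actually see. The following is an added example, not code from this column or from any of the sites named in it; the two "servers" are constructed stand-ins and the crawler address prefix is hypothetical.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-ins for two web sites. Real cloaking decides what to serve
# from the User-Agent header and/or the client's source address; the crawler
# address range below is hypothetical.
CRAWLER_UA = re.compile(r"googlebot|slurp|msnbot", re.I)
CRAWLER_PREFIXES = ("66.249.",)

KEYWORD_PAGE = ("<html><body><h1>cheap cars new cars used cars car deals</h1>"
                "<p>cars cars cars best car prices car finance car loans</p></body></html>")
HUMAN_PAGE = ("<html><head><script>window.location='/showroom'</script></head>"
              "<body><p>Redirecting you to our showroom...</p></body></html>")

def cloaked_server(user_agent, client_ip):
    """Serves a keyword-stuffed page to anything that looks like a crawler."""
    if CRAWLER_UA.search(user_agent) or client_ip.startswith(CRAWLER_PREFIXES):
        return KEYWORD_PAGE
    return HUMAN_PAGE

def honest_server(user_agent, client_ip):
    """Serves the same page to everyone."""
    return "<html><body><p>Welcome to our showroom.</p></body></html>"

SCRIPT_BLOCK = re.compile(r"<script.*?</script>", re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def visible_text(html):
    """Rough approximation of what a reader sees: drop scripts and tags."""
    text = TAG.sub(" ", SCRIPT_BLOCK.sub(" ", html))
    return " ".join(text.split()).lower()

def detect_cloaking(fetch, threshold=0.8):
    """fetch(user_agent, client_ip) -> html. Fetch once as a crawler and once
    as a browser; report cloaking when the visible text differs markedly."""
    crawler_view = visible_text(
        fetch("Googlebot/2.1 (+http://www.google.com/bot.html)", "66.249.0.1"))
    browser_view = visible_text(
        fetch("Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20060111 Firefox/1.5.0.1",
              "203.0.113.7"))
    similarity = SequenceMatcher(None, crawler_view, browser_view).ratio()
    return similarity < threshold, round(similarity, 3)

if __name__ == "__main__":
    for label, server in (("cloaked", cloaked_server), ("honest", honest_server)):
        print(label, detect_cloaking(server))
```

Two caveats apply in practice. Spoofing the User-Agent only exposes cloaking keyed on that header; a site keyed on the crawler's IP range will show an outside observer the human page both times, and the only comparison available is against the engine's cached copy. And legitimate sites do vary their output by client (mobile layouts, language negotiation), so a low similarity is a reason to look closer rather than a verdict.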
What should be taken away from this is an understanding that when there are only a couple of primary sources of information, it results in undue levels of trust and faith being placed on those sources. If the availability of information through those sources can be modified through malicious activity, abuse, or unintentional behaviour, then it can leave innocent victims suffering. It also places a social obligation on the information archives to be even-handed in the handling of that information. This is the cornerstone of one of the arguments against Google and Yahoo!'s recent behaviour in establishing search sites in countries like China, where results are prefiltered / censored to comply with National law. The level of argument in this case could suggest that there is a perceived threat from China, as similar actions in France and Germany (limiting of information sources on Nazism), Iran and several African nations (firewall at national border) have not attracted the same level of attention.
A case where a search engine has been accused of abusing its power by arbitrarily delisting a site is that of spacewar.com. The military-watching site was recently delisted for unspecified reasons, and reinstated only after numerous complaints were lodged by loyal site visitors. A press release issued by Spacewar drew links between the recent censoring activities in China and the delisting of their site, alluding to a political motivation behind it. While many of the claims sound paranoid, that does not mean they are invalid. The site is once again appearing in relevant results.
Apple's security woes from the last couple of weeks (proof-of-concept worm releases) continued with the public release of a fairly high risk vulnerability which could lead to remote compromise of an OS X system in its default configuration. It arises from a difference in how the system and some applications handle the 'meta-data' associated with files: the proof of concept was a zip archive which, once downloaded, automatically launched a disguised shell script contained in it. The greatest risk was to users of Safari with the 'Open "safe" files after downloading' option enabled (the default), as the archive is then unpacked and its contents opened without any further prompt. Exploitation through other avenues appeared to require at least some interaction with the archive and the obfuscated files. The obfuscation used a series of OS X file-handling features to make the files look legitimate: the file's icon and metadata were changed so that a script appeared to be an image or document, while the attached metadata told the system which application should open it. The lesson holds on any platform: neither the icon nor the file extension says what a file is; the bytes inside it do.
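A practical check on an incoming archive is therefore to classify each member by its leading bytes rather than its name, and to note the presence of the Apple metadata entries (AppleDouble `._` files, usually under `__MACOSX/`) that carry the icon and application binding a disguise depends on. The following is an added example, not code from this column or from the original proof of concept; the sample archive is constructed in memory to model the disguise described above.

```python
import io
import zipfile

# Leading bytes for the file kinds we care about (constructed, not exhaustive).
MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"%PDF", "pdf"),
    (b"\xfe\xed\xfa\xce", "mach-o"),
    (b"\xce\xfa\xed\xfe", "mach-o"),
    (b"\xca\xfe\xba\xbe", "mach-o"),
    (b"#!", "script"),
)
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_KINDS = {"mach-o", "script"}

def classify(head):
    """Name the file kind from its first bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def audit_archive(data):
    """Return (member name, reason) for every member worth a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue
            base = name.rsplit("/", 1)[-1]
            # AppleDouble members carry the Finder info and resource fork
            # (custom icon, application binding) that the disguise relies on.
            if name.startswith("__MACOSX/") or base.startswith("._"):
                findings.append((name, "Finder metadata / resource fork present"))
                continue
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            kind = classify(zf.read(info)[:16])
            if kind in EXECUTABLE_KINDS and ext in IMAGE_EXTS:
                findings.append((name, f"{kind} content named as .{ext} image"))
            elif kind == "unknown" and ext in IMAGE_EXTS:
                findings.append((name, f".{ext} name but no image header"))
    return findings

def build_sample_archive():
    """Constructed archive modelled on the disguise described in the text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # genuine JPEG header followed by filler
        zf.writestr("holiday/beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        # a shell script carrying an image name
        zf.writestr("holiday/sunset.jpg", b"#!/bin/sh\necho 'this is not a photo'\n")
        # AppleDouble header magic (0x00051607) plus filler, as Finder-created archives carry
        zf.writestr("__MACOSX/holiday/._sunset.jpg", b"\x00\x05\x16\x07" + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

Archives created by the Finder legitimately contain `__MACOSX/` entries, so their presence is a prompt to inspect what the metadata binds the file to, not proof of malice; the content-versus-name mismatch is the stronger signal.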
The level of coverage of OS X worms and vulnerabilities led some observers to compare the handling and reporting of OS X and Windows vulnerabilities. While the vulnerabilities are real, and the latest one is serious, it is only as serious as many of the current worms that threaten Windows users through their email inboxes and the sites they visit. The latest Windows worm variants do not generate global press the way the discovery of an OS X worm does. The security of OS X has not changed all that much, although some media outlets might like to report otherwise.
Phishing Evolves - 20 February 2006
Although countries such as the United States have introduced legislation to protect sensitive personal information such as financial and medical data, breaches and disclosures continue to take place because of poor security design and implementation. The FBI has been investigating claims of a breach of sensitive medical systems after unauthorised access to so-called 'back office systems' was discovered in at least one medical practice. The investigation showed that the intruder had come in over an existing VPN connection, and had then used a hardcoded backdoor in a web-based application to reach sensitive information. It was not disclosed how many practices run that particular software, but it would be prudent to assume that other applications used by medical practitioners could also contain hardcoded backdoors. A fixed credential compiled into an application cannot be rotated or revoked per customer, so once it is known it works against every installation.
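The pattern is cheap to look for in source: a credential-like name compared with, or assigned, a string literal. The following is an added example, not code from the column or from the application it describes (whose language was not reported); the vulnerable and hardened sources are constructed, with invented names and an invented literal, and the scanner uses Python's own parser.

```python
import ast

# Constructed source modelled on the pattern described above: the normal
# credential check plus a fixed vendor password that bypasses it. The names
# and the literal are invented for the example.
VULNERABLE_SOURCE = '''
SUPPORT_PASSWORD = "s3rv1ce-acc3ss"

def authenticate(user, password, db):
    if user == "support" and password == SUPPORT_PASSWORD:
        return True                      # vendor backdoor, never touches the database
    if password == "letmein":
        return True                      # a second, cruder backdoor
    return db.check_password(user, password)
'''

# The hardened form: every login goes through the per-deployment credential
# store; vendor support access needs its own revocable account there.
HARDENED_SOURCE = '''
def authenticate(user, password, db):
    return db.check_password(user, password)
'''

SENSITIVE = ("pass", "pwd", "secret", "token", "api_key", "apikey")

def _is_sensitive_name(node):
    if isinstance(node, ast.Name):
        name = node.id
    elif isinstance(node, ast.Attribute):
        name = node.attr
    else:
        return False
    return any(s in name.lower() for s in SENSITIVE)

def _string_literal(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def find_hardcoded_credentials(source):
    """Return sorted (line, literal) pairs where a credential-like name is
    compared with, or assigned, a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Compare):
            sides = [node.left] + node.comparators
            literals = [s for s in sides if _string_literal(s) is not None]
            if literals and any(_is_sensitive_name(s) for s in sides):
                hits.append((node.lineno, _string_literal(literals[0])))
        elif isinstance(node, ast.Assign):
            literal = _string_literal(node.value)
            if literal is not None and any(_is_sensitive_name(t) for t in node.targets):
                hits.append((node.lineno, literal))
    return sorted(hits)

if __name__ == "__main__":
    print("vulnerable:", find_hardcoded_credentials(VULNERABLE_SOURCE))
    print("hardened:  ", find_hardcoded_credentials(HARDENED_SOURCE))
```

The check is a triage aid: it will flag harmless comparisons such as a `password_policy == "strict"` and will miss a backdoor whose literal is base64-encoded or assembled at runtime, so a hit is a line to read, not a finding in itself.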
It was also reported recently that a 20-year-old in the United States was arrested and charged with creating and operating a botnet which included systems from a hospital in Seattle, amongst others. What attracted significant attention was that the compromised systems were claimed to have caused systems in the Intensive Care Unit to go offline, doors to the operating theatres to fail, and numerous pagers and other systems to stop working. Accountability rests with the perpetrator, but hospital administrators must also take some responsibility for leaving sensitive systems reachable from the wider Internet. The ideal practice is to separate such systems from external networks with an 'air gap': physical separation which cannot be remotely bypassed.
It has been common practice for some time now to warn computer users not to click links in emails they were not expecting, particularly those purporting to be from financial institutions. If a user needs to visit the site to verify that the request is real, they should manually type in the web address, confirm that the site appears legitimate, and check that the correct details are shown when the lock icon is clicked (for sites with SSL support).
This advice to users is now out of date, and could potentially be harmful to victims of the latest family of phishing scams.
In recent reporting from a handful of sources, new phishing attempts have been circulating in which following the current generic best advice would not prevent a user from being tricked into supplying their account details. Even most third-party protective products would not be able to protect against this technique.
Not only do some of the new emails contain valid card data, such as the first 4-8 digits of a credit card number (easy to obtain from public sources, since these issuer prefixes are standardised across institutions), but they also provide a realistic-looking URL to click on. Even without redirection trickery, the realistic URL points to a real site the phisher has set up to mimic the targeted institution. Because the requirements for obtaining an SSL certificate (which enables https:// traffic) are lax, the phisher can obtain a certificate for that domain which passes every check a browser makes: the chain validates, the name matches, and the lock icon appears. What the certificate actually asserts is only that the holder controls that domain name, not that the holder is the institution the page imitates. Netcraft has been reporting for some time on the increasing use of SSL in phishing attacks, and phishing attempts are only expected to improve, with fewer spelling and design mistakes, more accurate reproduction of targeted sites, and better targeted mass emailings.
Thus, even if the user carefully validates each step of the process, the phishing attack will still appear to be a legitimate approach from a financial institution, and will be more likely to succeed. It is important to remember that SSL only protects data in transit between the victim and the phisher; it can do nothing to protect you from the attacker at the other end of the connection. It does not appear that any company or organisation is offering protection against these better developed attacks. Sûnnet Beskerming's Nabu online financial protection tool has always been able to prevent these attacks from being effective against clients of financial institutions that apply the solution.
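Since the lock icon cannot settle the question, the one check that still works is the one the old advice relied on: is the host being contacted actually the institution's? The following is an added example, not code from the column or from the Nabu product; it mechanises that check for a URL lifted from an email, comparing the registrable domain against a known-good list and catching the three common disguises (the real name buried as a subdomain, near-miss spellings with digit-for-letter substitutions, and user-info before an '@'). The bank hostnames, the suffix list and the confusable table are constructed for the example.

```python
from urllib.parse import urlsplit

# Subset of two-label public suffixes needed for the constructed examples.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

# Characters commonly substituted to make a forged name resemble the real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def registrable_domain(host):
    """examplebank.com.au for www.examplebank.com.au; evil.example for a.b.evil.example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_url(url, legitimate_hosts, max_distance=2):
    """Return (verdict, host actually contacted) for a URL found in an email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        return ("lookalike: text before '@' is user-info, the real host follows it", host)
    legit_domains = {registrable_domain(h) for h in legitimate_hosts}
    domain = registrable_domain(host)
    if domain in legit_domains:
        return ("legitimate", host)
    for legit in legit_domains:
        if legit in host:
            return ("lookalike: real name used as a subdomain of " + domain, host)
        core = legit.split(".")[0]
        candidate = domain.split(".")[0].translate(CONFUSABLES)
        if edit_distance(candidate, core) <= max_distance:
            return ("lookalike: near-miss spelling of " + legit, host)
    return ("unrelated", host)

if __name__ == "__main__":
    LEGIT = ["www.examplebank.com.au", "online.examplebank.com.au"]
    for u in ("https://online.examplebank.com.au/login",
              "https://www.examplebank.com.au.secure-login.example/",
              "https://www.examp1ebank.com.au/",
              "https://www.examplebank.com.au@203.0.113.9/"):
        print(assess_url(u, LEGIT))
```

A production version would use the full public suffix list rather than a hand-picked subset and would also decode internationalised (punycode) hostnames, where look-alike characters from other scripts give the phisher far more room than the digit substitutions handled here.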
Microsoft's Black Tuesday security patch release for February saw a number of patches released, with a range of criticality, from Denial of Service through to complete compromise via remote code execution. Exploit code has already been publicly released for at least two of the vulnerabilities patched, and unfortunately for Windows users those are among the more serious ones, allowing complete compromise of vulnerable systems. It is strongly recommended that all Windows users apply patches MS06-004 through MS06-010 as soon as possible, to keep their systems safe from the exploit code that is circulating.
In other news from the last week, a video surveillance company in the United States has started implanting ID tags into workers who need to access sensitive work areas (in this case, an area which stores data for the Government). The ID tags are small chips encased in glass which are implanted into the right bicep and read by passing close to a proximity reader. The idea is to limit access to those individuals who carry the implant, but like many other security measures it has several serious flaws. The particular technology selected has already been publicly compromised by security researchers, who demonstrated that the code the device transmits can be read remotely without the owner's knowledge, allowing it to be reproduced later and the control bypassed; a reader that only checks a static identifier cannot tell the implant from a clone of it. For the less technical threats, the implant forces an attacker to escalate force in order to gain access to the facility, either by physically extracting the tag or by kidnapping the worker, which is far more likely to result in violence against the employee.
To round out the week's column, a number of shorter stories and news items that might have otherwise have been missed.
The commercial DVD release of 'Mr. & Mrs. Smith' in at least one country allegedly contains a hidden rootkit as part of its copy protection. When such a DVD is played on a Windows PC, it installs a hidden software component belonging to the Settec Alpha-DISC copy protection system. While it does not hide itself from the file system, it hides its running processes (so they cannot be seen in the Task Manager). Settec is providing an uninstaller so that affected users can remove the software.
Finnish information security company F-Secure has announced the discovery of a new proof-of-concept worm for OS X, the second in as many days. The new worm, dubbed OSX/Inqtana.A, spreads via a known Bluetooth vulnerability. As a proof of concept, it does nothing other than demonstrate an ability to spread, and even that is limited: it depends on a specific library which ties it to a specific Bluetooth address, and it is set to self-expire on February 24. It would appear, however, that the vulnerability used to spread has already been patched in earlier security updates from Apple.
The first proof-of-concept worm for OS X was OSX/Leap.A, which appeared on the forums of the popular site macrumors.com last week. Tantalising readers with hints that the file contained sneak-preview images of Apple's next Operating System release, 10.5 (dubbed Leopard), the download was a compressed application masquerading as a JPEG. When executed, it installed code into the victim's Library folder which was then activated whenever an application was launched, preventing infected applications from running again and using the opportunity to spread to more victims via the user's iChat buddy list. The worm does not appear to have spread far, and has caused only very minor damage.
Reporting has surfaced that the version of Apple's OS X built for its new x86 line has been cracked to run on non-Apple x86 systems. Hardware support is still limited, and a number of key components have to be removed to get it running, so it is debatable how much capability the modified system actually retains. The site which originally announced the news was then asked by Apple to remove links to the specific tools and instructions that would allow others to achieve the same result.
Following the release of Apple's Intel-based systems, there has been a rush by enthusiasts to get alternative Operating Systems to boot on the machines. Current efforts to boot Windows appear to leave the machines unbootable, but it has been announced that Linux now boots on the new hardware. While the system does not yet appear to boot to a usable interface, the difficult step of getting the system to load at all has been completed. More information is expected over the coming days to allow a fully functional system, and to allow others to achieve the same result.
The last week has also seen a large number of reported identity data losses across the United States. Almost 375,000 individuals have had sensitive personal data leaked by accident: 350,000 tobacco farmers had their Social Security Numbers and Tax IDs released by mistake in a Freedom of Information Act release, and more than 25,000 employees, vendors and contractors who have worked for Blue Cross had their names and Social Security Numbers exposed after a contractor sent a copy of the records to his home system.
The Australian moguls skier who recently won Australia's first gold medal at the 2006 Torino Winter Olympics is rumoured to have made his Internet millions through spam and spyware. Media reporting suggests that his Internet company is worth millions of dollars, but the only acknowledgment of this claim was a cryptic statement from the skier that "It is complicated... I don't do anything that pops up. I just make software". Comments to multiple security mailing lists suggest that some of the companies linked to him have been responsible for the distribution of spyware. Various Internet forums have also been busy discussing the same reports, with many confident that the money came from the shadier side of online business.
In the ongoing antitrust suit between the EU and Microsoft, the EU has recently raised accusations that Microsoft's effort to release code and documentation to comply with the EU rulings falls short. This means that Microsoft is due to start having daily fines of $2.4 million USD levied against them, after the extension to the time allowed for them to comply with the original ruling passed on Wednesday. Microsoft have accused the EU of contributing to the problems they have encountered in trying to comply with the demands, and have called for an oral hearing in their latest attempt to delay the introduction of fines.
Finally, in a followup to earlier reported news of privacy data on 19,000 Honeywell employees being exposed on a public website, Honeywell have announced that they have identified the individual responsible for the leak and publication of the information. The now ex-employee, from Arizona, has been accused of accessing Honeywell systems and then causing the 'transmission' of the sensitive data.
Spies and Spying - 13 February 2006
The increasing attacks against Danish websites first reported in last week's column (which preempted other public reporting by several days) have started to see efforts directed against Australian sites. New intelligence gathered by Sûnnet Beskerming researchers indicates that Australian sites are now being selected as targets for defacement in relation to the Danish caricature publication affair.
The defacement of one such site appears to have been perpetrated by Iranian hackers or their sympathisers, and carries the primary message of support for Iran's nuclear program. The secondary message is a short hate message targeted at the US, Israel and Denmark. The attack is believed to have used a known recent set of flaws in the osCommerce e-commerce software, and has left the front page of the site damaged.
While Australia is not identified by name in the above attack, it is considered only a matter of time before it is. The reproduction of some of the caricatures by Australian media sources is likely to be taken by interest groups as just cause to stage attacks on Australian sites.
Not a lot of international spying cases have been publicised in recent years, but recent weeks and months have seen quite a number being publicly announced. The first was a case from last year, where Israeli companies were the victims of an involved industrial espionage case following intentional infection with computer malware designed to obtain various trade secrets. The perpetrators of this case, an Israeli couple in London, have been arrested and are awaiting extradition to Israel to face charges.
A second, more recent, case came to light in late January, when Russia accused the United Kingdom of spying when a television program aired footage of what was claimed to be spies and their handlers using a sophisticated 'dead drop'. In this case, the 'dead drop' is a fake rock, with a wireless transmitter and storage device built into it, designed to receive information and pass information to designated devices which pass within range of the rock. It was not explained how the case was discovered, but footage showed someone collecting the fake rock, presumably for servicing or replacement.
Although it was not reported in English until recently, a spying case has been uncovered in Greece, where it is claimed that the United States spied on several Greek politicians, Greek companies, the police, the military and possibly some diplomats from the period of the 2004 Athens Olympics until March 2005, when it was discovered. The discovery came when network engineers found non-standard software running on a Greek mobile phone network, set up to conference-call a set of numbers whenever one of a specific set of mobile phones was in use. The link to the United States is assumed from the physical proximity of those extra numbers to the US embassy. The March 2005 suicide of the network chief of the mobile operator is now being revisited; it came after the discovery and shutdown of the malicious software, but before the Greek government was notified.
Late last week, news was also reported of a Taiwanese national and a French national who are accused of trying to smuggle US military hardware into China. The Taiwanese national is currently under arrest, while the French national has fled the United States.
The news of spying and surveillance didn't just stop with publicised cases of suspected spying. Surveillance and data mining programs being established by various Governments and companies also drew attention.
Claims that the US Government plans to spider the complete Internet through its ADVISE program prompted ridicule from some technical commentators, who quickly pointed out that it is not all that hard to prevent such programs from seeing anything you do not want them to see. It also drew complaints from those who fear the Government will overstep its boundaries with the software, and that it will prove better at monitoring Americans than at finding terrorists.
Similar claims have been made about US airport security screening programs, in particular US-VISIT, where it is claimed that nearly a thousand individuals of interest have been caught by the system. Averaging the system's cost across the 44 million travellers who have passed through it works out at around $15 million USD per individual caught. Beyond the question of cost effectiveness, the greater cost is the increased inconvenience to ordinary travellers.
The updated version of Google Desktop has attracted the interest and ire of many concerned users with the introduction of a 'Search Across Computers' option, which uploads and temporarily stores the content of a user's local hard drive on Google-owned servers. The content transferred includes PDF files, Word files, spreadsheets and other text-based files. The intent is to allow users to search the content of their files from multiple systems, even when the desired files are not on that particular system. Privacy advocates are concerned that this information could be subpoenaed from Google by any agency, without any need to subpoena the original owner. If a hacker has obtained a user's login credentials, the feature would give them access to the victim's files. Google has indicated that it is not indexing the files for advertising suitability, but has not ruled out the possibility in the future. At this stage, the feature is an optional extra which is not activated by default on a simple install.
For users who activate the feature, a fair amount of bandwidth will be used transferring the files initially. Google's terms state that the data will eventually be purged automatically from its servers, and can be manually cleared at any time (at which point the content can only be searched from the original computer). Encrypting data files is not a realistic countermeasure, since the content of an encrypted document is not searchable in the first place, which defeats the point of the feature. It is also likely to cause issues for companies that must comply with privacy and accountability regulations such as HIPAA and SOX in the United States, the Data Protection Act in the UK, and comparable legislation across the globe. Some workplaces have already banned the software.
The discovery of this feature already has security researchers working on ways to prevent it from functioning on their networks even if a user has enabled it. It is also likely that malware will soon be written to piggyback on this feature, intercepting the flow of data and copying it to the hacker's systems.
A recent breach of credit card details from an unnamed US source appears to have come from part of the mega-retailer Walmart. Originally reported as affecting Regions Bank, at least 100,000 credit cards have been exposed through a breach at an unidentified credit card processor in the United States.
The card processing company, later identified as CardSystems (the same firm which had more than 40 million credit card details stolen), claimed credit for discovering the breach, which has now spread to other financial providers, including Bank of America, where an undisclosed number of cards were reissued. Concern is spreading about how the breach occurred at what is believed to be Sam's Club, part of the Walmart chain. While there has been no official confirmation of which company was compromised (an office-supply retailer has been suggested as an alternative breach point), there is more worry about what mechanism was used to acquire the details. One theory is that a hacker penetrated the company, targeting the financial information. Others claim it is related to a series of earlier reported incidents alluding to a larger data breach.
At least one observer believes that it is only a matter of time until major litigation is launched against credit processing facilities following repeated privacy and financial data breaches.
Hackers targeting financial information is nothing new; another case was made public last week in which Russian hackers stole more than 1 million Euros from French bank account holders over 11 months in 2004. A dozen arrests have been made, and several Ukrainians thought to have masterminded the effort have been arrested in Moscow and St. Petersburg. The criminals used spyware and keyloggers to capture victims' banking details before emptying the accounts.
The US Department of Homeland Security recently undertook a scenario-driven paper exercise dubbed 'Cyber Storm', designed to test the effectiveness of communication and interaction between various government agencies and corporations in a number of countries following 'realistic' attacks and threats to critical infrastructure. The large exercise, which ran from February 6 to 10, was originally scheduled for last year, but was cancelled not long before it was meant to start.
Some critics have slammed the exercise as only testing known threats within a narrow scope - that it provides no indication of response following an unexpected attack which uses unidentified threats. Even if this is the case, the exercise will have provided valuable information about any inter-agency communications issues and any internal problems with rapid response groups, and will help to improve them so that they are able to respond better in the case of a real attack.
The Department of Homeland Security has since declared the exercise a success, at a press conference following the conclusion of the exercise on 10 Feb.
A suspected vulnerability in Apple's QuickTime software has recently been announced in an odd way. In addition to posting a basic outline of the vulnerability, and a screen capture which demonstrates the vulnerability, the researcher who discovered it also posted it to the news aggregator site, Digg.com, in an attempt to have the information (and credit) spread widely, possibly in an attempt to boost his credibility as a researcher.
Finally, Microsoft have announced that they will release seven patches as part of their February Security Patch release, due on Tuesday. Of the seven, at least two have been rated as critical - which means remotely exploitable.
BlackWorm Attacks! - 06 February 2006
The BlackWorm / Nyxem infections that have attracted so much recent attention were set to activate their malicious payload on the third of February (last Friday), and then on the third of every subsequent month. The early indications are that the impact is not as great as was initially feared, with isolated incidents where large numbers of systems were affected. Although the issue attracted little mainstream media attention until after the payload was scheduled to launch, the widespread technical coverage has been slammed as sensationalism by observers who noted the distinct lack of widespread outages.
The massive notification efforts which followed cooperation by numerous industry and government groups are likely to have been responsible for limiting the rate of spread of the worm. More information about infection / payload activation is expected to come to light this week, and it may take some time before the full impact is understood.
Already, the city of Milan has had to prevent the use of almost 150 servers and 10,000 end user systems due to an infection by BlackWorm which could not be removed in time. At the same time as BlackWorm was scheduled to activate, it was announced that a Russian stock exchange was forced offline for a few hours due to a computer virus / worm infection of unspecified type. This incident has led some to claim that the increased focus on BlackWorm has led to a loss of attention on more critical infections and threats.
Prior to February third, F-Secure, via the ISC, reported that some systems infected with the BlackWorm email worm had already started activating their malicious payloads, resulting in the mass deletion of critical data files. The problem appeared to be infected systems that had their system time set incorrectly. This suggests that preventing the system date from rolling over to the third of any month is a possible defence mechanism against the infection, if no other tools are at hand. It also indicates that the payload will be activating at various times over the next few weeks, as systems with different time settings reach the third of February.
The ISC ran an analysis of the malicious payload, which suggests that the destruction of data on networked drives is not necessarily a given, despite the initial claims by Information Security vendors. Their test showed that while networked systems became infected, it required pre-infection across all systems before data destruction became a problem for the networked devices. This suggests that if networked storage devices are not being used to boot from, then it is possible that data on those devices will be safe from the destructive payload BlackWorm brings. Other system administrators have reported that the ISC's findings are only temporary: the worm will eventually propagate to the remaining systems and the destructive payload will be activated.
Moving away from BlackWorm, Netcraft have released their Internet server statistics for February, which show the leading web server applications, Apache and IIS, continuing to add to their market share at the cost of lesser known server technologies. Microsoft's IIS has crept up to just over 25% of the market share, while the market-leading Apache continues with more than 66% of the market share.
Netcraft have also noted that US registrar and hosting provider, GoDaddy, has taken the lead in terms of the largest number of sites hosted globally, taking over from Germany-based provider 1 & 1 Internet AG. This represents the first time that 1 & 1 have been displaced from their top position, and it caps an impressive 12 month growth for GoDaddy, which has been suggested to be the result of their Superbowl ads from January 2005. Already, their 2006 Superbowl ad has drawn negative attention, even though it is unlikely to be shown during the game.
One of the leading news stories of the moment is about a Danish newspaper that published a dozen caricatures of the Islamic prophet Mohammed, which is considered offensive to followers of the Islamic faith. Amongst the outcry and replication of the images, a number of websites which are hosting copies have been attacked via distributed denial-of-service attacks, or straightforward website defacement, such as the site of the Danish paper that originally published the images.
Observation of Brazilian hacker / website defacement networks has shown a number of hackers who are advocating defacement not only of Danish sites, but an extension to US and Israeli sites as well (although those countries have no involvement in the caricature fracas). The majority of attacks are believed to have originated from Pakistan, Turkey and other Muslim majority countries with an active website defacement community. Although the issue is now a couple of months old, it has gained significant mindshare recently, and is spreading rapidly through community channels and networks online.
Computer Security vendor, Symantec, have announced an all-in-one security product, dubbed Genesis, which is designed to integrate Anti-Virus, Internet Security and new security products to provide a single point solution (and thus single point of failure) for end user security.
Initial response to the announcement has been muted, with a fair number of vocal opponents claiming that it will be a terrible implementation, even if the idea is reasonable. They base this argument on previous experience with Symantec software, and the resource usage / update slowness / introduced vulnerabilities that have been encountered. Privacy advocates are concerned about the idea that the software will report back to Symantec regularly about the condition and nature of threats the system is facing, and have voiced concerns about the level of trust in Symantec software, following the recent disclosure that some Symantec software installed and used a 'rootkit' as part of normal operation.
The features of Genesis are reported to include: Anti-Virus, anti-spam, anti-spyware, intrusion prevention, firewall, PC optimization and maintenance elements, transaction security tools and online/offline backup capabilities. Some of these tools are integrated from previous company acquisitions, and bring their own security concerns - particularly the backup capabilities which are based on Veritas software which has had some very serious security issues recently.
It was reported that the website forums on the AMD Internet site were recently infected with a variant of the WMF exploit that was causing trouble earlier in the year. The issue appears to have been resolved, and it is not known for how long the malicious content was present on the site. Readers who have visited the AMD forums in the last month and who have not applied MS06-001 should consider that they may have been infected. Some security commentators have taken this opportunity to remind people that web forum vulnerabilities are an ongoing problem, and the WMF vulnerability is just the latest exploit to be spread through this vector.
The recently disclosed vulnerability affecting Oracle database servers is still attracting attention, with the security researcher who disclosed the issue releasing a modified advisory to address reported problems with his original workaround. With the continued silence from Oracle on the issue, except for claims that the workaround is damaging to their clients, the researcher was prompted to explain the history of the vulnerability, claiming that it was originally reported to Oracle in 2001 but was never properly patched in subsequent patch releases.
It has been less than a month since Steve Jobs announced the release of the first Macintosh machines with Intel chips, and already hackers are hard at work getting the latest version of OS X to run on generic Intel hardware. Software images of the OS X 10.4.4 backup disks supplied with the machines have already appeared on software distribution sites, and it is estimated that it will be less than a month before the goal of running it on commodity hardware will be achieved.
More details about the recent FBI and law enforcement raids on a high level piracy group have been reported via Reuters. The group, known as RISCISO, was apparently led by a 26 year old Perth man who is now facing extradition to the United States and up to 5 years in prison, a $250,000 USD fine and restitution if found guilty. With sixty members, nineteen of whom have been arrested, the group is alleged to have pirated software worth over $6 million USD, using servers spread globally. It was reported that the copyright-breaching activities were mainly for the 'thrill', rather than any commercial gain, and the eventual compromise of the group was due to an informant.
Staying with law enforcement related news, two new cases have been reported of suspected privacy data theft and inadvertent credit card exposure. Honeywell International disclosed that Social Security and financial records for 19,000 people who were company employees in 2003 had been leaked onto at least one website, which was quickly taken down. As the company is currently unsure as to the source of the leak, it is possible that the data will reappear in other locations. In the second case, a number of newspapers in the American Northeast were shipped to distributors with numbers for nearly 250,000 credit cards of subscribers. The numbers were printed on the routing slips, which had been made from paper sources earmarked for recycling. It appears that waste paper from the financial department had been incorrectly set aside for recycling.
Finally, in what appears to be a very fortuitous piece of timing, the White House claims that key email messages sent and received by the Vice President and the Executive Office of the President during 2003 cannot be found, although they are meant to have been archived. The AP (via Yahoo!) article which claims this also claims that the messages never made it to the archiving system in the first place. The messages are being sought as key evidence in the trial of Lewis Libby over the disclosure of the identity of the CIA agent Valerie Plame, and are being sought to aid Libby's defence.