Skip to main content.

Terms of Use

Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.

Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.

If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists. Readers may especially be interested in our mailing list which provides advanced coverage of issues covered here in the column, and important Information Security threats that don't get reported anywhere else, or in the training courses and speaking engagementts that Sûnnet Beskerming are available for.

The Internet is Out to Get You - 27 March 2006

Microsoft's Internet browser, Internet Explorer, was the focus for a range of disclosures over the last several days. Three different issues were publicly disclosed, two relating to script handling in HTML files (initially Denial of Service crashes) and one relating to an undisclosed handling issue for HTML Applications (HTAs). The most recent of the script handling issues was rapidly elevated into a remote code execution exploit and claims were made that it had been circulating private hacker groups for a couple of weeks.

More than 100 sites have now been infected with variants of exploit code which is used to download malware such as SDBot and then gain control over infected systems. While many of the sites are specifically designed to distribute the code, a growing number are legitimate sites which have been defaced with the exploit. The only indication that users will get that they have been infected is Internet Explorer downloading additional files - the exploit can be hidden from view on the page and still be effective.

Pressure is mounting on Microsoft to issue an out of cycle patch to fix the issue, much as they did with the WMF vulnerability from the start of the year.

A couple of weeks ago a court case in the United States served as a potent reminder why email sometimes isn't what people expect it to be. Search engine giant and free webmail provider, Google, was ordered to hand over archived emails for one of their subscribers. This sort of order is not unexpected, except this time the subscriber had deleted all of their messages related to the case.

Unlike physical records, there are no guarantees that electronic records have been destroyed when a user thinks that they have. In fact, a valuable market exists for extracting information from hard drives that have been wiped, destroyed, written over, or files accidentally deleted. Depending on which Operating System is used, deleting files might only mean removing a reference to the file - leaving the full contents of the file in place. With email even if a user has deleted the email from their local system (assuming the data has been completely removed and not a reference removed) and has deleted the copies from their upstream server, then the information is more thank likely still in existence.

This is what Google is being ordered to hand over, their archived records. Most companies that operate mail servers have established archiving / backup practices in place which allow them to reconstitute subscribers' mail histories after disaster. Even if an email has been deleted, chances are that it still exists on a backup tape. If the message slipped through the system and was deleted before an archive could be made, there is a possibility that an archive was made of it on one of the servers that the message passed through en-route to the final server, or at the originating server.

The nature of the Simple Mail Transfer Protocol (SMTP), the protocol used to pass email messages across networks, means that messages are passed in plain text - able to be read by anybody on the link between the originating and receiving server. There are solutions which can provide encryption to email messages in transit but none have received widespread acceptance to the point that they are considered a standard.

More bad news related to emails and Windows-based systems came to light over the last week when a few sources reported on a new software trojan being seen on a few systems. Designed to capture the special one-off codes that a number of European banks use for client authentication, the 'Bancos' trojan targets customers of Deutsche Bank and Postbank, both institutions which use the temporary authentication TAN codes to add an extra layer of integrity to the trust model.

Using TAN codes as part of the authentication process means that attackers need to know the logon and password details and also a valid TAN to impersonate the online identity of a victim. 'Bancos' achieves this by presenting an error message to the victim when they try and enter a valid TAN, passing it to the phisher who then has a short period of time to make use of the valid token before it expires or the victim uses another.

Until now most malware has not been able to capture data hidden within secured online traffic (https), but 'Bancos' appears to be able to capture this data. It is most likely that the trojan intercepts the information before the browser is able to encrypt it in the https session, rather than the extraction of data from an encrypted packet. It had been suggested for some time that malware would soon be created that had this particular capability.

Luckily for victims, 'Bancos' is not very widespread and only targets a small number of financial institutions. The concern from spyware watchers is that this trojan represents a watershed event, that multiple trojans are on the way with similar capabilities, and the TAN and equivalent systems could soon become worthless as a result.

A strange incident has been reported on by Zone-h, the authority on website defacements. An Israel-based website which is critical of Russia was defaced by a Russian-based group which received congratulations from the Russian Duma (parliament). Publicly acknowledging a website defacement is a rare occurrence, but state level endorsement of an attack is extremely rare - in fact it is believed to be the first case ever.

Suspicion has long been placed on various Asian countries of state-sponsorship in hacking and defacement activities but this is an interesting development outside of that region and which supports some of the conspiracy theories about various government support in other countries.

The statement of support came in the form of an official decree issued on March 22, by a State Duma deputy who is part of the Security Committee and stated the support for the "vigilance and ... suppression or provocative anti-Russian and irreligious materials on the Internet.". The deputy, Nikolay Vladimirovich, represents the Liberal Democratic Party of Russia which is an ultra-nationalist aligned party.

The attack being referred to was carried out by a group which has been tracked since December 2005, and took place on March 14 against, replacing the homepage. The site had previously gained notoriety for publishing an article calling for the eradication of orthodox religious symbols, which had been taken as directly targeting the Russian Orthodox Church. It was further reported that state-level discussion of similar activities started as early as January with the promise of encouragement and recognition for attacks against terrorist and extremist sites.

Finally, a claim was recently made on a security mailing list that various printers that rely upon unique user / operator PINs can be forced to print out all valid PINs for that particular device. The discovery was made that the PIN is stored unencrypted in a Windows registry item, which is then supplied to the printer to authenticate the user for printing. Through a simple process of enumeration and testing, every single possible PIN could be processed in around 200 hours to obtain all valid 6 digit PINs. With optimization this could be sped considerably and at the least it provides users a means to impersonate someone else to the printer, which creates a problem if the PIN is being used for auditing / accounting purposes.

Where Have all the Exploits Gone? - 20 March 2006

One of the most referenced sources of online exploit disclosure, the French Security Incident Response Team (FrSIRT), previously the K-Otik security group, has withdrawn their exploit archive from public view. By making the archive available only to subscribers of their Vulnerability Notification Service (VNS), they believe that this move is compliant with the recently passed French laws which prohibit full disclosure security research publication. Although the exploit archive has been withdrawn, FrSIRT continue to operate their freely available vulnerability archive.

While the motive behind the withdrawal might be questioned by some, it has provided an interesting insight into the replication of content amongst security vendors and sites. At the same time as the content was withdrawn from public view, a number of unrelated sites stopped providing extremely similar content - strongly suggesting that the source of the content was the FrSIRT site. It appears that many of these sites have now redirected to replicating content from some of the other remaining high profile sources of public exploit data. FrSIRT have also come under fire for the move to a pay service as the majority of the exploits being presented have been acquired from other sources that may not have agreed to their sale by third parties.

Staying in Europe, and news reached a number of websites over the last several days of demands being made by the United Kingdom to receive the source code associated with the integrated systems of the F-35 Joint Strike Fighter, or else they would cancel their £12 billion stake in the project. As a Tier 1 partner, the potential withdrawal of the United Kingdom from the project could cause major problems with future implementation of the proposed fighter (other countries such as Australia are lower level export partners who will be sold / leased aircraft further down the line).

In amongst the fear mongering of the United States being able to effectively switch off the aircraft in flight, the underlying demands are most likely concerned with the ability to integrate future weapons with the aircraft, or to modify the delivery envelope that the aircraft's systems will accept.

It was reported that the deal is expected to go ahead, but the root cause of withholding the source code is likely to rest with US laws restricting the export of weapons technology. Similar laws have been used in the past in an attempt to restrict the distribution of software outside of US borders, as was most notably seen with the PGP encryption software.

Ongoing basic research by Sûnnet Beskerming staff involves monitoring and reviewing the background level of global network traffic across a set of key indicators, as reported by a handful of traffic monitoring companies. One such index, the global level of traffic to news reporting sites saw a major spike over the last several days, easily 300% higher than normal traffic patterns. Normally a major sustained spike (this one spent 2-3 days at high levels) has a corresponding major global news story as a direct cause. Some historic spikes matched Hurricane Katrina flooding New Orleans, the start of the current Iraq war, and the most recent Bali bombings. With such a massive increase, a news story such as war against Iran or an all out war between Israel and neighbouring countries would have been expected. Confusingly there was no major story, or group of related stories, to correlate.

So, what caused the spike?

The company that supplies the figures has not given any analysis of the recent spike, so the exact reasons are not known, but it could be presumed that there may have been increased network attacks against news providers (such as the current DNS concerns), or the collection mechanisms could have been overwhelmed due to various differences in load balancing and system maintenance. Other sites that provide related analysis showed no significant departure from reporting levels, so it could be presumed that the issues are limited to the one collection mechanism. It certainly would be interesting to see what led to the massive increase.

Basically it is a reverse of the old cliche of 'not being able to see the forest for the trees', except in this case there has been a massive forest appear from nowhere but it is currently impossible to see any of the trees responsible for making it up.

In a week of security updates and warnings, Apple, Microsoft and Ubuntu all had security patches released for problems of varying criticality. In Apple's case, update 2006-002 was released which addressed the issue which led to problems with hiding executable files disguised as safe files in archives, which were then able to be executed by the default system settings. An amendment to the update was released later in the week to address unspecified issues that were encountered.

Microsoft released two patches for their March Security Patch release, MS06-011 and MS06-012 addressing problems with the actual system (account elevation) and Microsoft Office, respectively (remote code execution).

The Ubuntu patch is a little more interesting. It was discovered that certain installation software would store unencrypted copies of the first username and password that were supplied during system setup. Even if the root account was not being setup, the first account had access to the sudo command which would allow for a rapid increase in account level. Within hours of the problem being made public patches appeared from the company, but detailed instructions on where the vulnerable data resided could still see a race between system attackers targeting the vulnerability and administrators closing it off.

Operating System maintainers were not the only software companies facing security issues over the last week. The 4715 detection pattern used by various NAI and McAfee antivirus software was a little over-ambitious when it was released several days ago - finding numerous false positives and essentially preventing affected systems from functioning correctly. A corrected pattern, 4716, was released soon after, but not before the damage to reputation and customers had already been done. Amongst the misidentified files were files belonging to Oracle products, perl, Cygwin, Excel, SysInternals, Java, and others. If users ran the affected detection pattern and had legitimate files quarantined, McAfee has since released an application to help restore the files that were wrongly quarantined.

One of McAfee's biggest competitors hasn't fared too well either after the last week of activity. A recent Symantec daily update knocked AOL users offline due to an unidentified technical error. Symantec software would identify parts of the AOL network connection as being a possible threat to the system and terminate the connection. While an updated definitions file was later released, it obviously caused some trouble for end users and comes shortly after it was shown that Symantec software would overreact to certain key phrases in IRC channels, knocking the user out of IRC as a prevention against IRC bot control.

Updates to Operating Systems and security software aside, the loss of identity data by companies continues unabated. The US state of North Carolina had 16,000 credit card numbers belonging to residents stolen after a hacker broke into a system used to process ferry fare payments, while the latest publicised case of information leakage due to the Japanese Winny worms has affected Toyama hospital in Japan where 2,800 patients who had surgery over several years had their records leaked to the filesharing network. More information about the Ernst & Young laptop losses revealed that the laptops held over 80,000 Social Security Numbers belonging to company clients, including IBM employees who worked overseas in their careers.

Other cases also include the State College in Denver, Colorado, where 93,000 students will need to be notified following a laptop theft (unencrypted data) - covering 1996 to 2005, and more than 40,000 people had sensitive data stolen from Georgetown University.

The Canadian province of British Columbia had more than 70 systems compromised for undisclosed data theft totals - but they are beating that problem by selling tape archives at auction with sensitive medical data still on them (HIV status, mental illness details, etc on tens of thousands of individuals), and finally, an undisclosed number of Verizon employees are at risk following the theft of laptops from the company.

Some good news has come to light in the ongoing identity theft / financial fraud case affecting a number of US banks (including Citibank). Arrests in New Jersey have seen 14 US citizens arrested in law enforcement action linked to the case. It appears more certain that 'Office Max' stores were part of the overall incident, which is still denied by the company. The full breach is rumoured to affect more than 600,000 individuals.

The ISC recently provided an analysis of a phishing attack which appeared to be extremely well prepared and contained a range of accurate personal information that it was considered a bank would have on hand. Such a move will make it more difficult for massive phishing campaigns, as each message needs to be individually modified, but it is expected that a higher percentage of recipients will actually provide their details to the scam. It is postulated that the information presented in the phish has been obtained through theft from an online retailer, as that would provide the greatest collation of data in the one place that would otherwise cost from a collation company such as ChoicePoint. Sûnnet Beskerming's Nabu software will neuter the effectiveness of these emails.

Finally, rumours are building that an automated bot is registering accounts on various phpBB based bulletin boards presumably to launch widespread attacks with the next suite of remote vulnerabilities affecting the popular forum suite. Identified by the name "Funt Klakow", the account that is created tends to sit silent, but is being created rapidly across a wide range of phpBB sites. Even without new vulnerabilities being released, there are plenty of existing vulnerabilities with phpBB software which will provide the bot with a suitable launching point should it activate an attack in the near future.

A reminder that our training courses will be running from the end of May through to the end of July, all across Australia. If you haven't had the chance to look at the courses, details are available from, also our new domain has been established at, which will become the primary domain for the company.

A Telemarketer's Smile - 13 March 2006

We would like to take this chance to let our readers know of a new section to our main website. If you have wondered how we find out about all the material we write about, or what other details we don't release, our training and speaking engagements section might be of interest to you. The new section appears at, and covers speaking engagements for company representatives and training courses that are on offer. With companies such as Microsoft Australia regarding Sûnnet Beskerming as 'Security Experts', why not find out what we can do for your company.

Through an exclusive partnership, Sûnnet Beskerming is bringing the Information Security specialists, Zone-h, out to Australia to run their very successful 'Hands on Hacking' course. Dates and locations are listed on the training page and will cover most Australian state capitals. This is the first time that this course has been conducted in Australia, so act quickly to secure your spot.

Sometimes security mailing lists become the targets of hackers who are trying to make them useless, either through pointless posts, or through mass spamming. One such list under attack at the moment (i.e. just as this article is being published) is 'Full-Disclosure' which is being targeted by one or more hackers in a mass spamming, falsifying messages from identities / recent posters who have been causing trouble for them (in their opinion) on the list. Prominent names such as Dave Aitel and Gadi Evron are being defamed in this manner.

The goal of this mass spamming is likely to be twofold. Initially, the messages require some level of individual attention as they claimed to be valid advisories (but slammed on some points which have seen some heated debate), thus taking more time from the list readers to process them. Secondly, linking prominent names to abusive and offensive posts is an attempt to get overzealous spam filters and block lists to add those names and email addresses to the list of blocked sources. This has the effect of censoring future comments and messages from the real identities, removing them from the security community. Either way, it will take a significant amount of time and resources to recover from the issue.

Security software vendor, Symantec, has finally retired a notorious hacking tool from their software offering. The LC5 software, previously known as L0phtcrack, has been discontinued because it no longer fits in with Symantec's future vision. Originally designed to extract and crack passwords from vulnerable systems (marketed by Symantec as a tool to audit and recover passwords), L0phtcrack was developed by the L0pht group which transferred the technology to @stake in 2000 when they merged, and then sold on to Symantec in 2004. Customers who have had trouble with Symantec software in the past might see the irony in the security vendor having to sell underground hacker tools as part of their valued service offerings.

In what appears to be a related case to an earlier JMSDF leak, Japanese police have inadvertently leaked information on over 1,500 people linked to three years worth of cases. The leak came from an Okayama Prefectural Police investigator whose system was affected by the same, or similar, worm targeting the Winny P2P file sharing application that is popular in Japan. According to news reports, the leak represents the largest online loss of information from Japanese police. What is different from the JMSDF case is that the investigator had received permission to store the files on his personal system while he was working on them. An unconfirmed report suggested that the data included details on victims of sex crimes.

A story that is gathering momentum at the moment is ongoing difficulties with various US financial institutions, with discoveries recently that some are preventing access to accounts from overseas teller machines. Initially, the most recent reporting came from a posting that first appeared on popular blog site The post claimed that a Citibank customer discovered that he could not withdraw funds from an ATM in Canada with his card. On calling the bank, he was told that it was due to a "Class break", and affected Citibank customers accessing services in Canada, the United Kingdom, and Russia.

Further reporting and discussion suggest that access being blocked is related to earlier credit card disclosures and it is a defensive measure against fraud, rather than a "class break". Even though the information was initially uncorroborated, other claims have been made that Royal Bank of Canada / Centura customers have also been affected and the issues are definitely in relation to a loss of credit card data and subsequent withdrawals by the thieves. The claim has also been made that the issue is in relation to the ShadowCrew (a group of credit card traders) investigation from last year.

Subsequent reporting linked the above information with more certainty to a large breach at a major retailer which has been causing ongoing issues for customers of other financial institutions. The retailer, identified as Office Max or Sam's Club, is even alleged to have stored PINs alongside card details unencrypted on internal systems. This information was then captured by a hacker (or hackers) who subsequently broke into the systems.

Security expert, Bruce Schneier has also reported of incidents in Denmark where criminals are breaking into shops pretending to ransack them, and installing skimming equipment on the EFTPOS terminals - including miniature transmitters to pass the data back to the hackers.

Perhaps Citibank should switch to using Mac Mini's for storage. In late February a university student placed his Mac Mini online, taunting site visitors to 'rm -rf /' his system (i.e. wipe it completely) by hacking it. To facilitate this, he installed the Apache, MySQL and PHP versions available through Fink and then activated the LDAP service to provide local user accounts to anybody that connected to the system via SSH (i.e. free user accounts to all who asked). Less than six hours after placing the system online, the website was hacked - but no other damage appeared to have been done.

The widespread media reports that the case initially attracted over the last week indicate only that the system was hacked over the internet, not that the attacker had a valid local user account at the time. While no information was provided as to the mechanism of the breach, it is assumed that he made use of a local privilege escalation exploit to gain Admin level privileges and deface the site, or exploited a known vulnerability in one of the services that was added.

The poor reporting of the incident has irritated Macintosh proponents who have vocally been arguing the poor reporting in forums against those who took the stories as reported. A followup challenge was taken offline by system administrators after several days due to improper approval for conducting the challenge by the local network owner.

News from the seamier side of the Internet doesn't rate much for Information Security concerns, but a recent case does. Once a high flying billing agent for many adult sites, iBill has more recently faced a number of legal and financial difficulties which are only going to get worse following a disclosure of data for millions of customers. The information, which has made its way to a number of spam / hacker groups / carder sites includes names, phone numbers, addresses, email addresses, IP addresses, logins, passwords, credit card types and purchase amounts. The source that publicised the case (Wired) claims that credit card details were missing from the files they viewed. Also missing was identity theft staples such as Social Security Numbers and driver's licence numbers. Although this information is missing, more than enough data remains to effectively blackmail or socially engineer any outcome that an attacker could want.

iBill has since come out and denied losing any customer data, claiming that the lists available online are fake.

The Register recently ran claims suggesting that Microsoft had an active hand in providing personally identifying information about a Chinese HotMail user to the Chinese authorities. The user, a Chinese dissident, is currently facing trial over information that he is alleged to have spread via a number of HotMail accounts. Privacy advocates have pointed to similar cases with Yahoo! users who had their information handed over by Yahoo! to the Chinese authorities and are claiming that the only way the authorities could have identified the latest dissident is with the active assistance of Microsoft. Microsoft is denying the claims.

The latest figures from Netcraft on online hosting have shown an increase in the raw numbers of all tracked servers for February, but the greatest increase belonged to the Apache webserver. This increase came at the cost of all other server types tracked, including the main competitor - Microsoft's IIS. Netcraft also reported that a large number of newly registered sites were primarily used as a domain park, locking the domain name away for advertising / paid searches or as part of a speculative portfolio of domain names. Netcraft states that media coverage of domain buying has possibly led to a resurge in domain name resale, and thus the speculative portfolios being established.

First warnings on the risk of increased attacks against Domain Name Servers (DNS) were raised by Sûnnet Beskerming early last year, and at various times again through the year. Increasing reports are starting to be gathered of attacks targeting DNS which make use of specific flaws in a number of DNSs to amplify the effectiveness of the attack. This means that one packet of data going into the DNS is multiplied into numerous packets leaving the server. This allows an attacker to make their attack more efficient, by delivering a much greater attack on the end target for a much smaller initial seed. It stages the attack through an extra point as well, which makes it a little more difficult to trace effectively. The DNS configuration / design issues which lead to this are reported to affect a significant percentage of the available DNS reachable from the greater Internet. Advice has recently been released which identifies the DNS included on Windows 2003, 2000 and NT 4 as being vulnerable to this attack method.

Finally, Microsoft's Black Tuesday is due again for another month. It is reported that there will only be the one critical security patch released this coming Tuesday.

1001 Geek Nights - 06 March 2006

This week's column is just a collection of fairly short items that make interesting reading in passing - read them all at once, or scan and pick out whatever appears interesting.

The Japanese Navy suffered a leak of confidential information onto the Internet recently when a Chief Petty Officer is accused of copying information onto his personal system which was compromised with malware that targeted the popular Japanese P2P software, Winny. The accused is in charge of communications on a Japanese destroyer, and it is possible that the information that was transferred was highly sensitive communications data and settings.

Numerous Internet forums were buzzing with the news of an event by Apple this last week. Apple held a press event on 28 February at which it was announced the availability of Mac Mini's with Intel chips powering them and a "Boombox" accessory for iPods. One of the most interesting elements of the new Mac Mini is the integrated Intel Graphics adaptor (80MB of shared memory). While it is double the VRAM of the previous model, it takes its chunk from the main system RAM and is reported to have significantly poorer 3D performance compared to the earlier Mac Mini models. While the 3D performance may be less, it really shines in 2D performance - in particular decompression of video. This particular move by Apple has led some commentators to claim that it is Apple's attempt at a Digital Video Recorder. When combined with the Frontrow media management software that Apple supplies with the systems, the claim does not look too outlandish. Improving the baseline hard drive space to 80GB, and including digital audio out ports, certainly makes it possible to easily integrate the Mini into the lounge room alongside the television and stereo. An integrated iPod dock on the case just completes it.

Noted by a couple of security reporting sites is an ominous silence in the reporting of new vulnerabilities and exploits over the last few days. While attacks and breach attempts are ongoing, they are using known historical exploits, and the new information being released has been very small scale in impact. A majority of primary sources appear to have slowed in the updating of information, both before and after the traditional weekend quiet period. Silences such as this tend to put wary security professionals on their guard, as something big may be being coordinated behind the scenes. No major law enforcement cases can be found to explain the silence, either. A week or so ago some of the core systems on a particular eMule network were shutdown, and a mid-level hacker was arrested in France, but neither case can explain the current situation. Many universities in the southern hemisphere commenced their academic year this week, but a spike of activity would be expected from such an event. Hopefully all will be well, but a number of experts are beginning to develop a feeling that something is amiss.

Since AOL announced that commercial email sent to their network customers would attract fees, or be forced through more restrictive filtering, the decision has attracted condemnation and opposition from numerous groups. At least 50 groups have banded together to lead the charge against the move. One of the most prominent concerns is that groups that can not afford the fees will be the most disadvantaged (charities, non-profits, etc.).

With major crises such as the Pakistan Earthquake, South East Asian Tsunami, and many other disasters, it could limit the fundraising ability of these organisations. Other criticism points out that it essentially gives spammers a free pass (as long as they pay their fee) to spam AOL customers, and AOL will do nothing about the messages.

At the same time as it is launching this service, AOL has launched lawsuits against three unnamed phishers / groups for $18 million USD. Those who are being targeted are accused of sending immense numbers of messages to AOL and CompuServe clients which attempted to get them to give up sensitive financial data or their ISP account details.

News reported by The Register indicates that although a large percentage of UK consumers know about VOIP, and have the ability to use it through their Internet connections, less than 10% of users currently use VOIP. While VOIP takeup is slow, money being made on fixed line telephone services is falling but mobile telephony revenues are increasing - which is possibly a good sign for mobile content providers and 3G network supporters.

In the often narcissistic environment of online blogs, many people do their best to get more visitors and regular readers of their content. Some of the most popular blogs, which allow their authors to make a living just from the content they create (based off Google advertisements or equivalent), are starting to attract attention from hackers who are launching distributed Denial of Service (dDoS) attacks against them. By preventing legitimate visitors from viewing the sites, it prevents the authors from making any income in that time period. Normally launched against online betting sites, payment sites or e-commerce sites, this new trend could make it more difficult for people to make a living from their sites (or for new people to do so).

In what appears to be a tap-out by ICANN (being bullied by VeriSign in the courts), ICANN has decided in favour of giving VeriSign effectively permanent ownership of the .com namespace, including the ability to raise prices by almost 50% over the next six years (7% per year). In addition to this, VeriSign gains control of domain names that have expired (said to be the biggest market on the Internet). In return, VeriSign will abandon its current lawsuits against ICANN and also recognise the authority that ICANN holds. While the approval still needs US Congress approval prior to taking effect, this is considered only a formality. The growing chorus of outcry against the move might prompt a closer review, and some believe it could even mean the end of ICANN. This chorus included outcry from eight registrars, who between them handle more than 60% of all domains traded globally.

Light reporting suggests that China is establishing an independent set of root level servers which can handle queries using Chinese characters. While there has been much discussion about previous alternate root setups, ICANN and Verisign, some people believe that this is a good move by China. With the second largest online population (behind the US), China is soon set to have the largest number of people online for any country in the world (pure numbers, not percentages). With such a large number of Internet users moving to an alternate setup, it could be the first real threat to the US ICANN / VeriSign dominance which currently exists (unlike the EU threat from a few months ago).

While the servers for this new root will not be globally distributed like the current set, it will still control the destination of tens of millions of Internet users. Although this move is not likely to have any effect on the rest of the Internet, it does force a separation for Chinese users. In conjunction with complaints and issues about the 'Great Firewall of China' and other censoring activities it raises questions about the freedom of information flow that this will allow for.

According to reporting which was covering news conferences in relation to the recently disclosed Greek Wiretapping case, it appears that the software which enabled the attack to take place was actually designed into the systems. Whether it was put in place due to a law such as CALEA or not is not known, but it is hinted at that the code was to allow law enforcement agencies to wiretap calls when necessary. If the allegations of the USA being behind the case are true, it could be possible that it is using capacity that CALEA (or a derived / similar law) has put in place (even though it is outside of the USA).

More criticism has recently been seen over the "SiteAdvisor" program to alert Internet users to sites and content that may or may not be safe for them to look at in terms of malware or popup advertising hidden in the site. Closely matching advice that was given to potential investors into the program, the commentary considered some of the risks that the program will face into the future. Specifically, it focussed on the issues that arise due to the lag between when a site is assessed and when a user visits the site.

If a site is hacked prior to assessment and is fixed post-assessment, then the SiteAdvisor database will reflect for a time that the site is untrustworthy, even though it was due to an external hack which has since been repaired. Likewise, if a site that is deemed trustworthy gets hacked before it is assessed again, then a user who trusts the SiteAdvisor assessment will discover that they have been affected by the misclassification. Because the assessment process is not instantaneous, this problem is a result of the design of SiteAdvisor, which is placing itself in the position of acting as arbiter of what is safe on the Internet for end computer users.

Finally, Apple released their first security update for 2006 which addressed a number of issues - some of the more serious ones were actually unknown prior to Apple releasing the patch. Patches were provided for issues related to to bypassing security restrictions, unsafe loading of encrypted volumes, heap overflows, privilege escalation, arbitrary remote code execution, and others. Public exploit code has already been released for a 'passwd' privilege escalation. If OS X users have not applied the patch, they should at the earliest opportunity.

Copyright © 2005, Sûnnet Beskerming Pty. Ltd.
Home | Contact Us