Security Watch

SpyProxy Offers Browser Protection, For Now

Another tool to fight the criminals lurking on the Internet. Plus: DNS 'pinning'; Atsiv driver rejection; more.

Researchers at the University of Washington demonstrated SpyProxy, a tool that renders the pages you request inside a virtual machine and watches what they do before the content is passed on to your browser. (Download the research paper in .PDF here.) It examines the page to determine whether any suspicious behaviors are present. SpyProxy adds latency, but it can be configured to perform a minimal check that asks only whether a page has previously been loaded successfully and whether it has changed since it was last downloaded.

The obvious question is whether SpyProxy itself can be breached. Talking about a virtual machine as if it were a separate box with no connectivity to anything else is simply foolish. Sure, it may well catch the exploits currently being attempted on users, but that will last only as long as the tool is not broadly used. If SpyProxy achieves critical mass, it becomes a target in its own right, and malicious pages will be written to detect or escape the proxy's virtual machine.

Besides, if SpyProxy becomes popular, criminals could simply deliver huge executables to create significant latency. Done broadly enough, that could cause users to rethink running the program at all. To be effective, SpyProxy needs to be completely invisible to the sites it scans and fast enough that it introduces no noticeable latency.

Same Old Problems with 'DNS Pinning'
Researchers at Stanford University have renewed discussion of a problem that is more than a decade old: the Same Origin Policy (SOP), which browsers and other software use to decide whether code from one site may talk to another. Combine this with how browsers resolve DNS names, a weakness just as old as the SOP, and an attacker can make a victim's machine probe other machines on its internal network and send the results out to an Internet-connected system.

This is nothing new, of course; bots and Trojans do the same thing. In this case, however, the malicious code runs in the browser as JavaScript or a Java applet. OK, so that's not new either.

Browser vendors implemented "DNS pinning" to make such attacks less likely: once a host name has been resolved, the browser keeps using that address for the rest of the session instead of resolving the name again. The idea works in theory, but the Stanford researchers say the actual implementations are so flawed that they fail to prevent even trivial attacks.

One proposed solution is for browsers to distinguish between internal and external hosts and to refuse to let an external domain name resolve to an internal address. The attack works like this: the malicious object asks to resolve the attacker's host name and gets back two IP addresses for that name. One is the external site being looked up; the other is the victim's own machine (or some other machine on the internal network that the victim's machine trusts). With both addresses cached on the victim, the object can now connect to the internal address while, from the SOP's point of view, it is still talking to its own origin, because the SOP compares host names rather than IP addresses.
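The following is an added example, not code from the column or from the Stanford researchers. It is a toy model of the attack just described and of the two defenses the column mentions: DNS pinning in the browser, and refusing to let an external name resolve to an internal address. The host names, addresses and the DNS answer table are constructed for the example; the attacker domain answers with one public and one RFC 1918 address. Any component that opens its own connections without sharing the browser's pin table behaves like the unpinned case in this model.

```python
"""Toy model of DNS rebinding and two defenses (added example, not the
column's own code). Host names and addresses below are made up."""
import ipaddress
from dataclasses import dataclass, field

# Constructed DNS answers: attacker.example returns two A records, its own
# public address and a host on the victim's LAN that it wants to reach.
FAKE_DNS = {
    "attacker.example": ["203.0.113.10", "192.168.1.20"],
    "intranet.corp": ["192.168.1.20"],
}

# Explicit list instead of ipaddress.is_private, which would also flag the
# documentation range 203.0.113.0/24 used here as the "public" address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if ip falls in an RFC 1918, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name, *, filter_internal=False, internal_names=frozenset()):
    """Return candidate addresses for name. With filter_internal=True, drop
    internal answers unless name is a known internal host (the 'do not let
    external names resolve to internal addresses' defense)."""
    answers = FAKE_DNS.get(name, [])
    if filter_internal and name not in internal_names:
        answers = [ip for ip in answers if not is_internal(ip)]
    return answers


@dataclass
class Browser:
    pinning: bool = False            # keep first resolved address per host
    filter_internal: bool = False    # apply resolve()'s internal filter
    internal_names: frozenset = frozenset()
    pins: dict = field(default_factory=dict)   # hostname -> pinned address

    def connect(self, origin_host, url_host, attempt):
        """Model a request from script served by origin_host to url_host.
        The SOP check compares host names only, so a rebound request to the
        attacker's own name passes it; which address is contacted depends on
        the resolver behavior. attempt selects which DNS answer the attacker
        gets the browser to use on a later request (short TTL, reordering)."""
        if origin_host != url_host:
            return ("blocked-by-sop", None)
        if self.pinning and url_host in self.pins:
            return ("ok", self.pins[url_host])
        answers = resolve(url_host, filter_internal=self.filter_internal,
                          internal_names=self.internal_names)
        if not answers:
            return ("nxdomain", None)
        ip = answers[min(attempt, len(answers) - 1)]
        if self.pinning:
            self.pins[url_host] = ip
        return ("ok", ip)


def run_attack(browser):
    """First request fetches the malicious ad from the attacker's server;
    the second, issued by that ad's script to the same host name, is the one
    the attacker tries to rebind to the internal address."""
    first = browser.connect("attacker.example", "attacker.example", 0)
    second = browser.connect("attacker.example", "attacker.example", 1)
    return first, second


if __name__ == "__main__":
    print("no defense:      ", run_attack(Browser()))
    print("pinning:         ", run_attack(Browser(pinning=True)))
    print("internal filter: ", run_attack(Browser(filter_internal=True)))
    legit = Browser(filter_internal=True,
                    internal_names=frozenset({"intranet.corp"}))
    print("known internal:  ", legit.connect("intranet.corp", "intranet.corp", 0))
```

With no defense the second request lands on 192.168.1.20 while the SOP still sees attacker.example; pinning keeps it on 203.0.113.10, and the internal filter never hands the private address to the browser in the first place, while a name on the internal allowlist still resolves normally.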

Regardless of the effectiveness of the technique, or even the difficulty of preventing such an attack, it still relies on getting a victim to visit a site that contains the malicious code. To counter this argument, the Stanford researchers say they purchased, for $100, a spot on an advertising network and placed there a Flash advertisement that used the technique. Pretty slick, eh? Well, who knows what else the ad did, or whether it did anything other than resolve a domain name? So who can say that using existing ad networks as a vehicle for spreading malware is realistically viable? The ad networks have been warned on numerous occasions that they could be used to compromise a significant number of surfers, so we doubt it is a method that works more than once.

Without such a delivery channel, you are left with luring someone to your criminal site, just as today's browser exploit sites do.

Misplaced Trust Can Mean Data Exposure
New York City-based The Buying Triangle says its hosting provider, Infosys of India, has refused to return intellectual property and customer data from the Web application The Buying Triangle used to build its customer community; the data was stored on Infosys servers. (Darkreading.com has the story here.)

Always ask yourself, do you have your backups, or will you have to ask someone else for them?

This column was originally published in our weekly Security Watch newsletter.

Microsoft Blocks Atsiv
Microsoft has revoked the signature on Atsiv, a 64-bit driver intended to allow any 32-bit or 64-bit driver, signed or not, to be loaded and unloaded. Atsiv itself was properly signed, but because it lets unsigned drivers into the kernel it violates Microsoft's Kernel-Mode Code Signing policy. Microsoft says it has also issued a Windows Defender signature that flags Atsiv as potentially unwanted software if it is found.

While it's understandable why someone might want such a driver (say, a legacy driver for which no 64-bit update exists), it is equally understandable for Microsoft to enforce its policy the way it has.

Who's Your Domain Daddy?
The manager of a group of leather furniture stores sold the stores' domain name, sofa.com, for $200,000 to a London-based online furniture retailer back in 2005. He did so without the permission of the stores' owners and pocketed the money. A year later, he allegedly was confronted by the owner and repaid some $66,000 to the store. He was charged in April 2007 with "theft in a business setting," says this article from the Sheboygan (Wisconsin) Press.

Clearly this should serve as a reminder to anyone holding a valuable domain name to ensure that adequate controls are in place so such an incident never happens to you. The original sofa.com owners have made no attempt to recover the domain, and it is doubtful they ever could other than by buying it back from its current owners. If the individual charged in this case was also listed as the sole contact for the domain, the purchasers could argue that they acted in good faith, believing they were dealing with the domain's actual owner; if so, the sale would likely be deemed legitimate from the buyer's perspective.

Carefully review your contract with your domain registrar, and take steps to ensure that a sale or transfer of your domains is not a "one-man" process: list more than one authorized contact, and use the registrar's transfer lock so that a domain cannot be moved until the lock is deliberately released.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
