Security Watch
Too Much Academic Freedom?
A crack in the ivory tower might require a Big Brother to patch.
Privacy
George Mason University should be reconsidering some
of its privacy policies after more than 30,000 students and staff had Social
Security numbers and other information stolen earlier this month.
It sure seems to me that going to college these days pretty much means you
must expose all your private information to some hacker who will likely give
it away to any number of other unknown folks.
One reason continually cited for lax security at such institutions
is the need for "free" and "open" environments. In other
words, we can't have strong security at an ".edu," because doing so
would mean monitoring student traffic and enforcing controls on student-owned systems
(such as requiring personal firewalls and keeping antivirus software
up to date). At what point will the student body realize that the absence of
institutionally enforced security is exactly what leads to its privacy being compromised by
hackers? Better the devil you know...
T-Mobile was compromised by a 21-year-old who, seemingly
through social engineering, managed to view e-mails and account information
for some 400 customers. Apparently, he was offering to look up any of their
customers for a price. It looks like he may be working with law enforcement,
since the offenses occurred in 2003 and there's been no sentencing information
yet.
Hacking
Three new patches that fix security holes were recently delivered by
Microsoft. The worst was a vulnerability in the HTML
Help ActiveX control, patched in MS05-001.
This cross-zone scripting vulnerability would permit a page loaded from, say,
the Internet zone to drop and execute code in the far more trusted Local Computer
zone. It is most likely to be exploited by spyware.
This column was originally published in our weekly Security Watch newsletter.
More graphic formats were found to be vulnerable to overflows in their parsing
engines (the code that renders the graphic file); these flaws were patched by
MS05-002.
In this case it was cursors and icons (including animated cursors). Internet Explorer
automatically downloads an icon file (FAVICON.ICO), if it exists, from a Web
site when the site is bookmarked, so merely adding a hostile site to your Favorites
is enough to feed a crafted icon to the vulnerable code. Be careful.
Finally, the Microsoft Index service was found to have yet another overflow,
now patched by MS05-003.
This is the same service targeted by the Code Red worm several years back. In
this case, you have to be able to submit a complete query for anything to happen.
Note: Windows 2000's Index Service isn't vulnerable
to the issues in MS05-003, but there's a patch for the platform anyway. Microsoft
made some security enhancements to the COM object delivered with Index Service,
and the Win2K version of MS05-003 provides those enhancements.
Firefox was found to be vulnerable to having security
dialogs spoofed. Hmmm ... when that vulnerability was found with IE, there was
no end of chatter; but now that it's been determined to be more a problem with
HTML than with browsers themselves, people seem awfully quiet. It will be an
interesting browser that finally prevents—completely and absolutely—the
ability of a Web page to obscure a security dialog box. I doubt we'll see one
in our time.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.