Security Watch

Grokster Loses; ISPs Next?

The U.S. Supreme Court's ruling against Grokster could shift responsibility for illegal file sharing to ISPs.

Governance
The U.S. Supreme Court ruled against file sharing software companies in a case with potentially broad ramifications. In the case, MGM Studios Inc. v. Grokster Ltd., the Court ruled that Grokster had substantially encouraged its customers to defy copyright law and illegally share and distribute copyrighted material. This is a substantial step toward establishing the groundwork for holding providers responsible for the actions of their customers.

The ruling doesn't immediately make Internet service providers (ISPs) liable, but it does provide further indication of where liability could—and should—be assigned. One reason the Internet is saturated with viruses, worms, spyware and malware is because ISPs believe they have no liability for the actions of those to whom they provide service.

While the Electronic Frontier Foundation condemns the ruling as unleashing "a new era of legal uncertainty on America's innovators," others, including myself, hold that such innovators must act responsibly when creating new technologies; they must ensure that those technologies don't undermine other existing and accepted laws.

The day of the open, unfettered and completely unmonitored Internet connection may well be over—and if it isn't, it should be. ISPs should be held accountable for the actions of the subscribers they've courted through promises to allow spam and/or hacking. The ruling may help thwart the constant onslaught every Internet subscriber must endure in using what is now being called "the backbone of the U.S. economy."

Hacking/Denial of Service
Most sources seem to be backing off their dire claims and warnings of some imminent disaster related to the MS05-027 vulnerability patched last month. MS05-027 was yet another vulnerability in the Server Message Block (SMB) as a result of a buffer overflow. Reports had indicated significantly increased scanning and sniffing of port 445, yet these reports offered nothing to indicate why or how this was over and above what has been constant on the Internet for several years.

Cybertrust's take is fairly simple: if you have port 445 open and exposed directly to the Internet, your system has probably been compromised. If you don't, a new vulnerability isn't likely to affect you. Internal attackers are certainly a possibility, but they've been a possibility on that port since its inception.

Exploit code has been publicly released as part of the Metasploit Framework for the CONNECT_CLIENT_AUTH buffer overflow vulnerability in Veritas Backup Exec. An increase in scanning and active exploits has also been reported.

Reports suggest that several educational institutions were compromised as a result of this vulnerability. CERT has also issued a warning about it. One report indicated that a bot, W32.ToxBot, is purportedly targeting the publicized Veritas vulnerability.

It is now a given that whenever proof of concept code is published, it's incorporated almost immediately into a bot, and attacks from within a bot are those first noticed.

Corporations should not be exposing these Veritas products directly to the Internet. Educational institutions are often known to obtain corporate software but deploy it, basically, as a kid would deploy software in his house.

Privacy
The University of Connecticut discovered a compromised server that was running for nearly two years. The discovery of the rootkit in June forced the school to notify 72,000 students, faculty and staff about the possibility of personal information compromise. University officials said they were convinced no information was actually taken from the compromised server because the malware installation was only partially successful; a backdoor subsystem was not successfully installed.

Still, one has to question how it got installed in the first place and why that installation wasn't detected until now. In addition, just because the backdoor routine wasn't successfully installed doesn't mean there couldn't have been any data theft. For instance, the rootkit may have been designed to transmit data without receiving instructions via the backdoor. Only forensic analysis could determine precisely what damage the rootkit did.

CVS, one of the largest pharmacy chains in the U.S., temporarily shut down the purchase-tracking feature on its Web site after it was determined that unauthorized users could request, via e-mail, information about another user. According to CVS, the feature didn't include prescription purchases. Access to the information was based solely on an 11-digit account number, the user's zip code and the first three letters of the user's last name, all information that could be brute-forced or guessed in combination with known information about an individual. CVS has said it will keep the feature disabled until it has developed additional security measures.

This is a perfect example of a company proceeding with interactive Web applications without fully considering the ramifications. CVS claims the information is benign and that it couldn't be used for identity fraud; but the fact that the data was so weakly protected has drawn the wrath of some privacy groups and sullied CVS' name. CVS may lose customers, share value, or both as a result, simply because a rather innocuous feature was poorly conceived or implemented.

Any company with an online presence needs to seriously consider every aspect of its online security to ensure that a similar episode doesn't happen to it.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
