Security Watch
Grokster Loses; ISPs Next?
The U.S. Supreme Court's ruling against Grokster could shift responsibility for illegal file sharing to ISPs.
Governance
The U.S. Supreme Court ruled against file-sharing software companies in a case with potentially broad ramifications. In the case, MGM Studios Inc. v. Grokster Ltd., the Court ruled that Grokster had substantially encouraged its customers to defy copyright law and illegally share and distribute copyrighted material. This is a substantial step toward establishing the groundwork for holding providers responsible for the actions of their customers.
The ruling doesn't immediately make Internet service providers (ISPs) liable, but it does provide further indication of where liability could—and should—be assigned. One reason the Internet is saturated with viruses, worms, spyware and malware is that ISPs believe they have no liability for the actions of those to whom they provide service.
While the Electronic Frontier Foundation condemns the ruling as unleashing "a new era of legal uncertainty on America's innovators," others, including myself, hold that such innovators must act responsibly when creating new technologies; they must ensure that those technologies don't undermine other existing and accepted laws.
The day of the open, unfettered and completely unmonitored Internet connection may well be over—and if it isn't, it should be. ISPs should be held accountable for the actions of the subscribers they've courted through promises to allow spam and/or hacking. The ruling may help thwart the constant onslaught every Internet subscriber must endure in using what is now being called "the backbone of the U.S. economy."
Hacking/Denial of Service
Most sources seem to be backing off their dire claims and warnings of some imminent disaster related to the MS05-027 vulnerability patched last month. MS05-027 was yet another buffer overflow vulnerability in Server Message Block (SMB). Reports had indicated significantly increased scanning and sniffing of port 445, yet these reports offered nothing to indicate why or how this was over and above what has been constant on the Internet for several years.
Cybertrust's take is fairly simple: if you have port 445 open and exposed directly to the Internet, your system has probably been compromised. If you don't, a new vulnerability isn't likely to affect you. Internal attackers are certainly a possibility, but they've been a possibility on that port since its inception.
Exploit code has been publicly released as part of the Metasploit Framework for the CONNECT_CLIENT_AUTH buffer overflow vulnerability in Veritas Backup Exec. An increase in scanning and active exploits has also been reported. Reports suggest that several educational institutions were compromised as a result of this vulnerability. CERT has also issued a warning about it. One report indicated that a bot, W32.ToxBot, is purportedly targeting the publicized Veritas vulnerability.
It is now a given that whenever proof-of-concept code is published, it's incorporated almost immediately into a bot, and the first attacks noticed are those launched from within a bot.
Corporations should not be exposing these Veritas products directly to the Internet. Educational institutions are often known to obtain corporate software but deploy it, basically, as a kid would deploy software in his house.
Privacy
The University of Connecticut discovered a server that had been compromised for nearly two years. The discovery of the rootkit in June forced the school to notify 72,000 students, faculty and staff about the possibility of personal information compromise. University officials said they were convinced no information was actually taken from the compromised server because the malware installation was only partially successful; a backdoor subsystem was not successfully installed.
Still, one has to question how it got installed in the first place and why that installation wasn't detected until now. In addition, just because the backdoor routine wasn't successfully installed doesn't mean there couldn't have been any data theft. For instance, the rootkit may have been designed to transmit data without receiving instructions via the backdoor. Only forensic analysis could determine precisely what damage the rootkit did.
CVS, one of the largest pharmacy chains in the U.S., temporarily shut down the purchase-tracking feature on its Web site after it was determined that unauthorized users could request, via e-mail, information about another user. According to CVS, the feature didn't include prescription purchases. Access to the information was based solely on an 11-digit account number, the user's zip code and the first three letters of the user's last name; all of which could be brute-forced or guessed in combination with known information about an individual. CVS has said it will keep the feature disabled until it has developed additional security measures.
This is a perfect example of a company proceeding with interactive Web applications without fully considering the ramifications. CVS claims the information is benign and that it couldn't be used for identity fraud; but the fact that the data was so weakly protected has drawn the wrath of some privacy groups and sullied CVS' name. CVS may lose customers, share value, or both as a result, simply because a rather innocuous feature was poorly conceived or implemented. Any company with an online presence needs to seriously consider every aspect of its online security to ensure that a similar episode doesn't happen to it.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.