Security Watch

Survey Says Attacks are Down

But hackers may be relying more on inside men to get the job done.

Hacking/Denial of Service
Deloitte's 2005 Global Security Survey has been published. Significant findings in this year's survey included:

  • Fewer of the top 100 financial institutions experienced IT security breaches. The number was down to 33 percent this year, compared with 83 percent last year.
  • Internal IT security breaches more than doubled.

As for the drop in security incidents, nothing significant has changed in the IT security landscape to account for it; it may simply reflect more experience in identifying and dealing with such attacks. It's also noteworthy that over the past 12 months there hasn't been a significant worldwide IT security event of the kind that probably accounted for many of the previous year's reports of external breaches. With fewer external events demanding their attention, security teams may also have had more time to concentrate on discovering internal incidents.

It's hard to say whether the increase in internal breaches reflects better investigations (turning up an internal component in attacks previously believed to be entirely external) or attackers putting more effort into recruiting an insider.

Two distinct vulnerabilities have been discovered in Microsoft objects.

The first is a vulnerability in the Log Sink Class ActiveX control. The control is incorrectly marked safe for scripting and safe for initialization, so a web page in any security zone can instantiate and script it; as a result, an attacker can cause files to be created on the victim's system. Patches are available.

The second is a vulnerability in the JAVAPRXY.DLL COM object. The object does not correctly handle data supplied when it is initialized, so an attacker who can instantiate it (from a web page, for example) can supply code of his choice to run when the object starts. Patches are not available, but Microsoft has provided instructions on how to limit the object's invocation or disable it entirely, and a scanning tool to determine which systems contain the vulnerable object.

The insidious thing about this is that if you've done a new installation of Windows XP bundled with Service Pack 1a or 2, or a new installation of Windows Server 2003, you didn't install the Microsoft JVM (Java Virtual Machine) and therefore probably don't have the vulnerable object.

But if you upgraded from a previous version of Windows to either of the above, you probably do have the vulnerable control (and the Microsoft JVM). Further, other applications may have required the JVM and installed it as part of their own setup. The result is that the object's presence is inconsistent from system to system across your network, which is why Microsoft produced a scanning tool to determine which systems contain the JVM. It's available at http://snipurl.com/4lut.

The XML_RPC package in the PHP Extension and Application Repository (PEAR) prior to version 1.3.1 contains a vulnerability in its handling of XML-RPC requests. XML-RPC is a remote procedure call protocol that encodes requests and responses as XML, normally carried over HTTP, so that clients on any platform can invoke methods on a server. The vulnerability permits PHP code to be included in the XML-RPC request; the library evaluates that code while processing the call, so an attacker could run PHP code of his choice on the server. Patches are available.
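The bug class here is a parser that builds source code from untrusted data and then evaluates it. The following is an added illustration written for this column in Python, not PEAR's PHP code: a toy XML-RPC parameter decoder that assembles a list expression from the request's <string> values and passes it to eval(), next to a decoder that simply walks the XML tree. The request text, the SIDE_EFFECTS list and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Module-level list the injected expression appends to, so that the
# effect of attacker-supplied code is observable (constructed for this example).
SIDE_EFFECTS = []

# Constructed XML-RPC request. The second parameter closes the quoted
# string the vulnerable decoder builds and splices in arbitrary Python.
ATTACK_REQUEST = """<methodCall>
  <methodName>examples.echo</methodName>
  <params>
    <param><value><string>hello</string></value></param>
    <param><value><string>a' + str(SIDE_EFFECTS.append('injected code ran')) + 'b</string></value></param>
  </params>
</methodCall>"""


def decode_vulnerable(xml_text):
    """Decode <string> parameters by generating a Python literal and eval()-ing it.

    The parameter text is pasted between quotes with no escaping, so any text
    containing a quote character changes the code being evaluated. This is the
    same shape as the PEAR XML_RPC flaw, transposed to Python.
    """
    root = ET.fromstring(xml_text)
    exprs = ["'" + (s.text or "") + "'" for s in root.iter("string")]
    return eval("[" + ", ".join(exprs) + "]")


def decode_safe(xml_text):
    """Decode <string> parameters by reading the parsed tree directly.

    No code is generated from the data, so a quote or plus sign in the
    parameter is just a character in a string.
    """
    root = ET.fromstring(xml_text)
    return [s.text or "" for s in root.iter("string")]


if __name__ == "__main__":
    print("safe:      ", decode_safe(ATTACK_REQUEST), SIDE_EFFECTS)
    print("vulnerable:", decode_vulnerable(ATTACK_REQUEST), SIDE_EFFECTS)
```

Running the vulnerable decoder over the request returns ["hello", "aNoneb"] and leaves "injected code ran" in SIDE_EFFECTS; the safe decoder returns the second parameter verbatim and executes nothing. The fix in the real library was the same in spirit: stop building code out of request contents.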

Malicious Code
Be on the lookout for W32.Toxbot.C, a worm that allows a remote attacker to gain unauthorized access to a system via IRC. The worm propagates by exploiting the following vulnerabilities:

  • Microsoft RPC DCOM vulnerability reported in MS03-026 and Cybertrust Alert 6307
  • Microsoft Windows LSASS buffer overflow vulnerability reported in MS04-011 and Cybertrust Alert 7535
  • Microsoft SQL Server privilege escalation vulnerability reported in MS02-061 and Cybertrust Alert 4762
  • Veritas Backup Exec registration request buffer overflow vulnerability

The malcode writers are still using the "Swiss Army Knife" approach, just trying anything they can. The new piece in Toxbot is the Veritas vulnerability. People were wondering what was causing the hits on TCP port 10000 (the port the Backup Exec remote agent listens on), and the consensus points to Toxbot.
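A worm that tries several exploits against every host it can reach leaves a recognisable pattern in perimeter logs: one source touching many destinations on the handful of ports those exploits use. The following is an added example, not from the column or from any vendor, that runs that check over a few constructed firewall log lines. The log format, host addresses and thresholds are made up for the example; the port mapping (135/tcp for MS03-026, 445/tcp for the MS04-011 LSASS flaw, 1433/tcp for MS02-061, 10000/tcp for the Backup Exec agent) is the editor's, not stated in the column.

```python
import re
from collections import defaultdict

# Ports over which the exploits Toxbot.C carries are delivered (editor's mapping):
# 135 RPC DCOM (MS03-026), 445 LSASS (MS04-011), 1433 SQL Server (MS02-061),
# 10000 Veritas Backup Exec remote agent.
TOXBOT_PORTS = {135, 445, 1433, 10000}

# Constructed log syntax: "<timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def find_scanners(lines, min_targets=5, min_ports=2):
    """Flag sources that contacted at least min_targets distinct hosts on at
    least min_ports of the worm's ports. Both thresholds are tunable; a backup
    client talking to one media server on 10000/tcp must not trip the rule."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TOXBOT_PORTS:
            continue
        per_src[rec["src"]]["targets"].add(rec["dst"])
        per_src[rec["src"]]["ports"].add(rec["dport"])
    return {
        src: {"targets": len(v["targets"]), "ports": sorted(v["ports"])}
        for src, v in per_src.items()
        if len(v["targets"]) >= min_targets and len(v["ports"]) >= min_ports
    }


# Constructed sample: one infected host sweeping a /24, one legitimate backup
# client, and some unrelated web traffic.
SAMPLE_LOG = (
    [f"2005-07-05T10:00:{i:02d} DENY TCP 10.0.0.7:{3000 + i} -> 10.0.1.{i}:10000" for i in range(1, 9)]
    + [f"2005-07-05T10:01:{i:02d} DENY TCP 10.0.0.7:{3100 + i} -> 10.0.1.{i}:445" for i in range(1, 9)]
    + [f"2005-07-05T10:02:{i:02d} ALLOW TCP 10.0.0.9:{4000 + i} -> 10.0.2.5:10000" for i in range(1, 4)]
    + ["2005-07-05T10:03:00 ALLOW TCP 10.0.0.20:5000 -> 192.0.2.10:80"]
)


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets on ports {info['ports']}")
```

On the sample, only 10.0.0.7 is reported (eight targets on 445 and 10000); the backup client on 10.0.0.9 hits a single server and is ignored. Counting DENY and ALLOW lines alike matters: the worm's successful connections are the ones you most want to see.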

Sophos has suggested that the huge increase in new pieces of malware (7,944 new pieces in the first six months of this year, a 60 percent increase over the same period last year) suggests that more criminals are seeking to use malware to commit their crimes.

This column was originally published in our weekly Security Watch newsletter.

Cybertrust (my employer) has been stating that criminals have been using malware for a considerable length of time; however, a dramatic increase in the number of new pieces of malware doesn't necessarily prove Sophos' theory. For example, numerous viruses this year, including MyTob, have produced hundreds of variants in a very short time span, seemingly in an attempt to overwhelm anti-virus vendors. The release last year of malware source code has also led to a dramatic increase in the number of people who can author malware, most of whom probably have no criminal intent per se.

Sophos also suggested that anti-spam laws were having an effect on criminals who previously used spam to entice their victims, forcing them to shift from spam to Trojans. Given that spam volume is up over last year, this connection seems tenuous at best.

Privacy
The University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week. The flaw put at risk "hundreds of thousands" of records containing personal information, including names, birth dates, addresses and social-security numbers, according to the vulnerability's discoverer.

Reports suggest the information was exposed through a flaw in the application's database queries that allowed SQL injection attacks. It's also unclear whether the information was actually taken, or whether the flaw was simply discovered and the school reported that the data may have been compromised.
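To show what an injection flaw of this kind looks like, here is an added example written for this column (not USC's code or schema): a login lookup that splices user input into the SQL text, beside the same lookup with bound parameters, run against a constructed in-memory SQLite table. The table, rows and function names are invented for the example.

```python
import sqlite3

# Constructed stand-in for an online-applications table. Values are fake.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicant (id INTEGER PRIMARY KEY, username TEXT, password TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicant (username, password, ssn) VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "000-00-0001"),
            ("bob", "hunter2", "000-00-0002"),
            ("carol", "letmein", "000-00-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the caller's text becomes
    part of the SQL grammar, so a quote in the input rewrites the WHERE clause."""
    sql = (
        "SELECT username, ssn FROM applicant WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, password):
    """Same query with placeholders: the driver binds the values, which can
    never alter the statement's structure, whatever characters they contain."""
    sql = "SELECT username, ssn FROM applicant WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic payload: closes the password literal and ORs in a tautology, so the
# vulnerable query becomes ... password = '' OR '1'='1' and matches every row.
INJECTION = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vuln_legit": lookup_vulnerable(conn, "alice", "s3cret"),
        "vuln_attack": lookup_vulnerable(conn, "x", INJECTION),
        "safe_legit": lookup_safe(conn, "alice", "s3cret"),
        "safe_attack": lookup_safe(conn, "x", INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload as the password, the concatenated query returns all three applicants and their SSNs, which is exactly the "hundreds of thousands of records" exposure described above scaled down; the parameterized version returns nothing, because the payload is compared as a password string rather than parsed as SQL.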

Governance
All banks in Hong Kong are now required to use two-factor authentication to secure high-risk online transactions. The Hong Kong Monetary Authority mandated the upgrade, and all banks in the territory have complied.

Although the mandate didn't include specifics as to how two-factor authentication was to be implemented, it appears the banks have chosen to use smart cards with digital certificates.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
