Security Watch

One Site Exploits IE Flaw

A visit to the malicious site in question can invite a trojan into your midst.

• By Russ Cooper
• 12/19/2005

The site in question has not been identified to us; however, Microsoft has acknowledged the reports, suggesting it may know the malicious site. Regardless, the trojan that was being delivered was/would have been recognized by most current AV programs as a generic downloader. In other words, it was not something new that updated signatures were required to detect. Also note that to be victimized, the attacker must lure the victim to a malicious site AND get the victim to click on something within that site.

Given that only a single site has thus far been reported, the volume of discussion right now places this issue in the "hype" category, as the threat has not dramatically increased to warrant the increase in discussion. Yes, this issue has potential for harm, but we believe it’s unlikely the threat will increase. A worm is unlikely, and using this method to propagate a bot is much slower than other existing mechanisms.

Webmin and Usermin Web Server Format String Vulnerability: Webmin is an HTML-based administration console for Unix, while Usermin is an HTML-based user console for Unix. The server component miniserv.pl contains format string vulnerabilities that could allow a remote attacker to cause a denial-of-service condition and possibly remotely execute commands. Patches are available.

Apple OS X Updates APPLE-SA-2005-11-29 Security Update 2005-009 APPLE-SA-2005-11-30 J2SE 5.0 Release 3: There were a number of items in these packages that dealt with some strange circumstances, like having local users on open directory master servers -- issues which shouldn’t occur in normal business practice. None were urgent, but we'll continue to track the issues should they turn into an exploit in the future.

Exploits have been released for both MS05-051 (MSDTC) and MS05-053 (vulnerabilities in rendering .WMF and .EMF file formats), although at this point there’s no indication they’re being used.

Denial of Service
NTP Inc. continues to receive favorable rulings from judges in their case against Research In Motion, makers of the BlackBerry. This time, a federal judge ruled against RIM in two motions they filed; one to attempt to force NTP to settle the case, and another to stop the proceedings while the U.S. Patent and Trademark Office re-examined NTP’s patent claims. The ruling brings the possible injunction to stop sales of BlackBerry mobile e-mail devices and shut down the BlackBerry service in the U.S. closer to reality.

Since BlackBerry use is so widespread, enterprises should plan now on how to deal with a possible outage. Some discussion has been held over whether or not Web browsing and SMS service will continue to Blackberry devices should an injunction be invoked. While it’s most likely true that neither of these services will be interrupted, it’s yet another reason why customers should check with their providers. Ultimately, it will be the providers who, driven by customer demand, may record Friends of the Court letters regarding this case. Also, they will be determining what, if anything, they are able to do for their customers.

It’s also important to remember that only Blackberry Enterprise Service e-mail is encrypted between the BlackBerry gateway and the destination device. SMS is not. So, should an injunction come into effect, determining the effect of unencrypted messaging on your business plans is an important thing to do.

Human Factors
A man using the handle “Dr. Chaos” has been sentenced as a result of a 2002 conviction for 1999 charges stemming from attacks against SCADA systems in 1999.

At the time of the massive U.S. East Coast blackout in 2003, when Internet attacks against SCADA systems were suspected, nothing was known about this individual or the attacks performed in 1999. Much of the skepticism in 2003 about the possibility of such attacks may have been eliminated had these prior attacks been known publicly.

Physical Security
According to Qantas Airlines testimony to the Australian government inquiry into aviation security, during the past two years the company has issued 384 Aviation Security Identification Cards (ASICs) for Sydney Airport, which they can no longer account for. They claimed that 24 were “indirectly stolen” while the “vast majority” were simply lost, although it’s unclear how they made that distinction or could stand by it given they claim the ASICs are unaccounted for. Qantas claims it notified police whenever they realized an ASIC was missing and disabled it from being used. However, a spokesman for Sydney Airport stated that disabling the ASIC wouldn’t prevent it from being of value since the ASICs validation isn’t tested at manned entry points -- all anyone would need is a valid-looking ASIC with a picture ID.

Tokens, or any “device” used to supplement other authentication mechanisms, are only as valid as the environment they’re used in. So, if you put a digital certificate on a token, it serves no purpose unless you actually test the certificate, and then, only if you test to ensure that certificate hasn’t been revoked or compromised. Far too many implementations sound strong but operate weakly simply because the features of the token aren’t fully implemented or verified at every point the token might get presented.

Then there is the issue of educating verifiers from one security mechanism generation to the next. Tokens and passwords have been in use for thousands of years and have been compromised for just as long. Each time a new scheme is implemented, presumably to thwart the compromise of the previous scheme, someone has to ensure that everyone is on the same, new page. In this case, Qantas implemented ID cards with digital verification, but it didn’t ensure that every point the old ID cards could be used was upgraded to actually test the digital veracity of the new card. Without access to a “new” card, any idiot could create a duplicate with their own picture and then simply walk up to a manned entry point, never having to worry about the electronic aspect of the ASICs at all. Wonderful!

Privacy
Lycos in the Netherlands was instructed by the Dutch court to turn over the name and other information of one of their customers for use in a civil litigation case. The effect of that order is now it’s easier to force an ISP to disclose information about its customers in a civil court than it is in a criminal court.

While this is strictly a Dutch law at present, its precedence may open the way for adoption of similar decisions in other jurisdictions. If civil cases afford greater flexibility in obtaining private information about individuals, they’ll become the opening salvo of choice by anyone harmed by someone else’s Internet actions. There’s a great deal of similarity between forcing an ISP to disclose a customer who was connected on a given IP address at a given time, to a company that has an employee connected to their network at a given time.

Remember that any court can only force you to produce those records you actually have. If records are not kept, you cannot be forced to recreate them unless they can be fully constituted from other records. As such, you should carefully consider what records you store, and how long you store them and develop this decision into a policy. If civil subpoenas become commonplace, our customers could find themselves overburdened by the efforts of producing logs and testifying in cases in which they are being used.