Security Watch
Backup Daemon Vulnerabilities
Patches are released for flaws in Veritas backup daemons, Florida banks are phished, the new Sun Grid is attacked by bots, and the Feds lose computers.
Hacking
Three distinct vulnerabilities in various
Symantec Veritas NetBackup daemons
could allow an attacker to run code of their choice on the affected
system. The vulnerabilities exist in the SharePoint Services Server, Volume
Manager and Catalog daemon. Patches are available for all.
Vulnerabilities in back-up servers have been picked on by hackers in the past,
particularly in educational environments. Though there haven't been any
exploits yet, it won't be a surprise if they come.
Cited as an unusual form of phishing, hackers broke into the computers of a
hosting site which hosted three Florida banks. According to reports,
the hack redirected visitors from the banks' legitimate Web sites to bogus
sites where their login information was obtained.
This kind of activity used to be simply called hacking, but I guess phishing
has greater media appeal right now. While standard builds make management of
such servers easier, they also seem to have led, in this case, to the three banks
suffering the same attack via one provider.
The U.S. Internal Revenue Service (IRS) has established an e-mail address
to collect suspected phishing e-mails sent to taxpayers. Messages sent to [email protected]
will be used by the IRS to help law enforcement shut down phishing sites.
Firstly, it's important for anyone whose reputation may be abused by
phishing scams to ensure they make their customers aware of the possibility
and to provide any assistance to their customers that will bring such criminals
down.
However, consumers are not going to be able to remember hundreds or thousands
of e-mail addresses, so a better effort should be made to create a central reporting
address. Alternatively, ISPs should put forward a better effort by accepting
all reports from their customers and taking on the task of routing them to the
appropriate authorities. It's enough of a challenge to get consumers to
recognize phishing from legitimate messages.
Denial of Service
A text-to-speech application intended to give the public a view of the newly
unveiled Sun Grid, a private network of processors offered up for hire
by Sun Microsystems, had to be removed from public use after it was attacked
by a bot network on the Sun Grid's opening day. Sun defended the application
by moving it inside the Sun Grid's authentication system, thereby preventing
all but their few customers from using it.
What the heck were they thinking? How on earth did they expect this to come
as anything other than a public relations black eye if they couldn't withstand
a DDoS attack?
This column was originally published in our weekly Security Watch newsletter.
Physical Security
The U.S. Energy Department's Office of Intelligence lost 18 pieces of
computer equipment and cannot determine whether or not the equipment had been
used to process classified information.
Of interest in the department's report was the statement that equipment
that processes classified information can only be identified while it is still
attached to the classified system.
Well, duh! How sensible an approach is that? Equipment should be deemed as
having handled classified data simply by virtue of the fact that it had access to
sensitive data, and thereafter it should never be used in a less-classified environment.
It seems the DOE Auditor General's report is indicating that this best
practice was not used within the Office of Intelligence.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.