Security Watch
Are Linux Bots More Powerful?
Russ takes issue with a recent report. Plus Oracle's latest patch batch is lacking, Symantec LiveUpdate seems to be making Macs more vulnerable, and more.
Barrett Lyon, a man in the business of fighting DDoS attacks against his customers,
recently described what he called a “new generation” of bots…namely,
Linux bots. He believes these are worse than the typical bot because they are
typically Web servers on broadband connections, presumably suggesting they have
more available bandwidth with which to attack.
Well, there’s no denying that a bot with more bandwidth is worse than
one with less, but it’s hardly new or more daunting from an individual
bot perspective. Barrett described a common misconfiguration in PHP that was
being exploited by a particular bot-herder, with an automated search for other
such systems using Google searches for its seeding. This, according to the article,
resulted in a large number of such high-bandwidth systems being brought together.
However, the visibility of this PHP misconfiguration no more defines a system
as high bandwidth than running Windows defines one as low bandwidth. I remember many years ago when a DoS
attack took out thousands of networks because it was launched from a single
Linux box which happened to be located directly on the backbone -- a system
someone thought had been decommissioned but wasn’t. So the moral of the
story isn’t that Linux machines should be more carefully protected than
others, or even that machines with access to high bandwidth connections should
be more secure. Instead, secure the system you’ve got, whatever and wherever
it is.
Hacking
Oracle April 2006 Critical Patch Update: Last month's April 2006 Critical
Patch Update from Oracle addressed
multiple security vulnerabilities in Oracle products.
As is typically the case, Oracle has provided no details about which issues the
patches actually address. Possibly more important is the fact that many
of the patches have not yet been made available for all supported platforms.
Symantec LiveUpdate for Macintosh Execution Path Privilege Escalation Vulnerability:
Symantec LiveUpdate for Macintosh contains a vulnerability with the execution
path environment that could allow a local attacker to gain elevated privileges.
Patches are available.
This is a privilege elevation vulnerability in that a local user could make
modifications to the environment that LiveUpdate runs in, and then place a binary
of their choice such that it will be executed in the security context of the
victim system.
Yet another example of how running AV on a Mac reduces, rather than increases,
the security of that system!
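An added example (not code from the column or from Symantec's LiveUpdate) of the mitigation for this bug class: a privileged updater that ignores the inherited PATH and resolves its helper binaries only against directories it pins itself, refusing any candidate a non-owner could replace. The directories and helper scripts are constructed for the demo.

```shell
# Added example, not from the column or Symantec. An updater that launches
# helpers by bare name inherits the caller's PATH, so a local user can plant
# a same-named binary and have it run with the updater's privileges. The
# fix shown here: never consult PATH, resolve against a pinned directory
# list, and reject anything a group member or other user could have swapped.

DEMO_ROOT="$(mktemp -d)"
TRUSTED_DIR="$DEMO_ROOT/trusted"      # stand-in for a root-owned /usr/bin
UNTRUSTED_DIR="$DEMO_ROOT/untrusted"  # stand-in for a user-writable directory
mkdir -p "$TRUSTED_DIR" "$UNTRUSTED_DIR"
printf '#!/bin/sh\necho trusted-helper\n' > "$TRUSTED_DIR/helper"
printf '#!/bin/sh\necho planted-helper\n' > "$UNTRUSTED_DIR/helper"
chmod 755 "$TRUSTED_DIR" "$TRUSTED_DIR/helper"
chmod 777 "$UNTRUSTED_DIR" "$UNTRUSTED_DIR/helper"   # writable by anyone

# True if the path itself has group- or world-write bits (-prune keeps find
# from descending into directories; POSIX find, so same on Linux and macOS).
others_can_write() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Resolve a helper name against a colon-separated list fixed by the program.
# Prints the full path and returns 0, or returns 1 if no safe candidate exists.
resolve_trusted() {
    name="$1"
    dirs="$2"             # pinned by the program, never taken from PATH
    saved_ifs="$IFS"; IFS=:
    set -- $dirs          # split the list on ':' into positional parameters
    IFS="$saved_ifs"
    for d in "$@"; do
        candidate="$d/$name"
        [ -f "$candidate" ] && [ -x "$candidate" ] || continue
        # A writable directory or file could have been replaced by a local user.
        others_can_write "$d" && continue
        others_can_write "$candidate" && continue
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# Demo: a hostile PATH lists the untrusted directory first, but the resolver
# never looks at PATH, so only the trusted copy is ever executed.
PATH="$UNTRUSTED_DIR:$PATH"
if helper="$(resolve_trusted helper "$TRUSTED_DIR:$UNTRUSTED_DIR")"; then
    sh "$helper"
else
    echo "no trusted helper found; refusing to run" >&2
fi
```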
Firefox Vulnerabilities: Multiple vulnerabilities have been reported
in Firefox, which can be exploited by malicious people to conduct cross-site
scripting and phishing attacks, bypass certain security restrictions, disclose
sensitive information and potentially compromise a user's system.
Twenty-one vulnerabilities have been patched in Firefox, at least 10 of which
would allow a malicious Web site to execute code of its choice on the victim
system. Fixes have been incorporated in versions 1.0.8 and 1.5.0.2.
Microsoft Ends Win98 and WinME Support: Microsoft will end support and
security updates for Windows 98, Windows 98 Second Edition and Windows Millennium
Edition on July 11, 2006. Saying that the products are outdated and can expose
customers to security risks, Microsoft encourages upgrades to newer systems
as soon as possible. However, experts predict that people using such older systems
will keep them until the hardware they are running on fails.
These are the last Microsoft OSes that provided no integral security features.
While it’s true that some people will likely keep running them, those
same people are unlikely to be paying much attention to security in the first
place. In other words, their lack of upgrading isn’t going to worsen our
security stance. In fact, anyone who upgrades from such a system now is going
to jump to Windows XP with SP2, and given they likely have little knowledge
of security features, are going to leave SP2 the way it is…namely far
more secure than what they had.
Human Factors
Several articles were published following a panel discussion at the CanSecWest
security conference on whether or not companies should be buying research into
new security vulnerabilities.
Clearly there are proponents and opponents of the practice. For Cybertrust,
the bottom line is how the information is being handled, not whether it’s
being paid for or not. Certainly there is a criminal element prepared to pay
for such research in order to capitalize on a flaw and, for example, have more
successful phishing attacks. Equally, there are competitors looking to “out”
their brethren in the hopes of convincing consumers their product is better.
However, it seems more true that the majority of such “purchases”
have resulted in patches from the vendors in a timely enough fashion so as to
provide more protection to the consumer than they might have had should the
research have simply been posted publicly without prior vendor notice.
If it takes some money to enforce responsible disclosure of security vulnerabilities,
so be it. If we can do it without the money, even better. If the “good
guys” can prevent some “bad thing” from being sold to the
“bad guys,” then we’re all for it.
Governance
A U.S. district judge has ruled that Wells Fargo was not negligent in not encrypting
sensitive customer data that it supplied to another company to print monthly
statements. The printer, Regulus Integrated Solutions, had computer hardware
stolen from it which contained the Wells Fargo data. Two Wells Fargo customers
filed suit against Wells Fargo claiming the negligence and asking for damages.
The court ruled that the suit was based on an “anticipation of future
injury that has not materialized.”
http://news.com.com/2100-1030_3-6061400.html
So it would seem that Wells Fargo was found innocent purely on the basis there
was no malicious use of the data stolen -- hardly something a company should
base its decision whether or not to encrypt sensitive data on.
Of course, the other interesting aspect is that the plaintiffs were seeking
damages based on the anxiety of not knowing whether or not their information
would be abused. Should that data surface at some point in the future, could
it be such damages will be greater due to the longer passage of time?
Also recently, the U.K. Information Commissioner’s Office issued official
guidelines covering the sale of consumer information databases when a company
closes. The guidelines recommend that such databases be sold only for the similar
purpose which the data was collected -- otherwise, the new owner of the data
will have to receive consent from the individuals contained in the database.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.