Security Watch
Bank Hack Shows Need for Separate Servers
A single compromised server leaves 100 banks vulnerable. Also: OpenOffice/StarOffice virus hype, online banking surveys and rogue hotspots.
Hacking
Hackers gain access to server hosting bank Web sites: A hosting provider
for smaller community banks was recently compromised by hackers, placing at
risk more than 100 different banks across the U.S.
This problem is only going to get worse as time goes on. The biggest problem
here was that so many highly desirable targets were located on a single server.
It's impossible to tell whether the criminals who attacked the server
were aware of this fact ahead of time, but it would have been obvious once their
initial compromise was successful. When employing hosting services it is critical
to fully understand how the site is being secured. Equally important is knowing
what else is located on the same server to determine whether or not it places
your site at higher risk, either from hacking or denial of service attacks.
Snort http_inspect bypass: A flaw discovered in Sourcefire's Snort
IDS may allow attackers to bypass detection rules relating to attacks
on Apache Web servers through the use of malformed HTTP requests.
Although not reported to be in the wild, the nature of the attack allows it
to be trivially retrofitted into existing attack tools. The issue cannot be
readily addressed through signature updates. Third-party interim patches have
been released.
Enterprises using Snort sensors to monitor Apache Web environments should be
aware of the vulnerability in Snort and consider updating to the revised detection
engine when it becomes available. The bypass constitutes a blind spot that could
be used by miscreants while attacking Web applications, but does not introduce
any new exploitable conditions.
NetBSD drops default installation of Sendmail: NetBSD has dropped Sendmail
as part of its core offering, instead allowing NetBSD owners to choose to configure
it themselves or replace it with some other MTA, such as Postfix. About time!
Malicious Code
OpenOffice/StarOffice Macro Virus: Media outlets recently hyped a blog
entry by researchers at anti-virus company Kaspersky Lab regarding their observation
of the first known virus targeting OpenOffice and StarOffice documents. While
it exists, the virus is not in the wild in any remarkable way, is unlikely to
spread and is generally insignificant. Enterprises should do nothing.
Virus.StarOffice.Stardust.a is a macro virus written in Star Basic.
On execution, it downloads an adult-content image file and opens this file as
a new document. There are no reports it is network-aware. There are no reports
it is spreading. Indeed, there is only one competent report of its existence
-- the blog entry itself.
Macro viruses have been out of vogue for about seven years. This virus will
not change this fact.
Human Factors
Security fears stunt online bank growth: A recent Christian
Science Monitor article attempts to link fears about security threats
to a reticence about banking online. The article draws information from two
distinctly separate polls. The first states that the majority of Americans are
concerned about identity theft and sale of their personal information, while
the second states that online banking growth will be limited to 4 percent between
2006 and 2010.
More fun with statistics. There is no data cited which states that it is security
fears that will limit the expected adoption of online banking, merely two surveys
which found information that the article's author has decided to link.
Americans need not bank online to have concerns over the sale of their personal
information or security threats. Equally, no reason is provided for the expected
low growth rate of online banking users.
More are opting for online banking: As a comparison to the Christian Science
Monitor article, this Seattle
Times article cites virtually all of the same statistics but comes to
the conclusion that more and more people will adopt virtual online banks as
their banks of choice.
The speculation about the numbers in this article focuses on the fact that many
virtual online banks are offering higher interest rates than their brick and
mortar counterparts. Two stories, two very different views.
Web encryption: VeriSign released an article recently discussing
how many Web sites are accepting connections from their visitors at less than
the common encryption strength, 128-bit.
The article points out an interesting fact, namely that your Web site certificate's
strength in no way guarantees that the client will use that strength. However,
it completely ignores the reality that the strength of encryption during SSL
transactions has yet to be shown to be a concern. Loss of sensitive information
occurs once the data has been decrypted by the server, not in transit, which
is all that the SSL strength ensures.
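The certificate sets no floor on the negotiated cipher; the server's configured cipher list does. As an added example that is not part of the column, the following Python snippet builds a server-side TLS context that offers only 128-bit-and-up suites via the standard ssl module, then verifies the suites OpenSSL actually enabled by their reported strength; the permissive offer list is a constructed sample.

```python
import ssl

# The "common encryption strength" the column refers to: 128-bit symmetric keys.
MIN_STRENGTH_BITS = 128


def below_strength(ciphers, min_bits=MIN_STRENGTH_BITS):
    """Return the names of suites whose symmetric strength is under min_bits.

    `ciphers` is a list of dicts shaped like ssl.SSLContext.get_ciphers()
    entries (at least the 'name' and 'strength_bits' keys), in offered order.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def hardened_server_context(min_bits=MIN_STRENGTH_BITS):
    """Build a server context that refuses to negotiate anything weak.

    A client that only speaks low-strength suites then fails the handshake
    instead of quietly getting a 40- or 56-bit session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL's HIGH group is 128 bits and up; explicitly drop anonymous
    # key exchange, null encryption and MD5-based MACs as well.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    # Do not trust the cipher string alone: inspect what OpenSSL enabled.
    weak = below_strength(ctx.get_ciphers(), min_bits)
    if weak:
        raise ValueError(f"context still offers weak suites: {weak}")
    return ctx


# Constructed sample: what a permissive server's get_ciphers() might return,
# including export-grade and single-DES entries an old client could select.
SAMPLE_OFFERED = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]

if __name__ == "__main__":
    print("weak suites in sample:", below_strength(SAMPLE_OFFERED))
    ctx = hardened_server_context()
    print(f"hardened context offers {len(ctx.get_ciphers())} suites, "
          f"none below {MIN_STRENGTH_BITS} bits")
```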
Physical Security
This column was originally published in our weekly Security Watch newsletter.
Rogue hotspots offer rich pickings for hackers?: RSA
Security is suggesting that criminals are likely to move from e-mail-based
phishing attacks to setting up and running rogue wireless hotspots. They claim
the data that could be monitored via such a setup will yield them a greater
volume of accurate details, such as bank login information and credit card details.
Well, how's this for casting FUD. Sure, there's no doubt that a
rogue hotspot could get more accurate information than, say, a single phishing
e-mail might. However, phishing e-mails are sent out in the millions, if not
billions, daily while a rogue hotspot is only going to connect to hundreds,
possibly thousands, a day. The report certainly rings true in its assertion
that many wireless users of hotspots make little effort to determine whether
they are accessing the legitimate access point or one under criminal control.
Better controls in this regard, coupled with user education, are required. For
now the best idea is to ensure that sensitive information is not being sent
in the clear while connected to a hotspot, instead opting for VPN access to
the corporate resources and then onto the Internet from there.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.