Security Watch

BBC's Honeypot Reveals Nothing New

Also: Checking your DNS settings; bots and FUD; more.

• By Russ Cooper
• 11/27/2006

Of the 50 attacks, 36 came in the form of e-mail messages with virus attachments or phishing scams attempting to get people to divulge their personal information. Many of the others, such as attacks against Web servers or SQL Slammer attacks, wouldn’t affect a typical home PC.

Regardless, any average corporate administrator who has looked at his router logs will realize there is a constant stream of attack traffic pointed not directly at them, but at any and every computer connected to the Internet. While the BBC may be able to bring this information to the attention of the more mainstream public, the news is certainly nothing new.

The single most effective action anyone could take to reduce the number of threats they face per day is to convert HTML-based e-mail into plain text, a standard feature available on all e-mail applications. In doing so, they will immediately and clearly see phishing e-mails pointing to sites other than the official sites and, more likely, not even be able to understand the gist of the message.

Is Your DNS Server Configured Wrong?
The Measurement Factory conducted a survey and found that more than 50 percent of the DNS servers on the Internet are configured to allow recursive queries. These types of queries open the DNS up to the possibility of cache poisoning. Also, 29 percent of DNS servers allow zone transfers to be requested from anyone, as opposed to only those who mirror the domain zone.

Caveat emptor: The survey was conducted on behalf of a DNS appliance vendor.

Allowing recursive DNS queries is not, in itself, a problem if the DNS software is not vulnerable to bogus entries. Cybertrust is not aware of any significant exploitation of this vulnerability via any method other than modification of the client’s HOSTS file, which is not actually a cache-poisoning attack.

Permitting zone transfers to unauthorized DNS servers could lead to information leakage and open up a network to other attacks -- attacks which require the knowledge a DNS zone might contain. For example, the alternate name of a server may provide information about account names, or information about internal SMTP servers may make forged SMTP headers look more authentic.

In any event, the issues are no different now than they were a year ago.

Oracle To Open Up on Bug Severity
Oracle announced that in its upcoming Critical Patch Update it will use Common Vulnerability Scoring System numbers to provide a severity assessment for each vulnerability being patched. It will also provide information identifying whether a vulnerability can be attacked by an anonymous Internet attacker.

Well, it’s certainly about time that Oracle provided more information about the vulnerabilities its patches are intended to correct. Oracle is one of the first major vendors to adopt the CVSS. CVSS is intended to standardize the severity ratings that vulnerabilities get. It will be interesting to see whether the CVSS founders feel Oracle is adhering to the scheme or altering it.

We hope that Oracle will start using Common Vulnerability Enumeration identifiers also. In order to be listed in the CVSS, the vendor must also supply the appropriate CVE number. If Oracle does this, it will mean we'll be able to correlate patches with specific vulnerability announcements made by researchers, something we haven't been able to do in the past.

Spamhaus Fights U.S. Court Domain Threat
After choosing not to enter a defense against charges it illegally labeled e360, an e-mail marketing firm, a spammer, a U.S. judge ruled that Spamhaus was to, among other things, pay e360 $11,715,000 in damages. Spamhaus refused to pay or comply with the judge’s dictates on the basis that it did not believe the judge had jurisdiction. Now e360 has requested that the judge order ICANN to suspend Spamhaus’ domain name, given that it's registered under the U.S.-based domain system.

A number of issues are presenting themselves in this case. First, there’s the question of whether a U.S. judge has jurisdiction over a U.K. firm. Next, can a firm label a marketer a "spammer", using its own definition of the term? Finally, can ICANN be forced to accept a U.S. judge’s dictate over domain name registration for a foreign company?

Given that Spamhaus is voluntary, and an opt-in subscription model, it’s hard to see how it could be forced to alter what it put into its subscription. Anyone who does not feel they should be in a blacklist is free to tell anyone else they shouldn’t be in there, but that they are is equally the choice of the service. If e360 were a rival, or there was some other obvious reason for maliciously placing them in the blacklist, there might be some substance to e360’s claims, but nothing of this nature exist.

e360 is claiming that Spamhaus is preventing it from doing its business, whereas Spamhaus is merely adding IP addresses based on a standard set of criteria it uses for all such blocks.

Many have suggested that Spamhaus is wrong in deciding not to defend itself. Spamhaus, for its part, says that any attempt at a defense may open itself up to many other cases where owners of addresses who have been blocked would like to stir the pot.

ICANN has already responded indicating it has no authority in the case.

Computer Bots Adapt to New Technologies
An article at InformationWeek attempts to show how next-generation bots are going to be targeting systems such as mobile devices and voice-over-IP systems.

There’s absolutely nothing but hype and FUD in this article. Most of the attacks it describes are applicable to malware, but the term "bot" is inserted for hype value. Were this article believed, there’s no such thing as malware or any exploit that isn’t a bot.

It uses the unbelievably old adage that once a given system has sufficient mass, it will become a target. Wow, now that’s news. To give the article more FUD value, it gives the example of wireless iPods.

The article, in its description of VoIP bots, is so totally off the mark so as to not even suggest that anyone might steal VoIP access in order to do their own toll-free telephone calling, probably the single most exploited crime today.

Every system that connects to a network, or even another system, runs some risk of being attacked. Nothing described in the article looks to be any more likely than anything else to become a target.

In the course of discussing this article, the RIT agreed that the attack focus is shifting from Target of Opportunity to Target of Choice. The number of widespread en masse attacks are down, compared to previous years, and focused attacks aimed at generating financial revenue, such as installing keystroke loggers via phishing sites, are up. We observed that this may lead some to believe there is less of a threat, possibly leading to less funding for security issues.

The emphasis is shifting toward compliance with various standards, most of which simply request that the corporation do risk-based thinking. At the same time, those tasked with such thought are generally not seeing as much of a problem as they have in the past and, with even fewer very public attacks, will likely perceive even less risk. Therefore, will risk-based thinking alone protect a corporation from the potential for targeted attacks in the future?