Security Watch

Companies Face New Rules on E-Mail

Also: NASA hacked, and a password discovery tool that might be </i>too<i> </i>good.

• By Russ Cooper
• 01/15/2007

After a five-year review by the U.S. Supreme Court’s administrative arm, U.S. companies involved in federal prosecution will now have to be able to provide “electronically stored information” as part of the discovery process in such cases. The rules don’t significantly alter data retention policies, but do ensure that data pertinent to current cases -- and cases the company may expect -- cannot be overwritten. Reuse of a backup tape, for example, could be deemed “virtual shredding.”

As we continually point out, knowing what you are archiving is as important as whether you are or how you’re doing it. Judicious choices in archive maintenance may make complying with this rule easier to some.

Man Indicted for Hacking 150 Government Computers
A Romanian has been indicted for breaking into the computers at NASA, the Jet Propulsion Laboratory and Goddard Space Flight Center, among other government sites. He is alleged to have flaunted his compromise on the screens of the victimized systems.

Unfortunately, extradition from Romania may take up to two years, and in the meantime the individual is out on bond, a bond issued against the Romanian charges he faces.

Oxid.IT: Cain & Abel Version 4.2 Released
Cain & Abel is a password recovery program/network sniffer for Windows. The latest version adds man-in-the-middle NTLM spoofing, NTLM session security downgrading, a variety of other NTLM/LM spoofing and additions to its rainbow tables.

This is certainly a capable forensic tool and it works well for those who have to discover the lost password of a former employee. However, some of the capabilities are starting to encroach on those used only in attack scenarios.

IBM Tivoli Storage Manager (TCP 1500)
Four buffer overflows in the Tivoli Storage Manager service could allow a remote criminal to cause code of their choice to execute in the security context of the service via the client login process. No authentication is required to be able to exploit these vulnerabilities. Patches are available.

Tipping Point, which discovered the vulnerability in April and reported it to IBM, believes the vulnerabilities could lead to code execution. IBM, however, does not believe this to be true and specifies that it could cause a Denial of Service. Regardless, the service should not be available to criminals outside of your network. (You can also read about it in Secunia's bulletin here.)

Intel Network Drivers Local Code Execution Vulnerability
eEye has released an extremely detailed analysis of a vulnerability in all Intel Pro network adapter drivers that could allow a criminal, operating on the local system, to elevate privileges to the level of the kernel. Intel has released patches.

Want More Security? This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

eEye have provided virtually step-by-step instructions on how to exploit this vulnerability, and as a result the information could be used to create rootkit type exploits in malware. It is important to recognize that the vulnerability cannot be exploited over the wire, but instead must be done by code already executing on the victim system. As such, a victim must first succumb to some other attack, social or otherwise, to run code of the criminal’s choice to then use this vulnerability to increase privilege.

Correction
In my Dec. 18 article, I incorrectly attributed the Alliance for Gray Market and Counterfeit Abatement (AGMA) as saying that Cisco is the most counterfeited product out there. It made no such claim, and I regret any problems I may have caused.