Security Watch

Buffer Overflow: Big News, Small Impact

Also: a cyberfront to an online war; why it's a good thing your smart phone is dumb.

• By Russ Cooper
• 02/12/2007

ARCserve backup servers contain a buffer overflow in the Tape Engine service, normally accessed over TCP6502. Malformed RPC packets targeting that port could create a Denial of Service condition or possibly execute remote code of the criminal’s choice. Exploit code has now been published.

Reports exist that this vulnerability is now being publicly exploited. The vulnerability has been patched in BrightStor ARCserve Backup version 11.5 SP2. CA has indicated that it is currently working on patches for earlier affected versions. Backup vulnerabilities have a tendency of being exploited within educational institutions, where networks are often more widely open.

It's not just CA that has a vulnerability on its hands: Opera 9.02 and earlier versions contain a vulnerability in the way they handle JPEG images. The vulnerability could be exploited by a Web site to cause code of the criminal’s choice to run in the security context of the visitor.

It is always worth remembering that even applications perceived to be far more secure than most can have security vulnerabilities of their own. It is also interesting to realize just how complex the JPEG file format is that so many have failed to properly implement its parsing.

That said, we have yet to see exploitation of any of the many image format buffer overflows that have been announced over the past 18 months. Furthermore, exploitation requires the hosting of the criminal image, and the most likely sites will already be hosting criminal code. However, until we hear that sites such as MySpace have implemented some significantly improved method of scanning upload material for malware, it or sites like it are the most likely place we’ll find exploitation.

DOD Preps for Battle in Cyberspace
The U.S. Department of Defense has been facing a more concerted and intelligent effort at compromising its network. Attacks have become more focused and realistic, using information which viewers would generally perceive as valid. The effort has led the DoD to implement Digital Signatures on e-mail, and recently caused it to ban HTML e-mail entirely.

The attacks fall into a category known as "spear phishing," where the attack is specifically crafted to look real to a very limited subset of victims, and then sent to that small group in the hopes of convincing one or more of them the message is valid. DoD is mum on just what the attacks attempt to do, but one would tend to think that they aren’t just out to get more bots in a botnet.

It's stories like this that inspire the "state-sponsored cyber-terrorism" media stories. With no statistics publicly available, it is impossible to know just how much of this form of attack is actually occurring. Equally, without knowledge of what the attacks are trying to achieve, it's impossible to determine the reasoning behind the attacks.

Wi-Fi Body To Simplify Security
According to the Wi-Fi Alliance, the main reason Wi-Fi networks are left unsecure is because it is too complicated to set them up securely. To this end, it is announcing a new specification, WPS, which lays out simpler methods of establishing a new Wi-Fi network in a secure configuration.

So it's too complicated to provide a network name and passphrase. To simplify this, WPS automatically generates a network name and replaces the passphrase with a four- or eight-digit PIN or a button on the device which can be pushed. This may make setting up the WAP more easily, but it doesn't alter what the clients have to do. To address that issue, they're providing a specification for a near-field communication device (probably an RFID) that can be brought near the WAP for authentication.

This sure sounds like "new toys" rather than "simpler setup of secure networks." After all, how hard is it to come up with a network name and passphrase? Pretty simple when you figure out where to enter it and what is being requested. Granted, having fob-like devices can do that for you. Pressing a button on the WAP, is simple -- but what do you do in a cafe or airport terminal? Imagine a college lunch room, with everyone lined up once to purchase their lunch, and again to get near enough to the WAP to authenticate.

In the continuing effort to come up with "single-button security solutions," the Alliance seems to have taken this literally. Perhaps, if this effort doesn't succeed any better than previous ones, we can stop looking for that and instead focus on education. Maybe we can get 9-year-olds to write the security documentation.

High-Tech Handsets Are Hacker Bait
A FUD-ridden story about malware and mobile devices claims, in each of its first four paragraphs, that such malware is on the rise and posing a greater risk. Meanwhile, actual reports of infections have been constant, extremely limited and hardly noticeable.

It is unfortunate for a media outlet such as BusinessWeek to have such journalism being practiced by its reporters. There are few sources of information about mobile malware, and all are in the business of promoting it in the hopes of selling equipment and/or software to prevent it. The "rise" constantly referred to, if it exists, is from two to four pieces of malware. Compare this to the thousand-fold or greater increase in malware presented to PCs, and it should become obvious that the threat is virtually non-existent.

Furthermore, the article talks about the growing sophistication of mobile devices such that they are, according to the article, "really a computer, not just a phone." Well, how obvious is that? They’ve always been computers, even when they were just phones!

Thus far the only serious corporate threat to occur as a result of malware and mobile phones is their use as a storage medium in the hopes of transferring from one computer to another when the phone is connected during a sync operation. This rarely happens, and it is more likely that spreading malware in this way is a side effect and not an intention of the malware authors. If the phone’s storage is mounted on the PC as another drive, and the malware uses drive-spreading techniques, then of course it would spread onto the phone. Having it spread back to another PC, however, never occurred in the case of the cited article, and the malware usually copied over with everything else that's on the phone. That didn't activate the malware on the second PC, and it is far likelier that it wouldn’t have even copied itself down had the investigators not told the PC to grab the contents off the phone's storage.

Certainly, PDAs, with fairly complete operating systems and network capabilities of their own, must be considered PCs from the perspective of protecting them from malware. If a user can read e-mail, open attachments and execute Javascript or a PE executable, they can be infected the same as any PC can. Most smart mobile phones, however, are not so intelligent.