Security Watch
U.K. Calls for Int'l Privacy Standards
Plus: McAfee's road to safe surfing, and Novell, OpenBSD buffers overflow aplenty.
The U.K. Information Commissioner is suggesting that there needs to be greater
"harmonization" of privacy laws around the globe, and in particular between
the EU and U.S.
The real question is which country's laws are closer to the harmonized
standard being sought, and which has to change its thinking? The SWIFT
issue is a perfect example where the EU felt SWIFT should be governed
by its rules, and the U.S. felt SWIFT should comply with its needs. In
the end, SWIFT agreed with the U.S., which got the EU flustered.
McAfee Maps Safe Surf Locales
Using the same tools McAfee uses for its SiteAdvisor product, the company
has performed a study ranking top-level domains (TLDs) by the risk of the
sites registered under them. Tokelau (.TK) came up as the No. 1 riskiest TLD,
while .gov remains the only TLD without any risky sites.
The study isn't quite fair. The .gov TLD isn't exactly equivalent
to all of the other TLDs McAfee tested. No doubt, most countries have
domains reserved entirely for their governments, such as .gov.uk in England
-- while not a TLD, it is the .gov equivalent. There may be many
countries that have entire classifications of domains that are free of
"risk" as defined by McAfee, but because of the way McAfee is
looking at it, these won't show up as such.
Regardless, the study does show how some countries are possibly not doing
enough to determine to whom they grant registrations. For example, e-mail
addresses are collected for spamming by some 73 percent of the .info domains
tested.
Smart USBs Gone Bad
In case you weren't aware, U3 drives are USB drives that make themselves
appear as CDs to Windows. As such, when they are inserted, Windows typically
uses its AutoRun feature to load and execute whatever is in the U3 drive's
.inf file. This means that a criminal
could set up their U3 drive to run tools or malicious code and attack
the system they are connecting to.
And if that works, they could've done it with a CD. The difference
might be that the U3 drive might store information it discovers on itself.
However, with the number of CD-RW drives out there, that may well be true
of a CD. In any event, it is a "slurping" issue in that a criminal
could plug in their U3 drive, pass some time talking, and then remove
the drive with whatever files they had discovered.
Windows XP and Windows Server 2003 allow you to disable the AutoRun feature,
and Vista prompts the user whenever anything that attempts to get AutoRun
to work is inserted. There are also products available which, at an enterprise
level, can disable USBs or make them read-only.
Attack of the Cyber-Toxins
An MIS magazine article made us wonder whether any of the people
interviewed in it had been in security for more than five years. The article
suggests that there's a revelation in knowing that client applications
are being targeted for attack by criminals, and that this somehow meant
"the war on hackers has simply moved to a new battleground."
The article makes it sound like people spent all of their time on firewalls
until just recently, when they realized they needed to protect the client
systems. The article goes on to suggest that firewalls and anti-virus
are of little use in protecting client systems, because Word and PowerPoint
zero-day exploits have made perimeter protection obsolete.
Of course, anyone who's read Cybertrust's Anti-Virus Policy Guide
knows that client-side protection has been as important as perimeter protection
for many years. Anyone who has read our Weekly Risk Briefing Notes will
also realize that the application-level risk really hasn't changed,
despite every attempt by the media and purveyors of security solutions
to suggest the risk is enormous.
Every type of attack discussed in the MIS article has affected
one to four users, according to available information. Yes, such attacks
have occurred, but to suggest that we need to completely rethink what
we're doing -- or to say that anti-virus is of no use -- is absurd.
The article also makes a seemingly important point that the user is the
problem, because the user is being presented the malware and choosing
to click on it. How is this news and how is this any different than it
ever has been?
This column was originally published in our weekly Security Watch newsletter.
Novell, OpenBSD Buffer Overflow Flaws
NetMail WebAdmin Remote Buffer Overflow Vulnerability
Novell NetMail uses a tool called WebAdmin to process modifications to
the NetMail process. WebAdmin can be exploited via a buffer overflow when
performing basic authentication. If the user name parameter is longer
than 213 characters, the criminal's code may execute. Updates
are available.
This is a server component, so exploitation would result in the ability
to execute code in the security context of SYSTEM, the highest privilege
on the server. The process normally listens on port 89 (HTTP) and 449
(HTTPS), but on Novell Nterprise Linux Services it listens on 8018 (HTTP)
and 8020 (HTTPS). None of these ports should be accessible by untrusted
systems.
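The advisory above gives defenders two concrete facts to work with: the WebAdmin ports (89/449, or 8018/8020 on Nterprise Linux Services) and the 213-character user-name limit in basic authentication. The following is an added example, not code from the column or from Novell, that applies both to constructed connection records (source, destination port, Authorization header) and flags the sources sending over-long basic-auth user names at a WebAdmin port; the record layout and sample values are assumptions.

```python
import base64
import binascii

# Threshold from the advisory: a user name longer than 213 characters
# overflows the WebAdmin basic-authentication buffer.
USERNAME_LIMIT = 213
# WebAdmin listens on 89/449 by default, 8018/8020 on Nterprise Linux Services.
WEBADMIN_PORTS = {89, 449, 8018, 8020}


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def is_suspicious_webadmin_auth(dst_port, auth_header):
    """True when a request to a WebAdmin port carries an over-long user name."""
    if dst_port not in WEBADMIN_PORTS:
        return False
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return False
    return len(creds[0]) > USERNAME_LIMIT


def scan_records(records):
    """records: iterable of (src_ip, dst_port, auth_header); returns offending sources."""
    return [src for src, port, hdr in records if is_suspicious_webadmin_auth(port, hdr)]


def make_basic(user, password="x"):
    """Build a Basic header value; used only to construct the sample records below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample records (not real traffic): a normal login on port 89,
# a 300-character user name aimed at port 8018, and an over-long name on an
# unrelated port that must not be flagged.
SAMPLE_RECORDS = [
    ("192.0.2.10", 89, make_basic("admin")),
    ("192.0.2.55", 8018, make_basic("A" * 300)),
    ("192.0.2.77", 8080, make_basic("B" * 300)),
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))  # ['192.0.2.55']
```

In practice the records would come from a proxy log or a packet capture in front of the NetMail server; the port check keeps the rule from firing on unrelated web traffic that happens to carry long user names.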
In only the second remotely exploitable kernel vulnerability in OpenBSD
in 10 years, malicious IPv6 ICMP packets can be sent to an OpenBSD machine
and cause criminal code to execute with the privileges of the kernel,
the highest available on the system.
The default installation is vulnerable, and the default installation
of the firewall does not filter such packets. That means any OpenBSD system
that is exposed to the Internet is potentially vulnerable.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.