Security Watch

I'm Thinking of a Number

OpenSSH flaw in Debian and derivatives not as serious -- yet. Also, IE printing flaw; Belgium and India attack China; more.

• By Russ Cooper
• 06/23/2008

SSH has been under heavy attack for quite some time, long before knowledge of this vulnerability was made public. Those attacks have not been attempts at exploiting this vulnerability. Instead, attempts have been made to find relatively insecure implementations using guessable or known passwords. As such, anyone with an OpenSSH implementation has likely already taken steps to minimize exposure to untrusted sources, and tools included with OpenSSH such as fail2ban are available to mitigate such attacks.

We believe the likelihood of exploitation is largely overstated. Certainly this is an important issue and a serious vulnerability and you should take the appropriate steps to mitigate it by applying patches and regenerating keys. However, this should be done from the standpoint of reinstating the trust you thought you had in this area of critical security infrastructure, more so than because there's a fear the vulnerability may be attacked. Should attacks change to target this vulnerability, sufficient monitoring is being done around the Web to alert you.

IE Printing Flaw Can Let Crooks In
Yes, IE has a vulnerability in the way it handles HTML when it produces its own copy of a Web page for printing with the "Table of Links" option chosen. IE creates an HTML copy that is formatted in such a way that the links contained on the page printed at the bottom after the regular HTML. In that process, IE does not parse the links but merely takes their inner value "as is." A criminal can craft a page with links in them that, when rendered by this printing process, will actually execute in the Local Machine Zone while printing. No updates are available.
http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrint
TableOfLinksquotCrossZoneScriptingVulnerability.aspx

Well, this one is interesting from the perspective that an attempt to create a hard copy of HTML may, in fact, cause malicious code to execute. Beyond that, it's highly unlikely to be used. Not only do I have to get you to the criminally crafted site, I have to convince you to print it and then get you to print it with the list of links included. Nobody is suggesting people don't print pages with lists of links on them, but the criminal's HTML is likely going to get picked up by either a phishing filter or your AV if it's truly malicious. That said, Microsoft really needs to do a good double-check on everything they consider to be in the Local Computer Zone.

Belgium, India Point Fingers at China
Several reports claim that the Belgium Justice Minister and "unnamed government sources" in India have lately claimed attacks on government servers from IP addresses originating in China, once again leading to the speculation that the Chinese Liberation Army or Chinese government itself are behind the attacks.
http://www.techworld.com/security/news/index.cfm?newsid=101438
http://www.upiasiaonline.com/Security/2008/05/09/india_faces_
cyber_challenge_from_china/5587/

This really is getting awfully boring. Did I ever tell you that at one time, during the peak of NTBugtraq, I actually blocked huge ranges of Asian IP addresses? I was totally fed up with the amount of spam, and at the same time wondered "who would I be preventing access to if I did so?" Well, clearly it was a dumb idea for NTBugtraq and it wasn't long before a good friend in New Zealand asked why I was preventing him access to the site. Oops!

The point is, you can look into your logs and do a Whois and decide; "Well, that IP comes from China, so it must be a Chinese criminal!" However, it may just be a criminally controlled server, and how do you know where the criminal is who is controlling it? There are ways to be more deterministic about who is actually sending the packets to you, but there's no small amount of effort involved. If that server in China is getting connections from many sources, any one of them could be the criminal who is controlling it -- but of course, it may very well be someone at the keyboard.

The bottom line is that it is impossible, strictly from your own logs, to determine who is actually behind the attacks you receive. It takes more than that. This speculation is far from helpful.

Hacker with a Hacksaw?
Hopefully another copper criminal has bitten the dust. A 12,000 volt line on a hydro poll was cut, apparently with a hacksaw, ensuing in a fire and power outage. The criminal has not been found. PG&E, the power company who owned the line, said that their copper is of such high quality that anyone offering it for purchase should easily be able to identify it as belonging to PG&E.
http://abclocal.go.com/kgo/story?section=news/local&id=6133939

A hacksaw was found nearby, charred! So too were a pair of burnt up gloves!! Ergo, stands the reason the criminal's hands, at least, have severe burns too. Great, another one bites the dust! I don't know about you, but I get a kick out of thinking about a criminal so dumb as to think they can somehow cut such a wire while it's live and live to tell about it.