Security Watch

Petco Punished for Doing the Right Thing

Even honest disclosure can incur the wrath of the Man.

The U.S. Federal Trade Commission announced it had come to a settlement with Petco Animal Supplies Inc. regarding issues that arose from Petco being hacked and exposing customer information (including credit card numbers). As a result of the settlement, Petco now must submit to close scrutiny for the next 20 years over how it handles such sensitive customer information.

The irony here is that this information came to light when Petco pursued a suit against the hacker. The FTC settlement suggests that any company which discloses that it's been hacked may end up with very long-term scrutiny by the FTC. While it's important that we get businesses to realize the impact they cause consumers when they don't properly secure their information, I'm not convinced that such harsh settlements are yet warranted. Such action may very well stifle disclosure. Also, the extortion possibilities are very scary.

Liu Die Yu, noted for discovering numerous vulnerabilities in Internet Explorer (IE) over the last year using nothing more than a Windows 98 box, was acknowledged by Microsoft for responsibly disclosing information to them about two vulnerabilities corrected in the MS04-038 cumulative IE patch. This is the first time Liu's done this; he used to simply release his findings as he found them. I'm a strong supporter of informing a vendor of vulnerabilities in their products, and giving them a reasonable amount of time to fix them before telling everyone.

Two new vulnerabilities were announced for IE6. The first provides a method for a site to hijack another site's cookies. This should only be possible if the attacked site's cookies accept wildcards in the domain name, a bad practice in the first place. XP SP2 isn't vulnerable to this exploit. The second bypasses XP SP2, and exploits the way IE handles custom error pages, along with another URL parsing error. The result is that it's possible to download, and run, an executable of the attacker's choice.

It continues to baffle me why we have not seen a plethora of utilities that intercept the stream IE sees and look for a wide variety of known vulnerabilities. Protocol handlers, a feature of Windows for several versions now, permit a tool to register itself against various protocols, like HTTP or FTP.

When implemented, they're handed an open stream for the requested protocol, allowing them to see the raw information being returned to the application that requested it. Not every application allows protocol handlers to do their thing, but IE certainly does for HTTP. A simple protocol handler could, for example, parse all URLs in a stream and only allow those that conform to a stricter set of parsing rules. In the case of the error page vulnerability above, it relies upon the fact that IE allows a URL like "v.exe?.htm", but wouldn't allow "v.exe". It wouldn't be difficult to spot that malformed URL.
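As an added illustration of the stricter URL rule described above (example code, not from the column or any shipped protocol handler), the check below parses each URL, looks at the real file extension of the path, and flags an executable whose query string has been dressed up with a page extension, the "v.exe?.htm" shape; the extension lists and the three verdict labels are assumptions for illustration.

```python
"""Stricter URL check of the kind a filtering protocol handler could apply.

Added example, not code from the column. It classifies URLs seen in a stream so
that an executable path cannot slip through by carrying a page-like query string.
"""
from urllib.parse import unquote, urlsplit

# Assumed lists for illustration: extensions that must never be fetched as a
# page, and the page extensions an attacker might append after the "?".
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
PAGE_EXTENSIONS = {".htm", ".html"}


def _extension(name: str) -> str:
    """Return the lower-cased extension of a path segment or query, or ''."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify_url(url: str) -> str:
    """Return 'allow', 'block' or 'disguised' for a URL under the stricter rules.

    The verdict is based on the path alone; the query string is only used to
    tell an undisguised executable ("v.exe") from a disguised one ("v.exe?.htm").
    """
    parts = urlsplit(url)
    # Percent-decode so "v%2Eexe" is judged the same way as "v.exe".
    path = unquote(parts.path)
    last_segment = path.rsplit("/", 1)[-1]
    if _extension(last_segment) not in EXECUTABLE_EXTENSIONS:
        return "allow"
    # The path is an executable; check whether the query mimics a page name.
    if _extension(unquote(parts.query)) in PAGE_EXTENSIONS:
        return "disguised"
    return "block"


def filter_stream(urls):
    """Apply classify_url to every URL in a stream; return the ones to drop."""
    return [u for u in urls if classify_url(u) != "allow"]


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    sample = [
        "http://example.test/index.htm?id=1",
        "http://example.test/v.exe?.htm",
        "http://example.test/v.exe",
    ]
    for u in sample:
        print(classify_url(u), u)
```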

Malicious Code
An e-mail was released recently that attempts to exploit the Graphics Rendering Engine vulnerability patched by MS04-032. That vulnerability is exploited by a Windows Meta File (WMF) or Enhanced Meta File (EMF).

A new version of the Cabir virus was discovered. Cabir exploits a Bluetooth vulnerability in cell phones and spreads very slowly. In some countries companies are charging $90 per phone to clean it.

A Russian member of the group 29a was fined the equivalent of $100 for writing a virus. That may be a lot of money there, but it sure doesn't seem like enough of a fine.

Human Factors
Historically, eCards during the holiday season have been a great way to get bots and trojans installed on your computer. Remember to be vigilant and not succumb to the cuteness of eCards. Very few free eCard services continue to exist, but most don't do nearly enough to ensure that the content they carry is safe. Considering the vulnerabilities exploiting graphic formats these days, plus the fact anyone can load any image they want into their eCard, don't be surprised to hear that these issues are combined to make for the next big deal.

Sarbanes-Oxley Act, Section 404, took effect a few weeks ago. Under Section 404 of the law, publicly traded companies must have policies and controls in place to secure, document and process material information dealing with their financial results.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most recognized security experts, he's often quoted by major media outlets on security issues.
