Should Security Consultants Enter Without Knocking?
Plus Oracle patch misses SQL injection flaw, Symantec ScanEngine vulnerability and more.
The case of Eric McCarty, an independent security consultant charged with computer intrusion after he used an exploit to illegally gain access to a university's online application site data, has been the focus of some concern lately -- particularly, whether people who use exploits to determine whether or not a site is vulnerable may come under indictment.
To think there might be a problem, one must presume that there's a way to determine, in advance, whether or not someone is attempting to use an exploit for ethical reasons. Since it's impossible to tell this in advance, one has to question the reason the concern is being raised!
Should it be legal for people to come to our house and see whether or not our alarms go off when they try to enter? Should they even try to enter via any means other than by knocking on the front door? Somehow, to us, using an exploit on a Web site does not sound like “knocking on the front door” -- it sounds more like “attempting to jimmy the lock.” Why use an exploit if all you want to do is knock?
It might be argued that McCarty was merely trying to check to see if his personal information would be safe on the site. Well, even if that were true, why not ask first?
Finally, McCarty decided to first release his information to SecurityFocus, not the university. Surely there must have been some motivation to do things in that order, and that, at least to us, raises some ethical concerns.
The U.S. Government Accountability Office (GAO) has taken severe issue with the U.S. National Information Assurance Partnership (NIAP) and Common Criteria (CC) (the report is available as a PDF). Among its concerns are the lack of evidence that CC actually improves product security, the length of time it takes to get a product through certification (sometimes resulting in the product no longer being useful by the time it's certified), and the cost to vendors who wish to achieve certification (meaning smaller companies are kept out of the market because they can't afford the costly process).
According to David Litchfield of NGS Software, the April Oracle Critical Patch Update does not address a SQL injection vulnerability in GET_DOMAIN_INDEX_METADATA.
The vulnerability can be exploited only if the group PUBLIC has execute permission on the DBMS_EXPORT_EXTENSION package that contains this procedure, which is the default unless you have specifically changed it. To prevent exploitation -- publicly available exploits do exist -- revoke that permission on the DBMS_EXPORT_EXTENSION package.
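As an added example (not from the column or from NGS Software), this script audits the PUBLIC grant on DBMS_EXPORT_EXTENSION, revokes it as recommended, and re-checks. It assumes an Oracle client on the path and a local SYSDBA login; on an unmodified database the first query is expected to return a row.

```powershell
# Added example: audit and remove the PUBLIC execute grant on DBMS_EXPORT_EXTENSION.
# Assumes sqlplus is on the path and the current OS user can connect "/ as sysdba".
$sql = @"
SET PAGESIZE 0 FEEDBACK OFF
-- Audit: a row with GRANTEE = PUBLIC is the exposed (default) state.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND grantee = 'PUBLIC';
-- Remediation the column recommends: revoke the PUBLIC grant.
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
-- Re-check: a count of 0 means PUBLIC can no longer reach GET_DOMAIN_INDEX_METADATA.
SELECT COUNT(*) AS public_execute_grants
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND grantee = 'PUBLIC';
EXIT
"@

# Feed the script to SQL*Plus in silent mode; the two queries print the before/after state.
$sql | sqlplus -S "/ as sysdba"
```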
Symantec Scan Engine Web Interface Unauthorized Access Vulnerability: By exploiting a proprietary XML command language, a remote unauthorized attacker could access the Scan Engine's administrative interface, allowing them to do anything a local user could do. Symantec has released an update.
Not surprisingly, Microsoft has decided to disable outbound blocking by default on the firewall included in Windows Vista. Microsoft claims this is based on feedback from enterprise customers, but more likely it is due to the belief that the majority of home users will have little understanding of what to do in order to get things to work properly should that setting be made.
There's no doubt that outbound blocking requires a significantly more savvy user to figure out what they do or don't need, but it certainly seems a shame Microsoft has discarded this necessary protection by default.
For example, Microsoft could create a default profile on Vista Home that would allow the basics: SMTP, POP3, HTTP, HTTPS and DNS. At the very least we'd have IRC blocked, as well as the outbound use of file sharing.
The process of enumerating applications, such as games, and their required ports so consumers would have somewhere to reference would certainly be onerous, but in doing so it would give an opportunity to highlight those applications which make no attempt to secure their communications. Programs that can't tell you what ports they use, or won't comply with restrictions on the ports they use, should have a light shone on them.
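The "basics only" outbound profile argued for above, as an added example that is not Microsoft's code or part of the column. It uses netsh advfirewall, which exists on Vista and later; the rule names and log path are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: a default-deny outbound profile for the Vista firewall.
# The weak default the column objects to would be:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Corrected posture: block everything outbound, then allow only the basics.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# The basics named in the column: SMTP, POP3, HTTP, HTTPS and DNS (UDP and TCP 53).
$allow = @(
    @{ Name = 'Basics-Out SMTP';    Proto = 'TCP'; Port = 25  },
    @{ Name = 'Basics-Out POP3';    Proto = 'TCP'; Port = 110 },
    @{ Name = 'Basics-Out HTTP';    Proto = 'TCP'; Port = 80  },
    @{ Name = 'Basics-Out HTTPS';   Proto = 'TCP'; Port = 443 },
    @{ Name = 'Basics-Out DNS';     Proto = 'UDP'; Port = 53  },
    @{ Name = 'Basics-Out DNS-TCP'; Proto = 'TCP'; Port = 53  }
)
foreach ($r in $allow) {
    netsh advfirewall firewall add rule name="$($r.Name)" dir=out action=allow `
        protocol=$($r.Proto) remoteport=$($r.Port)
}

# Anything not listed (IRC on 6667, SMB file sharing on 445, peer-to-peer clients)
# now hits the default block. Log the drops so the user, or an admin enumerating
# what a game actually needs, can see which port each application tried to reach.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Show the policy now in force for each profile.
netsh advfirewall show allprofiles
```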
According to a security expert at Infosec Europe, spyware development is more active than virus development. The company reports that some spyware modifies itself hourly in order to avoid detection by signature-based scanners.
A proof-of-concept Bluetooth virus sends a premium-rate SMS message, costing the victim $5.
According to a recent article, desktop search tools that involve a Web-based service are extremely attractive to end users. As such, they deserve close scrutiny by IT staff concerned about the potential for sensitive information being leaked outside of your organization.
Don't forget compliance requirements, or more accurately your ability to assure that you have complied. If a user in your organization has unencrypted sensitive data on their system and uses such a search facility, it can be near impossible to prove that the sensitive data did not end up in a location it shouldn't have.
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.