Researchers Challenge DOS Attack Data
Also: protecting against EFS-based attacks; banks misappropriating data from other sources.
A group of researchers analyzed
to determine details about DoS attacks. They have made
several observations that vary from conventional thought. The first is
that they believe 70 percent of DoS attacks come from IP addresses that
haven't been spoofed. Second, they believe they saw less than 1 percent
of DoS traffic using UDP in their backscatter traffic analysis (although
this was contradicted somewhat by their own Large-Scale Attack Detection
System used in a Tier-1 ISP, which saw 46 percent of DoS traffic as UDP.)
The fact that DoS attacks aren't being spoofed any more is something
we've known for a while, although it's nice to see it substantiated in
published research. More interesting was their analysis which determined
that DoS traffic originated from fewer than 50 Autonomous Systems (ASes),
suggesting that DoS traffic could be dramatically limited if the owners
of those networks were controlled (intelligently black-holed or simply
monitored more closely.)
Protecting Against EFS-Based Attacks
McAfee's AVERT Labs recently
expressed concern in its blog over a Trojan that appears to take advantage
of the Windows Encrypting File System (EFS) to hide itself on the victim's
system. The Trojan, among other things, creates an Administrator account,
thereby providing itself with a encrypting key. This key is then used
to encrypt the files it downloads, preventing others from being able to
see the contents of the files. McAfee says it has been detecting variants
of this Trojan since Aug. 2, 2006, and an upsurge in infections over the
past few weeks.
It cannot be disputed that such an attack is significant in that decryption
of the files would not likely be accomplished easily. However, it is important
to note that such a Trojan is not likely to work within a corporate environment
where, if best practices are being followed, users should not be able
to create Administrator accounts. Furthermore, if a Key Recovery Agent
has been established, the files could be decrypted by that key. However,
in a home user environment, the Key Recovery Agent is not likely to be
present, nor is it likely that a home user could crack the password on
such an account. Therefore, the Trojan is likely to stay on the infected
system much longer than others.
Warning on Free O'Hare Wi-Fi Connections
According to a study
by Authentium, some 90 percent of the apparent wireless connection
points at O'Hare Airport were not from actual providers. Instead, they
were broadcasts from other travelers' laptops offering up themselves as
access points because that's how they are configured by default. The security
firm took the opportunity to point out that any of those could have been
a hacker hoping to lure people into using their machine to login to bank
accounts or other acts which might yield sensitive personal information.
The steps to get a wireless connection set up were so cumbersome in the
early days that it had to be automated. That has now been proven so wrong
as to be incredibly scary. Granted, it's unlikely that any of the O'Hare
access points were actually culling for bank login details, but it could
be true. Why physically pick your pocket if I can pick your money right
out of the air? As the article suggests, you definitely must ensure that
your laptops are not attempting to offer themselves up as connection point,
and, whenever you do connect to an access point, it should be verified
as being what you thought it would be.
Bank To Pay $50 Million for Buying Personal Data
Fidelity Bank in Florida has
been sued by an individual who claims the bank illegally obtained
and used information that it purchased from the State of Florida Department
of Motor Vehicles. According to the filings, Fidelity violated the 1994
Drivers Privacy Protection Act, a law enacted to force states to seek
permission from the owners of the information they hold before such information
can be used in any non-authorized fashion, including being sold as lists
to third parties.
The ruling does not appear to actually convict Fidelity, but instead
simply overrules Fidelity's dismissal request. Fidelity had attempted
to suggest that the plaintiff had not suffered monetary damages as a result
of the bank's purchase of his information and, therefore, was not entitled
to seek remedies from the court. The ruling declared that the law permitted
actions regardless whether damage had actually been suffered.
It can be expected that Fidelity will, at some point, point out that
it had every reason to believe that the Florida DMV had obtained permission
from all the people whose personal information it was making available.
That requirement came as part of a 1999 amendment to the federal version
of the law which was never enacted in Florida's version of the law.
If Fidelity is found to be at fault, without additional circumstances
coming to light, it would definitely be a huge blow to anyone who markets
lists or purchases them. If the purchaser must request the permission
of the individual whose information they wish to obtain, individuals are
going to be inundated with such requests on a regular basis. This would
likely be the end of such list distributions.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.