Buffer Overflow: Big News, Small Impact
Also: a cyberfront to an online war; why it's a good thing your smart phone is dumb.
ARCserve backup servers contain
a buffer overflow in the Tape Engine service, normally accessed over
TCP6502. Malformed RPC packets targeting that port could create a Denial
of Service condition or possibly execute remote code of the criminals
code has now been published.
Reports exist that this vulnerability is now being publicly exploited.
The vulnerability has been patched in BrightStor ARCserve Backup version
11.5 SP2. CA has indicated that it is currently working on patches for
earlier affected versions. Backup vulnerabilities have a tendency of being
exploited within educational institutions, where networks are often more
It's not just CA that has a vulnerability on its hands: Opera 9.02 and
earlier versions contain
a vulnerability in the way they handle JPEG images. The vulnerability
could be exploited by a Web site to cause code of the criminals
choice to run in the security context of the visitor.
It is always worth remembering that even applications perceived to be
far more secure than most can have security vulnerabilities of their own.
It is also interesting to realize just how complex the JPEG file format
is that so many have failed to properly implement its parsing.
That said, we have yet to see exploitation of any of the many image format
buffer overflows that have been announced over the past 18 months. Furthermore,
exploitation requires the hosting of the criminal image, and the most
likely sites will already be hosting criminal code. However, until we
hear that sites such as MySpace have implemented some significantly improved
method of scanning upload material for malware, it or sites like it are
the most likely place well find exploitation.
DOD Preps for Battle in Cyberspace
The U.S. Department of Defense has been facing a more concerted and intelligent
effort at compromising its network. Attacks
have become more focused and realistic, using information which viewers
would generally perceive as valid. The effort has led the DoD to implement
Digital Signatures on e-mail, and recently caused it to ban HTML e-mail
The attacks fall into a category known as "spear phishing,"
where the attack is specifically crafted to look real to a very limited
subset of victims, and then sent to that small group in the hopes of convincing
one or more of them the message is valid. DoD is mum on just what the
attacks attempt to do, but one would tend to think that they arent
just out to get more bots in a botnet.
It's stories like this that inspire the "state-sponsored cyber-terrorism"
media stories. With no statistics publicly available, it is impossible
to know just how much of this form of attack is actually occurring. Equally,
without knowledge of what the attacks are trying to achieve, it's impossible
to determine the reasoning behind the attacks.
Wi-Fi Body To Simplify Security
According to the Wi-Fi Alliance, the main reason Wi-Fi
networks are left unsecure is because it is too complicated to set
them up securely. To this end, it is announcing
a new specification, WPS, which lays out simpler methods of establishing
a new Wi-Fi network in a secure configuration.
So it's too complicated to provide a network name and passphrase. To
simplify this, WPS automatically generates a network name and replaces
the passphrase with a four- or eight-digit PIN or a button on the device
which can be pushed. This may make setting up the WAP more easily, but
it doesn't alter what the clients have to do. To address that issue, they're
providing a specification for a near-field communication device (probably
an RFID) that can be brought near the WAP for authentication.
This sure sounds like "new toys" rather than "simpler
setup of secure networks." After all, how hard is it to come up with
a network name and passphrase? Pretty simple when you figure out where
to enter it and what is being requested. Granted, having fob-like devices
can do that for you. Pressing a button on the WAP, is simple -- but what
do you do in a cafe or airport terminal? Imagine a college lunch room,
with everyone lined up once to purchase their lunch, and again to get
near enough to the WAP to authenticate.
In the continuing effort to come up with "single-button security
solutions," the Alliance seems to have taken this literally. Perhaps,
if this effort doesn't succeed any better than previous ones, we can stop
looking for that and instead focus on education. Maybe we can get 9-year-olds
to write the security documentation.
High-Tech Handsets Are Hacker Bait
story about malware and mobile devices claims, in each of its first
four paragraphs, that such malware is on the rise and posing a greater
risk. Meanwhile, actual reports of infections have been constant, extremely
limited and hardly noticeable.
It is unfortunate for a media outlet such as BusinessWeek to have
such journalism being practiced by its reporters. There are few sources
of information about mobile malware, and all are in the business of promoting
it in the hopes of selling equipment and/or software to prevent it. The
"rise" constantly referred to, if it exists, is from two to
four pieces of malware. Compare this to the thousand-fold or greater increase
in malware presented to PCs, and it should become obvious that the threat
is virtually non-existent.
Furthermore, the article talks about the growing sophistication of mobile
devices such that they are, according to the article, "really a computer,
not just a phone." Well, how obvious is that? Theyve always
been computers, even when they were just phones!
This column was originally
published in our weekly Security Watch newsletter. To
subscribe, click here.
Thus far the only serious corporate threat to occur as a result of malware
and mobile phones is their use as a storage medium in the hopes of transferring
from one computer to another when the phone is connected during a sync
operation. This rarely happens, and it is more likely that spreading malware
in this way is a side effect and not an intention of the malware authors.
If the phones storage is mounted on the PC as another drive, and
the malware uses drive-spreading techniques, then of course it would spread
onto the phone. Having it spread back to another PC, however, never occurred
in the case of the cited article, and the malware usually copied over
with everything else that's on the phone. That didn't activate the malware
on the second PC, and it is far likelier that it wouldnt have even
copied itself down had the investigators not told the PC to grab the contents
off the phone's storage.
Certainly, PDAs, with fairly complete operating systems and network capabilities
of their own, must be considered PCs from the perspective of protecting
them from malware. If a user can read e-mail, open attachments and execute
can. Most smart mobile phones, however, are not so intelligent.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.