Security Watch

U.K. Calls for Int'l Privacy Standards

Plus: McAfee's road to safe surfing, and Novell, OpenBSD buffers overflow aplenty.

The U.K. Information Commissioner is suggesting that there needs to be greater "harmonization" of privacy laws around the globe, and in particular between the EU and U.S.

The real question is which country's laws are closer to the harmonized standard being sought, and which has to change its thinking? The SWIFT issue is a perfect example where the EU felt SWIFT should be governed by its rules, and the U.S. felt SWIFT should comply with its needs. In the end, SWIFT agreed with the U.S., which got the EU flustered.

McAfee Maps Safe Surf Locales
Using the same tools McAfee uses for its SiteAdvisor product, the company has performed a study based on top-level domain names to rank the TLD risks. Tokelau (.TK) came up as the No. 1 riskiest TLD, while .gov remains the only TLD without any risky sites.

The study isn't quite fair. The .gov TLD isn't exactly equivalent to all of the other TLDs McAfee tested. No doubt, most countries have domains reserved entirely for their governments, such as in England -- while not a TLD, it is the .gov equivalent. There may be many countries that have entire classifications of domains that are free of "risk" as defined by McAfee, but because of the way McAfee is looking at it, these won't show up as such.

Regardless, the study does show how some countries are possibly not doing enough to determine to whom they grant registrations. For example, e-mail addresses are collected for spamming by some 73 percent of the .info domains tested.

Smart USBs Gone Bad
In case you weren't aware, U3 drives are USB drives that make themselves appear as CDs to Windows. As such, when they are inserted, Windows typically uses its AutoRun feature to load and execute whatever is in the U3 drive's .inf file. This means that a criminal could set up their U3 drive to run tools or malicious code and attack the system they are connecting to.

And if that works, they could've done it with a CD. The difference might be that the U3 drive might store information it discovers on itself. However, with the number of CD-RW drives out there, that may well be true of a CD. In any event, it is a "slurping" issue in that a criminal could plug in their U3 drive, pass some time talking, and then remove the drive with whatever files they had discovered.

Windows XP and Windows Server 2003 allow you to disable the AutoRun feature, and Vista prompts the user whenever anything that attempts to get AutoRun to work is inserted. There are also products available which, at an enterprise level, can disable USBs or make them read-only.
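As an added example (not part of the original column), here is a way to audit whether an AutoRun policy actually covers a U3 drive. It decodes the Windows `NoDriveTypeAutoRun` registry value, in which a set bit disables AutoRun for that drive type. The host names and the fleet export are constructed sample data. Checking the removable bit alongside the CD-ROM bit is an assumption added here, on the basis that a U3 drive also carries an ordinary removable storage partition.

```python
# Added example: decode NoDriveTypeAutoRun (bit set = AutoRun disabled for that type).
# The value lives under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}


def autorun_enabled_types(mask):
    """Return the drive types for which AutoRun is still enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def u3_exposure(mask):
    """Drive types relevant to a U3 device that still AutoRun under this mask.

    The column's point is that the device appears as a CD, so a policy that
    only disables AutoRun on removable disks does not cover it.
    """
    enabled = autorun_enabled_types(mask)
    return [t for t in ("cdrom", "removable") if t in enabled]


def audit(fleet):
    """Map each host to its exposed types; an unset policy is flagged as such."""
    report = {}
    for host, mask in fleet.items():
        report[host] = ["policy-not-set"] if mask is None else u3_exposure(mask)
    return report


# Constructed sample export: host -> NoDriveTypeAutoRun value (None = not set).
SAMPLE_FLEET = {"ws-001": 0xFF, "ws-002": 0x91, "ws-003": 0x95, "ws-004": None}

if __name__ == "__main__":
    for host, exposed in audit(SAMPLE_FLEET).items():
        print(host, "OK" if not exposed else "exposed: " + ", ".join(exposed))
```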

Attack of the Cyber-Toxins
An MIS magazine article made us wonder whether any of the people interviewed in it had been in security for more than five years. The article suggests that there's a revelation in knowing that client applications are being targeted for attack by criminals, and that this somehow meant "the war on hackers has simply moved to a new battleground."

The article makes it sound like people spent all of their time on firewalls until just recently, when they realized they needed to protect the client systems. The article goes on to suggest that firewalls and anti-virus are of little use in protecting client systems, because Word and PowerPoint zero-day exploits have made perimeter protection obsolete.

Of course, anyone who's read Cybertrust's Anti-Virus Policy Guide knows that client-side protection has been as important as perimeter protection for many years. Anyone who has read our Weekly Risk Briefing Notes will also realize that the application-level risk really hasn't changed, despite every attempt by the media and purveyors of security solutions to suggest the risk is enormous.

Every type of attack discussed in the MIS article has affected one to four users, according to available information. Yes, such attacks have occurred, but to suggest that we need to completely rethink what we're doing -- or to say that anti-virus is of no use -- is absurd. The article also makes a seemingly important point that the user is the problem, because the user is being presented the malware and choosing to click on it. How is this news and how is this any different than it ever has been?

This column was originally published in our weekly Security Watch newsletter.

Novell, OpenBSD Buffer Overflow Flaws
NetMail WebAdmin Remote Buffer Overflow Vulnerability
Novell NetMail uses a tool called WebAdmin to process modifications to the NetMail process. WebAdmin can be exploited via a buffer overflow when performing basic authentication. If the user name parameter is longer than 213 characters, the criminal's code may execute. Updates are available.

This is a server component, so exploitation would result in the ability to execute code in the security context of SYSTEM, the highest privilege on the server. The process normally listens on port 89 (HTTP) and 449 (HTTPS), but on Novell Nterprise Linux Services it listens on 8018 (HTTP) and 8020 (HTTPS). None of these ports should be accessible by untrusted systems.
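For defenders who cannot patch immediately, the following added example (not from the original column or from Novell) shows a detection check for the condition described above: a Basic authentication user name longer than 213 characters sent to one of the listed WebAdmin ports. The function names, the host name and the sample requests are constructed for illustration, and the check assumes access to plaintext request headers, so for the HTTPS ports it applies to decrypted traffic or server-side logs.

```python
import base64
import binascii

MAX_USER_LEN = 213                      # threshold stated in the column
WEBADMIN_PORTS = {89, 449, 8018, 8020}  # ports listed in the column


def basic_auth_username(headers):
    """Return the user name bytes from an Authorization: Basic header, or None."""
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None  # malformed credentials: nothing to measure
        # Credentials are "user:password"; split on the first colon only.
        return decoded.split(b":", 1)[0]
    return None


def oversized_webadmin_login(dst_port, headers):
    """True when a request to a WebAdmin port carries an over-long user name."""
    if dst_port not in WEBADMIN_PORTS:
        return False
    user = basic_auth_username(headers)
    return user is not None and len(user) > MAX_USER_LEN


def sample_request(user, password=b"x"):
    """Build a constructed request for testing the check (filler data only)."""
    token = base64.b64encode(user + b":" + password).decode()
    return ("GET / HTTP/1.1\r\nHost: mail.example\r\n"
            "Authorization: Basic " + token + "\r\n\r\n")


if __name__ == "__main__":
    for port, user in [(89, b"admin"), (8018, b"A" * 214), (80, b"A" * 214)]:
        hit = oversized_webadmin_login(port, sample_request(user))
        print(port, len(user), "ALERT" if hit else "ok")
```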

In only the second remotely exploitable kernel vulnerability in OpenBSD in 10 years, malicious IPv6 ICMP packets can be sent to an OpenBSD machine and cause criminal code to execute with the privileges of the kernel, the highest available on the system.

The default installation is vulnerable, and the default installation of the firewall does not filter such packets. That means any OpenBSD system that is exposed to the Internet is potentially vulnerable.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
