February 21, 2007
Get up to speed on Botnets and DDoS attacks
A list of Botnet and DDoS reading material.
List of DDoS Articles and Tools
http://staff.washington.edu/dittrich/misc/ddos
Spam Zombies and Inbound Flows to Compromised Customer Systems (MAAWG San Diego, March 1, 2005)
http://www.uoregon.edu/~joe/zombies.pdf
Know Your Enemy: Tracking Botnets
http://www.honeynet.org/papers/bots
Route Injection and Spam (MAAWG Toronto, October 23, 2006)
http://www.uoregon.edu/~joe/maawg8/maawg8.ppt (or .pdf)
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
http://www.cis.udel.edu/~sunshine/publications/ccr.pdf
BCP 38 (RFC 2827), Network Ingress Filtering: the source-address filtering RFC
http://www.faqs.org/ftp/bcp/bcp38.txt
Infected PCs Acting as Spam Zombies: We Need to Cure the Disease, Not Just Suppress the Symptoms (London Action Plan-CNSA Workshop, Belgium, December 13, 2006)
http://www.uoregon.edu/~joe/lapcnsa2/london-action-plan.ppt (or .pdf)
Port 53 Wars: Security of the Domain Name System and Thinking About DNSSEC (Internet2/ESNet Joint Techs, Minneapolis, February 14, 2007)
http://www.uoregon.edu/~joe/port53wars/port53wars.ppt (or .pdf)
CERT's Botnets as a Vehicle for Online Crime
http://www.cert.org/archive/pdf/Botnets.pdf
Bots and Botnets: Risks, Issues and Prevention (Martin Overton, IBM Global Services, UK)
http://arachnid.homeip.net/papers/VB2005-Bots_and_Botnets-1.0.2.pdf
Explaining Distributed Denial of Service Attacks to Campus Leaders
http://www.uoregon.edu/~joe/ddos-exec/ddos-exec.ppt
Book: Botnets: The Killer Applications
http://www.amazon.com/Botnets-Killer-Applications-Craig-Schiller/dp/1597491357/sr=8-1/qid=1172068761
Coming book: Botnet Detection: Countering the Largest Security Threat (Advances in Information Security)
http://www.amazon.com/Botnet-Detection-Countering-Security-Information/dp/0387687661/sr=8-2/qid=1172068761
Cisco DoS Mitigation using Clean Pipes
http://www.cisco.com/en/US/netsol/ns341/ns121/ns310/net_value_proposition0900aecd80511f1e.html
Cisco Basic DoS Mitigation Techniques
http://www.cisco.com/en/US/products/products_security_response09186a00807bd13d.html
Posted by Roger Grimes on February 21, 2007 05:34 AM
February 21, 2007
New Svchost patch for XP released!
Fixes the problem of Svchost.exe staying pegged at 100% CPU utilization.
I (and ten thousand other people) have seen this problem many times before. The most common symptom is Svchost.exe holding the CPU at 100% for an extended period after boot, or after running Windows Update or Windows Defender. If you have this problem, be sure to download this hotfix.
Posted by Roger Grimes on February 21, 2007 04:55 AM
February 20, 2007
Reader responds to my column on MySpace Password exploit
Reader George Shaffer responds to my comments on passwords.
George responded to my column on the MySpace password exploit and passwords in general.
Here's George's email:
Roger,
No word that can be found in a dictionary is safe. And for these purposes a dictionary is any electronic list of words. chartreuse is not safe just because it is not a commonly used password. While all common passwords are easily cracked the inverse is not true; being uncommon is of no value whatsoever in making a password difficult to crack. Common passwords are easily cracked because crackers put them in their dictionaries.
Chartreuse appears in the current Red Hat dictionary (linux.words). It also appeared in the 2001 linux.words dictionary (probably also Red Hat), as well as in a much smaller English word list (origin forgotten), both of which were among the many dictionaries and word lists that were used to populate my "database" for my Password Evaluator at http://geodsoft.com/cgi-bin/pwcheck.pl which I placed online in March 2001.
If you want to understand how crackers crack passwords you may want to read my "An in Depth Analysis of Good, Bad, Strong and Weak Passwords, Password Cracking Techniques and How-To Reduce Password Vulnerabilities" at http://geodsoft.com/howto/password/ The entire section is on the order of 50 printed pages, and is the most comprehensive discussion of passwords I've found online. You can pick and choose from sections that may interest you. I'll take a look at Mark Burnett's book if I can get into my local library's online database, and the Microsoft articles as well. I was not favorably impressed by their password article in which they referred to me and my website (search Google with '"george shaffer" site:microsoft.com').
chartreuse is bad for a second reason. You have listed it as "a relatively safe password choice." This automatically makes it a bad password. Crackers will grab any password they see listed in any public source and add it to their core dictionary. People who read your article are much more likely to use a chartreuse than any randomly selected word from a modest size dictionary such as linux.words.
If I were to suggest that Ggabm2!qat was a good password on my web site, even though it meets all normal tests of a good password, I have ruined it as a password. When an apparently authoritative source says a password is good, you can be sure that some readers will use it as a password. The small increase in chance that that character sequence will be more likely used than all other possible sequences (of similar length) makes it worth including in the dictionary of first resort used by a cracker.
Depending on the target, a cracker may use multiple dictionaries starting with tens of thousands of words and working up to millions (unabridged and/or multilingual). A 45,000 word dictionary (the size of linux.words) on a fast desktop with 10 variations per word will take less than a second to process. While it's true that users who use easy 6 or 7 character passwords will almost certainly not use my sample password, someone looking for a good longer password with mixed case, digits, and symbols or punctuation, who read my site, is more likely to use this than another arbitrary equal length sequence.
This was generated with my fully configurable Password Generator http://geodsoft.com/cgi-bin/password.pl This password deliberately has two consonant vowel consonant sequences separated by two non letters.
This aids in remembering strong passwords. Capital letters also tend to be at the beginning or end of a letter sequence in several of my predefined patterns, but it's pretty much chance between which or both sequences and which end, and on some rare occasions all ends.
By changing the options, my password generator can create totally random character sequences limited in length only by screen readability. As an experiment I've generated fully random 400 character "passwords," but totally structured 6 or 8 or any other arbitrary character length can also be created. A control pattern can also create passwords of highly variable length, though variation of more than a few characters does not make sense, because those who want 7 character passwords are quite different than those who can live with 12 character passwords. Letters, consonants, vowels, case, alphanumeric, digits, symbols and punctuation, non letters, and all displayable characters, are some of the pattern categories that can be used to structure a password. The probability that each pattern type will appear at its designated location, or repeat 2 or more times, is fully configurable.
From the blurb that I read on Mark Burnett's book, my password generator is designed to do automatically what he teaches users. It allows a user any degree of structure that they require, but with the randomness of the selected characters, that a computer but not a human brain can generate. By default it shows 10 at a time and if you don't see one that looks reasonably easy to remember, you can refresh and get a new set, or try a new pattern.
This all started with the State Department's password generator in the 1980's which generated passwords in the form of CVC99CVC, or two sets of consonant, vowel, consonant, separated by two digits. Both ends pronounceable, with three easy to remember pieces. Very advanced by the standards of day but pretty weak now if a cracker suspects such a pattern is being used.
The evaluator checks for dictionary words and all the transformations that cracking tools can do plus some they cannot yet, as well as every kind of character sequence. It's very rigorous with the default settings but can easily be relaxed.
George Shaffer
--
For my GnuPG key ID and fingerprint see http://geodsoft.com/about/
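Two of George's points above lend themselves to a worked illustration: that a cracker's "dictionary of first resort" is every word times a handful of cheap transformations, and that a pattern such as the State Department's CVC99CVC is small enough to enumerate once the pattern is known. The following is an added example written for this page, not George Shaffer's evaluator or generator and not code from the column. The word list is a constructed stand-in for a real list such as linux.words, and the mangling rules (case folding, leet substitutions, appended digits or punctuation, reversal) are assumptions about what cracking tools try first, not any tool's exact rule set.

```python
"""Added example: dictionary-mangling password check plus a pattern-driven
generator. WORDLIST is constructed; REV_LEET and SUFFIXES are assumed
mangling rules, not a specific cracker's configuration."""
import secrets
import string

# Constructed word list; a real check would load tens of thousands of words.
WORDLIST = {"chartreuse", "password", "dolphin", "summer", "secret", "qwerty"}

# Reverse leet map: what common mangling rules turn letters into.
REV_LEET = {"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"}
SUFFIXES = [str(n) for n in range(10)] + ["!", "!!", "123", "2007"]


def _unleet(s):
    """Yield de-leeted readings of s; '1' is tried as both 'i' and 'l'."""
    yield "".join(REV_LEET.get(c, c) for c in s)
    if "1" in s:
        yield "".join("l" if c == "1" else REV_LEET.get(c, c) for c in s)


def _strip_suffix(s):
    """Drop one trailing digit/punctuation suffix, longest match first."""
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if s.endswith(suf):
            return s[: -len(suf)]
    return s


def _strip_prefix(s):
    """Drop leading non-letters ('!secret' -> 'secret')."""
    i = 0
    while i < len(s) and not s[i].isalpha():
        i += 1
    return s[i:]


def dictionary_root(candidate, wordlist=WORDLIST):
    """Return the dictionary word the candidate is a cheap mangling of, or None.

    This is the 'dictionary of first resort' pass: every word times a handful of
    transformations, which is why 45,000 words run in well under a second."""
    base = candidate.lower()
    forms = set()
    for f in (base, _strip_suffix(base), _strip_prefix(base),
              _strip_prefix(_strip_suffix(base))):
        forms.add(f)
        forms.update(_unleet(f))
    forms |= {f[::-1] for f in forms}          # reversed words are tried too
    for f in forms:
        if f in wordlist:
            return f
    return None


# Character classes for pattern-driven generation. 'CVC99CVC' is the old State
# Department shape: two pronounceable consonant-vowel-consonant chunks
# separated by two digits.
CLASSES = {
    "C": "bcdfghjklmnpqrstvwxyz",
    "V": "aeiou",
    "9": string.digits,
    "!": "!@#$%^&*-_=+",
    "A": string.ascii_letters + string.digits,
    "*": string.ascii_letters + string.digits + string.punctuation,
}


def generate(pattern="CVC99CVC", capitalize_first=False):
    """Draw one password from a class pattern using a CSPRNG (secrets)."""
    chars = [secrets.choice(CLASSES[c]) for c in pattern]
    if capitalize_first:
        chars[0] = chars[0].upper()
    return "".join(chars)


def pattern_keyspace(pattern):
    """Number of distinct strings the pattern can yield; log2 of it is the
    entropy an attacker who knows the pattern has to search."""
    n = 1
    for c in pattern:
        n *= len(CLASSES[c])
    return n


if __name__ == "__main__":
    for pw in ("Chartreuse", "Ch4rtr3u53!", "P@ssw0rd", "Ggabm2!qat"):
        print(pw, "->", dictionary_root(pw))
    print("CVC99CVC keyspace:", pattern_keyspace("CVC99CVC"))   # about 2^29
    print("sample:", generate("CVC99CVC"))
```

The keyspace number is the point of the State Department anecdote: CVC99CVC yields roughly 486 million strings, around 29 bits, which a desktop can exhaust in minutes once the pattern is suspected, whereas eight characters drawn from all printable ASCII give 94^8, roughly 53 bits.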
Posted by Roger Grimes on February 20, 2007 03:21 PM
February 20, 2007
Update to Treo vulnerability entry
Palm may or may not be fixing your Treo, depending on the model.
Marlene Somsak, VP of Communications for Palm, Inc., emailed and called me concerning the recent Treo vulnerability and my concern over it not being fixed. She is as pleasant as they come. I really enjoyed talking to her, but I didn't like the answer she had to relay.
She told me that Palm will definitely be fixing the vulnerability in the Cingular 680 and the Sprint and Verizon 700p in an upcoming "rev", but all other models will remain unfixed (until they can find a reliable solution, if ever).
Somsak relayed that fixing the bug would require a software patch or ROM fix, both of which "would cause problems to many existing applications." She continued, "Palm has already done the revs they planned on the other models and hadn't planned to do more."
I told her that most other vendors face similar issues (i.e. older products needing unplanned security patches), and almost all still fix the problem.
When I asked if Palm would ever patch other Treo models, she replied that she did not know, and that research is ongoing.
In closing, the Treo bug isn't that big of a bug. It's low risk and requires physical access to the Treo. But, yes, I'm truly concerned. Over the last decade or so, I've left or lost a few cell phones. The idea that unauthorized people may be able to see my personal information, phone numbers, and other information is disturbing. I care about personal information such as my kids' cell phone numbers, garage door access codes, email addresses, etc.
But it isn't the thing I find most concerning, it is the corporate attitude that they may or may not offer a fix to a product that is only 2 years old. I think my Treo cost me $600 when brand new. I bought not only a hot new phone, but a phone I figured I could use for a few years before it stopped being supported. As it stands now, it appears to be an unsupported legacy model.
Ah, just my one half cent.
Posted by Roger Grimes on February 20, 2007 02:07 PM
February 20, 2007
New Linux Rootkit detector-Rootkit Profiler
New Linux rootkit detector.
Read and download it here.
RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).
RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.
RKPconsole is a userland program that can be used to analyse the collected information.
RKProfiler LX checks the whole kernel code as well as various kernel data sections and CPU registers for possible modifications and hidden components:
- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules
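The last two items on that list are the ones an administrator can partially check from user space without loading a kernel module, by comparing two views of the PID space that a rootkit has to falsify consistently. What follows is an added example written for this page; it is not part of RKProfiler LX and not code from the post. It compares the /proc directory listing (the view ps uses, and the one a rootkit usually filters in readdir) against a direct kill(pid, 0) probe of each PID; the /proc paths are real Linux interfaces, and the sample sets in the test are constructed.

```python
"""Added example: user-space cross-view detection of hidden processes on
Linux. Not part of RKProfiler LX. Requires a Linux /proc."""
import os


def probe_pids(pids):
    """PIDs that exist according to kill(pid, 0). EPERM still means the
    process is alive; only ESRCH means there is no such process."""
    alive = set()
    for pid in pids:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def listed_pids():
    """The readdir() view of /proc, the one a rootkit usually filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def proc_tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.
    Reached by direct path, not readdir, so it often works even for a PID
    hidden from the directory listing."""
    try:
        with open("/proc/%d/status" % pid) as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(probed, listings, tgid_of=proc_tgid):
    """Cross-view diff with two false-positive filters:
    - a PID must be absent from every /proc listing taken around the probe,
      so processes that started or exited mid-scan are not flagged;
    - kill() also answers for thread IDs, which /proc never lists, so a PID
      whose Tgid differs from itself is an ordinary thread, not a hidden task.
    A PID that answers kill() but has no readable status file is reported;
    re-run the scan to rule out a thread that exited between the two steps."""
    seen = set().union(*listings)
    hidden = []
    for pid in sorted(probed - seen):
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            hidden.append(pid)
    return hidden


def scan(max_pid=None):
    """Probe the whole PID range (a few seconds on a 4M pid_max system)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()
    probed = probe_pids(range(1, max_pid + 1))
    after = listed_pids()
    return hidden_pids(probed, [before, after])


if __name__ == "__main__":
    print("hidden PIDs:", scan())
```

Run it as root so EPERM never masks a result, and remember its limits: a rootkit that hooks the syscall table (the first half of RKProfiler's list) can lie to kill() and to open() as easily as to readdir(), which is exactly why a kernel-side checker that compares the syscall table and handler code against known-good copies is the stronger tool. The cross-view diff catches the lazy rootkits and costs nothing to run.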
Posted by Roger Grimes on February 20, 2007 10:58 AM
February 20, 2007
I'm going to work for Microsoft
I've decided to join Microsoft's ACE Team as a senior security consultant.
Although most of my Linux and Apple zealot readers have long considered me a Microsoft employee already, I've just accepted a senior security consultant position with Microsoft's Application Consulting Engineering (ACE) Team. You can read the ACE blog here.
And I could not be more excited. Many of my trusted friends and acquaintances who taught me much through the years, like Brett Hill, Bill Boswell, and Mark Russinovich, have preceded me. I'm not worthy, I'm not worthy...
Having been a 20-year Windows security veteran, my new role is a natural fit. And I love the team, and the bosses are cool. Everyone is very committed to making software and infrastructure more secure. The team comes from around the world, with various levels of expertise in different fields. I thought I'd be bringing my "unique" Linux and OpenBSD experience to the team, but it turns out that many of my team members know even more about both topics than I do. I always think knowing both worlds makes a better security consultant.
I'll be writing a column on my new job soon. First, though, another column I'm writing, on DDoS attacks, is being published this week. I will always let my passions drive the column content. And right now, I'm more fired up about DDoS attacks, and the lack of good defenses, than I am by anything else.
What does that mean for my blog and the column overall? Am I going borg'd? Will it only contain Windows positive articles?
No, of course not. Like a lot of the other Microsoft employees, we all have our own opinions. And although many readers might be surprised, the harshest critics of Microsoft security I hear are MVPs and Microsoft employees. The most heated flame wars and name calling (well, maybe not name calling) come in private Microsoft security forums where people feel more protected to state strong opinions. If you don't believe me, email any Microsoft MVP to confirm.
While my own column has regularly supported Microsoft on many topics (IE 7, Vista, IIS 6, etc.), it's also pointed out flaws and concerns. I was among the first who blogged about the new MSN banner ad exploit. My New Year's resolution proposal was for my readers to learn OpenBSD (not Vista). Just because I point out that IIS 6 has only had 3 reported vulnerabilities to Apache's 33, in the same time period, and that Microsoft is doing a better job overall on security, does not make me borg. I think it makes me balanced. I frequently have called OpenBSD the most secure OS on the planet, in the same columns.
It is my hope that this column continues to focus, as it has always done, more on computer security in general, than on a particular vendor or product. After 20 years of computer security experience, I'm a computer security skeptic. I don't completely trust any of the computer defense products! I am the reader's advocate and I spend my time trying to decipher between what is and isn't real in vendor attestations. It's that role, and bringing to light pressing computer security concerns (e.g. banking trojans, DDoS attacks, identity theft statistics, spam, etc.) that this column will continue to focus on.
At the same time, I will absolutely be developing more Microsoft Windows security content in my new job. It's my hope to provide more comprehensive analysis, documentation, and practical recommendations, and share that with readers. I don't think that is a bad thing, as 90% of the world's desktops run Microsoft Windows. However, Microsoft-only content will probably be done on the ACE team blog, and I'll have links in this blog to content I think is important to share with readers.
Posted by Roger Grimes on February 20, 2007 06:44 AM
February 20, 2007
New Snort overflow exploit
Snort can be buffer overflowed.
About once a year, Snort gets a buffer overflow vulnerability.
Any piece of additional software in a defense strategy has to be carefully considered (e.g. Snort, Wireshark, antivirus program, anti-spam device, etc.) before placing it.
In order to pull off this particular exploit, the attacker would have to know you are running Snort, know its placement, create the buffer overflow attack, and somehow get it to your Snort sensor.
A dedicated attacker, who really wants to exploit you, could learn that you are running Snort, and then just sit back until the next Snort exploit is released. All they have to do is beat you to the patch.
Even in a well-run environment, it normally takes an admin at least half a day to a day to patch something like Snort, and I'm being gracious (many Snort users I run across haven't updated it since they first installed it, which is very sad).
It's because of things like this that I am personally cautious about using Snort and Wireshark (both of which I love) for real-time alerting and analysis. A student of mine recommended a great strategy for my many honeypots (I run 8).
In the past, I had used both Snort and Ethereal (now called Wireshark) to capture packets and to alert me. Because both Snort and Wireshark get the occasional buffer overflow exploit announcement (Wireshark much more so than Snort), the student suggested that I never run either in real time, and instead capture traffic on the front end with some other tool and use Snort and Wireshark on the back end for analysis. Perfect strategy for me.
By definition, any traffic to my honeypots is malicious. I don't run Snort as a detection and alerting tool; instead, I use it to identify common exploits in traffic I've already captured. In the past I used Wireshark to capture packets in real time. Not anymore.
Now I use WinPcap-based tools and/or tcpdump to capture packets in real time, fed from port-mirroring Ethernet switches. When I'm alerted to an attack, I take the captured packets to my management machine, where I have Snort and Wireshark, and analyze them there. I get the benefit of less risk on the sensor and the full benefit of Snort, Wireshark, and tcpdump during analysis.
Of course, I still have to worry about WinPcap and tcpdump buffer overflows, but both seem more stable and less attacked than Snort and Wireshark. One caveat: tcpdump's protocol printers have had their share of bugs too. Capturing with -w writes raw frames to disk without running the printers at all, which keeps the parsing surface exposed on the sensor as small as possible; save the decoding for the management machine.
Remember, even your security defenses are potential exploit vectors. Always keep your security tools up to date.
And the last time Snort had an exploit (it was in the Back Orifice detector, I believe), several other commercial products had the exact same bug to patch.
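The split described above (dumb capture on the sensor, decoding on the management box) only works if the analysis side can read what the sensor wrote. As an added example written for this page, not code from the post or from any of the tools mentioned, here is a minimal reader for the classic pcap file format that tcpdump -w produces, which pulls TCP/UDP flow tuples out of a capture so you can see what is worth feeding to Snort (snort -r file.pcap) or opening in Wireshark. The sample capture is constructed in memory with RFC 5737 test addresses so the script runs offline; the bounds checks in read_pcap are the point, since a decoder that trusts a record length from the file is the same class of bug as the Snort and Wireshark overflows the post is about.

```python
"""Added example: classic pcap (tcpdump -w) reader that summarizes flows.
Not code from the post. The SAMPLE_PCAP capture is constructed."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same file written in the other byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the demo. Checksums are
    left zero; the reader never validates them, only bounds."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == 6:   # TCP: SYN with a 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


def build_pcap(records, snaplen=65535):
    """Serialize (ts_sec, ts_usec, frame) records into a little-endian pcap image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from a pcap image, honouring the byte order
    declared by the magic number and refusing to read past a truncated or
    oversized record instead of trusting incl_len."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl
    if off != len(data):
        raise ValueError("trailing bytes after last record")


def flow_of(frame):
    """(proto, src, sport, dst, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if ihl < 20 or proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (PROTO_NAMES[proto], src, sport, dst, dport)


def flow_counts(data):
    """Packets per 5-tuple: the first thing to eyeball before loading Snort."""
    counts = {}
    for _ts, frame in read_pcap(data):
        flow = flow_of(frame)
        if flow is not None:
            counts[flow] = counts.get(flow, 0) + 1
    return counts


# Constructed sample: two SYNs to SMB and one DNS packet toward a honeypot.
SAMPLE_PCAP = build_pcap([
    (1171949000, 0, build_frame("203.0.113.7", "192.0.2.10", 6, 40123, 445)),
    (1171949000, 250000, build_frame("203.0.113.7", "192.0.2.10", 6, 40123, 445)),
    (1171949001, 0, build_frame("198.51.100.3", "192.0.2.10", 17, 53, 53, b"\x00" * 12)),
])

if __name__ == "__main__":
    for flow, n in sorted(flow_counts(SAMPLE_PCAP).items()):
        print("%-3s %s:%d -> %s:%d  packets=%d" % (flow + (n,)))
```

On the sensor side the matching capture command is tcpdump's ring buffer, for instance tcpdump -i eth1 -w /var/cap/honeypot.pcap -C 100 -W 20, which rotates twenty 100 MB files and never invokes a protocol printer; the files are then copied to the management box and read with the script above, with Wireshark, or with snort -r.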
Posted by Roger Grimes on February 20, 2007 06:22 AM
February 18, 2007
Malware/Unwanted Software being distributed via MSN banner ads
Apparently, malware producers have been able to infiltrate MSN's banner advertising system, pushing unwanted software to MSN users.
Read what is publicly known so far here, at Sandi's MVP blog.
Posted by Roger Grimes on February 18, 2007 08:43 AM
February 16, 2007
Update: Third party Treo bug fix
Someone has coded a third-party fix for the recent Treo bug.
He posted his email to Bugtraq.
------------------beginning of message
I have produced a temporary fix for this security vulnerability. The fix can be found at:
http://discussion.treocentral.com/showthread.php?p=1199445&posted=1#post1199445
I will be providing an alternate URL in the following week.
------------------end of message
On a related note, two days ago I emailed the CEOs of Verizon Wireless (my carrier) and Palm with my concerns about Palm not patching this bug. Today, I received an email from a Palm VP inviting me to a phone conference on Monday or Tuesday of next week. I'll let readers know if anything useful comes out of the phone conference.
Roger
Posted by Roger Grimes on February 16, 2007 10:35 AM
February 14, 2007
CastleCops under DDoS attack.
From my friend, Paul, CastleCops founder:
-------------------
As you may be aware, castlecops.com has been under a ddos since last night. It knocked us out for a couple hours, but our ISP and their upstream vendor were able to mitigate. Until now. Upstream vendor has logs, but they have been working on sending it to Johnny all day.
I got the call from my ISP about 45 minutes ago. The attack blew out the entire network at rates way above normal. He requested that the upstream vendor block all traffic to castlecops.com. At that point, CastleCops entered into a live or die situation. We don't have the money to add on extra bandwidth.
We need help from our friends in industry to stay alive and keep up the fight. This is all that Robin and I do, and we don't want to stop.
Paul Laudanski, Microsoft MVP Windows-Security Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com
Update (2/15/07): CastleCops is back up. Paul reported that the botnet's command and control site was identified and the upstream traffic is being blocked.
Update (10/2/07): The person who possibly did this has been arrested.
http://www.castlecops.com/a6833-Botmasters_Take_Heed_–_You_Are_Being_Put_On_Notice.html
Posted by Roger Grimes on February 14, 2007 05:37 PM
February 14, 2007
Palm not fixing Treo security bypass vulnerability
Yet another vendor cares so little about their customer base that they have decided not to fix a critical system bug.
Thanks to Symantec for finding the bug and reporting it. As a Treo user, I'm far from thrilled. I plan to get rid of my Treo. Way to go Palm.
Here's the full story as reported on Security Focus:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-002
Advisory Title: Palm OS Treo Find Feature System Password Bypass
Authors: J.R. Wikes, Matt Cooley, & Scott King
Release Date: 14-02-2007
Application: N/A
Platforms: Palm OS Treo smart phones - Tested on Verizon,
Sprint, & Cingular Treo 650 (Treo650-1.03a-VZW &
Treo650-1.12-SPCS), Cingular Treo 680, and
Sprint/Verizon Treo 700p phones
Severity: Locally exploitable
Vendor status: Verified by vendor. No patch forthcoming.
CVE Number: CVE-2007-0859
Reference: http://www.securityfocus.com/bid/22468
Overview:
Palm OS Treo smartphones are equipped with a system password lock to secure contents of handheld data from unauthorized access.
When this lock is engaged, Treo's built-in Find feature is still accessible and can be used to perform searches on text in Treo applications and databases (e.g. SMS Messages, Memos, Calendar, Tasks, etc). Search results are accessible, and depending on their size, may be truncated. An attacker may use this vulnerability to retrieve information from a locked device.
The built-in Find feature can also be used to access an Edit window and paste previously cut or copied data into the search field of a locked device. An attacker may use this vulnerability to view data that was cut or copied from Treo applications prior to the device being locked.
Details:
The Find feature can be accessed when the handheld is locked by issuing keyboard shortcut keys on the Emergency Call screen and the Call In Progress screen that is displayed when an incoming call is accepted. More details for each of these methods are listed below.
1. Emergency Call Screen
- From the System Lockout screen, select 'Make Emergency Call'.
Press the keyboard shortcut keys for Find (Option Key + Find Key).
This will open the Find window on the bottom half of the screen.
Enter the desired text to search and click on 'OK'. (Searching on a single space usually returns data)
To access the Edit window, press the Menu key while the Find window is open. Select Paste from the Edit window to paste previously cut or copied data in the Find window.
2. Call In Progress screen
Accept an incoming call.
Press the keyboard shortcut keys for Find (Option Key + Find Key) during the call. This will open the Find window on the bottom half of the screen. Enter the desired text to search and click on 'OK'. (Searching on a single space usually returns data)
To access the Edit window, press the Menu key while the Find window is open. Select Paste from the Edit window to paste previously cut or copied data in the Find window.
Note: The Find window will stay open after a call has been disconnected. However, users will be returned to the Lockout screen when the find results are closed.
Vendor Response:
14-08-2006: Initial Vendor Notification.
06-09-2006: Vendor acknowledges receipt of vulnerability description.
06-09-2006: Vendor confirms vulnerability.
19-01-2007: Vendor decides not to fix vulnerability.
14-02-2007: Advisory released.
Recommendation:
In the interim of a patch being released to address this vulnerability, users should be notified of this condition so that they may take appropriate actions including encrypting sensitive handheld databases.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE-2007-0859
- -------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research@symantec.com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/enterprise/research/archive.jsp
Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
- -------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com
For general information on Symantec's Product Vulnerability reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
- ---------------------------------------------------------------
Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Vulnerability Research. Reprinting the whole or part of this alert in any medium other than electronically requires permission from research@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)
iD8DBQFF0fdBuk7IIFI45IARAo2OAKCOjb/3hM3y1LqakzIRSjUZrINRQwCffwf/
LiKdpxGBKZXOqMpIzxrYw9M=
=2CJL
-----END PGP SIGNATURE-----
Posted by Roger Grimes on February 14, 2007 09:02 AM
February 12, 2007
IBM puts 1,000 VMs on a computer and secures them
The Register reported this week that IBM is announcing a platform capable of running 1,000 VMs.
Read their report here.
Hypervisors and VMs are exploding everywhere...at vendors, large and small, and at clients. These days I'm rarely at a client who isn't betting the bank on VMs and hypervisors.
What caught my eye in this article was IBM's work on virtualizing the Trusted Computing Group's (TCG) Trusted Platform Module for hypervisors (a vTPM; just Xen, right now), so that each guest gets its own attestable root of trust rather than all of them sharing the one hardware chip. I'm delighted that IBM is leading the way with secure hypervisors and with porting TCG goals to VM environments. I'm not sure if any other vendors are working on similar projects, and if so, what stage they are in, but I want to congratulate IBM for its leadership in this arena.
Posted by Roger Grimes on February 12, 2007 04:10 AM
February 11, 2007
Huge, Easy Solaris Telnet exploit!
If you've got Solaris with Telnet running, you could be in for a big surprise.
Per SANS' announcement:
"If you run Solaris, please check if you got telnet enabled NOW. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day.
telnet -l "-froot" [hostname]
will give you root on many Solaris systems with default installs. We are still testing. Please use our contact form at https://isc.sans.org/contact.html if you have any details about the use of this exploit."
-----------
Johannes Ullrich http://isc.sans.org

And I thought the Solaris TTYPROMPT telnet exploit of 2002 was easy.
Update (2/12/07):
By default the root user cannot telnet to a Solaris box: /etc/default/login ships with CONSOLE=/dev/console, which restricts root logins to the console. Root is often prevented from remotely connecting to Unix/Linux boxes in an attempt to blunt exactly this kind of exploit. If root is prevented from connecting remotely, the admin normally telnets in as another regular user, logs in, and then su's to root. So this new exploit should fail against root in a default install (unless admins have commented out that CONSOLE line, as many do). In those cases you would need to run the exploit with another valid account that has login privileges, e.g. -l "-fbin" instead of "-froot" (in.telnetd passes the client-supplied user name through to login, which reads "-fbin" as its -f pre-authenticated option). Essentially, this means the exploit is still pretty scary, and pretty easy to pull off.
Posted by Roger Grimes on February 11, 2007 06:39 PM
February 04, 2007
New IE 7 Anti-Phishing Feature-High Assurance
As shared in a friend's blog, Microsoft has enabled a new anti-phishing feature in Internet Explorer 7 called High Assurance.
Microsoft discusses it here, as well.
Essentially, sites that are heavily phished (e.g. PayPal, eBay) can present a certificate issued under stricter identity vetting, and IE verifies that certificate. If the site you have reached is the legitimate one (i.e. not a phishing look-alike), IE 7 turns the address bar green, like this example.
You must have IE 7's automatic anti-phishing filter and automatic certificate revocation checking enabled for this feature to work.
I haven't even begun to explore the strengths and weaknesses of this new feature, but I wanted to share it anyway. There are bound to be proponents and critics, but I welcome any addition to the anti-phishing family. One caveat worth stating up front: the green bar only vouches for who holds the certificate, not for whether the site itself is safe.
Posted by Roger Grimes on February 4, 2007 01:03 PM
February 04, 2007
Why is www.dolphinstadium.com still running Windows 2000 and IIS 5?
Websense reported a few days ago that www.dolphinstadium.com had been hacked.
The popular Super Bowl-related site was hacked to push two client-side exploits to unpatched visiting Windows computers. One targets a hole patched last month, the other one patched last year. If you're running Windows with Automatic Updates (or some other patch management tool) enabled, you should be fine.
But after investigating the web site, I'm wondering why the Miami Dolphins organization is still running Windows 2000 and IIS 5.
While I am fairly confident that the hack against the popular web site did not exploit an unknown Windows 2000 or IIS 5 vulnerability (it was probably an application programming error, like most web site exploits), I don't know why the techs, developers, hosts, and management allow a 7-year-old OS and web server to be their platform.
Did anyone on the team ask that question recently? If so, were they ignored?
Windows 2000 no longer has mainstream support. It's an old legacy platform.
Windows Server 2003 and IIS 6 have been out since March 2003, almost 4 years now, and both have a stellar protection record.
I wouldn't want anyone running a 7-year old OS or web server application. I don't run OpenBSD 1.0, it's 4.0.
Sadly, if you check Netcraft or run a Nikto scan, you'll find more Windows 2000/IIS 5 combinations than Windows Server 2003/IIS 6.
Windows Server 2003 and IIS 6 are more secure and reliable than legacy combinations. Web sites running on legacy platforms are easy to migrate to the newer platform (for most organizations).
It's a no brainer decision.
It's one thing to stay on older platforms under the guise of being stable. It's another to be neglectful.
Of course, in this particular case, the web site was compromised by an application coding bug, or something like that, and not because of Windows 2000 and IIS 5. Still, if you're running the legacy versions of Windows and IIS, it's time to upgrade. Heck, IIS 7 is out now.
Posted by Roger Grimes on February 4, 2007 09:52 AM
February 02, 2007
Snip-It Add-on for Internet Explorer
Handy, time-saving little add-on from Microsoft.
Snip-It makes it easier, and quicker, to send highlighted text in Internet Explorer to others in email.
Posted by Roger Grimes on February 2, 2007 04:02 PM