April 30, 2007 | Comments: (0)
Video - How Google badware ads work
Roger Thompson at Exploit Prevention Labs has posted some cool video footage on YouTube of the malware-laden ads his company recently discovered among the sponsored links served up with Google search results.
In the video, Thompson walks through the entire process by which the ads are found -- using a very common and straightforward search for innocuous terms on Google -- and how the attack works silently to infect end users' computers without giving them any easily noticeable evidence.
(One thing I forgot to mention in my story last week was that Google fails to provide a mouse-over function that allows users to look at the URLs of ad sites that appear as sponsored links, which could definitely help fight the problem -- as Thompson suggests in the video.)
If people are wondering how quickly and stealthily current malware distributors can work in delivering their payloads, the video serves as chilling evidence. Other than a momentary download pause and a lack of validation from a browser's URL-tracking features (hidden where most users never find them), the ads take people's browsers to the sites they originally intended to get to with no clues to the secret redirect and infection going on behind the scenes.
Smarttracker.org -- the Russian hacker group behind the attacks -- is a prime example of the type of outfit carrying out such effective campaigns, Thompson said. In his case the infected PCs got stuck with password-thieving malware, but it could work the same way for botnet programs, adware, or nearly anything else.
When I spoke with Thompson last week he admitted that it's hard to estimate just how many such threats are being carried out as Exploit was simply lucky enough that one of its customers clicked on one of the badware links and the company's LinkScanner software recognized the attack.
Thompson said the hackers responsible are also moving their attacks around the Web rapidly. Smarttracker.org was distributing threats less than two weeks after the domain was registered. Once the domain becomes less effective, Thompson said they'll likely just buy another.
Posted by Matt Hines on April 30, 2007 08:21 AM
April 27, 2007 | Comments: (0)
More enterprise spammers uncovered
Researchers at Support Intelligence continue to find spam sources they say are located within some of the world's largest businesses.
After outing spam distribution centers in companies including Aflac and Bank of America in recent weeks, the network security company has identified unusual e-mail traffic emanating from well-known enterprises including media conglomerate Clear Channel, book-seller Borders Group, and outsourcing specialist Affiliated Computer Services (ACS).
According to the Support Intelligence blog, Clear Channel, which owns scads of television and radio stations, began sending out significant volumes of spam in March. Most of the spam initially advertised low-price pharmaceuticals, Viagra and HGH, and came from multiple IP addresses within the firm, researchers said.
Spam traffic coming from Clear Channel spiked in late March and carried on through April as the mail being sent out shifted toward advertisements for cheap IT products, including those made by Adobe and Microsoft.
For Borders -- which the security company said does a "fairly good job" containing spam issues -- the problem consisted of a pharma-oriented spam run that pumped out mail at high volumes from March 29-April 3rd. Support Intelligence said that the spam was likely generated by a botnet-controlled device, and utilized resources in six different countries to power itself.
In the case of ACS, Support Intelligence said it specifically tracked a load of spam coming from several sources in the firm between late March and mid-April. Messages delivered from IP addresses controlled by the company included content advertising everything from pharmaceutical products and male sexual enhancement drugs to pump-and-dump stock schemes, before the torrent of e-mail slowed down, according to the security firm.
After I wrote a story about Support Intelligence's observations of Aflac-driven spam, representatives at the company gave me additional information on the situation. According to the PR officials, Aflac was not "hijacked" by spammers nor were any of its Web servers compromised, as I had originally reported.
In reality, company officials said the incident was "the result of a user's home machine that was attacked by a virus which generated roughly 80mbs of spam."
The company also denied the report that the campaign involved messages related to a pharming attack.
The firm said that the e-mails generated by the machine did not consist of "a spam campaign," as I'd reported, but rather "nothing more than spam selling a pharmaceutical product as a result of a virus infected PC."
I think I'm missing something in there, unless Aflac thinks it's OK for outsiders to usurp control of its employees' machines to distribute spam e-mail (and make money) from its IP addresses, that is.
Sure sounds like a spam campaign to me.
Posted by Matt Hines on April 27, 2007 01:27 PM
April 26, 2007 | Comments: (0)
TraceSecurity talks about physically breaking into banks

In today's cast I had a chance to catch up with Jim Stickley, CTO, Vice President of Engineering, & Co-Founder at TraceSecurity, to discuss physically breaking into his one thousandth bank.
We talk about how TraceSecurity physically breaks into banks, financial institutions and other organizations. While Jim is always successful in the compromise of a target's data (except for maybe one), we talk about the best ways to protect your organization from professionals as well as opportunistic data thieves.
Listen to the interview with TraceSecurity now.
Posted by Victor R. Garza on April 26, 2007 10:33 AM
April 26, 2007 | Comments: (0)
Researchers - Remote QuickTime exploit isn't out
Security researchers involved with the MacBook Pro/QuickTime exploit detailed at last week's CanSecWest conference are denying reports that the threat is circulating publicly, but admit that the vulnerability used in the attack is easier to find than they originally believed.
Matasano Security Researcher Thomas Ptacek said that his team -- which includes Dino Dai Zovi, who wrote the exploit as part of a CanSecWest Mac-hacking competition sponsored by 3Com's TippingPoint division -- has determined that people who claim to have scraped the exploit from the conference network are most likely not telling the truth.
Ptacek posted a blog entry late Wednesday, based on claims by another blogger that the exploit code had been intercepted at CanSecWest, warning that the QuickTime exploit may have been unintentionally exposed and advising people to turn off Java in their browsers to avoid attack.
As part of the competition, TippingPoint had originally instructed competitors to post their exploits to a publicly available wiki, from which the attacks would be uploaded to a Mac laptop to test them against a browser.
The individual claiming to have access to the exploit code, identified only by their blog name "Information Security Sell Out," said that it was snatched from the wiki as it was waiting to be tested.
However, CanSecWest organizers told Ptacek that they changed the format of the competition mid-event, and that the information needed to reverse engineer the code could not have been taken out of the wiki as the blogger has claimed.
Other details of the post have also led the Matasano team to doubt the validity of the blogger's claims, Ptacek said.
"At this point we believe that the details of the exploit sneaking out are false, some of the things being said are wrong, such as the claim that it uses JavaScript, which it doesn't involve," he said. "We don't have any credible statements being made and they don't match the confidential details available only to us and [TippingPoint]; in terms of scraping the exploit from the wiki, the CanSecWest guys are telling us this couldn't have happened, as they changed the use of the wiki."
Representatives of CanSecWest posted to Ptacek's blog, saying that it couldn't have been taken from their network either.
The post reads:
"Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there. The network was very simple: a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2’s when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network.
We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side.
Y'all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn’t end up on the pocket wireless network. The AP doesn't have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible).
The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet."
Despite their belief that the Information Security Sell Out claims are untrue, Ptacek said that the Matasano team has deduced that the QuickTime vulnerability used to carry out the exploit -- which affects a number of browsers, not just Apple Safari -- is easier to find than they originally thought it to be.
Apple has been informed of the vulnerability, and TippingPoint has added the CanSecWest Mac Hack to its list of upcoming bulletins.
Posted by Matt Hines on April 26, 2007 08:18 AM
April 25, 2007 | Comments: (0)
Google AdWords used to serve exploits?
Are Google AdWords being used to serve up Web-based exploits? That's the contention of Roger Thompson, a security researcher at Exploit Prevention Labs, a small Web threat detection firm. Thompson, formerly of Computer Associates and Pest Patrol, posted a note on the company's blog on Tuesday that suggests that cybercriminals are gaming Google's popular AdWords text advertisements to trick users into visiting malicious Web sites that do "drive-by downloads" of keyloggers, Trojan horse programs and other malicious programs.
According to Thompson and EPL, exploit detections that appear to come from "household name sites" like the Better Business Bureau and cars.com have been popping up since April 10.
A closer inspection by EPL researchers revealed that the attacks were actually coming from a site called smarttrack.org, a Russian Web site that serves up a variety of Web exploits, Thompson told InfoWorld.
According to Thompson, cybercrooks appear to have purchased Google AdWords for popular terms like "Better business bureau," "Auto Show," "Auto tour," "Florida Business Opportunity Law" or "Modern cars airbags," then associated those terms with their exploit server. Google users who clicked on the sponsored links that appear on the right hand side of Google's search results were directed to the malicious server, which used an exploit of a recently patched vulnerability in Microsoft's Data Access Components (MDAC) to gain control over the vulnerable system and place a small downloader program on the PC. That program, in turn, installed a back door program that gives hackers access to the machine and a so-called "Post Logger" banking Trojan. That program was specially tailored to monitor sessions on around 100 different banking Web sites and capture field information and any keystrokes whenever data was submitted from the banking customer's machine to the bank Web site, Thompson said.
The Post Logger even carried mock-ups of bank web pages designed to get customers to submit their "shared secret" -- a tidbit of personal information often used to distinguish legitimate customers from scammers, he said.
"This was a pretty sophisticated operation," he said.
Thompson and his colleagues counted around 20 compromised terms, both in English and German, and reported them to Google. Though the company has not replied to EPL, searches on some of the suspect terms, such as Better Business Bureau, returned Google results pages lacking any paid search terms -- a rare sight indeed.
Google did not immediately respond to requests for comment from InfoWorld.
Attacks using AdWords as a lure are particularly difficult to spot because users can't see the links attached to the AdWords simply by placing their mouse over the link, as they can with non-sponsored search results, Thompson noted.
"The only way to see where the link goes is by clicking on it."
EPL's software scans for malicious Web servers and warns users about suspect links on Web pages and search results.
Most desktop security programs are designed to stop malicious downloads, but have had a tough time staying ahead of organized crime gangs that attack previously unknown holes in operating systems or applications, and tailored malicious programs that may have never been seen before.
"The only way we found out about this was because our users were running into it," Thompson said.
Finding the responsible link in a Web browsing session can be difficult, he said -- researchers often get hundreds of pages of search history to sort through, only one link of which may be associated with an attack. "We tend to be very interested with what's on page 1, but these things were on page 25," he said.
While the terms EPL reported to Google have been cleansed, Thompson expects that others may still be active, given that smarttrack.org is going strong.
Stay tuned...more to come.
Posted by Paul Roberts on April 25, 2007 06:16 PM
April 25, 2007 | Comments: (0)
Calif. RFID security bills advance
California State Senator Joe Simitian -- a Democrat representing the tech-heavy Palo Alto constituency -- is making headway in his push to establish security and privacy parameters for use of RFID technology in the state.
On April 24, Simitian's latest legislation -- Calif. Senate Bills 28 and 29 -- received a go-ahead vote from members of the state's senate and has passed on for review in the state's assembly.
Simitian's measures specifically require a moratorium on the use of RFID chips in Calif. driver's licenses and student IDs or records, based on privacy and security concerns related to wireless-enabled chips.
Bill 28 prohibits the Calif. DMV from issuing driver's licenses that use RFID to transmit personal information remotely. Bill 29 bans public schools from using RFID devices to track, monitor or record a student's presence on school grounds.
Simitian was quick to point out that he is not opposed to the use of RFID, but instead concerned about proposed adoption of the technology before all of its implications are understood, and before the systems have been proven hacker-safe.
"RFID technology is not in and of itself the issue. RFID is a minor miracle, with all sorts of good uses," Simitian said in a statement. "The issue is whether and under what circumstances the government should be allowed to compel its residents -- adults or children -- to carry technology that broadcasts their most personal information."
Simitian started researching the use of RFID in government-issued IDs after an elementary school in Sutter, California implemented a system that required students to wear badges that contained the chips.
Based on concerns that the technology could be used to track children's movements or scoop up their personal information wirelessly, parents in Sutter successfully petitioned the school to nix the program.
"Parents should be allowed to decide whether and how their children's information is gathered and shared," Simitian said. "The last thing we want to do is issue 20 million drivers licenses or 6 million student IDs without any privacy protections or limits on the information provided; privacy is an indisputable right under the California State Constitution. As such, we in government have a responsibility to protect it."
SB 28 passed out of the Calif. Senate on a 31-6 vote while SB 29 passed out of the Senate on a 28-5 vote.
The state senator is also currently pushing three other measures that address privacy concerns about the use of RFID.
RFID security has come under increasing scrutiny in the last year as the technology -- primarily used today by companies to track packages for purposes of logistics management and theft prevention -- has found its way into more controversial applications.
In recent exercises, independent security researcher Adam Laurie has hacked both the RFID chips embedded in new U.K. passports and a chip that someone voluntarily had embedded under their skin (at the ShmooCon show in DC).
In another high-profile example of lax RFID security, researchers from IOActive have demonstrated a device which can be used to sniff unencrypted transmissions from RFID security card IDs and potentially spoof the devices.
The diversity of special interest groups that support Simitian's work illustrates the wide ranging concerns and cultural impact currently tied to use of RFID chips.
Among his supporters are some unlikely bedfellows including the ACLU, Gun Owners of California, Privacy Rights Clearinghouse, Citizens Against Government Waste, California State PTA, Republican Liberty Caucus, and the National Organization for Women (NOW).
Posted by Matt Hines on April 25, 2007 12:52 PM
April 25, 2007 | Comments: (0)
Newest airport security screening device a day late and a dollar short

On a very recent pass through the San Jose, CA International Airport (SJC), I was the first "passenger volunteer" to try out a new millimeter wave technology used to see through objects like prosthetics, casts and heavy bandages. Yes, this is the type of technology that caused privacy concerns a while back since it can easily see through clothes and other materials. Based on literature, I'm under the impression that SJC is only one of two locations in the country currently trying out these portable devices.
At the airport there were several representatives from Spectrum San Diego, Inc., and of course TSA officials were also tucked away behind the normal screener location. I was the willing guinea pig and was escorted to a small privately curtained area where the large, but portable, Falcon device was housed. In the past I've always thought that someone with a prosthetic or cast could easily pass through security with a sharp implement, portable and disassembled firearm, or explosive. This seems especially true since airport security doesn't require removal of these devices (unlike airport screeners in some countries). Of course, the chemical screening (with a gas chromatography swab and an EGIS Explosives Trace Detection Machine) that a passenger with a prosthetic goes through should weed out trace chemicals used in the bomb manufacturing process, but there are a variety of other ways to smuggle nefarious devices on board.
The problem with what I experienced with this all-seeing device is its image aperture size and the number of 'snapshots' that had to be used to get a clear picture around a prosthetic. Since the aperture of the device, while highly maneuverable, was only about five inches wide by about ten inches long, it took several (about half a dozen) snapshots to get all the way around a lower leg/foot prosthetic. The aperture also has to be about one to two inches from the subject. The images were pretty good once rendered on the Falcon's screen, and the TSA trainee could easily discern flesh from carbon, metal, or other objects of various densities. Thing is, this device is supposed to save time for passengers, but just the image taking process took about ten minutes, and I can't imagine it taking any less than five to ten minutes per person. Since it was a foot/lower leg we were looking at, the TSA trainee had to maneuver the Falcon aperture down to the leg, take a picture close to the knee, take one lower down, take several from the other side (since the radiation won't pass through flesh and bone and images have to cover all the way around the subject) and then take an image from the bottom of the foot. Of course in my case the process left the gap at the top of the foot unchecked. So I might have been able to sneak something up there. But I went through a rough process (including stepping on foam and other materials to stabilize my stance) and this process may very well get much more refined as trials continue.
While the process for a lower extremity was slightly arduous I could see this being very effective for weapons detection around an arm, hand or wrist cast or artificial limb. The images presented on the screen, while about three inches by three inches and grainy, were easily recognizable and different materials displayed were easily identifiable.
Of course, it being me, I had to go through the usual chemical swab, wand and pat down process after being irradiated.
I will say that TSA individuals were very courteous and showed me quite a bit of respect during the whole ordeal, so I can only imagine that passengers who have to go through this extra screening in the future will find the whole process only slightly invasive.
I also found out that with each image taken, I was only exposed to several minutes of radiation, similar to what I would experience in a plane during flight. And since I'm up in the not-so-friendly skies relatively often, I've probably already experienced the amount of radiation that I would get from this device and then some.
I must say that I don't think that there will be any more successful attempts to use a plane to cause mass destruction. There are way too many other effective ways to get the same job done without using a passenger on an aircraft to try and take over the flying tin can but this technology is an interesting tool nonetheless.
Posted by Victor R. Garza on April 25, 2007 03:47 AM
April 24, 2007 | Comments: (0)
Web-based malware marches on
Two new research reports conclude that Web-borne malware programs continue to proliferate rapidly, with some experts citing "dramatic" growth of online threats.
According to AV specialists Sophos, the sheer volume of Web-based malware more than doubled during Q1 of 2007 when compared to the same period last year. The Boston-based company tracked some 23,864 new threats over the first three months of '07, while Sophos saw 9,450 Web malware threats during Q1 '06.
Spam e-mail also continues to prove a troublesome nuisance, with many threats being delivered by the time-honored channel. The total amount of spam observed by Sophos rose by 4.2 percent during Q1 '07, compared to Q1 '06.
Despite the increase, Sophos reported that there was a noticeable decline in the number of malware-laden e-mails it processed, with attack messages accounting for only 0.4 percent of all traffic, compared to 1.3 percent of all messages during the same timeframe last year.
Sophos said that it was able to identify an average of 5,000 newly infected Web sites each day, and said that China has become the leading host of malware-hosting URLs, accounting for 41 percent of all online attacks.
According to the company, the top ten malware families hosted on websites in Q1 2007 were:
1. Troj/Fujif
2. Troj/Ifradv
3. Troj/Decdec
4. Mal/Packer
5. JS/EncIFra
6. Mal/FunDF
7. Mal/Psyme
8. Troj/Zlob
9. Mal/Behav
10. Mal/DelpBanc
Most of the infected sites tracked by Sophos during the quarter were legitimate URLs that have been compromised by attackers. Some 70 percent of all malware-hosting sites fell into this category, according to the report.
"When comparing this quarter to the same period last year, it's very clear that cybercriminals are again changing the way they operate," Ron O'Brien, senior security analyst at Sophos, said in an e-mail.
"It's shocking that such a high percentage of web sites are vulnerable to hackers - this is definitely a big concern," O'Brien said. "Web site owners need to step up to bat, put more emphasis on safeguarding their sites, and if needed, allocate more resources to ensure that the proper security is in place."
The top ten countries hosting web-based malware in Q1 2007 were:
1. China
2. United States
3. Russia
4. Germany
5. Ukraine
6. United Kingdom
7. France
8. Netherlands
9. South Korea
10. Taiwan
In addition to the continued rise of China as a source of malware, Sophos' native home the U.K. made the list for the first time ever. China displaced the U.S. atop the study for the first time.
In a separate report, Atlanta-based Exploit Prevention Labs released its March '07 Exploit Prevalence Survey.
According to the study, the top five most widely-reported Web exploits for the month were:
1. Modified MDAC
2. Q406 Roll-up package
3. Trojan Fake Codec
4. ANI
5. WMF
The security company specifically highlighted the impact of the ANI vulnerability in multiple Windows operating systems as interesting.
The exploit was able to successfully attack fully-patched Windows XP SP2 computers running on Microsoft's IE 6 or 7 browsing software and landed the fourth spot on the rankings with only four days of distribution in the month.
"The ANI exploit is a sophisticated attack," Roger Thompson, co-founder of Exploit, said in an e-mail. "We believe it first originated in China, with the relatively benign goal of stealing World of Warcraft (WoW) passwords. But within days, bad guys from around the world had picked it up and begun enhancing it for more nefarious purposes."
In another trend, China's role in the security exploit world appears to be growing. The modified MDAC exploit leading the prevalence survey originated in China. This supports Thompson's belief -- and that of others including Trend Micro CEO Eva Chen and FaceTime botnet researcher Chris Boyd -- that a global shift is taking place with China becoming a center for suspicious activity.
"We're now seeing a rapid rise in the number of active cybercriminal groups in China looking to profit from exploits," Thompson said. "The technical sophistication of Chinese exploit code is easily on a par with code coming out of the U.S. and Russia."
Posted by Matt Hines on April 24, 2007 11:34 AM
April 23, 2007 | Comments: (0)
One third of all sites vulnerable to data attack
New research published by WhiteHat Security concludes that nearly one out of every three Web sites has a serious vulnerability that could lead to an external attack or data leakage.
According to the second-ever installment of the vulnerability specialists' Web Application Security Risk Report -- which spans 15 months of vulnerability assessment of millions of active URLs worldwide dating from Jan. 1, 2006 to March 31, 2007 -- cross-site scripting (XSS) vulnerabilities continue to dominate, with nearly 70 percent of all URLs that the company tested found to be open to that manner of threat.
In a nod to the growing problem of data theft, the second most common type of weakness cited by WhiteHat and its founder/CTO Jeremiah Grossman is its "information leakage" genre of vulnerability -- which means that just like our friends at TJX Companies, these sites can be hacked and mined for data.
The ever-popular "content spoofing" problem is another Web site security problem that won't seem to go away, and other time-honored weaknesses that continue to show up in significant numbers are SQL injection holes and sites that utilize insufficient "authorization controls."
Despite the numbers -- which specifically found that 67 percent of all sites that were studied could be infected using XSS hacks -- WhiteHat said that there are actually fewer URLs online today that are vulnerable to XSS and SQL threats than it found in its previous round of research.
"This may indicate that organizations are beginning to address the growing number and severity of website attacks; however, logical vulnerabilities such as insufficient authorization, where an attacker gains unauthorized access to protected sections of a Web site, have not decreased," the firm said in a synopsis of the report.
When I last interviewed Grossman, he told me that WhiteHat is being hired by a number of well-known financial services and e-commerce companies to hack their transactional systems for potential weak points -- and that they are finding as many, if not more vulnerabilities in those systems than ever.
In addition to well-established threat vectors including those listed above, he cited the increasing use of Web 2.0 programming languages such as AJAX as another growing issue in online security.
As much money as these companies are spending on security tools and consulting services, it appears that most still value the speed with which they can get some type of business application up-and-running over any related security concerns.
"You would be amazed by the stuff we find, it's easy to tell that these companies are telling their developers to build something that works fast without giving the proper consideration to securing it first," Grossman said. "We are talking about critical transactional systems at some of these companies; I think it's fair to say that a lot of these companies are getting ripped off [by cyber-criminals, not security vendors] and we'll never hear about a lot of it."
Posted by Matt Hines on April 23, 2007 02:07 PM
April 19, 2007 | Comments: (0)
Spammers tapping into Va. Tech shooting
Security researchers are tracking a rapid move by spammers and malware distributors to use this week's mass murder at Virginia Tech as a new avenue for luring people to open unsolicited e-mail messages.
Spam experts have already seen an initial wave of messages bearing subject lines and content that advertises information about the shootings at the school, which bears the official name of Virginia Polytechnic Institute and State University.
Researchers have also observed that a large number of Internet domain names related to the university and the shootings have been scooped up since the tragedy first unfolded.
On Monday, April 16, Virginia Tech student Cho Seung-Hui is alleged to have carried out a killing spree that resulted in the death of 32 students and instructors at the school before taking his own life as police closed in on the building where the bulk of the shootings occurred.
On April 19, researchers with the security education outfit SANS Institute, based in Bethesda, Md., reported that registration of new domain names that either directly reference Virginia Tech or the shootings has spiked, with over 450 of the URLs and e-mail addresses purchased since the tragic event was reported.
In a blog post on the SANS Internet Storm Center Web site, Chief Research Officer Johannes Ullrich wrote the uptake of the Virginia Tech domains occurred at an even faster pace than similar activity around other recent news events targeted by spammers, including Hurricane Katrina in 2005.
"Some of them are used for benevolent purposes, however, a good share of them are parked for auction and even used for fraudulent donations," said Ullrich.
To help thwart the spammers' efforts, SANS has set up a list of the suspicious addresses related to the event and is requesting help from other researchers interested in investigating the domains.
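The SANS effort above amounts to triaging a feed of newly registered domains for ones that reference the event, with extra attention to those that also carry charity wording (the "fraudulent donations" the post mentions). The following is an added example of that triage, not SANS or Sophos code; the term lists, the toy public-suffix handling, and the sample registration feed are all constructed assumptions.

```python
"""Triage newly registered domains that reference a breaking news event.

Added example (not SANS or Sophos code). Given a feed of newly registered
domain names, flag those that reference the event and rank higher the ones
that also carry donation/charity wording. Term lists and sample data are
constructed assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed term lists (an assumption for this example, not SANS data).
EVENT_TERMS = ("virginiatech", "vatech", "vtech", "vtshooting",
               "virginiashooting", "techshooting", "virginiatechshooting")
LURE_TERMS = ("donate", "donation", "fund", "relief", "charity",
              "memorial", "victims", "help", "support", "tribute")
# Two-label public suffixes the toy normaliser knows about (assumption).
TWO_LEVEL_SUFFIXES = ("co.uk", "org.uk", "com.au", "co.jp")


def normalize(domain: str) -> str:
    """Lowercase, drop the public suffix, and squash separators so that
    'Virginia-Tech-Relief.org' and 'virginiatechrelief.net' compare equal."""
    name = domain.strip().lower().rstrip(".")
    name = re.sub(r"^[a-z]+://", "", name)      # tolerate pasted URLs
    name = name.split("/", 1)[0]
    for suffix in TWO_LEVEL_SUFFIXES:
        if name.endswith("." + suffix):
            name = name[: -len(suffix) - 1]
            break
    else:
        name = name.rsplit(".", 1)[0] if "." in name else name
    return re.sub(r"[^a-z0-9]", "", name)


def triage(domain: str) -> Optional[Dict[str, object]]:
    """Return a triage record if the domain references the event, else None."""
    squashed = normalize(domain)
    if not squashed:
        return None
    event_hits = [t for t in EVENT_TERMS if t in squashed]
    if not event_hits:
        return None
    lure_hits = [t for t in LURE_TERMS if t in squashed]
    # Event reference plus charity wording matches the fraudulent-donation
    # pattern described in the post; an event reference alone is watch-listed.
    priority = "high" if lure_hits else "watch"
    return {"domain": domain, "event_terms": event_hits,
            "lure_terms": lure_hits, "priority": priority}


def triage_feed(domains: List[str]) -> List[Dict[str, object]]:
    """Triage a registration feed: high priority first, exact duplicates dropped."""
    seen, records = set(), []
    for d in domains:
        key = d.strip().lower().rstrip(".")
        if key in seen:
            continue
        seen.add(key)
        rec = triage(d)
        if rec:
            records.append(rec)
    return sorted(records, key=lambda r: (r["priority"] != "high", r["domain"]))


# Constructed sample feed; none of these are the domains SANS listed.
SAMPLE_FEED = [
    "Virginia-Tech-Relief.org",
    "vtechmemorialfund.com",
    "virginiatechshooting.info",
    "vatech.co.uk",
    "dailyweatherupdates.net",
    "virginia-tech-relief.org",        # duplicate feed entry
    "http://VTshootingDonate.com/",    # registrar feeds sometimes carry URLs
]

if __name__ == "__main__":
    for rec in triage_feed(SAMPLE_FEED):
        print(f"{rec['priority']:5} {rec['domain']:32} "
              f"event={rec['event_terms']} lure={rec['lure_terms']}")
```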
Researchers at anti-virus specialists Sophos, based in Burlington, Mass., have already discovered a malware-laden spam campaign that attempts to use the Virginia Tech shootings to trick people into opening a file and infecting their computers.
In spam messages bearing subject lines that advertise camera phone footage of the shootings, Sophos said it found a link that directs users' machines to a site that installs a Trojan designed to steal users' online banking passwords and account information.
The malware file itself has also been tailored to capitalize on interest in the shootings, bearing the label TERROR_EM_VIRGINIA.scr.
"Cyber criminals prey on the interest of concerned citizens hoping for the latest information on breaking news and, if history repeats itself, we'll see this campaign continue until interest [in the tragedy] fades," said Ron O'Brien, senior security analyst at Sophos. "We've seen similar behavior with other tragedies like Katrina and the death of Pope John Paul II."
Security experts said that efforts to capitalize on major news events -- in particular incidents of great concern such as natural disasters -- have become a common operating model for spammers and malware distributors.
However, lawmakers are also beginning to look at the purchase of suspicious domain names to take their cues about which sites and e-mail campaigns to watch out for, said David Jevans, chairman of the nonprofit Anti-Phishing Working Group (APWG) industry association.
"Whenever there's some bad news we're seeing more people proactively registering domain names, some of which are used for phishing or spam and some of which are fronts for fake charities," said Jevans. "Previously most of this activity has been focused on natural disasters but now we see the Virginia Tech shootings, which could point to the use of a broader spectrum of these types of themes."
Jevans said that the Department of Justice is establishing a group that will attempt to track such activity and investigate the individuals who register domains that become sources of spam or malware and phishing attacks.
"Overall this is further evidence that more people are engaged in these types of activities and with the competition that brings you have more people thinking outside the box about creating more innovative ways to trick users," Jevans said.
Officials with firewall and filtering device maker Barracuda Networks, based in Mountain View, Calif., said that social engineering among spammers has become significantly more sophisticated over the last year as businesses and consumers employ new technologies that have helped limit attacks.
"It's all about social engineering for the smarter spammers these days, part of their work is figuring out the right technologies to use to defeat filters, but as much effort is going into figuring out what users might open," said Stephen Pao, vice president of product management at Barracuda. "It's all about getting the eyeballs, and not just getting the message to the user, but also convincing them to open it."
For those people interested in making donations in the wake of the Virginia Tech shootings, the school has set up its own charity, labeled as the Hokie Spirit Memorial Fund, information on which can be found through the university's own Web site.
Posted by Matt Hines on April 19, 2007 12:09 PM
April 19, 2007 | Comments: (0)
Microsoft plans DNS patch for May 8
By no later than May 8, Microsoft is planning to distribute a security update aimed at fixing a highly-publicized vulnerability in its Windows Domain Name System (DNS) server software that has become a feeding ground for malware attacks, botnets and cyber-criminals.
In a blog post on the software giant's Web site, Christopher Budd, a security program manager at Microsoft, said the company is pushing hard to deliver the patch by that date, and appears to indicate that it may even arrive sooner.
"While we don't have a firm estimate on when we'll complete our development and testing of updates for this issue, we have teams around the world working on it twenty-four hours a day, and hope to have updates no later than May 8, 2007 for the monthly bulletin release," Budd wrote. "However, this is a developing situation and we are constantly evaluating the situation and the status of our development and testing of updates."
Budd reports that Microsoft teams are currently developing and testing 133 separate updates for the problem, including one in every language for every currently supported version of the Windows server software.
Microsoft has frequently cited the time needed to carry out quality assurance testing on patches, and to test patch interoperability with Windows aftermarket applications, as the cause of delays in getting fixes produced faster.
"Each of these has to be tested to ensure they effectively protect against the vulnerability," said Budd. "Because DNS is a critical part of the networking infrastructure, they also have to be tested to ensure that changes introduced by the updates don't pose a greater risk than the security issue we're addressing."
I had a chance to ask Scott Charney, vice president of Microsoft's Trustworthy Computing initiative, about the company's efforts to shorten the amount of time needed to produce patches yesterday at the ongoing Authentication and Online Trust Alliance (AOTA) Summit here in Boston.
Charney cited many of the same issues related to the time needed for sufficient patch testing as a challenge, saying that: "Much like cooking soup, no matter how many chefs you hire it still needs time to simmer."
There has been a great deal of debate in the security research community of late over Microsoft's inability to get patches out the door quickly and what it should do to improve the situation.
While waiting for the fixes, Microsoft's security gurus said that customers should follow any other recommendations the company makes -- such as employing its existing workaround for the DNS vulnerability -- and claims that taking such measures can greatly reduce the impact of many flaws.
Whether that's actually the case, and whether Microsoft will begin dropping patches more quickly… only time will tell.
Posted by Matt Hines on April 19, 2007 08:35 AM
April 18, 2007 | Comments: (0)
Garza on InfoWorld Core Impact Webcast

If you ever need to run a penetration test against your network, I'd recommend using Core Impact.
I'm not just saying that because I introduce the latest Core Security webcast for InfoWorld. I'm saying it because I've used Core Impact for years, and it's served me very well out in the field and during comparisons and reviews. This is especially the case where we used it to slide right through IDS/IPS products during reviews.
Version 6.2 of Impact is out now, and if you've not heard of the product I suggest that you take a listen to Max Caceres (the Impact product manager) talk about the importance of penetration testing your network to increase network security.
The webcast link should be live by the time you click here (a quick registration is required).
My speaking volume isn't that great during the presentation (although Max's is fine) so you might want to crank up your speakers before listening.
Posted by Victor R. Garza on April 18, 2007 02:09 PM
April 17, 2007 | Comments: (0)
A range of researchers are reporting that attackers are swarming to take advantage of the stack overflow error discovered in the Windows Domain Name System (DNS) Server's RPC interface in several popular Microsoft products.
The issue -- which specifically affects Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 -- is currently being exploited by the W32/Delbot-AI worm, also known as Nirbot or Rinbot, according to experts at Arbor Networks and Sophos, among many others.
According to Jose Nazario, senior security engineer for Arbor, the botnet program began utilizing the RPC interface issue -- which impacts the manner in which affected programs process malformed requests sent to a wide number of ports -- sometime on April 15.
"The nirbot authors have rolled one of the public exploits into their own code and have launched a bot; it connects to the channel ##DNS on a set of servers they control," Nazario said in an e-mail. "Size estimates put the botnet at a few thousand bots, and we are actively engaged in the operator community seeking takedown of this botnet."
In a blog post on the network security software maker's Web site, the researcher indicated that Arbor's ATLAS outbreak monitoring system began seeing the bot Sunday evening GMT, and said it appears that the flood of RPC exploits was added to an existing botnet, with public exploits of the Microsoft vulnerability rolled into the attack over the weekend.
Researchers at anti-virus specialist Sophos said in a report that the botnet worm attack has been able to exploit the vulnerability by sending a specially crafted RPC packet to vulnerable systems.
If the worm successfully infects a PC, it allows hackers to gain access to the computer, giving them the ability to control what it does and steal information from the unsuspecting user, the company said.
Ron O'Brien, senior security analyst for Sophos, said that hackers are piggybacking on Microsoft's announcement of the problem and catching people with threats before their systems have been patched by the vendor.
"Hackers are seemingly launching malicious code in strategic patterns—specifically on the heels of Microsoft's monthly patches release," O'Brien said. "What businesses and critics need to remember is that these attacks are often a business for many hackers. They'll always be seeking out software vulnerabilities."
Sophos reported that the worm can also exploit a software vulnerability present in some Symantec anti-virus products despite an existing patch from the vendor for the problem.
Posted by Matt Hines on April 17, 2007 02:51 PM
April 16, 2007 | Comments: (0)

What can you and your business do to prevent data loss that can lead to ID Theft? Well, that's the topic of InfoWorld Live's latest radio broadcast, and I happen to talk about ID Theft with Oliver Rist; Joanne McNabb, the Chief of the California Office of Privacy Protection; and Pat Dane, the chief revenue officer for MyPublicInfo.com.
While we didn't end up with a way to obliterate ID Theft, we do have suggestions for how to protect yourself and your company from this hulking monster.
You can download this week's episode of InfoWorld LIVE! #11: Identity Theft & SMB by clicking on this link: Listen!
On the program I make mention of LifeLock, and one of the tools that I always carry with me, XOFTSpy Portable Anti-Spyware.
Posted by Victor R. Garza on April 16, 2007 05:41 PM
April 12, 2007 | Comments: (0)
Storm Worm blows up, breaks records
Security researchers are reporting that the Storm worm virus has taken off anew, and is currently pelting the Web with a record-breaking volume of spam e-mail.
Ken Dunham, director of the Rapid Response Team at VeriSign-iDefense, said that a new wave of Storm activity is serving up "heavy volumes of the code" on many large networks.
The latest variant of the increasingly pernicious worm distributes copies of itself inside a password protected ZIP file to circumvent anti-virus systems.
The e-mail messages carrying the code have been randomized with different file names, Dunham said in an e-mail, with varying passwords and alternating binaries used within the ZIP files to cloak the attack.
After infecting a machine, the new Storm installs a rootkit on the system, dubbed wincom32.sys, and calls out to its control network for subsequent commands over a private peer-to-peer (P2P) network, according to the researcher.
Much as with earlier iterations of the worm, the virus is expected to deliver many different types of spam campaigns, including malware downloads and pump-and-dump schemes.
Researchers at Postini reported that the avalanche of spam being generated by Storm has broken records for volume of such attacks over the last twelve months.
The current blast of messages is three times the size of the distributions of Storm spam tracked in Dec. 2006 and Jan. 2007, Postini researchers said.
The company estimates that over 5 million messages have been launched by the attack in the last 24 hours alone.
Among the message subject lines being used in the latest variants of the attack are some that attempt to capitalize on the threat's own success, including those made to appear like security warnings such as Worm Detected, Spyware Detected or Virus Activity Detected.
Researchers have debated the attachment of the worm designation to Storm since its discovery, based on the fact that rather than the classic self-propagating virus model, it is actually a Trojan attack that is being passed along by botnets of infected PCs. (We'll refrain from dubbing the emerging virus platform Worm 2.0.)
In addition to the new security-oriented themes and the pump-and-dump iterations of Storm spam, the attack has also used news-oriented headlines to attempt to lure in end users, including iterations that falsely report attacks by the U.S. and Israel on Iran. Some go as far as to suggest the beginning of World War III.
Jose Nazario, senior software and security engineer for Arbor Networks, predicts that the Storm activity and subsequent spam runs will go on for quite some time. Fresh off the top-secret HotBots researcher confab in Boston -- from which the press were banned -- Nazario said that much conversation at the event was given over to discussion of such attacks.
Posted by Matt Hines on April 12, 2007 07:04 PM
April 12, 2007 | Comments: (0)
TJX breach could cost company $1B
How much will it cost to clean up the mess caused by TJX Company's loss of financial records on 45 million customers? What would you think if I told you it would cost, in the words of Dr. Evil, $1 million dollars?!!!!? Not too bad? *Ahem* Sorry. How about $1 billion dollars?!!?! Now that's more like it! And that's the number that security industry analysts are bandying about in today's Boston Globe. How'd they get to the $1B figure? Well, it's all pretty fishy, but the formula looks something like this: (cost_per_lost_record x number_of_lost_records) + cost_of_IT_cleanup = total_cost_of_breach.
Not surprisingly, there are a lot of caveats with at least one expert, Larry Ponemon of the Ponemon Institute, putting the figure in the hundreds of millions of dollars, and a Forrester analyst, Khalid Kark, putting it as high as $1.35 billion.
Forrester's number comes from that firm's estimate of a cost per lost record of $90 and an estimate that around 15 million of the 45 million stolen credit records were for unexpired debit and credit cards.
Curiously, Ponemon estimates that the cost to replace stolen records is a lot higher -- $182 per card, but that no company who has experienced a data loss has spent more than $22 million to recover from it. Given that other companies have experienced similar sized breaches -- ChoicePoint, CardSystems -- it's hard to see how $22 million could be the ceiling, but that's what the article says.
Other cleanup costs -- computer forensics and new consulting fees, better intrusion detection products... a database firewall, anyone? -- are just the cost of doing business and would be no more or less had a breach not occurred (translation: "they need this stuff anyway, so who cares why they're buying it?").
Besides, the costs to the company would be amortized over one or two years -- or more, depending on the outcome of lawsuits filed against TJX and the aftermath of the breach (in other words, how many consumers are victims of ID theft that can be traced back to TJX).
So, if security analysts are bearish on TJX, Wall Street certainly isn't. As the Globe story points out, the company's stock is trading within five or ten percent of where it was the day before news of the leak was disclosed.
Add it all up, and you've got to ask: "Is there really a price to pay for violating your customers' privacy?"
Posted by Paul Roberts on April 12, 2007 08:29 AM
April 11, 2007 | Comments: (0)
HD DVD encryption gets hacked via Xbox
As noted in a blog post on the U.K.-based Heise Security forum, it appears that hackers have found a way to circumvent encryption of the Advanced Access Content System -- a standard used for content distribution and digital rights management (DRM).
Launched in 2006 by a group of well-known entertainment and IT companies to help limit unauthorized reproduction of content stored on DVDs and Blu-ray discs, the platform has already been targeted by several attacks that have allowed hackers to bypass its protections.
In the new assault, an individual has posted details on the Doom 9 DVD conversion forum that explain a method that can be used to bypass the version of AACS used to protect HD DVD movies.
Attributed to a hacker known by the screen name xt5, the process highlights the ability to read the affected discs' volume IDs -- used for AACS decryption -- using an unmodified Xbox HD DVD drive.
After connecting the Xbox HD drive to a PC, individuals can obtain all the encryption keys needed to bypass AACS, without requiring a player application such as WinDVD to do so, according to the forum posts.
The technique has not yet been ported over to circumvent AACS on Blu-ray discs, but other people responding to the original post said that efforts are underway to do so.
The initial attack on AACS involved the extraction of decryption keys for the technology from the WinDVD software player. AACS administrators subsequently banned WinDVD from being used to play content protected by the standard.
Among the companies backing AACS are entertainment giants including Disney, Warner Brothers and Sony, and technology providers such as IBM, Intel, Microsoft and Toshiba, which makes the Xbox HD drives.
Posted by Matt Hines on April 11, 2007 08:57 AM
April 10, 2007 | Comments: (0)
Apple fixes 2 wireless router flaws
Apple has released a security update for its AirPort Extreme Base Station wireless router in a move to patch two vulnerabilities discovered in the product.
While the firmware flaws could allow for attackers to bypass security features in the device, with the potential for exposure of sensitive system data or user information, researchers at Secunia rated the issues as only "less critical," the company's second least severe vulnerability rating.
The first -- and potentially more dangerous -- of the two problems could allow remote attackers to circumvent the AirPort Extreme's security features when the device is configured in default mode.
In the case of the second vulnerability, Apple said that the AirPort Disk feature of the router -- which is designed to allow file sharing from a USB hard drive connected to the device -- hosts a flaw that could allow other users within a local network to view other people's file names, but not their contents, on password-protected disks. The vulnerability cannot be exploited by outside attackers, Apple said.
The issues only affect AirPort Extreme Base Station models with 802.11n wireless network capability, and not other versions of the router, Apple said in a bulletin posted to its Web site.
The company introduced the AirPort Extreme Base Station in January 2007.
The firmware version 7.1 update offered by the company to fix the flaws is installed on an AirPort Extreme Base Station by running the AirPort Utility, which is provided with the product.
Posted by Matt Hines on April 10, 2007 06:51 AM
April 09, 2007 | Comments: (0)
Law enforcement officials in Seattle are celebrating a victory against identity thieves in the region as a man accused of masterminding a widespread fraud scheme using stolen credit card data was sentenced to five years in prison there last week.
U.S. District Court Judge John Coughenour in Seattle sentenced Scott William McComb, 41, to 65 months in prison and three years of supervised release on charges of Social Security number fraud and aggravated identity theft.
According to prosecutors, McComb drove across the U.S. buying cars and other expensive items using other people's IDs, bank account information and credit card accounts.
The investigation, first tipped off by two individual consumers who discovered that their credit cards and bank accounts were being violated, led police to a Seattle hotel room in late February 2006, where they found computer equipment with numerous programs for use in creating fake IDs. At least ten IDs that displayed McComb's picture with other people's personal details were also recovered in the raid.
McComb was subsequently arrested after he attempted to use one of the victims' credit cards to buy some computing gear in Bellevue, Wash., along with two associates. The three individuals were found to be driving a stolen rental car that police said was "filled" with equipment used for making fake IDs.
Also in the car was a piece of hardware used for tapping into residential phone lines. As part of his scheme, McComb had used the device to set up fake credit card accounts that could only be activated from the card owners' homes, according to law enforcement officials.
After the suspect was released on bail, he was reportedly caught in Michigan in Sept. 2006 driving a luxury SUV purchased under someone else's name and towing a trailer full of power tools bought through similar tactics.
In addition to the fraudulently-obtained possessions, McComb was also carrying numerous driver's licenses, Social Security cards, credit cards, personal checks and payroll checks bearing other people's names.
According to prosecutors, McComb opened approximately 25 credit card accounts in the names of 18 different victims and committed $142,000 in fraud over the course of his spree.
Posted by Matt Hines on April 9, 2007 09:25 AM
April 07, 2007 | Comments: (0)
In computer security, sensationalism not needed...
Several of you have written in regards to Matt's post First iPod virus discovered and mentioned that for this Proof of Concept exploit to work on the iPod, the device, first and foremost, has to be running Linux. Okay, I'll admit that the chance of running Linux on an iPod is slim -- except for the readership here, where all of you seem to do some off the wall stuff like converting your iPod to Linux so you can browse Wikipedia because you were bored one night last week (yes, I mean you Tony).
This got me thinking about sensationalism in my own post titles. Yes, I'll admit that I've committed this sort of switcheroo because I've wanted to draw your eyeballs to the blog and up my numbers. But overall, I think I've kept this kind of thing to a minimum. After all, why do we need sensationalism in security? We've got crazy security compromises going on every day. It seems that even the most mundane attack vectors can glean oodles of compromised data. Case in point is the now infamous UFO hacker Gary McKinnon who admits to being just a normal guy with a great deal of persistence.
As I've said time and time again in classes, you don't have to be the brightest tool in the shed to compromise data, you just have to be persistent. Last summer, during the last session of a class I was teaching at the Naval Postgraduate School, I had a projector with slides up presenting class materials on security. On another projector I was running a machine connected to the #ccpower channel. As I was teaching I told students to watch some of the incredible transactions that were being conducted in this marketplace -- IDs, credit card numbers, fulls (SS#'s, name, address and phone numbers), birth certificates. You name it in regards to identity and it was being sold here on the cheap in this venue for the malicious and criminal.
I know that this was an eye opening experience for everyone. I would say for some it was unbelievable.
With this kind of thing going on everyday do we really need sensationalism in our headlines? In reality, no. But security awareness is important, so sometimes blowing things a little out of proportion is necessary to educate.
Do you agree with me on this point, or do you think that this sort of thing just adds to the 'cry wolf' factor?
Let me know your thoughts and rants. I'm listening.
Props go out to LT Quarles at the NPS for pointing out the To Catch an ID Thief show where the #ccpower channel was recently featured.
Posted by Victor R. Garza on April 7, 2007 01:57 PM
April 05, 2007 | Comments: (0)
Security researchers have found what they believe to be the first proof-of-concept attack designed specifically to infect Apple's popular iPod portable multimedia devices.
In a blog post on its Web site, Russian anti-virus specialists Kaspersky Lab published details of the threat, dubbed Podloso, which it claims can be launched and run on an iPod.
However, in order for the attack to take root, an iPod must have Linux installed, which is probably still fairly rare as it demands that users add the software themselves.
According to Kaspersky:
-If the virus is installed to the iPod by the user, the virus then installs itself to the folder which contains program demo versions. Podloso cannot be launched automatically without user involvement.
-Once launched, the virus scans the device's hard disk and infects all executable .elf [Executable and Linking Format] files. Any attempt to launch these files will cause the virus to display a message on the screen which says "You are infected with Oslo the first iPodLinux Virus".
Researchers said that the proof-of-concept has no payload and cannot spread itself, and therefore poses no real threat at this time.
However, the code discovery proves that it is possible to create iPod malware, albeit for devices that have had additional software modifications made by their users, namely the addition of Linux programs.
In the enterprise, one could imagine that news of the test threat could lead more IT departments to ban the use of iPods on their networks. Some companies have already forbidden use of the handheld devices because they pose a risk for unauthorized data storage.
Posted by Matt Hines on April 5, 2007 08:47 AM
April 04, 2007 | Comments: (0)
Microsoft defends .ANI patch delay
A lot of people are questioning why it took Microsoft over three months to come up with a patch for its well-publicized .ANI malformed cursor vulnerability, which is present in roughly a dozen high-profile Microsoft products including Vista.
A wave of .ANI-based attacks are currently tearing across the Web.
In a rare move, Microsoft broke with its monthly patch distribution schedule, delivering a fix for the problem on April 3, one week in advance, based on the large volume of reports it was receiving from security researchers and customers over a wave of recently launched malware attacks that seek to take advantage of the issue.
The software giant said it shipped the patch just five days after first being informed of the attacks, but in order to clarify why it took so long to get the work done, Mike Reavey, operations manager of the Microsoft Security Response Center (MSRC), posted a blog on the process late Tuesday.
"While we released [the patch] within 5 days of being notified of attacks, we have received questions from customers about why it took us 3 months to develop and release the fix for this vulnerability," he writes. "I wanted to provide some insight into the history of this vulnerability, and while doing so, hopefully provide insight into the overall security update lifecycle, including testing, which consumes the greatest amount of time."
Reavey said that Microsoft first heard of the vulnerability when privately informed of the problem by researchers at Determina on Dec. 20, 2006.
Understanding the severity of the .ANI problem, which is being used by malware writers to download everything from adware to rootkits onto unprotected PCs, Reavey claims that Microsoft almost immediately began the work to create a patch.
Based on the severity of the initial report, Reavey writes that Microsoft began working on the patch as soon as the vulnerability was verified.
He goes on to say that Microsoft prioritizes vulnerabilities based on "the severity of the vulnerability and the risk to customers" but said the firm was unwilling to "shortcut" many of the steps in its patch creation and testing process just to ship something to customers.
"If customer risk is imminent we will balance the need for quality and comprehensiveness (investigating, fixing and testing any vulnerabilities in related code) with the need to protect customers as quickly as possible," Reavey writes.
The company's next step was to investigate the problem, which took it through January and February, at which point the firm determined that, because of a dependency between a file required to address a related vulnerability in a system driver and the file that needed to be updated to resolve the Windows Animated Cursor Handling vulnerability, both files would need to be updated.
The investigation led to the discovery and patching of the seven additional flaws addressed by the company in its early Patch Tuesday release, Reavey said.
Throughout February and March, Microsoft was busy building and testing the patches themselves, with "extensive" testing necessary, which involved hundreds of people at the company, according to the blog post. At one point the testing reportedly revealed over 80 potential issues with the updates that needed to be fixed.
When the company was told of the emerging attacks, it implemented its Software Security Incident Response Process (SSIRP) and sped up its final testing to push the patch out one week early.
"In many cases, there is a delicate balance we strive to strike between meeting customer needs, our ability to test an update for appropriate quality and protecting customers against possible attacks," Reavey writes. "Of course we'll always look for ways to improve our response time to help protect customers more quickly, without sacrificing quality in the process."
As noted in my story, a lot of people are openly questioning why Microsoft couldn't deliver a patch sooner, and before it was forced to do so by the threats.
"With four patches issued from Microsoft between the original announcement and the release of all this code, one could say it might have been fixed sooner," said David Frazer, director of technology services for anti-virus specialists F-Secure.
Posted by Matt Hines on April 4, 2007 12:44 PM
April 02, 2007 | Comments: (0)
Microsoft may have promised that it will release a rare out-of-cycle patch for the recent flaw in Windows animated cursor (or ANI) files, but that's not soon enough for the folks at the Zero Day Emergency Response Team (ZERT), who announced Monday that they have a fix for the flaw that will protect users from circulating attacks.
News about the hole in Windows processing of ANI files surfaced last week, and by this weekend publicly available exploits had surfaced, as had reports of Web sites serving up attacks that target the vulnerable file type. That prompted Microsoft to announce late Sunday that it would break its typical patch cycle and release a fix for the ANI problem on Tuesday, a week ahead of its scheduled patch release on April 10.
ZERT, a group made up of security researchers, first began issuing its own patches for previously unknown and unpatched (or "zero day") holes in September, when it issued an unofficial fix for a hole in Windows processing of Vector Markup Language (VML) graphics.
The group decided to release the latest patch because it was concerned that previous patches of ANI problems by Microsoft were insufficient, and that a non-vendor patch from eEYE was too specific to the latest hole in ANI files, according to an message board post by Gadi Evron, a founding member of ZERT.
Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:⁄WINDOWS⁄ or C:⁄WINNT⁄). This approach should successfully mitigate most "drive-by's," code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.
"For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files," Evron wrote.
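The fix Evron describes is a bounds rule on the copy, not a rule about where the file lives. The parser below is an added example written for this post, not ZERT's patch or any Windows code: it walks a RIFF/ACON container, treats every chunk length as untrusted, and copies at most 36 bytes of the "anih" chunk into a fixed 36-byte stack buffer regardless of the length the file declares. The header field names follow the commonly documented ANIHEADER layout and are an assumption of the example; `build_ani` produces constructed in-memory inputs so the code runs without a real cursor file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_CHUNK_SIZE 36u   /* size of the stack buffer, and the cap on the copy */

typedef enum {
    ANI_OK = 0,
    ANI_ERR_NOT_RIFF_ACON, /* missing RIFF/ACON signature */
    ANI_ERR_TRUNCATED,     /* a chunk claims more bytes than the buffer holds */
    ANI_ERR_ANIH_SHORT,    /* anih chunk too small to hold a full header */
    ANI_ERR_NO_ANIH        /* container had no anih chunk at all */
} ani_status_t;

/* Nine little-endian DWORDs = 36 bytes. Field names are an assumption. */
typedef struct {
    uint32_t cb_size, n_frames, n_steps, cx, cy, bit_count, planes, jif_rate, flags;
} anih_header_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the container; fill *out from the anih chunk. *capped is set when the
 * chunk declared more than 36 bytes and the surplus was deliberately ignored. */
ani_status_t parse_ani(const uint8_t *buf, size_t len, anih_header_t *out, int *capped)
{
    uint8_t hdr[ANIH_CHUNK_SIZE];   /* fixed-size stack buffer: the copy target */
    size_t pos = 12;
    int found = 0;

    *capped = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_NOT_RIFF_ACON;

    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t size = rd_le32(buf + pos + 4);   /* untrusted: read from the file */
        size_t data = pos + 8;

        if (size > len - data)                    /* subtraction form cannot overflow */
            return ANI_ERR_TRUNCATED;
        if (memcmp(id, "anih", 4) == 0) {
            if (size < ANIH_CHUNK_SIZE)
                return ANI_ERR_ANIH_SHORT;
            /* The copy length is the buffer size, never the declared chunk size. */
            memcpy(hdr, buf + data, ANIH_CHUNK_SIZE);
            if (size > ANIH_CHUNK_SIZE)
                *capped = 1;
            out->cb_size   = rd_le32(hdr + 0);  out->n_frames = rd_le32(hdr + 4);
            out->n_steps   = rd_le32(hdr + 8);  out->cx       = rd_le32(hdr + 12);
            out->cy        = rd_le32(hdr + 16); out->bit_count = rd_le32(hdr + 20);
            out->planes    = rd_le32(hdr + 24); out->jif_rate = rd_le32(hdr + 28);
            out->flags     = rd_le32(hdr + 32);
            found = 1;
        }
        pos = data + size + (size & 1u);          /* RIFF pads odd-length chunks */
    }
    return found ? ANI_OK : ANI_ERR_NO_ANIH;
}

/* Constructed input: a RIFF/ACON container with one anih chunk whose length
 * field says `declared` but which actually carries `present` bytes.
 * dst must hold at least 20 + present bytes. Returns bytes written. */
size_t build_ani(uint8_t *dst, uint32_t declared, size_t present)
{
    static const uint32_t fields[9] = {36, 1, 1, 32, 32, 32, 1, 10, 1};
    size_t n = 0, i;
    memcpy(dst + n, "RIFF", 4); n += 4;
    wr_le32(dst + n, (uint32_t)(4 + 8 + present)); n += 4;
    memcpy(dst + n, "ACON", 4); n += 4;
    memcpy(dst + n, "anih", 4); n += 4;
    wr_le32(dst + n, declared); n += 4;
    for (i = 0; i < present; i++)
        dst[n + i] = (i < 36) ? (uint8_t)(fields[i / 4] >> (8 * (i % 4))) : 0xAA;
    return n + present;
}

/* Convenience wrapper: build a container with the given sizes and parse it. */
static uint8_t g_buf[256];
anih_header_t g_hdr;
int g_capped;
ani_status_t parse_built(uint32_t declared, size_t present)
{
    size_t n = build_ani(g_buf, declared, present);
    return parse_ani(g_buf, n, &g_hdr, &g_capped);
}

int main(void)
{
    printf("declares 4096 bytes, carries 36 -> status %d\n", (int)parse_built(0x1000, 36));
    printf("declares 64, carries 64        -> status %d, capped=%d\n", (int)parse_built(64, 64), g_capped);
    printf("well-formed                    -> status %d, cx=%u\n", (int)parse_built(36, 36), g_hdr.cx);
    return 0;
}
```

The two checks that matter are the `size > len - data` test, which rejects a chunk whose declared length runs past the end of the data, and the `memcpy` with a constant length, which is what keeps a declared length larger than 36 from ever reaching the stack buffer. A chunk that declares more than 36 bytes is still accepted, matching the compatibility goal in the quote, but the surplus is skipped rather than copied.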
The ZERT patch, which is available here, works on Windows 98, 2000, XP and Vista.
For its part, Microsoft has discouraged customers from using third-party patches by eEye or others. Customers are advised to tune their firewalls to spot known attacks and to make other configuration changes that will limit exposure until an official patch is available.
Posted by Paul Roberts on April 2, 2007 01:56 PM
April 02, 2007 | Comments: (0)
TJX biggest breach ever? Not so fast!
When is a data breach the biggest in history? When the Washington Post says it is, it appears.
At least that appears to be the case with the WP's article about the TJX data breach on Friday, "Data Theft Grows to Biggest Ever." That article, by Ellen Nakashima and Ylan Q. Mui, used numbers from a TJX filing with the SEC that put the number of credit card numbers exposed in the attack at 45.7 million, which "represents the largest reported computer theft of personal data in history," the authors claim.
That statement just hangs there -- the authors neither attribute it to any official, nor do they qualify it or expand on it in the story.
But is it true? I guess it depends on what does and doesn't count as a data breach. Other notable hacks, such as the 2003 hack of database company Acxiom by Scott Levine of Snipermail, were bigger. The Acxiom breach, in particular, reportedly netted Levine more than one billion data records, including e-mail and personal address information that he resold for use in spam campaigns. Levine was found guilty in 2005 of 120 counts of unauthorized access to a computer (Acxiom's lightly guarded FTP server) and obstruction of justice.
But in the world of breach tracking, not all data is created equal, according to Paul Stephens, an analyst at the Privacy Rights Clearinghouse.
"We consider it to be the biggest of all time," Stephens said. Breaches like Acxiom's, where no Social Security numbers or financial data are stolen, are not considered sensitive, he said. "It's an arbitrary distinction, but we consider that (names and mailing addresses) are information that's available for the public record and that's readily available online," he said.
True, e-mail doesn't fall into that category, but Privacy Rights clearly thinks that having an e-mail address sold to spammers is a lesser kind of hell than full-blown identity theft involving financial data -- and they may be right!
There's no news yet on whether the WP will ever qualify its "biggest ever" claim, but according to Stephens, groups like the Privacy Rights Clearinghouse have their story, and they're sticking to it.
Posted by Paul Roberts on April 2, 2007 08:04 AM