[Sunnet Alert] Advisory #138 - Snort, Mozilla, Multiple News
Security and IT News Alerts
Alertmailinglist at skiifwrald.com
Sun Jun 4 01:09:47 EST 2006
Sûnnet Beskerming Alert List Advisory #138
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Snort
- Remote Hacker Automatic Bypass
1.2 Mozilla
- Remote Hacker Automatic Control
=======================================
/*
- Remote or Local - Can it be achieved through a network or
does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be
manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker
get control of your system / website, will they prevent you from
using it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Montana Goes Quiet
2.2 Continuing Data Losses
2.3 Implications of Data Theft
2.4 mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
2.5 What Qualifies a Technical Journalist?
2.6 Miscellanea
=======================================
1. SECURITY
1.1 Snort - Remote Hacker Automatic Bypass
-- Products Affected --
Snort 2.4.5, 2.6.0 and earlier when protecting Apache
webservers
-- Technical Description --
An HTTP request containing an extra '\x0d' (\r) character
will be accepted by Apache, but will cause Snort to ignore the
content of the request, effectively allowing stealth attack attempts
(visible only in the Apache logs). Further reporting indicated that on
some systems, changing the format of the request slightly can bypass
the third party patches currently available.
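As an added illustration (not code from the advisory or from the Snort project) of the kind of check a defender can run over captured HTTP traffic, the script below scans raw request bytes for carriage returns that do not begin a canonical CRLF pair, which is the anomaly the evasion above relies on. The three sample requests are constructed for this example; the assumption that a lenient server reads the request line by splitting on LF and stripping trailing CRs is the author's, not a statement about Apache's parser.

```python
"""Flag HTTP requests whose line endings could hide them from an IDS.

Added example, not part of the advisory. A CR (\\x0d) that is followed by
another CR, or by anything other than LF, is reported together with the
request line a lenient LF-splitting reader would see.
"""
import re

# Sample requests, constructed for this example (not captured traffic).
CLEAN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
DOUBLE_CR_REQUEST = b"GET /index.html HTTP/1.0\r\r\nHost: example.com\r\n\r\n"
BARE_CR_REQUEST = b"GET /index.html\rHTTP/1.0\r\nHost: example.com\r\n\r\n"

# A CR that is not immediately followed by LF (covers both CR CR LF and a
# lone CR in the middle of a line).
_ODD_CR = re.compile(rb"\r(?!\n)")


def find_odd_carriage_returns(raw: bytes) -> list[int]:
    """Return byte offsets of every CR that does not begin a CRLF pair."""
    return [m.start() for m in _ODD_CR.finditer(raw)]


def request_line(raw: bytes) -> bytes:
    """Request line as a lenient reader sees it: up to the first LF, with
    trailing CR characters stripped (assumed lenient behaviour)."""
    first = raw.split(b"\n", 1)[0]
    return first.rstrip(b"\r")


def classify(raw: bytes) -> dict:
    """Summarise one request: the request line a lenient server would act
    on, plus the offsets of any non-canonical CRs worth alerting on."""
    odd = find_odd_carriage_returns(raw)
    return {
        "request_line": request_line(raw).decode("ascii", "replace"),
        "odd_cr_offsets": odd,
        "suspicious": bool(odd),
    }


if __name__ == "__main__":
    samples = [
        ("clean", CLEAN_REQUEST),
        ("double_cr", DOUBLE_CR_REQUEST),
        ("bare_cr", BARE_CR_REQUEST),
    ]
    for name, req in samples:
        print(name, classify(req))
```

The point of reporting the request line alongside the offsets is that the two views can be compared: the clean and double-CR requests yield the same request line to a lenient reader, so a strict decoder that drops the second one is silently giving the server a request it never inspected.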
-- Description --
The popular network traffic monitoring tool / Intrusion
Detection System has been discovered to have a vulnerability which
allows traffic aimed at websites (using http) to completely bypass
any of the detection routines. This does not make the system any
more vulnerable to attacks, it just makes it more difficult to detect
them when they start happening.
-- Recommended Action --
Patches will be made available on Monday 5 June. There
has been no report as to when a fix for the secondary issue will be
available.
-- Source --
http://www.snort.org/pub-bin/snortnews.cgi#431
-- Threat Matrix --
                U    O
Home            -    -    (Nil)
Business        -    8    (Very High)
1.2 Mozilla - Remote Hacker Automatic Control
-- Products Affected --
Firefox prior to 1.5.0.4
Thunderbird prior to 1.5.0.4
SeaMonkey has also been reported to be vulnerable to some
of the issues
-- Technical Description --
Details on the vulnerabilities are available from the
source websites. There are a number of critical vulnerabilities that
can permit remote code execution, through to system crashes and
denial of service style attacks. Because of the shared codebase for
some Mozilla products, the same vulnerability can affect multiple
products.
-- Description --
A major update has been released by the Mozilla Foundation
for the Firefox web browser and Thunderbird email client. There are
a number of serious security related vulnerabilities that have been
fixed with these latest releases, which could allow an attacker to
take control of vulnerable systems if victims could be enticed into
viewing malicious content.
-- Recommended Action --
Update to the latest versions from the Mozilla website
(http://www.mozilla.com/firefox/releases/1.5.0.4.html and
http://www.mozilla.com/thunderbird/releases/1.5.0.4.html)
-- Source --
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.4
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird1.5.0.4
-- Threat Matrix --
                U    O
Home            9    9    (Critical)
Business        9    9    (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Montana Goes Quiet
The US State of Montana went quiet late last month, as an unexplained
outage shut down government computer systems
(http://www.cnn.com/2006/TECH/05/23/computer.outage.ap/index.html).
While a number of high priority services were kept running through
various means, the state bureaucracy basically ground to a halt. There
has been no indication of the cause, although a major traffic spike
leads some to consider that a virus was responsible for the outage.
Although it is more likely an aberration of data collection, the
F-Secure world map for late May
(http://worldmap.f-secure.com/vwweb_1_2/vwm/map/clen/de200615000/ds200614900/dt3/gnus/ic10/if0/ii0/is2/ly100/ro0/rtpage/zz.html)
shows a major spike in malicious traffic for Montana several days
after the event, but almost no traffic over the affected dates.
2.2 Continuing Data Losses
Ernst & Young are busy attracting a reputation for poor data
management after it was recently disclosed that more than 230,000
customers of Hotels.com and affiliated sites between 2002 and 2004
had their personal information stolen when a laptop was taken from
an Ernst & Young employee. As with a number of similar cases, the
data was stored on a laptop which was then stolen from a vehicle.
Affected customers have been notified by letter, following the breach
which was reported to have taken place on May 3. Although the data
appears to have been lacking the staple Social Security Number, at
least some records are reported to have included credit or debit card
details, along with name and address.
Universities again have had a spate of disclosures, with Miami
University reporting the loss of almost 1,000 records after a
handheld device was stolen, while the Texas Guaranteed Student Loan
Corp, in conjunction with Hummingbird Ltd., lost records of 1.3
million loan applicants and recipients (almost 10% of clients) after
equipment was lost from Hummingbird's offices. An undisclosed number
of students from Florida International University were notified of a
potential loss of data, following the discovery of malicious software
on an FIU system which could allow for sensitive data to be passed
out from the system. A similar incident took place at the University
almost twelve months ago.
Elsewhere on the Internet, numerous banks had their websites
redirected to a hacker controlled server after the hosting provider
serving them all was compromised (a similar incident took
place in Australia last year, which Sûnnet Beskerming identified and
reported). The Veterans' Affairs breach continues to worsen, with
dismissals already starting to take place. It has been reported that
the stolen data may have included "Social Security numbers and
birthdates, [and] in many cases phone numbers and addresses".
Specific medical data codes were also available for a number of the
records.
2.3 Implications of Data Theft
With the increasing publicity of breaches, it is likely that thieves
are taking a closer look at the data on laptops, where they may not
have been all that interested previously (for opportunistic theft).
Targeted thefts will continue to utilise the information stolen, but
with almost 10% of the American population affected by one single
theft (Veterans' Affairs) it is almost at the stage that identity
fraud can be considered to be ubiquitous, and as one commentator puts
it "simply punish[ing] those who haven't adopted the latest
soon-to-be subverted identity widget?". A lot of the particular trouble for
Americans is the widespread use of the Social Security Number (SSN)
as a global identifier, even though it only has a narrow scope of
legislated use. Countries that are planning to introduce national
identity cards or identifiers should take note of this, and plan
carefully to avoid the issues associated with it (in Australia Tax
File Number and Medicare number fraud work, although it is harder to
completely capture an identity for financial gain).
2.4 mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
The newly surfaced Archiveus Trojan malware affecting Windows based
systems has already been defanged as a result of work by antivirus
companies (or someone with a copy of 'strings'). In what appears to
be a growing trend, Archiveus intentionally encrypts local documents,
holding them to ransom for purchases from dubious online pharmacies.
Fortunately for victims, it appears that the original author has used
a symmetric encryption algorithm, and has hardcoded the key into the
software (hence the subject name). Although the malware has now been
defanged, the police to whom the infection was first reported have
essentially reported that tracking the source of the attack is "too
difficult", which isn't really the best sign to send to potential
victims, or enterprising malware authors. Perhaps if the infections
were more widespread, rather than a one-off, the extortion would be
more likely to take the attention of the law enforcement community.
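The remark above about "someone with a copy of 'strings'" is the whole lesson of a hard-coded symmetric key: anything stored as a printable literal in the binary can be read straight out of it. As an added example (not the advisory's code, and not Archiveus), the script below implements the core of the Unix strings tool in Python and runs it over a constructed stand-in for an executable; the embedded "key" is a made-up placeholder, not the real Archiveus key, and the triage heuristic in candidate_keys is the author's own assumption about what an analyst would look at first.

```python
"""Minimal 'strings' over a binary blob: why a hard-coded key is no secret.

Added example, not from the advisory. SAMPLE_BINARY is constructed here
(header-like bytes, opaque filler, a few message literals, and a fake key).
"""
import re

# Constructed stand-in for an executable image; nothing here is real malware.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    b"Encrypting documents...\x00"
    b"\x8b\x45\xfc\x33\xc9"
    b"Buy from our pharmacy to get the password\x00"
    b"\xde\xad\xbe\xef\x00"
    b"EXAMPLE-HARDCODED-KEY-0000\x00"   # placeholder key, not a real one
    b"\x90\x90\xc3"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (space
    through tilde), in file order, like the default mode of 'strings'."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def candidate_keys(strings: list[str], min_len: int = 16) -> list[str]:
    """Crude triage (author's assumption): long printable runs with no
    spaces are the literals an analyst checks first when hunting for an
    embedded key or password."""
    return [s for s in strings if len(s) >= min_len and " " not in s]


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    for s in found:
        print(repr(s))
    print("candidate keys:", candidate_keys(found))
```

Against a real sample the same two steps apply unchanged; the difference is only that the key may be split, encoded or built at runtime, which is what pushes an analyst from strings to a debugger.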
2.5 What Qualifies a Technical Journalist?
Following recent commentary posted on a couple of 'Technical' News
Sources (http://news.com.com/2100-1026_3-6079314.html),
(http://blogs.zdnet.com/Ou/?p=226),
(http://www.zdnet.com.au/news/security/soa/Open_standards_security_threat_ignored_auditor/0,2000061744,39257451,00.htm),
questions need to be asked about what
qualifies an individual to be regarded as a technical journalist (or
paid blogger in the services of a technical news site).
In the first example, the rush to point out a feared defacement of
popular video sharing site (youtube.com) led to the 'journalist'
completely missing the modified use of a clichéd Internet meme
(AYBABTU) and sensationalising what was there. Even though YouTube
had provided advance notice of the downtime, it was considered
newsworthy enough to publish and get completely wrong. Based on the
poor response to the message (and presumably the article), YouTube
later updated the site to include the message "No, we haven't been
hacked. Get a sense of humor.". Stunned at the poor technical
knowledge in the article, one reader left the comment "If you don't
know what that refers to, then you shouldn't be writing on a tech
website", while another left "If you don't remember this, then you're
not old enough to be surfing the web without parental supervision".
Never mind that there are plenty of significant defacement stories to
use after The Pirate Bay was raided, there have been a spate of real
attacks against Swedish police sites, and defacements of music
industry sites (http://www.zone-h.org/content/view/4473/31/).
In the second case, the author does raise some useful points, but
they are about 18 months behind the curve in terms of value. While
financial sites using HTTP front pages, instead of HTTPS (the one
with the lock, secured using 128-bit SSL), is a concern for some
people, there are various reasons why this is the case. For larger
institutions, the non-cacheability of HTTPS prevents its use as the
hardware and bandwidth required to host the site would quickly become
excessive. The use of distributed hosting providers (Akamai), can
also make it difficult to adequately secure the initial pages, and
there are plenty of other reasons. Most large banks do offer
https:// as well as http:// front pages, most just default to the
http:// version. There are quite a number of reasons why https://
isn't all that it is made out to be, including that an https:// page
can have a form that moves information across an unencrypted link,
however space restricts the ability to post them here. Because both
the use, and non-use, of https:// has strengths and weaknesses, it is
a bit disingenuous to only highlight the weaknesses of the position
that you don't support, especially when your own position has
equivalent weaknesses. At least some of the comments subsequently
posted to the article got it right.
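The weakness mentioned above, an https:// page carrying a form that submits over an unencrypted link, is easy to check for mechanically. The script below is an added example (not from the advisory or either article): it parses a page's forms, resolves each action against the page URL the way a browser would, and reports the ones whose target is not https. The login page HTML and the host names in it are constructed for this example.

```python
"""Find forms on an https:// page that would submit over plain http://.

Added example, not part of the advisory. Uses only the standard library;
the page and its URL are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed login page, as if fetched from https://bank.example/ .
PAGE_URL = "https://bank.example/"
SAMPLE_HTML = """
<html><body>
<form id="login" action="http://bank.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form id="search" action="/search" method="get">
  <input name="q">
</form>
<form id="partner" action="//cdn-partner.example/track" method="post">
  <input name="id">
</form>
<form id="inline" method="post">
  <input name="note">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect (id, resolved action) for every <form>. A missing or empty
    action means the form posts back to the page itself, and a
    scheme-relative action (//host/path) inherits the page's scheme,
    which is what urljoin gives us."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attr = dict(attrs)
        action = attr.get("action") or ""
        self.forms.append((attr.get("id") or "", urljoin(self.page_url, action)))


def insecure_form_targets(page_url: str, html: str) -> list[tuple[str, str]]:
    """Return (form id, resolved action URL) for each form whose submission
    would leave the browser's https session, i.e. any non-https scheme."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    return [(fid, url) for fid, url in parser.forms
            if urlparse(url).scheme != "https"]


if __name__ == "__main__":
    for fid, url in insecure_form_targets(PAGE_URL, SAMPLE_HTML):
        print(f"form '{fid}' submits over cleartext: {url}")
```

Only the form with an absolute http:// action is reported here; the relative, scheme-relative and action-less forms all stay on https because they inherit the page's scheme. Run the same page URL as http:// and every form is reported, which is the http front page case the article was complaining about.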
In the final case, it could either be poor reporting, or poor
knowledge on behalf of the quoted certified Auditor (the 'expert').
Although the 'expert' claims that security by obscurity is a good
thing (that concept went out of fashion several years ago), the title
of the article - that "Open Standards" are a security risk is nothing
but inflammatory, and is almost completely false. Even though the
'expert' is quoted as saying that in the article, a better turn of
phrase is that "Open Networks" are a security risk, but no one runs
articles on the sky being blue. Although SCADA devices are not all
that well known amongst script kiddies, those malcontents targeting
the devices will already know how to work with SCADA systems, so
there is no security by obscurity. Even if the script kiddie doesn't
know how to work a SCADA system, they are still going to play around
and break something (almost the definition of a script kiddie, right
there). Hopefully the article misrepresented his position (it is
troubling if this is the standard line of thought for a CISA), but
some commentators have pointed out that SCADA is NOT an IT system,
but an engineering system. The fact that it uses various computer
hardware is irrelevant. When it is considered as just another IT
system, that is when trouble starts (ref: US North East blackouts,
Gold Coast sewage plants).
2.6 Miscellanea
The ISC is warning of increased probes for Telnet services
(http://isc.sans.org/diary.php?storyid=1376), so that is something to
keep an eye on if you still run Telnet services. The CEH (Certified Ethical
Hacker) certification is coming under a cloud of suspicion, after
research into the background of the company that is responsible for
the certification program raised some uncertain details. EC Council
have defended their position and SecurityFocus (Symantec) have
deleted all records of the mailing list messages from the archives -
which does make it more difficult to source what the original
annoyance was (though there are still ways of accessing the original
messages, it looks sneaky by Symantec). This back and forth, and EC
Council's weak defence, has brought people out of silence (many with
CEH certs) who claim that there is nothing in the certification which
can not be had by downloading the software off the Internet. Even if
EC Council is completely in the clear (which they appear to be), it
is a black mark against their certification programs that will take
quite some time to clear. Reports
(http://www.fcw.com/article94650-05-25-06-Web) are indicating that China is bringing more
of its 'cyberattack' units into the frontline, or at least more into
the public eye. While the military usefulness of these units can be
debated, there is suspicion that these (or related) units may be
involved in hacking / spying attacks being launched from China and
Asia. At the least, it could lead to an amusing 'geek race' as
different countries establish their own units and defensive /
counterattack units (as North Korea is also suspected of maintaining).
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: 0410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.