From alertmailinglist at skiifwrald.com Fri Jul 18 17:48:30 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 18 Jul 2008 17:18:30 +0930
Subject: [Sunnet Alert] Advisory #257 - Microsoft (Multiple), Multiple News
Message-ID: <12D09195-F66B-43E3-A60C-0AE2F5716EAD@beskerming.com>

Sûnnet Beskerming Alert List Advisory #257

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - >1 week
=======================================
/* - Remote or Local - Can it be achieved through a network or does it require physical access?
   - Hacker - The bad guy
   - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
   - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data? */
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 $1 Million gets you International Hacking Capabilities
2.2 Online Attacks for Political Reasons
2.3 You can Only Blame Technology so Often
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Exchange Server
SQL Server

-- Technical Description --
MS08-037 - DNS Server / Client. Spoofing / Cache poisoning. Important
MS08-038 - Windows Explorer. Multiple remote code execution. Important
MS08-039 - Exchange Server - Outlook Web Access. Privilege Elevation. Replaces MS07-026. Important
MS08-040 - SQL Server. Privilege Elevation. Important

-- Description --
Microsoft provided four Important patches with the July Security Patch Release. Only one of the patches had any vulnerability or exploit data available.

Microsoft has provided seven patches with the June Security Patch Release. Of the patches, three are rated as Critical, three as Important, and the remaining patch as Moderate. Exploit data for some of the Internet Explorer (MS08-031) and Speech API (MS08-032) vulnerabilities has been publicly available, but limited in distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
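As an added example (not part of this advisory and not Microsoft's own tooling), a defender-side check that can be run over the (source port, transaction ID) pairs taken from a packet capture of a resolver's outbound queries to confirm that the MS08-037 source-port randomisation is in effect: a resolver that still sends every query from one UDP port leaves only the 16-bit transaction ID between an off-path spoofer and a poisoned cache. The observations below are constructed for illustration.

```python
import math
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())


def assess_resolver(observations, min_fraction=0.75):
    """observations: (source_port, txid) pairs seen on queries leaving a resolver.
    Returns (verdict, details); a patched resolver should spread both its source
    ports and its transaction IDs almost uniformly (entropy close to log2(n))."""
    n = len(observations)
    if n < 2:
        raise ValueError("need at least two observations")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    max_ent = math.log2(n)  # entropy if every sample were distinct
    port_ent = entropy_bits(ports)
    txid_ent = entropy_bits(txids)
    details = {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(port_ent, 2),
        "txid_entropy_bits": round(txid_ent, 2),
    }
    if details["distinct_ports"] == 1:
        verdict = "fixed-source-port"  # only the 16-bit txid guards the cache
    elif port_ent < min_fraction * max_ent:
        verdict = "low-port-diversity"
    elif txid_ent < min_fraction * max_ent:
        verdict = "low-txid-diversity"
    else:
        verdict = "randomised"
    return verdict, details


# Constructed samples (not real captures): an unpatched resolver sending every
# query from UDP port 1053, and a patched one using a fresh ephemeral port.
TXIDS = (0x1a2f, 0x7c03, 0x44e1, 0x0b99, 0xd2a4, 0x5f10, 0x9e77, 0x2d08)
UNPATCHED = [(1053, t) for t in TXIDS]
PATCHED = list(zip((54011, 62987, 49876, 57320, 60144, 51503, 63910, 55082), TXIDS))

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        verdict, details = assess_resolver(sample)
        print(f"{name}: {verdict} {details}")
```

A handful of queries is enough to spot a fixed port; judging the quality of the randomisation itself needs a much larger capture.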
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1447 (MS08-037)
CVE-ID: CVE-2008-1454 (MS08-037)
CVE-ID: CVE-2008-1435 (MS08-038)
CVE-ID: CVE-2008-0951 (MS08-038)
CVE-ID: CVE-2008-2247 (MS08-039)
CVE-ID: CVE-2008-2248 (MS08-039)
CVE-ID: CVE-2008-0085 (MS08-040)
CVE-ID: CVE-2008-0086 (MS08-040)
CVE-ID: CVE-2008-0106 (MS08-040)
CVE-ID: CVE-2008-0107 (MS08-040)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/* Threat Matrix:
   U - User
   O - Operator
   Harmless - 0 ----- 10 - Highly Critical */
=======================================

2. NEWS

2.1 $1 Million gets you International Hacking Capabilities

A recent briefing by the US Department of Homeland Security has thrown up some interesting figures about the level of online attack capability that a number of designated terrorist organisations are believed to possess. What is somewhat surprising is the level of capability being claimed for a relatively low level of investment. That a number of these organisations are developing an ability and commensurate plans to target online services and data stores is not a surprise. After all, online attacks represent almost the perfect form of attack - significant short to medium term effect for almost no personal risk; they are easy to set up and administer, and they have effects far beyond the immediate region.
Figures were quoted in the report for Hezbollah, which is estimated to be devoting almost $1 million of the estimated $60 million that it receives annually to electronic warfare. From that amount it has apparently developed the capability to tap and monitor / hijack fiber optic networks, though it could be assumed that much of whatever capability it has came directly from its state sponsors (Syria and Iran).

While people are coming to rely upon the Internet as an essential service, it wasn't all that long ago that there was no real level of interconnection as such, and so the wider community probably won't be too greatly affected by an attack at an individual level. Communities as a whole may suffer due to outages of essential services and service providers that rely upon the Internet for operations.

How the terrorist organisations compare to the existing spam networks, Russian and Chinese controlled botnets, and system and software updates going awry remains to be seen. Perhaps now that Information Security threats have been linked with terrorist groups, the Information Security industry may start to see some of the funds set aside to combat terrorism.

2.2 Online Attacks for Political Reasons

It seems that the only time that state-sponsored online attacks are covered in the media is when someone wants to create a short term scare campaign that is focussed on driving business to a company, or on increasing funding or perceived relevancy for a government agency or group of agencies. Perhaps the best known case in the last few years was in Estonia, though there remains contention about who exactly was behind the attacks. Even though the official story is that an ethnic Russian in Estonia was responsible, there are those who still believe that the attacks were coordinated and managed from Russia.
State sponsored attacks are always guaranteed to attract interest, but the idea of semi-state and stateless organisations developing online attack capabilities for political goals is also starting to attract attention. With many of the groups that have openly admitted to developing such capability already engaged in open attacks in other environments, and many also attracting designation as 'terrorist' groups, an online attack that is claimed by or attributed to one of these groups is considered far more likely than a state-sponsored attack. While the technology and methods used may be no different from those used in spam, phishing, and other online criminal activity, it is the political intent behind their use which places them in a separate class.

Supporting this argument are the claims, surfacing in recent weeks and months, by a number of different terror groups that they have access to an electronic attack capability. These claims are actively promoted by the groups, who argue that such a capability allows them to level the playing field against their opponents and, more importantly for them, provides a means to disrupt their opponents without significant risk to themselves. Even though online attacks offer far less personal risk to the instigators, there are still some global regions where this is not the case. Earlier this year Israel killed a Palestinian believed to have been in charge of the online attack element for a Palestinian militant organisation, but this is probably the only global region where an electronic attacker may be at significant personal risk.

India is the latest country to join the ranks of those accusing China of attacking their internal networks and systems. This accusation is more significant than most, given the geographic proximity of the two countries and their historical military and political tension (including two current disputed regions and a number of historical armed conflicts).
It will be interesting to see how the two most populous and rapidly developing countries in the world handle this sort of activity and how each responds to claimed attack and counter attack, given that the attacks may be attributed to state-sponsored, semi-state, and stateless bodies in varying proportions. Though the scale of the attacks is relatively small, given the overall size of both countries, the economic and technological boost that has been delivered with the outsourcing industry means that some of the juiciest targets in India are actually datasets belonging to foreign companies.

There is no sign that these sorts of attacks will increase in scope anytime soon, but it is something to consider with data security concerns - especially in an outsourced environment. You might wake up one day to find that your data is being held ransom or under attack by an external party that is actually targeting your supplier and not you directly. That is cold comfort for the people whose data lies within that dataset, and it will be you who is ultimately held responsible for its safety.

2.3 You can Only Blame Technology so Often

Is the latest defence against embarrassing or criminal emails, text messages, and Internet activity that a hacker did it? Detroit's Mayor is currently the subject of a lawsuit alleging that he and a former aide conspired to lie under oath in a previous investigation. That in itself isn't too much out of the ordinary, but the Mayor's lawyers are arguing that allegedly incriminating text messages that are supposed to have been sent between the parties were actually the work of hackers. It is assumed that the text messages will provide sufficient evidence of guilt, but it does make for an interesting defence tactic to prevent the release of the messages.
What it leaves most people with is the impression that the text messages will implicate the Mayor and his aide, and that it is a wildly speculative attempt by his defence lawyers to avoid them having to be shown in court. It has been pointed out that while it is technically feasible to have had hackers create the messages, it is fairly straightforward to correlate messaging activity with other events on the Mayor's schedule. A further reason why the defence lawyers seem to be pushing hard to suppress release of the records is the belief that the messages are the key component of the prosecution's case, and without them the case will fail.

Making matters worse, even when it can be shown that there is a reasonable basis for believing that the person involved actually was the victim of a malware author / hacker, as in the Julie Amero case, it can be difficult to convince people that this is so.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.