[Sunnet Alert] Advisory #257 - Microsoft (Multiple), Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Fri Jul 18 17:48:30 EST 2008


Sûnnet Beskerming Alert List Advisory #257

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Microsoft (Multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - >1 week
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using it,  
or will they steal data.
*/
--------------------------------------------------------------------
2.	NEWS
--------------------------------------------------------------------
2.1	$1 Million gets you International Hacking Capabilities
2.2	Online Attacks for Political Reasons
2.3	You can Only Blame Technology so Often
=====================================

1.	SECURITY

1.1	Microsoft (Multiple) - Remote Hacker Automatic Control

	-- Products Affected --
	Windows
	Exchange Server
	SQL Server

	-- Technical Description --
	MS08-037 - DNS Server / Client. Spoofing / Cache poisoning.  Important
	MS08-038 - Windows Explorer. Multiple remote code execution. Important
	MS08-039 - Exchange Server - Outlook Web Access. Privilege  
Elevation.  Replaces MS07-026. Important
	MS08-040 - SQL Server. Privilege Elevation. Important

	-- Description --
	Microsoft provided four Important patches with the July Security  
Patch Release.  Only one of the patches had any vulnerability or  
exploit data available.

	Microsoft has provided seven patches with the June Security Patch  
Release.  Of the patches, three are rated as Critical, three as  
Important, and the remaining patch as Moderate.  Exploit data for some  
of the Internet Explorer (MS08-031) and Speech API (MS08-032)  
vulnerabilities has been publicly available, but limited in  
distribution.

	-- Recommended Action --
	All users and administrators should apply the updates at the earliest  
opportunity.
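
	The MS08-037 fix for the DNS spoofing / cache poisoning issue makes the
Windows DNS client and server pick a random UDP source port for each
outgoing query instead of reusing one port. The following added example
(not part of this advisory or of Microsoft's own tooling) is a simple
post-patch check: given the (source port, transaction ID) pairs of a
resolver's successive outgoing queries, taken from a packet capture, it
reports whether the port is being randomised and how many (port, txid)
combinations an off-path forger would have to cover. The samples below
are constructed, and the verdict thresholds are an assumption of the
example.

```python
"""Heuristic check for DNS resolver source-port randomisation (added example)."""
import statistics

# Constructed sample: a resolver that reuses one source port for every query
# (the pre-MS08-037 behaviour that makes blind spoofing practical).
FIXED_PORT_SAMPLES = [(1035, 0x1a2b), (1035, 0x9c4d), (1035, 0x0f10),
                      (1035, 0x77e1), (1035, 0x3b3b), (1035, 0xc0de)]

# Constructed sample: a resolver that picks a fresh ephemeral port per query.
RANDOM_PORT_SAMPLES = [(52814, 0x1a2b), (61207, 0x9c4d), (49512, 0x0f10),
                       (58833, 0x77e1), (63102, 0x3b3b), (50040, 0xc0de)]

TXID_SPACE = 1 << 16   # the DNS transaction ID is 16 bits wide


def port_stats(samples):
    """Distinct ports, spread (max - min) and population stdev of the source ports."""
    ports = [port for port, _ in samples]
    return len(set(ports)), max(ports) - min(ports), statistics.pstdev(ports)


def guess_space(samples):
    """Lower bound on the (port, txid) combinations a forger must cover,
    using only the number of distinct ports actually observed."""
    distinct, _, _ = port_stats(samples)
    return distinct * TXID_SPACE


def verdict(samples):
    """POOR: every query reused one port (or a txid repeated).
    GOOD: every port differed and the spread covers a large part of the
    ephemeral range. OK: something in between. Thresholds are assumptions."""
    distinct, spread, _ = port_stats(samples)
    txids = [txid for _, txid in samples]
    if distinct == 1 or len(set(txids)) < len(txids):
        return "POOR"
    if distinct == len(samples) and spread >= 10000:
        return "GOOD"
    return "OK"


if __name__ == "__main__":
    for name, samples in (("fixed", FIXED_PORT_SAMPLES), ("random", RANDOM_PORT_SAMPLES)):
        print(name, verdict(samples), "guess space >=", guess_space(samples))
```

A real run needs far more than six queries to judge the spread; capture a few hundred outgoing queries from the resolver before trusting a GOOD verdict.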

	-- Source --
	http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
	http://www.beskerming.com/premium/patch_pack.html
	http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
	
	-- Updates Available --
	http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

	-- External Tracking Data --
	CVE-ID: CVE-2008-1447 (MS08-037)
	CVE-ID: CVE-2008-1454 (MS08-037)
	CVE-ID: CVE-2008-1435 (MS08-038)
	CVE-ID: CVE-2008-0951 (MS08-038)
	CVE-ID: CVE-2008-2247 (MS08-039)
	CVE-ID: CVE-2008-2248 (MS08-039)
	CVE-ID: CVE-2008-0085 (MS08-040)
	CVE-ID: CVE-2008-0086 (MS08-040)
	CVE-ID: CVE-2008-0106 (MS08-040)
	CVE-ID: CVE-2008-0107 (MS08-040)

	-- Threat Matrix --
			U	O
	Home User	10	10 (Highly Critical)
	Corporate	10	10 (Highly Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	$1 Million gets you International Hacking Capabilities

A recent briefing by the US Department of Homeland Security has thrown  
up some interesting figures about the level of online attack  
capability that a number of designated terrorist organisations are  
believed to possess. What is somewhat surprising is the level of  
capability being claimed for a relatively low level of investment.

That a number of these organisations are developing an ability and  
commensurate plans to target online services and data stores is not a  
surprise. After all, online attacks represent almost the perfect form  
of attack - significant short to medium term effect for almost no  
personal risk, easy to set up and administer and have effects far  
beyond the immediate region.

Figures were quoted in the report for Hezbollah, which is estimated to  
be devoting almost $1 million of the estimated $60 million annually  
that it receives to electronic warfare. From that amount it has  
apparently developed the capability to tap and monitor / hijack fiber  
optic networks, though it could be assumed that much of whatever  
capability they have has come direct from their state sponsors (Syria  
and Iran).

While people are coming to rely upon the Internet as an essential  
service, it wasn't all that long ago that there was no real level of  
interconnection as such and so the wider community probably won't be  
too greatly affected by an attack on an individual level. Communities  
as a whole may suffer due to outages with essential services and  
service providers that may be relying upon the Internet for operations.

How the terrorist organisations compare to the existing spam networks,  
Russian and Chinese controlled botnets, and system and software  
updates going awry remains to be seen. Perhaps now that Information  
Security threats have been linked with terrorist groups, the  
Information Security field may start to see some of the funds set aside to  
combat terrorism.


2.2	Online Attacks for Political Reasons

It seems that the only time that state-sponsored online attacks are  
covered in the media is when someone wants to create a short term  
scare campaign that is focussed on driving business to a company, or  
on increasing funding or perceived relevancy for a government agency  
or group of agencies. Perhaps the best known case in the last few  
years was in Estonia, though there remains contention about who  
exactly was behind the attacks. Even though the official story is that  
an ethnic Russian in Estonia was responsible, there are those who  
still believe that the attacks were coordinated and managed from Russia.

State sponsored attacks are always guaranteed to attract interest, but  
the idea of semi-state and stateless organisations developing online  
attack capabilities for political goals is also starting to attract  
attention. With many of the groups that have openly admitted to  
developing such capability already engaged in open attacks in other  
environments and many also attracting designation as 'terrorist'  
groups, an online attack that is claimed by or attributed to one of  
these groups is considered far more likely than a state-sponsored  
attack. While the technology and methods used may be no different from  
those used in spam, phishing, and other online criminal activity, it  
is the political intent behind their use which places them in a  
separate class.

Supporting this argument are a number of claims by different terror  
groups that they have access to an electronic attack capability  
surfacing in recent weeks and months. These claims are actively  
promoted by the groups, who argue that it allows them to level the  
playing field against their opponents and, more importantly for them,  
it provides a means to disrupt their opponents without significant  
risk to themselves.

Even though online attacks offer far less personal risk to the  
instigators, there are still some global regions where this is not the  
case. Earlier this year Israel killed a Palestinian believed to have  
been in charge of the online attack element for a Palestinian militant  
organisation, but this is probably the only global region where an  
electronic attacker may be at significant personal risk.

India is the latest country to join the ranks of those accusing China  
of attacking their internal networks and systems. This accusation is  
more significant than most, given the geographic proximity of the two  
countries and their historical military and political tension  
(including two current disputed regions and a number of historical  
armed conflicts).

It will be interesting to see how the two most populous and rapidly  
developing countries in the world handle this sort of activity and how  
each responds to claimed attack and counter attack, given that the  
attacks may be attributed to state-sponsored, semi-state, and  
stateless bodies in varying proportions. Though the scale of the  
attacks is relatively small, given the overall size of both countries,  
the economic and technological boost that has been delivered with the  
outsourcing industry means that some of the juiciest targets in India  
are actually datasets belonging to foreign companies.

There is no sign that these sorts of attacks will increase in scope  
anytime soon, but it is something to consider with data security  
concerns - especially in an outsourced environment. You might wake up  
one day to find that your data is being held ransom or under attack by  
an external party that is actually targeting your supplier and not you  
directly. That is cold comfort for the people whose data lies within  
that dataset and it will be you ultimately held responsible for its  
safety.


2.3	You can Only Blame Technology so Often

Is the latest defence against embarrassing or criminal emails, text  
messages, and Internet activity that a hacker did it? Detroit's Mayor  
is currently the subject of a lawsuit alleging that he and a former  
aide conspired to lie under oath in a previous investigation.

That in itself isn't too much out of the ordinary, but the Mayor's  
lawyers are arguing that allegedly incriminating text messages that  
are supposed to have been sent between the parties were actually the  
work of hackers.

It is assumed that the text messages will provide sufficient evidence  
of guilt but it does make for an interesting defence tactic to prevent  
the release of the messages. What it leaves most people with is the  
impression that the text messages will implicate the Mayor and his  
aide and that it is a wildly speculative attempt from his defence  
lawyers to avoid them having to be shown in court.

It has been pointed out that while it is technically feasible to have  
had hackers create the messages, it is fairly straightforward to  
correlate messaging activity with other events on the Mayor's  
schedule. A further reason why the defence lawyers seem to be pushing  
hard to suppress release of the records is the belief that the  
messages are the key component to the prosecution's case, and without  
them the case will fail.

Making matters worse, when it can be shown that there is a reasonable  
assumption that the person involved has actually been the victim of a  
malware author / hacker, such as the Julie Amero case, it can be  
difficult to convince people that it actually is the case.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,  
in conjunction with the tools developed by Jongsma & Jongsma Pty.  
Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.

