Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page cannot be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists.
Of Killbits and BlackWorm - 30 January 2006
Sûnnet Beskerming security researchers have achieved another remarkable success in the last few days. Over the weekend, news started appearing via US-CERT, the ISC and SecurityFocus, of a problem with Internet Explorer's method for deactivating vulnerable ActiveX components. Basically, the 'killbit' method used by Microsoft to disable the calling of certain ActiveX controls could be bypassed through the use of a malicious web page. Sûnnet Beskerming provided this information to the Sûnnet Alert mailing list subscribers in mid-September 2005, along with updated releases as more information came to hand, more than four months before it was noticed by other agencies.
ActiveX controls can be dangerous because they hook directly into the underlying Operating System and can be fully commanded by a remote attacker, providing an easy means to compromise a system without the need to download additional files.
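The killbit mentioned above is a per-CLSID registry flag, and an administrator who has pushed killbits out after an advisory wants to confirm they actually landed. The following is an added example, not code from the newsletter or from Microsoft: it audits a regedit export for the documented killbit layout (one key per CLSID under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, holding a DWORD 'Compatibility Flags' whose 0x400 bit disables the control). The .reg text and the CLSIDs in it are constructed placeholders.

```python
r"""Audit a regedit export for Internet Explorer ActiveX killbits.

Added example; not code from the newsletter. Assumes the documented killbit
layout: one key per CLSID under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility holding a
DWORD 'Compatibility Flags' whose 0x400 bit disables the control.
SAMPLE_REG is constructed input with placeholder CLSIDs.
"""

KILLBIT_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400

# Constructed sample in the format regedit's "Export" produces (placeholder CLSIDs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def parse_killbits(reg_text):
    """Return {CLSID: Compatibility Flags} for every CLSID key under the killbit path."""
    flags = {}
    current = None
    prefix = KILLBIT_PATH.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                current = key[len(prefix):].upper()   # the CLSID, e.g. {xxxxxxxx-...}
                flags.setdefault(current, 0)          # key present, value may be absent
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split("dword:", 1)[1], 16)
    return flags


def killed_clsids(reg_text):
    """CLSIDs whose killbit (0x400) is set in the export."""
    return sorted(c for c, f in parse_killbits(reg_text).items() if f & KILLBIT_FLAG)


def missing_killbits(reg_text, required):
    """CLSIDs from `required` (an advisory's list) that the export does not kill-bit."""
    flags = parse_killbits(reg_text)
    wanted = (r.upper() for r in required)
    return sorted(c for c in wanted if not flags.get(c, 0) & KILLBIT_FLAG)


if __name__ == "__main__":
    print("killed:", killed_clsids(SAMPLE_REG))
    print("missing:", missing_killbits(SAMPLE_REG, ["{22222222-0000-0000-0000-000000000002}"]))
```

A real export from regedit is UTF-16 with a byte-order mark, so read it with that encoding before handing the text to `parse_killbits`. The check only tells you whether the flag is set; as the newsletter notes, a set killbit was not a complete defence against the bypass discussed.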
An 'average' computer worm infection might result in the victim's computer being controlled through IRC to send spam, and in various pieces of malware being installed to capture logins and passwords; this is probably the most significant threat facing Windows PC users. Recently, a new worm has emerged, originally dubbed 'Nyxem' but now commonly known as 'BlackWorm', which uses standard mechanisms to spread and infect systems but which carries a payload that will cause major problems for infected users.
Designed to delete or modify DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files on all available (including network) drives, the worm activates this nasty capability on the third of February, and repeats on the third of every subsequent month. While this sort of activity will be distressing for users who are infected on standalone systems, businesses that are infected could face a catastrophic outcome if the worm manages to penetrate their network.
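A payload that fires on a fixed date against a fixed list of document types leaves a recognisable mark: a large share of those documents changing or vanishing within a short period. The following is an added example, not the newsletter's code and not an anti-virus product's logic: a baseline-and-compare integrity check over the extensions listed above, with a threshold alert for mass change. The `demo()` scenario writes constructed files into a temporary directory.

```python
"""Baseline-and-compare integrity check for the document types BlackWorm targets.

Added example; not the newsletter's code. A first run records a SHA-256 per
file with a targeted extension; a later run reports what was modified or
removed, and raises an alert when a large share of documents changed at once,
which is what a destructive payload firing on a trigger date looks like.
The demo() scenario is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every targeted document under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Documents whose content changed, and documents that disappeared."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "removed": removed}


def mass_change_alert(report, baseline_size, threshold=0.5):
    """True when at least `threshold` of the baselined documents changed or vanished."""
    if baseline_size == 0:
        return False
    changed = len(report["modified"]) + len(report["removed"])
    return changed / baseline_size >= threshold


def demo():
    """Constructed scenario: three documents; two get overwritten, one is deleted."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.doc", "b.xls", "c.pdf", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"original " + name.encode())
        before = build_baseline(root)          # notes.txt is not a targeted type
        for name in ("a.doc", "b.xls"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"overwritten")
        os.remove(os.path.join(root, "c.pdf"))
        report = compare(before, build_baseline(root))
        return report, mass_change_alert(report, len(before))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to disk (JSON is enough) from a scheduled run, and the comparison run on the mornings that matter; the threshold separates a payload from ordinary day-to-day editing of a handful of files.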
The nasty payload has seen a massive coordination effort from security companies, malware researchers and ISPs to identify and notify infected clients. For such a destructive worm, the global rate of infection is still in the low hundreds of thousands (at the time of writing), although the counter being used to track infections shows over 4 million, due to a suspected Denial of Service attempt from one or more individuals.
The ISP which hosts the counter has been supplying logs to the coordination effort, and it has provided a unique look at the nature of the infection spread. While fewer than a thousand Australian systems have been infected, countries such as Malaysia (over 7,000), Mexico (over 2,000), China (over 2,000), Greece (over 4,000), Turkey (over 15,000), and the United States (over 15,000) have been hit worse. Italy, Peru and India appear to have been worst hit, with over 22,000, 54,000 and 80,000 infections, respectively. It is possible to surmise that some countries with smaller online populations but high infection levels were involved in the original outbreak, and that others contain a number of significant infection clusters (such as Government departments that are uniformly infected).
With the increased reporting on the worm, the active efforts from anti-malware providers, and the coordinated effort to identify, notify and quarantine infected systems, the spread of BlackWorm is expected to slow significantly. Should the coordinated notification effort be ceased, there is a fair chance that infection rates will rise, and there is a question of resource effectiveness should multiple new worms / malware threats arrive which have similar malicious payloads, or which do not report as easily to a single central location.
BlackWorm isn't the only new oddity to appear via email over the last couple of weeks, with numerous reports being seen of empty emails. These appear in inboxes as completely empty emails, with no sender, no subject, and no body. As there is no content to check against, some spam filtering software will not prevent the transmission of these empty messages, and they have been an interesting addition to many email inboxes. The first of these empty messages started to appear in late 2005, and it is believed that it might be the result of misconfigured, or otherwise poorly created, automated spamming software.
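Because these messages carry nothing for a content scorer to score, the simplest handling is a rule in front of it that recognises the shape itself: no sender, no subject, no body text. The following is an added example, not the newsletter's code and not any mail filter's rule: it parses raw message text with Python's standard library and returns a verdict. The messages in `SAMPLE_MESSAGES` are constructed.

```python
"""Flag 'empty' messages: no sender, no subject, no body text.

Added example; not from the newsletter or any mail filter product. It parses
raw RFC 822 text with the standard library and returns a verdict, so the rule
can sit in front of content-based spam scoring that has nothing to score.
The messages in SAMPLE_MESSAGES are constructed.
"""
import email

SAMPLE_MESSAGES = [
    # transport headers only: no From, no Subject, empty body
    "Received: from mx.example.test by mail.example.test (constructed)\n"
    "Date: Mon, 16 Jan 2006 10:00:00 +0000\n"
    "\n",
    # ordinary message
    "From: alice@example.test\nTo: bob@example.test\nSubject: lunch\n\nNoon?\n",
    # null sender, blank subject, whitespace-only body
    "From: <>\nSubject: \nTo: bob@example.test\n\n   \n",
    # blank headers but a real body: not 'empty'
    "Subject: \n\nPlease call me back.\n",
]


def _body_text(msg):
    """Concatenate the decoded text of every leaf part."""
    if msg.is_multipart():
        return "".join(_body_text(part) for part in msg.get_payload())
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", errors="replace")


def classify(raw):
    """Return 'empty' for a message with no sender, subject or body text, else 'ok'."""
    msg = email.message_from_string(raw)
    sender = (msg.get("From") or "").strip()
    subject = (msg.get("Subject") or "").strip()
    body = _body_text(msg).strip()
    if sender in ("", "<>") and subject == "" and body == "":
        return "empty"
    return "ok"


def classify_all(raws):
    return [classify(r) for r in raws]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_MESSAGES, classify_all(SAMPLE_MESSAGES)):
        print(verdict, repr(raw[:40]))
```

The null sender `<>` is treated as absent because legitimate bounce messages use it; the rule still requires the subject and body to be blank before it fires, so real bounces (which carry a body) pass through.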
It has been another bad week for identity theft / loss of privacy data cases, with several moderate sized data losses. Notre Dame University discovered that a system which had been used to manage fundraising efforts had been compromised, exposing the credit card details and Social Security Numbers of numerous donors. While the compromise alone is a problem, it may have been actively compromised since November without being identified.
A three month period where compromise may have taken place almost appears reasonable, as Kansas State University found recently. They discovered that a system that was being used to handle applications for Student Housing had been actively compromised for more than four years. This exposed Social Security Numbers and other sensitive information about applicants.
Identity theft cases didn't just affect American Universities, with more than 350,000 people in the states of Oregon and Washington having their medical histories stolen following a car break-in. The records were stored on backup tapes and disks, which were being kept in the vehicle as part of the affected company's disaster recovery planning. While the tape data was encrypted, the much easier to read disk data was not. In addition to patient personal data, specific medical and insurance data was part of the record. Almost 250,000 of the patient records also had Social Security Numbers recorded, and some even had financial information.
Sick people and students can take comfort in knowing that almost 250,000 customers and financial advisors linked to Ameriprise Financial (a financial services company spun off from American Express) had their records stolen when a laptop containing the data was stolen from an Ameriprise employee's car in December 2005. Ameriprise considers it unlikely that the theft was targeting the information, and that the subsequent risk of exposure is low. The US state of Rhode Island is also facing difficulties after more than 50,000 credit card details, which had been stolen from an online Government services gateway, were discovered on a Russian site.
As part of plans to improve the laws related to Computer and electronic data security in the United Kingdom, the proposed revised Police and Justice Bill seems to have erred too far on the side of caution. In what is believed to have been an attempt to make possession of certain software tools the equivalent to being in possession of a safecracking set, the proposed laws include elements designed to stop the development, distribution and possession of 'hacker tools'. What is a 'hacker tool' is not explained, but should the relevant section of the proposal make it into law, then it will make a lot of System Administrators, Networking Administrators and Security Researchers very worried.
Complaints are being seen from UK researchers who claim that this will prevent them from understanding how the hackers are attacking their systems, and what capabilities the tools provide to the hacker. Network and system defences will become reactive, forced to respond to attacks rather than to researched vulnerabilities. A lot of the tools in use by hackers and legitimate users are the same; it is just a matter of permission and ownership of the systems they are being used on.
A number of countries are currently evaluating the possibility of establishing national ID card systems, including the UK and Australia. Supporters of both sides of the argument have been quite vocal with publicizing their opinions, and an interesting voice has been added to the mix in the argument over the UK's proposed ID card. The Register has reported on the UK's IT trade association, Intellect, which has come out with a fairly pointed press release which calls on the Government to pay more attention to components of the IT services and product delivery chain which have routinely suffered in the past.
One interpretation of the report is that it is a damning accusation that the Government is to blame for the recent spate of public IT expenditure failures, and risks the same happening with the ID card implementation. This statement also comes after the industry has borne most of the public condemnation for previous failures.
What was surprising about Apple's recent announcement of Intel based Macintosh systems being available for purchase now was that it was less than 12 months since the initial announcement of the shift to Intel (although the rumoured Marklar OS X Intel version was confirmed as having existed for several years), and a lot earlier than anyone expected, given that the initial announcement was that the systems would be available in 2006. A number of review sites have already received their systems and have been putting them through their paces.
Early results suggest that the initial round of system delivery is not comprised of production machines, given the relatively poor internal hardware layout when compared to pretty much any production Macintosh from the first Mac. Difficulties have been reported by reviewers who have attempted to install Microsoft Windows for a dual boot experience, reporting that the Windows boot media isn't responding to the various boot methods available to the machines.
You Did Not Find This - 23 January 2006
A handful of security companies have recently turned their focus to the hidden menace behind the anti-spyware companies that advertise through deceptive website banners or popups, largely affecting Microsoft Windows-based systems. The general trend found is that these software tools tend to be extremely ineffective at identifying spyware, preferring to overhype non-threats, and forcing users to pay for a licenced copy before being able to remove any of the infections. Unfortunately, in most cases, the tools are not capable of removing any actual spyware, and tend to install more malware than they ever remove.
Removing the tools themselves is not as easy as deleting them, with hidden files, unmodifiable registry entries and other nasty components. What might help users once they end up with more legitimate spyware removal software, is that there only appears to be a handful of base applications being used to generate the multitude of fake antispyware software, which will make it easier to detect and eventually remove with a proper tool.
Following Microsoft's WMF patch release for their Vista Beta users, it seemed that more than the usual number of complaints were being put forward by users and observers. An expected percentage were criticizing Microsoft as they do normally, patch or not, but a not insignificant percentage seemed to be from dedicated Microsoft software users, especially the Vista Beta users.
A lot of the complaints were based around the perceived inability for Microsoft to develop a secure Operating System despite claiming for several years that Security is the biggest focus from Microsoft. This includes the code for their next generation Operating System (and also patches to their existing systems). Concern was raised about the actual level of improvement that Vista will bring to the market when it is released later in 2006, and just how much other legacy software was hidden within the system - leaving it vulnerable. Others postulated that if this incident was to be considered on a par with how it affected other Windows versions, then there are likely to be a number of very dangerous vulnerabilities within Vista which will be discovered and exploited by hackers.
Microsoft have also published the expected release date for the next major service pack to Windows XP (SP3), which will be in the last half of 2007. Interestingly, this is after the expected release date for Windows Vista, which is scheduled for the second half of 2006. Quite a number of Microsoft observers believed that SP3 for Windows XP would have arrived this year, or have even been released by now, and there are some murmurs from disaffected users who are feeling slighted that their security is being sidelined for the purpose of a new product arriving on the market.
Unlike SP2, SP3 is not expected to include any new functionality, but instead represent an amalgamation of the intervening security patches and minor updates, providing users with a suitable baseline for maintaining their systems. Historically, Microsoft's Service Packs for their next-to-last Operating System tend to dry up after the release of the next generation system, which means that the imminent arrival of Vista is likely to reduce the focus on Windows XP. When compared against the earlier reported data which indicates the extended support for Windows XP, it is possible that this will be one of the last, if not the last, Service Packs for Windows XP.
This reduction in the number of Service Packs is not as much of an issue as it once might have been, as the monthly 'Black Tuesday' security patch release has provided a means for Microsoft to provide essential updates which otherwise would have had to wait to be released in a Service Pack.
Enterprise Database vendor Oracle has faced more public humiliation when a handful of security researchers publicly released information about the vulnerabilities which were fixed with the latest patch release from Oracle. It was claimed that the vulnerabilities patched were discovered and alerted to Oracle hundreds of days prior to their eventual patching. The most recently discovered vulnerability was only 190 days old, while the oldest was almost 900 days old, with most of the identified vulnerabilities around 900 days post-discovery.
The value of data held in Enterprise class databases became a huge issue towards the end of the week, when it was revealed that a number of the major US-based search engines were subpoenaed to provide search records for arbitrary periods of time. Yahoo!, MSN and AOL were reported to have complied with the subpoena and provided the requested records, while Google initially refused to comply. Google has since been sued by the US Attorney General, through the courts, to supply the records initially requested.
Numerous sources cite the subpoena as requesting search records for certain periods of time (a million random addresses over a week in Google's case) in order to help test the scope and validity of the US Child Online Protection Act (COPA). While privacy and online rights advocates were cheering Google's refusal to hand over records, it is considered more likely that the decision was made for business reasons rather than concern for privacy or online rights.
Based on the available information regarding the subpoenas, many observers are having difficulty working out exactly how anonymous search engine records can identify the age of the user submitting the request, and whether the results returned are part of a set that the user was expecting. At the least, it would require manual confirmation whether the end address visited was providing pornographic content to minors.
The move by the US Government is being widely regarded as nothing more than a 'fishing expedition', where they are trying to establish stricter control over online pornographic content, through the auspices of the COPA.
Many of the observers are concerned about the attempts to secure records, and about the other providers that have provided details, as many have experienced first hand how sometimes the results being returned are not the sort of results they are really after, or should be looking at. They are especially concerned about how such a search result can be misconstrued, especially over a medium which does not indicate intent.
Google has also made the news with its refusal to comply with US ISP, Bell South's, demands that content providers are to pay for the entry of their data to the ISP's network. The refusal is based on the position that end users should already be supporting the cost of the networks, and it is not up to the content providers to further subsidise them. When the issue was first raised, that Bell South was proposing to charge content providers, the common perception was that it was a move to restrict the proliferation of VoIP service usage, which was suspected to be impacting on Bell South's other service offerings.
While Google may have acted to maintain the status quo in the above two cases, they have quickly found themselves in the position that they wield an immense power in the online world. While there are other search engines and service providers, none carry the kind of mindshare that Google does, and none are watched closely as a barometer for future trends as Google is.
It has been suggested that if Google's decisions on the above two cases were reversed, then it would provide a much greater backing than that which a comparably valued company would provide. It would also have had the effect of establishing artificial barriers to entry for companies that are seeking to establish themselves in dependent niches. If Google and other high powered tech stocks decided to form political lobby groups, it is considered that any effort they backed would almost certainly be well received.
Botnets generated from systems compromised through the recent WMF Windows flaw (patched with MS06-001) are believed to be coming under active control, at least according to one security researcher. This news is not surprising given that the WMF flaw was being compromised with active malware from the earliest days of discovery.
Normally controlled through IRC commands, systems infected from the same site, or by the same variant of attack via different sites, will form part of a loose network which can be managed by a hacker (or group of hackers) for their own ends. It is expected that these new botnets will soon be spewing spam and being used as the launching pad for phishing attacks or new email worms. Users whose systems are already compromised or part of other botnets (via other infection mechanisms) might find their systems becoming unresponsive as the various malware infections fight it out for control of the system.
While it is not related to the WMF flaw, Anti-Virus software maker, F-Secure, has released a set of patches for almost their complete range of products due to a flaw identified with the handling of ZIP and RAR archive scanning. The flaw could lead to a hacker being able to execute code of their choice on a vulnerable system. In addition to the arbitrary code execution issue, it is possible to provide archives which can not be scanned properly, potentially allowing malware that otherwise would have been stopped to pass through the software defences. Users of F-Secure software are advised to apply the appropriate patches as soon as possible.
After a number of months of waiting, Australian iTunes Music Store (iTMS) visitors now have the opportunity to purchase music from Sony/BMG. Sony/BMG was the primary major music licenser that was missing from the original Australian and Japanese iTMSs. It is not believed that any artists broke their contract to sign independently with the iTMS in Australia, unlike a number of Sony artists in Japan. The addition of the last major licenser means that the obvious holes in the iTMS music offerings have largely been filled.
Privacy Matters - 16 January 2006
The recent problems with the WMF image format, which led to Microsoft releasing an out of cycle patch a couple of weeks ago, have impacted on Microsoft's next operating system, Vista, even though it hasn't been released yet. Patches have been released for the Beta users of Vista, to help keep their installations secure from the image handling vulnerability. The previous information available about the flaw did not mention Vista as being vulnerable, and it is an early bloody nose for the new Operating System, which is said to be the most secure that Microsoft has ever developed.
The lack of a patch for Windows 9x derived Operating Systems for the same vulnerability has concerned some users, given that they have various requirements to keep older systems running on deprecated software. Microsoft have justified the lack of a patch by explaining that the only exploitation route on these older systems requires a user to print a document / image which makes calls to the vulnerable functions, and that the functions cannot be reached from other system actions.
An article was published last week in which it was claimed that the original WMF vulnerability was an intentional backdoor installed by Microsoft into their systems to allow certain parties unrestricted access to systems. Unfortunately for this argument there are several facts which negate it. Firstly, if it is a backdoor into a system, it is somewhat odd, as it requires the user to have some level of interaction with the vulnerability in order for any exploit to take effect (that is, it cannot be fully automated). Secondly, software which recreates a number of Windows APIs under Linux, such as WINE, also demonstrates the WMF vulnerability. This negates the original claims because the WMF support in that software was developed from the original API specification. This means that the root cause for the vulnerability lies in the API specification, which is not a normal place for hidden backdoors to be specified.
Good news, however, for users of Microsoft's current Consumer / Pro Operating System Windows XP, with publication of information on Microsoft's extension of support for their current Operating System version (XP). Normally mainstream support would have ended on December 31, 2006, but due to the delays that have been encountered with releasing the next version of Windows (Vista), this date has been extended to an unconfirmed date two years after the release of Vista. Mainstream support means Microsoft will continue to supply security patches and hotfixes for the software until the end date, and Extended support for business users will continue for another five years beyond that (continuing to supply hotfixes).
A US High School student has discovered to his detriment that certain forms of online pranking can have serious real world outcomes. The student is being charged with a felony for encouraging other students to continually refresh their school's public website in their Internet browser, in order to deny service to other site visitors (or even to cause the site to crash). Ultimately, what the student encouraged was a distributed Denial of Service (DDoS), whereby numerous requests are sent from a wide variety of Internet addresses, ultimately preventing legitimate users from accessing a website. Due to the large number of source IP addresses, this sort of attack is very difficult to defend against.
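The defensive difficulty described above is that no single source stands out, so a per-address rate limit never fires. What does stand out is the aggregate: one URL requested far more often than usual, from many addresses at once. The following is an added example, not the newsletter's code and not any web server's rate-limiting module: it reads access log lines in the common Apache 'combined' format, keeps a sliding time window per client address and per requested path, and reports both a single noisy client and a path being hammered from many addresses. The log lines are constructed, using documentation address ranges.

```python
"""Spot request floods in web server access logs, per source and per URL.

Added example; not from the newsletter. It reads Apache/NCSA 'combined'
format lines (assumed to be in time order, as a live log is), keeps a sliding
time window per client address and per requested path, and reports either a
single noisy client or a path being hammered from many addresses at once
(the 'everyone refresh the page' case). Log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def build_sample_log():
    """Three addresses each request '/' eight times in eight seconds, plus one normal hit."""
    lines = []
    for sec in range(8):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(f'{ip} - - [09/Jan/2006:10:00:{sec:02d} +0000] '
                         f'"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"')
    lines.append('198.51.100.7 - - [09/Jan/2006:10:00:30 +0000] '
                 '"GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"')
    return lines


def parse_line(line):
    """Return (client_ip, timestamp, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, path


def detect_floods(lines, window_seconds=10, per_source=20, per_path=20):
    """Return {'sources': {ip: peak}, 'paths': {path: {'requests': peak, 'sources': n}}}.

    'sources' lists clients that alone exceeded per_source requests in the window;
    'paths' lists URLs that received per_path requests in the window from any mix
    of clients, with how many distinct clients contributed.
    """
    window = timedelta(seconds=window_seconds)
    by_source, by_path = defaultdict(deque), defaultdict(deque)
    sources, paths = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        q = by_source[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop requests that fell out of the window
            q.popleft()
        if len(q) >= per_source:
            sources[ip] = max(sources.get(ip, 0), len(q))
        pq = by_path[path]
        pq.append((ts, ip))
        while ts - pq[0][0] > window:
            pq.popleft()
        if len(pq) >= per_path:
            prev = paths.get(path, {"requests": 0})["requests"]
            paths[path] = {"requests": max(prev, len(pq)),
                           "sources": len({src for _, src in pq})}
    return {"sources": sources, "paths": paths}


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

With the defaults the per-source check stays silent (eight requests each), while the per-path check reports 24 requests to `/` from three distinct clients inside the window; that second signal is the one to alert on, and, for a static page, the one that justifies serving it from a cache or a separate host while the flood lasts.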
It is reported that the student's intent was to cause an outage of the school's website, but it is debatable whether he should have been charged with a felony for the case (perhaps a stern warning and a suspension from school would have been better). Online rights activists are all riled up over the case, with many claiming that by simply refreshing a webpage (which many would do anyway), it now makes them a criminal.
The above case alone wouldn't have stood out, except for new laws being passed in the United States which makes various forms of online stalking illegal. While the concept is well intentioned, the implementation probably doesn't take into account some of the finer points of how the Internet works. Even posting to a newsgroup or web forum could become illegal under these new laws.
To finish up the concerns over privacy, an ex-NSA employee went public about surveillance programs that the US was said to be running against its own citizens. With claim and counterclaim being thrown about with regards to the veracity of the ex-employee's claims, the mere publication of them throws up a range of concerns about the information gathering capabilities of a range of three letter agencies and also how those capabilities have been used against the people they are meant to protect. Some observers have even gone so far as to claim that a new form of McCarthyism has started to emerge amongst the agencies and Governments monitoring online activities.
Although the ex-employee claims that what he has released is at an appropriate classification level, observers who subscribe to the 'tip of the iceberg' approach were sent into a flurry of speculation as to what else the NSA is currently capable of doing, and what it is actually doing.
In the latest loss of identity data from a hotel group (following on from the Marriott losses), the Atlantis Resort in the Bahamas has disclosed that 50,000 identity records were stolen from a hotel database. No timeframe is given for when the compromise took place, but the resort has committed to providing 12 months of credit monitoring for affected individuals, has commenced notifying each person who was affected, and is working with law enforcement agencies to investigate the matter.
An attack directly against a target can sometimes net better results. A Credit Union in the United States had its website hacked recently, resulting in the theft of tens of thousands of US Dollars from Credit Union clients. The hack was achieved by redirecting the login script on the official site to a site in Greece which had been set up to mimic the look and feel of the legitimate banking solution. Because the implicit trust was already there (having logged on through the legitimate Credit Union site), clients were more inclined to believe the site even though it didn't appear exactly as the official site did.
The Credit Union was forced to take down their site while the issue was being resolved, and has also taken a credibility hit over the attack. Information Security company Sunbelt has also provided in-depth details of some malware which redirects requests for a number of financial institutions to an excellent forgery of their sites (one that would be very difficult to tell apart from the real thing), while the URL address bar still shows the legitimate address.
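The Credit Union compromise is the kind of change a site owner can catch from the outside: a login page whose form, script, frame or refresh target points at a host that is not their own. The following is an added example, not the newsletter's code and not the Credit Union's own monitoring: it parses a login page with Python's standard library, resolves each such reference against the page URL, and lists those that leave the site's host (or an explicit allow list). The page fragment and the host names in it are constructed.

```python
"""Check a login page for forms, scripts, frames or redirects pointing off-site.

Added example; not from the newsletter or the Credit Union concerned. It parses
page HTML with the standard library, resolves every reference against the page
URL, and lists those whose host is neither the page's own nor an allowed one.
PAGE_URL, SAMPLE_HTML and the host names in them are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://www.creditunion.example/login"

SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<meta http-equiv="refresh" content="0;url=http://www.creditunion-secure.example/login.php">
</head><body>
<form action="/auth" method="post"><input name="user"></form>
<form action="http://www.creditunion-secure.example/login.php" method="post">
  <input name="user"><input name="pass" type="password"></form>
<iframe src="https://cdn.creditunion.example/banner.html"></iframe>
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collect (kind, url) for the tags that can hand a session to another host."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                self.refs.append(("meta-refresh", content[idx + 4:].strip()))


def offsite_references(page_url, html, allowed_hosts=()):
    """Return [(kind, absolute_url, host)] for references outside the page's host."""
    collector = _RefCollector()
    collector.feed(html)
    own = urlparse(page_url).hostname
    allowed = {own, *allowed_hosts}
    hits = []
    for kind, ref in collector.refs:
        absolute = urljoin(page_url, ref)        # relative paths resolve to the page's host
        host = urlparse(absolute).hostname
        if host not in allowed:
            hits.append((kind, absolute, host))
    return hits


if __name__ == "__main__":
    for hit in offsite_references(PAGE_URL, SAMPLE_HTML, allowed_hosts=("cdn.creditunion.example",)):
        print(*hit)
```

Run against a fetched copy of the live page from a scheduled job, this turns a defaced login script into an alert within minutes rather than days. The allow list is deliberately explicit: a content delivery host you use belongs on it, and anything else pointing off-site deserves a look. It does not help with the Sunbelt-reported malware, which rewrites requests on the victim's machine rather than on the site.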
Finally, the first Apple Macintosh machines with Intel chips powering them are scheduled for shipping in February. Although Apple has said that they will not prevent anyone from dual booting Windows and OS X on the Intel-based machines, and Apple and Microsoft have agreed to a five year arrangement where Microsoft will continue to develop software for OS X, the first warning shot may have been fired back by Microsoft. Microsoft have announced that they are to cease development of the Windows Media Player for OS X. In its place, they have provided a link to a third party provider who has specialised in providing additional support for OS X users who require to play back Windows media content.
Still More Fallout - 09 January 2006
Information from Netcraft, which follows on from last week's news about the rise in the use of SSL protection for phishing attacks, is that their Toolbar has reached 12 months of age. A feature of this Toolbar allows expert users to identify phishing frauds, and the Toolbar then blocks the suspect sites for all other users. The statistics released by Netcraft show an almost tripling in the number of sites being identified as hosting phishing frauds for the closing months of the year, when compared to the first couple of months of its implementation. While this could be an indication of growing numbers of Toolbar users, it does match up with a more general trend of increased phishing efforts by the attackers, and is an interesting trend to ponder for the coming year.
Netcraft also took the opportunity to release figures outlining the total number of sites that they observe on the Internet, and the technologies which support them. Unsurprisingly, the total number of websites continued to increase, including the number of sites receiving active maintenance. An interesting observation from the results was a visible dip in the number of sites hosted on the Apache webserver software, which was matched with a corresponding rise in 'Unknown' hosting software. Netcraft explained this away as being due to a major US hosting provider changing their initial redirect software to an unknown product (postulated to be Apache, but currently unidentified). That such a noticeable change in the overall figures can be attributed to changes of operation from just one company speaks volumes about the effect that conglomeration of services can have on a system as large as the Internet.
Towards the end of the week early reports were received about new worms which are targeting the AIM network, and a worm which targets vulnerabilities in numerous Oracle products. While the Oracle worm is not self propagating, it is believed to only be a matter of time before it is. What may be more worrying for Oracle administrators is that the worm is an extension and redevelopment of an earlier worm, and has added numerous new features to improve its attacking toolkit.
Although Microsoft initially provided no timeframe for the release of a patch to fix their .wmf problems, that was quickly modified to a release with the January security patch release on 10 January, which was then modified further to an official out-of-cycle release on January 6. It has not been confirmed whether a leaked pre-release copy of the patch from Microsoft on January 5 was influential in ensuring the release of the final patch on January 6. If users have not already patched their Windows PCs, then they should as a matter of high priority.
Although Microsoft issued an out-of-cycle patch, arguments began to rage about the actual criticality and extent of the vulnerability and efforts to exploit it. Although a number of exploit vectors were being used actively, there was not a lot of mainstream exposure to these efforts, which led many to believe that the vulnerability was being blown out of proportion. One of the biggest fears, that an online banner ad hoster, such as Doubleclick, would start serving infected images, was almost a reality when a smaller banner hoster did start serving infected images across a range of sites. Some legitimate websites were attacked, and were modified to serve infected images, but were fixed fairly quickly. The vulnerability also made minor inroads through IM products and other lesser infection vectors.
In the end, the low level of apparent infection was most likely the result of a number of contributing factors. Firstly, the mass publication of exploit code and methodology came at a slow period, when most employees and vulnerable users would be away from their normal systems, limiting the rate of infections. Secondly, user input was required, even if it was extremely minimal (a number of infection methods displayed this). Thirdly, Microsoft released an out-of-cycle patch that came within a few weeks of the initial public disclosure, and was timed just as many companies were returning from their Christmas / New Year shutdown periods. Finally, the rapid response from the Information Security community ensured that administrators and security specialists were aware of the problems, how to mitigate some of the known attack methods, and what to do to prevent most of the common infection vectors.
The recent Sober computer worm variants were expected to activate in the last week and to try to contact a number of sites for possible updates or new commands. Given the early identification of this feature, and the widespread reporting at the time of the variant release, no reports were observed of network or system troubles due to the worms activating. Unfortunately for users who are still infected with this family of worm, their systems remain under the remote control of a hacker, and the worm will apparently try to contact a new (currently unknown) set of URLs in the next 14 days, and will continue the cycle into the future (for how long is not known).
US-CERT recently released figures for the number of vulnerabilities reported / released in 2005, which quickly drew sharp criticism from a number of observers for inaccurate reporting and a flawed accounting model. The report totaled 5198 vulnerabilities reported in 2005, with 812 targeting the Windows operating system, 2328 targeting all other operating systems, and 2058 affecting multiple operating systems.
Observers complained that the same vulnerability was sometimes counted several times as updates on the issue were provided, and was also counted once for each version / distribution of the various Operating Systems it affected (i.e. a single vulnerability could be counted as 1 for Windows, but 30 or more for everything else, due to the number of different distributions and Operating Systems it affects). They also complained that vulnerabilities in third party applications were counted against Unix/Linux/OS X systems but not against Windows systems; that the relative severity of the vulnerabilities was not assessed; and that the public release of an exploit and the time between disclosure and patch were also ignored.
After news from last year, when Yahoo! was accused of handing over privacy related information which resulted in the jailing of a Chinese journalist, the actions of an American company providing services to Chinese citizens has again been called into question. This time, Microsoft has drawn some unwanted attention following the removal of a blog belonging to a Chinese pro-democracy supporter after a number of bloggers at a competing Chinese service (Bokee) complained. It is not so much the removal of the blog which has upset people (which it has), as much as it was the supposedly arbitrary cessation of service without notifying the blogger or otherwise identifying intent of actions.
Efforts by various interested parties to discover Microsoft's motive for closing the account have seen an interesting statement released by Microsoft that they have to comply with the laws of the nations that they operate in, and countries such as China have unique requirements established in local law. This reasoning opens a new line of argument as to where the line is drawn for provision of services - if the service was being provided on US based systems, then which set of laws apply? If Microsoft's arguments are accurate, why was this particular user singled out for closure of his account, and pre-emptively closed without any request originating from the Chinese Government? Accusations, currently unproven, have even been leveled against the Bokee blogging service that it was behind the move to have the blogger's account closed.
Finally, following the small run of Identity data losses at the end of 2005, more news has filtered through of other cases from the same timeframe, including cases affecting Tax Specialists H & R Block, the University of San Diego (7,800), and Iowa State University (3,000). Most worryingly, in this last example, the University administration has indicated that it will not be pursuing the identity of the thief.
An Inauspicious Start - 02 January 2006
Although attacks and threats are beginning to rise in number and severity again, the Christmas period, and a few days either side, was observed with a minimum of fuss and arrival of new attacks. That pattern was disrupted in a bad way only a few days after Christmas, and it is likely to cause major headaches for Information Technology personnel long into the New Year.
As reported by CNN Money, the Ford Motor Company in the US has discovered that a system with identity information for up to 70,000 current and former employees has been stolen. Containing the names and Social Security Numbers, the information from the system is not believed to have made it yet into the market for Identity Theft. Ford has offered to pay for the affected individuals to obtain credit-monitoring services, and has involved the US Secret Service and the FBI in the investigation. The theft was believed to have taken place in late November.
The loss of information from Ford was not the only major Identity related data loss to happen at the end of 2005. The Marriott hotel chain has disclosed that they have lost track of a number of backup tapes which hold identity related information, including credit card data and Social Security Numbers, for more than 200,000 people who were partners, employees and customers of their Marriott Vacation Club International (MVCI) group. It is not known where the tapes were lost from (transit, storage or other), but the Hotel has offered to pay for credit monitoring services for the affected individuals (at $100 USD per individual, a cost of over $20,000,000 USD).
Identity theft wasn't the only Information Security issue to attract attention over the latter weeks of 2005. A small number of unique phishing attacks were launched which could have interesting outcomes.
Of interest are attacks against the National Australia Bank (NAB), and a Saudi Arabian bank. The NAB has implemented one of the better transaction verification procedures in Australia, using SMS messages to provide users with a code which must be used to complete online transactions, but this hasn't stopped it being the target of an attack which not only attempts to trick victims into supplying their banking login details, but also downloads and installs a keylogger onto the victim's computer. The Saudi Arabian phishing attempt had several noteworthy elements, including messages composed in Arabic, a plausible URL derived from the original bank's, and an explanation that it was linking to a proposed online IPO for an Industrial firm.
According to Netcraft, statistics gathered from their Netcraft Toolbar Community suggest that more than 450 phishing attacks in 2005 used SSL in one form or another to improve their effectiveness. Sûnnet Beskerming has been warning about this for some time, and Netcraft suggests it has been happening for quite a bit of time; it matters because the first step in educating users about phishing attacks is to get them to look for the https at the start of the URL, and for the lock icon in the corner of the browser window. The reasoning behind this advice is that the provision of SSL certificates by Certificate Authorities requires authentication of legitimate business details, which should remove phishers and other scammers from the process. In addition to the acquisition of SSL certificates, Netcraft identifies the use of XSS and browser vulnerabilities as the other primary methods by which phishing attacks appear to have SSL validity.
Moving away from phishing and Identity theft, one of the most interesting figures from the last twelve months has resigned from his post. The CIO of the US state of Massachusetts has resigned his position following what appears to have been a smear campaign against him. The CIO, Peter Quinn, gained fame for being instrumental in the state's move towards supporting the OpenDocument format over other proprietary formats for electronic storage of official state documentation. The state is expected to still implement support for the standard by 2007, but it is not known how the plan is going to move forward following the CIO's resignation. A poorly researched article in the Boston Globe that sought to get an official investigation launched into the CIO's travel claims, which were later shown to be legitimate, was said to be the primary factor behind the resignation.
The biggest threat to come out of the last few days, however, was the release of a new vulnerability affecting all Windows Operating Systems.
All versions of the Windows Operating System (including all Service Packs and patches) are vulnerable to complete compromise through the simple act of previewing, viewing or indexing a malicious image file. This vulnerability is currently being actively exploited through numerous websites (including through Internet banner advertisements on legitimate websites), spam email, and has started to spread to Instant Messaging services. Although the user is required to view / preview the file for the attack to work (such as in a webpage), automated indexing by Windows (or additional software) will automate the attack without user intervention. There are no solutions guaranteed to protect a system. There is no indication from Microsoft when this issue will be resolved.
Originally thought to be an Internet Explorer specific vulnerability, it has now been confirmed as a full Windows vulnerability, affecting all applications which make use of the specific GDI library (shimgvw.dll) to render images. This includes applications such as Internet Explorer, Outlook, Firefox, Opera, and Lotus Notes.
Although the particular vulnerability is in .wmf (Windows Meta File) type images, it has been observed that a range of image extensions (BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF) have been used to carry the malicious content onto systems. This technique works because Windows identifies a .wmf file type by certain 'magic bytes' towards the start of the actual file data, rather than by the file extension itself.
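As an added illustration (not code from the original report or from Sûnnet Beskerming), the following Python identifies a Windows Metafile from its header bytes rather than its extension, the same content-based identification the text describes, and flags files whose extension disagrees with their content. The header field values are those of the WMF format; the sample files are constructed.

```python
import struct

# Aldus "placeable" metafile key (0x9AC6CDD7 little-endian), so the first
# four bytes on disk read D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22


def looks_like_wmf(data: bytes) -> bool:
    """Identify a Windows Metafile from its leading bytes, ignoring the name.

    A placeable header (if present) is skipped, then the standard META_HEADER
    is checked: Type 1 (memory) or 2 (disk), HeaderSize 9, Version 0x0100 or
    0x0300. The file extension plays no part, as the text describes.
    """
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is WMF but the extension claims something else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return looks_like_wmf(data) and ext != "wmf"


# Constructed samples (not real captured files). STANDARD_HEADER is a minimal
# 18-byte disk metafile header: Type 2, HeaderSize 9, Version 0x0300.
STANDARD_HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
SAMPLES = {
    "diagram.wmf": STANDARD_HEADER,                       # honest WMF
    "photo.jpg": STANDARD_HEADER,                         # WMF disguised as JPEG
    "placeable.gif": PLACEABLE_HEADER + STANDARD_HEADER,  # placeable WMF as GIF
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,       # genuine JPEG SOI marker
    "short.png": b"\x89PN",                               # too short to be anything
}


def scan(samples: dict) -> list:
    """Return the sorted names of files whose content and extension disagree."""
    return sorted(name for name, data in samples.items()
                  if extension_mismatch(name, data))


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: WMF content behind a non-WMF extension")
```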
Working exploit code has been publicly released on the Internet, and multiple variations of the attack are already appearing, including one which can specifically avoid the majority of workaround / defences at this time. This latter variant appears to be very well designed, and may become the most prolific version over the next few days. It is also confirmed that this vulnerability is not related to the .wmf issues patched in the recent MS05-053 security patch.
Users who are infected may notice their Windows Picture and Fax Viewer application opening up to display a file (one of the first indications for some infection vectors). The issue has been deemed serious enough for the Internet Storm Centre to move to Yellow alert twice within the last five days (they only went to yellow once for the Zotob worms in August), and is drawing a lot of attention and concern from Information Security firms globally.
This is a major issue as it is currently unpatched and the workarounds being provided are not guaranteed to work. The Christmas - New Year holiday period ends this coming week for many businesses and schools (mainly Northern Hemisphere), which means that a large number of vulnerable systems are going to be connecting to the Internet and are more likely to engage in risky behaviour. As the vulnerability is being exploited by a range of methods including websites, banner advertisements, spam, images embedded in documents, P2P, and Instant Messaging (AIM, Jabber, MSN), there are numerous infection vectors possible.
Infection results are varied, but manual removal of infected software will most likely be extremely difficult, if not impossible to achieve. The safest course of action is to reinstall Operating System software following the release of an official patch, don't connect to the Internet in the meantime, and consider the use of an alternate Operating System which is not affected (such as Linux or OS X).