It's That Time of the Week - Where's My Column? - 10 April 2006

Previously regular readers would note that the regular column for this week has not appeared. This is because we have changed our approach to publishing and have started producing content on a more frequent basis. The second most frequent content that does not appear in our mailing list or on our new IT Toolbox blog, is posted here on Skiifwrald.com. If readers would like their additional fix, or more of what we write about, take a look at some of our other content that is available:

• Our IT Toolbox blog http://blogs.ittoolbox.com/security/edge/
• Free security mailing list http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com
• Hands on Information Security training and speaking engagements in Australia http://www.beskerming.com/training

    Microsoft 'Surprised' by 0.1% Infection Rate

Microsoft have been collecting information from their Malicious Software Removal Tool (MSRT) and their Windows Defender initiative and a recent statistic has 'surprised' them. After adding support for some malware that had been circulating since the middle of last year (a six month delay in recognition), they discovered that 250,000 systems out of the 250 million that had the MSRT installed were infected. While 0.1% does not appear to be a large amount, the raw figures are large. This goes to show that a piece of malicious software does not need to hit a large percentage of vulnerable systems to be numerically successful. Of more interest is the news that CME-24 (Blackmal) is still causing enough infections for 40,000 systems to require cleaning by the tool.

Fuzzy Wuzzy Was a Bear - 08 April 2006

    What is Fuzzing, and why do I need to know?

Fuzzing is the latest vulnerability discovery method to attract widespread attention from researchers and hackers alike. It is essentially the process of forcing an application or software function to accept input that may not be valid, in order to discover vulnerabilities related to input validation. Poor input validation can lead to a number of failures, from simple application crashes through to complete control of vulnerable systems.

One reason why it has attracted increased attention is that it is a fairly simple process to undertake. Increasing numbers of automated tools make vulnerability disclosure a point and click operation. This ease of operation means that some researchers look down on those who appear to do nothing else than point and click their way to vulnerability disclosure (and temporary InfoSec fame). Others have humorously opined that you aren't a real Information Security researcher unless you write your own fuzzing tool.

The rapid rise in web application development and usage, many of which are poorly coded, and increasing levels of networked / multi-user software which has not been designed with security in mind has seen an almost infinite number of opportunities for fuzzing researchers to find holes in critical applications. Tying sensitive personal and financial data to outward facing (Internet-facing) systems is even more incentive for attackers and researchers to find more holes.

    Should be a part of testing

A case could be made that a rigorous testing protocol for new code sections should include tests for handling of invalid and semi-valid input, to allow problems to be solved at development time. While standalone sections of code are relatively easy to test for input handling issues, when complex sections of code are linked together, strange input can come from unexpected places. What may pass as valid input for one section of the code might cause handling issues in code that is subsequently passed that input.

Development-time fuzzing helps to make for more secure code, though testing and Quality Assurance are the processes most likely to be overlooked in the march towards code release.

While it is fairly simple to truncate input of excessive length (one case of invalid input), it is harder to develop a whitelist of accepted character input, especially when support for international character sets and punctuation is required. For example, the humble apostrophe is one of the most dangerous characters when it comes to SQL injection opportunities. Content that the user supplies is not the only input that has to be considered - the validity of file data that is supplied should also be considered. If all it takes to wipe a server is a change to a single data file, then someone will find a way to do it.

As long as software is developed which handles input validation poorly, there will continue to be a need for fuzzing tools.

This Government's Security Brought to you by Microsoft - 05 April 2006

    Who don't you want to get in, today?

The Australian IT section has reported on the imminent announcement by the Australian Attorney General's Department that they have extended a 2003 agreement with Microsoft (the shared source agreement) to cover information security. The extended agreement claims to "help Australia tackle threats to 'national security, economic strength and public safety'",is similar to agreements held by the USA, Canada, Norway and Chile and will allow Microsoft staff to examine attacks against Australian government networks.

It will be interesting to see how the proposed data sharing works out, especially as Government agencies can be quite restrictive about sharing sensitive information with external bodies. The proposed advanced notice by Microsoft of upcoming updates and vulnerabilities being tracked (to allow the Government to plan and implement a response) introduces the dichotomy of all intelligence products - the more you share, the less useful it becomes.

Microsoft have been improving their security response timelines, but have still been hit with two 0-day exploit vectors in the last four months which this service would have done nothing to protect against (not many companies were placed for an immediate response, but some were), and which affected almost all Windows-based systems - the WMF vulnerability affected all the systems from Windows 95 through to Vista - all the systems which could connect to the Internet.

    Good News

The addition of community security awareness training is a good sign for some of the native Information Security companies, such as Sûnnet Beskerming (regarded by Microsoft as 'Security Experts'), that are likely to play some part in the eventual implementation of such training based on historical involvement with Microsoft Security events.

    What about the non Microsoft systems?

There is no indication as to the support or protective services that will be extended to non-Microsoft products. This could be a concern in the future as it is likely that there are still Government departments which have pockets of unsupported systems (i.e. Windows NT) connected to various networks, and other agencies of the Government have recently announced moves to centralise on non-Microsoft software.

In particular, the National Archives announced five days ago that it will standardise on OpenOffice.org 2.0 (OO.o 2.0) as its primary office file preservation format and that the OpenDocument Format will be the primary format used for archiving of electronic data (text, spreadsheets, charts and graphical documents).

Most of the government systems and interfaces that have successful attacks launched against them, and are known about, have been based on Microsoft technologies, which adds value to the extended agreement. The non-Microsoft based systems which have been successfully attacked may be left out in the cold as a result of this agreement.

Major data stores that rely upon Oracle, DB2 or other database platform (not MS SQL) could be overlooked even though they carry significant risk and recent history is suggesting that these are becoming the more valuable targets to attackers. For example, there are a number of serious Oracle issues that are evolving and have evolved recently almost on a par with MS SQL's historical 'sa' account.

It can not be realistically expected of Microsoft to provide security support and advice for these other systems and products. However, the reporting on the agreement makes it appear that they are supplying a 'Whole of Government' solution.

Different Looks & April Fools - 03 April 2006

Different Looks

Regular readers will note a different look for this column - formatting and posting frequency has changed. We have decided to provide readers a quicker turnaround on some of the stories and threats that we are tracking, and have moved from a primary weekly post, to a post probably once every 1-2 days - depending on news story frequency and importance. Our comment and analysis will lag what our paying clients receive by a couple of days but still represent an improved service over what was previously available.

April Fools

Though many sites vary in their observance of April Fool's Day, it does make it more difficult to filter the legitimate from the irrelevant in terms of Information Security research. News stories such as China purchasing Google, US President George Bush installing himself for a third term, and Duke Nukem: Forever is available for review are simple enough to pick out as being fake. However, there are many reports every day of the year which are difficult to interpret unless you are a subject matter expert on that particular technology, and even then there is no guarantee that you will be able to determine whether or not a claim is legitimate.

This has the unfortunate side effect that people readily dismiss what they do not know and prefer to remain ignorant of the real threats because they are unable to work out how something is happening - basically a return to the 'black box' method of operations. Most worrying is when this trend extends to companies that people rely upon for security or protection of their sensitive financial and personal data.

In research which has been correlated by Zone-h, the global authority on website defacement / digital attacks, Sûnnet Beskerming has observed that more than 80% of system administrators and webmasters tend to ignore reports of damage / attacks against sites that they are responsible for. Whether this is because the reports get eaten by spam filters or the administrators merely do not reply to notification is not known.

The more worrying statistic is that the next greatest percentage of administrator responses is to threaten and accuse those who report the damage of being responsible for the hack / defacement. Finally, there is a very small percentage (almost statistically insignificant) of administrators that respond positively to defacement notification.

    Aussie ISPs Breached

A similar situation was observed in the last week when two Australian ISPs were affected by problems with their primary web presence. In the first case, a Sydney based ISP was affected when a customer discovered that it was possible to view billing and call details for any customer by changing some parameters in one of the forms on the 'LiveBilling' area of the ISP's site. It was also demonstrated that it was possible for non-customers to gain access to the data.

Following publication of the issue by a major news agency, the affected area of the site was taken offline with the only reason being given as difficulty with 'security locks'. Even though a number of customers had contacted the ISP about the issue with little response from the ISP, it took massive publicity for it to begin being addressed. While no financial data was exposed, there was still a lot of privacy information readily available.

The second case affected a Queensland based ISP rated as one of Australia's best, which had its web site compromised by foreign hackers. Rather than defacing the main page (which would have led to a rapid repair and investigation), the defacement was out of the way and unlikely to have ever been found through normal web surfing. While this case has not received any publicity, it is likely that the attackers have gained access to sensitive databases and customer information.

Given the earlier statistic about the responses by system / site administrators, the chances are not good for customers of this second ISP for a resolution soon. If any readers of this column are customers of an ISP based in southern Queensland, it would be prudent to check your financial and other personal details.

    Affects Phishing

The same problem is affecting everyday users with the improvement phishers are demonstrating in improving the effectiveness of their attacks. The improvement of the attacks is getting to the point that most of the advice being given to users in how to detect and avoid being suckered by a phish attempt is becoming irrelevant. The last several days saw reports of banks having their websites compromised, redirecting requests for the legitimate site to locations that the attackers controlled.

Although the reported cases were fixed quickly, Sûnnet Beskerming has found and reported cases where financial institutions have had their sites (including intranets that were improperly configured) exposed to the outside world and which had been under the surreptitious control of attackers for some time.

News You Might Have Missed - 03 April 2006

A wrapup of some of the news stories from the last several days that you might have missed, or which grabbed our attention.

    Social Engineering Improving

Numerous sites have reported on the increasing use of extracts from real news stories as attempts to attract victims to websites where they are infected with a range of malware. Currently using a range of BBC news stories, the emails lure victims to sites that appear to be clones of the BBC (at least for that particular story), but which download malware in the background, compromising their systems. As the attacks improve in their ability to avoid detection, more victims are likely to be infected without their knowledge (and may even contribute to spreading the attack if the news story is relevant enough).

    Internet Explorer Exploit Expands?

As the users and administrators of systems using Internet Explorer wait anxiously for Microsoft to release an official patch to address the three vulnerabilities disclosed a couple of weeks ago, independent companies are releasing their own patches (eEye and Determina), and news is spreading of email being a potential exploit vector (despite Microsoft claims otherwise).

    Latest Privacy Losses Update

An earlier reported data loss of records related to HP employees has been pegged at 196,000 individuals affected, higher than the previous highest estimate. Elsewhere in the United States, the state of Florida had payroll and HR data for State employees (January 2003 to June 2004) send to an Indian firm after a contractor mistakenly forwarded the data by mistake. Up to 180,000 individuals are believed to be affected.

More than 500,000 members of the Georgia state pension plan could be at risk after a hacker gained access to a Georgia Technology Authority database which held confidential information on the pension holders. This is more than the 450,000 affected last year when an employee took home confidential information belonging to members of a state health plan. In Los Angeles, 40,000 county residents had their confidential personal data left next to a recycling bin in a parking garage and Nokia's US staff apparently have also been affected by the recent spate of Ernst & Young laptop losses.

    MPAA Accused of Improper Action

Following last year's US Supreme Court decision in what is commonly known as the 'Grokster' case various media groups and associations took the decision as free licence to continue to pressure downloaders and torrent search sites, citing the court case as legal justification. One site has decided to bite back. The TorrentSpy bittorrent search site has filed court documents to have the MPAA's attempt to shut them down dismissed. Torrentspy have pointed out that they host no infringing content and act as a search tool, providing no direct links to any infringing content. In the court filing, Torrentspy have accused the MPAA of 'attempting to steamroller defendants by means of an improper pleading', essentially meaning that they are taking an unrelated legal precedent and claiming that it has relevance in this particular case.

    Russian MP3 Sites Unsafe?

Wild claims were recently made on a music industry linked site which implied that numerous Russian MP3 retail sites are engaging in massive credit card fraud. The claim is that the sites are in the control of the Russian mafia (a reasonable claim) who are selecting cards at random from their databases to extract extra funds from ($1,000 to more than $3,000 USD per card). With no other news site backing up the claim and the original article appearing unsubstantiated, it is likely to have been an underhand attempt to get people to buy from authorised music industry sites. Even the technical data provided in the article is based on speculation and rumour. Subsequent discussion on message boards seems to substantiate the point of view that the claims of the article are untrustworthy.

    Trouble Ahead for UK High-Tech Crime Investigation?

First picked up by the UK focussed Spy Blog, it appears that the UK National High Tech Crime Unit (NHTCU) has been subsumed into a larger organisation, the newly formed Serious Organised Crime Agency (SOCA). Unfortunately, the public presence for SOCA doesn't acknowledge any focus on high tech crime, fails to mention computer, and the NHTCU website directs visitors to address their queries to SOCA. As a result, questions have been asked as to the long term importance of electronic crime investigation to the UK.

    Middle East on a Knife Edge

Some might ask what the relevance of middle-east politics to a technology blog, but bear with us. Iran recently test-fired a multi-warhead missile capable of reaching Israel, a test firing which went unnoticed by Israeli and US monitoring systems. To add concern, some Israelis have admitted that their anti-missile defence systems have little answer for this multi-warhead missile. The UK Telegraph is said to have claimed a US-led strike against Iran is inevitable and is due to be discussed in the coming week.

Now for the technology relevance. If there is a strike against Iran, many believe the country to be unstable enough to strike at Israel in an opening move. With multi-warhead missiles capable of reaching all of Israel, the many High-Technology companies with an Israeli base or heavy presence (Intel, Check Point, others) could face outages, supply issues or even be destroyed in that region.

The more pressing issue is the likely impact to the price of oil. With attacks in Saudi Arabia by internal groups, attacks in Iraq, and possible attacks in Iran - the higher the price of oil goes the more likely that companies will support telecommuting as commute costs skyrocket. Telecommuting introduces specific security risks and concerns which need to be considered as part of the planning phase.