Security

Journal: A Phishing Evolution

Journal by SkiifGeek

While many of us encounter traditional spamming and phishing on a daily basis in our inboxes, and the growing annoyance of comment spam / messaging spam on blogs, forums and other interactive sites, not many of us will have experienced the high quality identity fraud that is being used to develop and implement phishing / scams on professional networking sites. The Register has recently run an article on one such scam, which was identified and shut down last week.

The scam was originally identified by a Sûnnet Beskerming researcher, and a report into the incident has been created and placed online (direct PDF link). While the end scam was a typical 419-type scam, it is believed that the methods used to initiate communication, build trust, and seed the scam have not previously been seen in the wild (and then successfully identified as a scam).

A clued-in user with a decent level of IT experience will probably be able to identify the scam before they get fleeced. The big risk is for the many users we are responsible for who will not be able to identify the scam once the scammer has gained their trust, particularly the business operators and managers with access to significant wealth.

User Journal

Journal: It's Been A While

Journal by SkiifGeek

Sure, it's been a while since I last posted, but the mailing lists and other data sources that I tend to use have been consistently updated and kept current. Journal entries will probably be a little inconsistent until our website has finished being updated and upgraded. Important stories and news will still be posted from time to time, but there are plenty of ways to read the regular material that is created.

Security

Journal: Microsoft's December Patches

Journal by SkiifGeek

Coming as somewhat of a surprise, Microsoft released seven patches with their December Security Patch Update. Even though most patches were only rated as Important, almost all patches do have an arbitrary code execution component for at least some end users. This will raise the criticality of some patches to Critical for those specific users. The unexpected patch was for the Windows Media Format, though there is some outstanding dispute over the actual criticality of the affected components and the extent / availability of public exploit code.

Proof of concept code has been made available for at least one of the recent arbitrary code execution vulnerabilities associated with Microsoft Word (there are at least two), and the ISC has identified that Microsoft Office (Mac) was updated quietly today as well, including at least one security fix in the update.

Detailed vulnerability reports and exploit code are starting to surface for the patched vulnerabilities, as well as what appear to be opportunistic attacks by unrelated attackers (according to the ISC there is a massive spike in attacks exploiting a historic Symantec Antivirus vulnerability).

Security

Journal: Microsoft (Multiple) - Remote Hacker Automatic Control

Journal by SkiifGeek

Microsoft (Multiple) - Remote Hacker Automatic Control

        -- Products Affected --
        Windows 2000, XP, 2003
        Internet Explorer
        Visual Studio

        -- Technical Description --
        MS06-072 - Internet Explorer cumulative update. Arbitrary code execution affecting DHTML and active scripting, information disclosure affecting Temporary Internet Files (TIF) folder. Critical.
        MS06-073 - Visual Studio 2005. Arbitrary code execution due to WMI Object Broker ActiveX control. Critical.
        MS06-074 - SNMP implementation error can lead to arbitrary code execution. Important.
        MS06-075 - File Manifest Corruption leading to Privilege Escalation. Important.
        MS06-076 - Outlook Express arbitrary code execution at the local user level. Important.
        MS06-077 - Remote Installation Service arbitrary code execution (Windows 2000 ONLY). Important.
        MS06-078 - Windows Media Format remote arbitrary code execution. This is the .asx playlist issue brought to light in the last couple of weeks, along with another issue. Critical.

        -- Description --
        Microsoft delivered seven patches, instead of the expected six, with the December Security Update released today. Even though less than half of the patches are rated as Critical, almost all vulnerabilities can lead to arbitrary code execution for at least some end users. Notable by omission are the most recent Microsoft Word vulnerabilities for which there are targeted exploit attempts in use.

        -- Recommended Action --
        All users and administrators should apply the updates at the earliest opportunity.

        -- Source --
        http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx
        http://www.beskerming.com/premium/patch_pack.html
        http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

        -- Updates Available --
        http://www.microsoft.com/technet/security/bulletin/ms06-072.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-074.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-075.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-076.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-077.mspx
        http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx

        -- External Tracking Data --
        CVE-ID: CVE-2006-5579 (MS06-072)
        CVE-ID: CVE-2006-5581 (MS06-072)
        CVE-ID: CVE-2006-5578 (MS06-072)
        CVE-ID: CVE-2006-5577 (MS06-072)
        CVE-ID: CVE-2006-4704 (MS06-073)
        CVE-ID: CVE-2006-5583 (MS06-074)
        CVE-ID: CVE-2006-5585 (MS06-075)
        CVE-ID: CVE-2006-2386 (MS06-076)
        CVE-ID: CVE-2006-5584 (MS06-077)
        CVE-ID: CVE-2006-4702 (MS06-078)
        CVE-ID: CVE-2006-6134 (MS06-078)

        -- Threat Matrix --
                        U O
        Home User 10 10 (Highly Critical)
        Corporate 10 10 (Highly Critical)

Security

Journal: RSA Attack Efficiency Improves

Journal by SkiifGeek

August 2006 saw the disclosure of a fairly interesting attack against the RSA encryption algorithm (most famously being used in SSL - protecting online transactions). While it didn't target the actual algorithm, which still has not been broken, it is a so-called side channel attack, targeting the peculiarities associated with implementing the algorithm on various computing hardware.

The team behind the initial disclosure have recently submitted a modified approach to the attack, resulting in almost-astronomical improvements in attack efficiency.

In basic terms, the attacks rely upon a phenomenon known as 'Branch Prediction Analysis', where a program / attacker is able to predict what other software is doing as it passes through the CPU of a system.

In the first iteration of the described attack, the method required snooping on what was happening with the CPU for a relatively long period (or number of cycles), and certain software that implemented SSL protection (OpenSSL) quickly introduced patches to protect against this listening attack.

While many hardware manufacturers and Operating System developers have introduced defensive mechanisms to try and prevent this sort of attack taking place, it has been discovered that Pentium-IV (PIV) chips with Hyper-Threading enabled still have two caches that are not adequately protected. The new iteration of the attack, using a technique dubbed 'Simple Branch Prediction Analysis' (SBPA) targets both of these caches and can extract almost the complete secret SSL key in just one cycle. Running as an unprivileged user, this method can also target and extract data from any other software processes running on the system (SSL is an example in this case).

The technical black magic of how a branch predictor attack works can be explained as follows. Although modern CPUs are very quick, they still cannot process absolutely every bit of information they need to without a queue building up. This queue of instructions and data waiting for processing sits in a cache next to the CPU, and entries are executed in order of priority and time spent in the queue (various tuning settings come into play). By attempting to monopolise the CPU's attention and filling the cache, an attacker can use the minuscule timing differences between when instructions from the same process are executed to gain hints about what other instructions and data are moving through the CPU. Being able to interpret exactly what that data is, is the key to branch prediction analysis.

Mitigating the issue is the requirement to be running secure and insecure processes on the same processor at the same time, and for the attacker to be able to run their process as a local user. Because the spying process consumes almost 100% CPU continuously while it is running, normal system monitoring software should be alerting administrators to something out of the ordinary running on the system.

What real-world threat exists for this relatively esoteric attack? Shared-server installations. It would be possible for a lesser-privileged account holder on a shared server to run the spying process while other account holders are negotiating SSL connections. A well timed attack will allow them to run their spying process once (and thus minimise the attention drawn to it), and then be able to effectively intercept SSL communications directed at the target.
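The reason a branch predictor can leak an RSA key, and the shape of the fix that implementations such as OpenSSL adopted, both come down to whether the exponentiation's control flow depends on the private exponent. The following is an added example written for this journal entry, not code from the original post or from OpenSSL or the researchers it cites. It places the textbook square-and-multiply routine (one conditional branch per key bit) beside a Montgomery ladder that performs the same two operations on every iteration and selects between them with a branch-free swap. It uses a toy modulus below 2^32 so products fit in 64 bits, the function names and the multiplication counter are this example's own, and it models only the algorithmic structure: Hyper-Threading, caches and actual timing are not simulated.

```c
#include <stdint.h>
#include <stdio.h>

/* Counts modular multiplications so the two routines can be compared. */
static unsigned long g_mul_calls;

/* Modular multiply for moduli below 2^32, so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    g_mul_calls++;
    return (a * b) % m;
}

/* Textbook left-to-right square-and-multiply. The `if` is taken exactly when
 * the current exponent bit is 1, so the pattern of taken/not-taken branches
 * (and the number of multiplications) mirrors the private exponent. This is
 * the structure a branch prediction attack observes. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1)                     /* key-dependent branch */
            result = mulmod(result, base, mod);
    }
    return result;
}

/* Branch-free conditional swap: exchanges *a and *b when bit == 1 using a
 * mask rather than a conditional jump. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t mask = (uint64_t)0 - bit;          /* all ones when bit == 1 */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: one squaring and one multiplication on every iteration
 * regardless of the exponent bit, so the control flow, and with it the branch
 * predictor state, no longer depends on the key. Invariant: r1 == r0 * base. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r0 = 1 % mod, r1 = base % mod;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        cswap(&r0, &r1, bit);
    }
    return r0;
}

/* Number of modular multiplications each routine performs for an exponent:
 * 64 + popcount(exp) for the branchy version, always 128 for the ladder. */
unsigned long mul_count_branchy(uint64_t base, uint64_t exp, uint64_t mod)
{
    g_mul_calls = 0;
    (void)modexp_branchy(base, exp, mod);
    return g_mul_calls;
}

unsigned long mul_count_ladder(uint64_t base, uint64_t exp, uint64_t mod)
{
    g_mul_calls = 0;
    (void)modexp_ladder(base, exp, mod);
    return g_mul_calls;
}

int main(void)
{
    /* Constructed toy parameters: a 32-bit-safe modulus and a small exponent. */
    uint64_t mod = 1000003, base = 3, exp = 11;  /* 11 = 0b1011, three 1-bits */
    printf("branchy: %llu (%lu multiplications)\n",
           (unsigned long long)modexp_branchy(base, exp, mod),
           mul_count_branchy(base, exp, mod));
    printf("ladder:  %llu (%lu multiplications)\n",
           (unsigned long long)modexp_ladder(base, exp, mod),
           mul_count_ladder(base, exp, mod));
    return 0;
}
```

Both routines return the same value, but the multiplication count of the branchy version changes with the Hamming weight of the exponent while the ladder's does not; that fixed, key-independent sequence of operations is what removes the signal the spying process relies on. In a real library the multiplications themselves must also run in constant time, and a compiler may legitimately turn the `if` into a conditional move, so this is the structural idea rather than a drop-in replacement.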

Security

Journal: Worm Attacks Media Files

Journal by SkiifGeek

According to the McAfee Avert Labs (http://www.avertlabs.com/research/blog/?p=132), an interesting new worm has recently been discovered circulating in the wild. This particular worm attacks all Real Media content that it can find, modifying them to launch a website when they are viewed with the Real Media player. While the payload of the malicious website that is opened has not been disclosed, the 'Realor' worm is an interesting addition to the collection of malicious software that targets non-executable files.

Users should be applying the same level of caution and filtering to non-executable files as they do to executable files, and ensure that they maintain current antivirus protection (also being aware of the weaknesses in a range of antivirus products).

Security

Journal: Here Come The Exploits

Journal by SkiifGeek

As expected, the day after Microsoft released their November round of patches, the exploits started arriving. Although there were known exploits for some of the vulnerabilities prior to the patch release, exploit code has begun circulating for the WinZip vulnerability patched by MS06-067, and exploit code for the Workstation service vulnerability (MS06-070) is also available. Detailed technical descriptions of the attackable vulnerability have been released, and it is only a matter of time until workable exploits surface.

A number of sources have been covering the appearance of what appear to be random files and directories (folders) on computer systems following the application of Microsoft's November security patches. The folders appear to be randomly named strings of hex and appear to contain a log file that relates to the MS XML patch (MS06-071).

While the directories and files do not appear to be harmful in any way, their appearance has come as a bit of a surprise to people who closely manage their systems. Users who do not normally delve into the detailed levels of their hard drive structure will probably not even notice the directory and leftover files at the top level (C:\). A growing consensus is that the installation process was a little messy and failed to completely clean up after it had finished.

Security

Journal: NetGear - Remote Hacker Automatic Control

Journal by SkiifGeek

        -- Products Affected --
        NetGear WG111v2 Wireless Driver
        NetGear devices with MA521 drivers (the MA521 device is a PCMCIA card).

        -- Technical Description --
        Malicious beacon or probe responses as part of an 802.11 frame can lead to arbitrary kernel-level code execution on a vulnerable system. The underlying vulnerability is specifically the way that the driver handles the 'rates information' element while the device is in active scanning mode (no information has been released about whether it is vulnerable while not in this mode). Fully automated exploit code is readily available and NetGear were not notified about the issue prior to disclosure. The second vulnerability is due to poor handling of over-sized beacon data responses.

        -- Description --
        Two serious vulnerabilities have been disclosed with NetGear devices. A number of NetGear products have been found to be vulnerable to an attack that can allow an attacker on the same wireless network to run software of their choice on a vulnerable system. NetGear were not notified at the time of the vulnerability and code release.

        -- Recommended Action --
        Apply caution when enabling NetGear wireless cards, and consider the use of alternate vendor cards if possible.

        -- Source --
        http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
        http://projects.info-pull.com/mokb/MOKB-18-11-2006.html

        -- Threat Matrix --
                        U O
        Home User 9 9 (Critical)
        Corporate 9 9 (Critical)

Security

Journal: Windows (Update) - Remote Hacker Automatic Control

Journal by SkiifGeek

        -- Products Affected --
        Windows 2000, XP, 2003

        -- Technical Description --
        Sample exploit code for the Workstation service vulnerability patched by MS06-070 has begun circulating. Mitigating the effect of the current code is the necessity to have an accurate IP and Domain Name. Code samples have been distributed to Sûnnet Beskerming technical partners to assist with the development of effective protection mechanisms.

        -- Description --
        Well-developed exploit code that targets the vulnerability patched by MS06-070 (released November 14), and which was initially targeted at the Chinese version of Windows, has begun circulating amongst various websites and security mailing lists. The rapid spread of the code suggests strong interest from developers and researchers keen to better understand the vulnerability mechanism. Worryingly for end users, this particular vulnerability can be targeted through remote attack, and can easily lead to serious compromise of networks and systems.

        -- Recommended Action --
        Apply MS06-070 as soon as possible

        -- Source --
        Multiple Sources

        -- Threat Matrix --
                        U O
        Home User 10 10 (Highly Critical)
        Corporate 10 10 (Highly Critical)

Security

Journal: Broadcom Wireless Device Driver - Remote Auto Control

Journal by SkiifGeek

        -- Products Affected --
        Broadcom Wireless Driver version 3.50.21.10 and earlier
        Products that use this include devices from Linksys, Zonet, Dell, HP, Gateway, eMachines, and others.
        A similar vulnerability affects D-Link products

        -- Technical Description --
        A stack-based buffer overflow attack against the SSID field can lead to arbitrary code execution at the highest system privilege levels. The particular issue is due to poor handling of lengthy content in the SSID field. Exploit code is readily available, and has been available since this vulnerability was first disclosed a couple of days ago. It is claimed that DEP, as implemented by Windows, may be enough to prevent the current exploit code from functioning correctly. Although the most common target will be Windows systems, Linux and FreeBSD users may be at risk if they are using this driver through the ndiswrapper utility.

        -- Description --
        A serious problem was recently disclosed with a popular wireless card driver that is supplied with many current PCs, from a range of manufacturers (including, but not limited to: HP, Dell, Gateway, eMachines, and other computer manufacturers, as well as Linksys, Zonet, and other wireless card manufacturers). The vulnerability allows an attacker that is connected to the same wireless network to take complete control of a victim's system. Due to the need for physical proximity of the attacker (on the same wireless network), the Threat Matrix has only been set at Critical. Exploit code is readily available, and has been available publicly since the date of initial disclosure.

        -- Recommended Action --
        Concerned users should apply the latest updates from their system distributors. Alternatively, the updates from Linksys can be applied by following the guidance provided at the ZDnet link.

        -- Source --
        http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
        http://blogs.zdnet.com/Ou/?p=365

        -- Threat Matrix --
                        U O
        Home User 9 9 (Critical)
        Corporate 9 9 (Critical)
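
The NetGear 'rates information' element and the Broadcom SSID field above share a root cause: a driver copying a variable-length 802.11 information element into a fixed buffer while trusting the length octet that arrived over the air. The following is an added example written for these two entries, not the vendors' driver code or the published exploit. It shows the unchecked copy that gives an oversized element its write, beside a parser that bounds every element against both the frame and the element's own maximum before copying, and runs it over constructed beacon fragments (a benign SSID plus rates element, a 40-octet SSID, and a rates element longer than the frame). The structure names, helper names and sample bytes are this example's own; the 32-octet SSID and 8-octet Supported Rates limits are the 802.11 ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 limits: an SSID is at most 32 octets, Supported Rates at most 8. */
#define SSID_MAX_LEN 32
#define RATES_MAX    8
#define IE_ID_SSID   0
#define IE_ID_RATES  1

struct scan_result {
    char    ssid[SSID_MAX_LEN + 1];
    uint8_t rates[RATES_MAX];
    size_t  n_rates;
};

/* Vulnerable pattern (illustrative, not any vendor's code): the length octet
 * from the frame drives a copy into a fixed buffer, so a frame advertising a
 * 200-octet SSID overruns `out`. Shown for contrast only; never call it on
 * untrusted input. */
void parse_ssid_unchecked(const uint8_t *ie, char out[SSID_MAX_LEN + 1])
{
    uint8_t len = ie[1];
    memcpy(out, ie + 2, len);           /* no check that len <= SSID_MAX_LEN */
    out[len] = '\0';
}

/* Hardened parser: each length is checked against the remaining frame and
 * the element's own maximum before a byte is copied. 0 on success, -1 if
 * the frame is malformed. */
int parse_ies(const uint8_t *buf, size_t buflen, struct scan_result *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    while (off < buflen) {
        if (buflen - off < 2)
            return -1;                  /* truncated element header */
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];
        if (len > buflen - off - 2)
            return -1;                  /* element runs past the frame */
        const uint8_t *body = buf + off + 2;
        switch (id) {
        case IE_ID_SSID:
            if (len > SSID_MAX_LEN)
                return -1;              /* oversized SSID: reject the frame */
            memcpy(r->ssid, body, len);
            r->ssid[len] = '\0';
            break;
        case IE_ID_RATES:
            if (len > RATES_MAX)
                return -1;              /* oversized rates element */
            memcpy(r->rates, body, len);
            r->n_rates = len;
            break;
        default:
            break;                      /* unknown element: skip it */
        }
        off += 2 + (size_t)len;
    }
    return 0;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t benign_frame[] = {
    0x00, 0x03, 'l', 'a', 'b',                  /* SSID "lab" */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,         /* rates 1, 2, 5.5, 11 Mbit/s */
};
static uint8_t oversized_ssid_frame[2 + 40];    /* SSID claiming 40 octets */
static const uint8_t truncated_frame[] = { 0x01, 0x0a, 0x82, 0x84, 0x8b };

/* Each check returns 1 when the parser behaves as intended. */
int check_benign_frame(void)
{
    struct scan_result r;
    return parse_ies(benign_frame, sizeof benign_frame, &r) == 0
        && strcmp(r.ssid, "lab") == 0 && r.n_rates == 4 && r.rates[3] == 0x96;
}

int check_oversized_ssid(void)
{
    struct scan_result r;
    oversized_ssid_frame[0] = IE_ID_SSID;
    oversized_ssid_frame[1] = 40;
    memset(oversized_ssid_frame + 2, 'A', 40);
    return parse_ies(oversized_ssid_frame, sizeof oversized_ssid_frame, &r) == -1;
}

int check_truncated_frame(void)
{
    struct scan_result r;
    return parse_ies(truncated_frame, sizeof truncated_frame, &r) == -1;
}

int main(void)
{
    printf("benign frame parsed: %d\n", check_benign_frame());
    printf("oversized SSID rejected: %d\n", check_oversized_ssid());
    printf("truncated frame rejected: %d\n", check_truncated_frame());
    return 0;
}
```

The two checks in the loop are distinct and both matter: the first stops a malformed length from reading past the end of the received frame, the second stops a well-formed but oversized element from writing past the fixed-size field. A driver runs this code in kernel context, so rejecting the whole frame on the first inconsistency is the right response; the same bounds discipline applies to every other element a scan handler stores.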

Security

Journal: Microsoft (Multiple) - Remote Hacker Automatic Control

Journal by SkiifGeek

        -- Products Affected --
        Windows 2000, XP, 2003
        Internet Explorer
        Microsoft Office 2000, XP (2002), 2003, 2004, v.X

        -- Technical Description --
        MS06-066 - Memory corruption leading to arbitrary code execution and Denial of Service in Netware Client Services. Moderate
        MS06-067 - ActiveX (DirectAnimation) and HTML rendering memory corruption leading to arbitrary code execution with Internet Explorer. Patch also sets the ActiveX killbit on the control associated with WinZip 10.0, and permanently sets the ActiveX activation setting to 'notify before use', in line with the change attempted earlier this year. Exploits have been circulating for some time. Critical
        MS06-068 - Microsoft Agent (which includes Clippy) contains a buffer overflow that can lead to arbitrary code execution. Although this is ActiveX related and can be activated from Internet Explorer, Microsoft have not linked it to MS06-067. Critical
        MS06-069 - Adobe Flash Player (formerly Macromedia Flash Player) has several vulnerabilities that can lead to a buffer overflow condition and arbitrary code execution. Critical
        MS06-070 - Workstation service has a buffer overflow that can lead to arbitrary code execution. Critical
        MS06-071 - XML Core Services (XMLHTTP ActiveX object) has a vulnerability that leads to arbitrary code execution. Critical

        -- Description --
        Microsoft have issued six patches for the November Security Patch Update. All but one of the patches are rated as Critical, but all patches address serious vulnerabilities that allow an attacker to take complete control of a vulnerable system. Users and administrators should be aware that Microsoft has ceased supporting Windows systems derived from the 9x kernel (95, 98, ME), and have also ceased supporting the Windows XP SP1 system. Exploits have been circulating, with detailed source code, for a number of the patched vulnerabilities, so it is considered essential that patches are applied as soon as possible.

        -- Recommended Action --
        Apply the numerous patches from Microsoft at the earliest opportunity.

        -- Source --
        Multiple, including
        feed://blogs.technet.com/msrc/atom.xml
        http://www.beskerming.com/premium/patch_pack.html
        http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=BUY&SKURefnum=SKU10225855655
        http://www.microsoft.com/technet/security/Bulletin/MS06-066.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-068.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-071.mspx

        -- Threat Matrix --
                        U O
        Home User 10 10 (Highly Critical)
        Corporate 10 10 (Highly Critical)

Security

Journal: Safari - Remote Hacker Automatic Denial of Service

Journal by SkiifGeek

        -- Products Affected --
        Safari on at least OS X 10.4.8

        -- Technical Description --
        A new denial of service type attack against Apple's Safari web browser has been disclosed, leading to a browser crash, and possible arbitrary code execution (claimed only at this stage).

        -- Description --
        A new issue with Apple's Safari Internet browser has been disclosed on a security mailing list. The disclosed vulnerability leads to an application crash in browsers that have JavaScript support enabled (by default), and it is claimed that it could lead to arbitrary code execution, though there is little evidence to support this claim at the moment (will be upgraded as circumstances direct).

        -- Recommended Action --
        Disable support for JavaScript (Safari->Preferences->Security->Enable JavaScript (deselect))

        -- Source --
        jbh_cg yahoo.fr

        -- Threat Matrix --
                        U O
        Home User 4 4 (Low - Moderate)
        Corporate 4 4 (Low - Moderate)

Security

Journal: New Exploit Samples

Journal by SkiifGeek

New exploit code is available and circulating for vulnerabilities in OpenBase on OS X (local root exploits), and for the current XMLHTTP and WMI Object Broker ActiveX control vulnerabilities. Exploit code had previously only been available to a limited number of individuals (mainly attackers), and the recent change has been the public availability of this code from a number of sites.

Administrators and users who are seeking to defend against these attacks should be able to find appropriate IDS/IPS signatures and antivirus definitions updates from their respective vendors. It should be understood that exploits that have been heavily obfuscated before use may not be detectable, even with these protection mechanisms in place.

Find out about this information and more, when it happens, with Sûnnet Beskerming Security Notification Services.

Security

Journal: MySpace And Fake Videos

Journal by SkiifGeek

Continuing with their disclosure of security issues on MySpace, Mashable.com have reported that over a thousand MySpace user accounts are being used to spread malware from noted adware purveyors Zango. Posing as fake video links to YouTube, the images presented on the MySpace pages redirect to an adult site before installing (following a licence agreement) adware from Zango.

While the ratio of MySpace accounts that are exploiting this dubious ethical process is extremely small when compared to the tens of millions of valid accounts, comments posted in response to the Mashable article suggest that the process has been in use since the start of October, and has only recently had action taken on it.

Find out about this information and more, when it happens, with Sûnnet Beskerming Security Notification Services.

Security

Journal: Vista and Office Broken Already?

Journal by SkiifGeek

Claims have been made already that Microsoft's next-generation Operating System and Office Productivity Suite, Vista and Office 2007 respectively, have had their registration mechanism cracked. That is, if you believe the files that can be downloaded through a number of file trading / sharing / downloading services. Given that the software has only just been declared 'Gold' and released to the manufacturing plants for production into retail boxes, this rapid release of files should be relatively easy for Microsoft to track down - given the low numbers of people that should have hands-on availability of the software.

A slightly positive outcome is that it appears that the cracked Vista install that is available has not been completely cracked. It bypasses the need for a valid Vista product key by replacing the different authentication elements with those from Vista Beta. As pointed out in the linked article, this should be fairly simple for Microsoft to identify and shut down - they already know the keys that were issued for the Beta testing phase, and it will be a straightforward process to prevent them from being used for final product activation.

The more concerning aspect is the Office 2007 cracked version that is available. The Enterprise version of the office productivity suite has been made available, and because it uses Volume Activation, there is no need for an activation key.
