Recently in Systems Category

Chinese ISP suffers DNS poisoning

Following the AT&T DNS poisoning late last month, one of China's largest ISPs, China Netcom, has suffered a similar setback. In the past, Chinese companies have had little trouble with information security as their domestic hackers primarily target foreign servers. This is starting to change, however, and China is going to have a huge problem trying to both maintain security and continue the fast pace of growth.

From ZDNet Blogs:

The DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. [From ZDNet: Websense reports China Netcom DNS cache poisoning]

A new Windows remote-code-execution vulnerability has been spotted in the wild. A proof-of-concept demonstration is available here.

From CyberInsecure:

A new public zero-day Windows vulnerability is being exploited in the wild. Microsoft Windows is prone to a remote code-execution vulnerability due to an unspecified error in 'NSlookup.exe'. Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is being actively exploited in the wild but details on the attacks are currently unavailable. At this moment there are no workarounds or vendor-supplied patches. [From CyberInsecure: Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild]

Apple users targeted by phishing scams


It looks like glitches in Apple's MobileMe rollout and the accompanying user frustration have created opportunities for phishing scams. I think Apple has already burned through its security goodwill. It's time for the company to step up and start dealing with the rapidly emerging threat that targets its customers.

From The Register:

Data obtained by CardCops, a credit card protection service owned by the Affinion Group, shows sensitive information belonging to several hundred people with Mac.com email addresses being traded in underground forums frequented by identity thieves. The details include social security numbers, birth dates, mothers' maiden names, credit card numbers and other sensitive information.

The graphic to the right, which has been edited to remove personally identifying details, shows some of the data that's been available.

The information was phished using emails that began circulating around the same time Apple began its ill-fated transition from Mac.com to Me.com. The scams bore subjects such as "Billing problem." Following the link as recently as Tuesday while using Apple's Safari browser, we were taken to an authentic-looking page purporting to belong to Apple. It asked users to reinstate their accounts by entering a dizzying array of personal details. (Interestingly, while Internet Explorer warned us the page was a scam, neither Safari nor Firefox flagged it.) [From The Register: Apple faithful snared in phishing scam targeting Mac.com users]

DNS still vulnerable after patch


Despite being delicately handled and patched at an unprecedented rate, Kaminsky's DNS vulnerability research may have opened up a huge can of worms. Russian developer Evgeniy Polyakov has announced that fully patched DNS systems are still vulnerable to poisoning.

From his blog, Zbr's Days:

Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually an attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched, the probability of successful poisoning is more than 60%.
The attack took about half a day, i.e. a bit less than 10 hours. So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night... [From Zbr's days.]

This has also been mentioned in the New York Times and the Inquirer. He has posted his proof of concept code here.
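To put the numbers in the quote on a defender's footing, here is a small model of the race, added for this post (it is not Polyakov's code and not from the original page): it shows why a resolver with a fixed source port falls in a couple of races, and how little the roughly 32 bits of ID-plus-port entropy buy against a spoofer on the same LAN. The 40-50 thousand replies per race and the 1-2 ports per server come from the quote; the ephemeral port range and the one-second race window are assumptions.

```python
"""Model of the race Polyakov describes: the spoofer must guess the 16-bit
transaction ID and, on a patched resolver, the randomised source port too.
Added example; not Polyakov's code. The per-race reply count and the
ports-per-race figure come from the quote; ID_SPACE is the DNS header width;
PORT_SPACE and the 1 s race window are assumptions."""
import math

ID_SPACE = 1 << 16            # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024     # assumption: ephemeral source ports above 1023


def p_id_hit(fakes_per_race, id_space=ID_SPACE):
    """Chance one race wins once the port is matched: each forged reply
    covers a distinct ID, so it is fakes/ids, capped at certainty."""
    return min(1.0, fakes_per_race / id_space)


def p_race_win(fakes_per_race, ports_per_race, port_space=PORT_SPACE):
    """Chance one race wins when the port is randomised over port_space
    values and the attacker sprays ports_per_race ports, each with a full
    ID sweep (the quote: two servers, 1-2 ports each)."""
    ports = min(ports_per_race, port_space)
    return (ports / port_space) * p_id_hit(fakes_per_race)


def expected_races(fakes_per_race, ports_per_race, port_space=PORT_SPACE):
    """Mean number of races until the first poison lands (geometric trials)."""
    return 1.0 / p_race_win(fakes_per_race, ports_per_race, port_space)


def hours_to_poison(fakes_per_race, ports_per_race, port_space=PORT_SPACE,
                    race_seconds=1.0):
    """Expected wall-clock hours; race_seconds is the assumed time per race."""
    races = expected_races(fakes_per_race, ports_per_race, port_space)
    return races * race_seconds / 3600


def entropy_bits(id_space=ID_SPACE, port_space=PORT_SPACE):
    """Bits the attacker must guess per race: the defender's only lever short
    of DNSSEC or 0x20 case randomisation."""
    return math.log2(id_space * port_space)


if __name__ == "__main__":
    # Fixed source port (pre-patch): port_space=1, so only the ID protects you.
    print(f"unpatched: {expected_races(40000, 1, 1):.2f} races")
    # Randomised port, 3 ports sprayed per race, 40k forged replies each.
    print(f"patched:   {hours_to_poison(40000, 3):.1f} h at one race per second")
    print(f"entropy:   {entropy_bits():.1f} bits")
```

With those assumptions the model lands at roughly 35 thousand races, about ten hours at one race per second, which is in the range he reports; the quoted "more than 60%" is simply p_id_hit(40000).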

It looks like some cyberwar is accompanying boots on the ground as Russian troops and tanks invade. The Georgian Ministry of Foreign Affairs website has been defaced, containing photos of President Mikheil Saakashvili alternating with images of Hitler. Here is a screen capture:

[Screen capture of the defaced Georgian Ministry of Foreign Affairs site]

It looks like nation-state-scale cyberwar may have become standard operating procedure in Central Asia. This lacks the scale and impact of the DDoS attacks against Estonian targets that effectively shut down the national economy until the connections with the rest of the world were temporarily severed.

It looks like the Apple security problems that have been buried in the news this year are adding up. According to IBM's annual security report, Apple has more disclosed vulnerabilities than any other vendor.

While Microsoft has been making their security practices progressively more transparent, Apple is notoriously close-lipped; one can only speculate about the actual numbers.

From InfoWorld:

Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.
The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla.
Final results were close, according to the IBM X-Force 2008 mid-year report, with Apple achieving a vulnerability disclosure score of 3.2 percent, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent. [From Apple gets bruised in vulnerability report | InfoWorld | News | 2008-08-06 | By Darren Pauli, Computerworld Australia]

Vista security is completely hosed


I am reminded of the Active Directory issue several years ago, in which all domains in a forest were only as secure as the most poorly defended domain. In both that case and this one, a fundamental architectural choice by Microsoft made patching impossible; only a complete shift in strategy and redesign can fix the problem.

With Microsoft's newfound religion around security, it is going to be very interesting to see how they handle this. It's the first major test of how seriously they take it (and of Ray Ozzie's leadership).

From Information Security Magazine:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
* * *

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author. "They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over." [From Windows Vista security 'rendered useless' by researchers]

Animated map of DNS patches being applied


Dan Kaminsky has posted his Black Hat slides on the bailiwicked DNS vulnerability along with a fabulous animation of DNS servers being patched across the globe. His blog entry is here.



UPDATE: I should have noted that red means unpatched, yellow means patched but NAT is interfering, and green means good.

Warning issued about Linux rootkits


Germany's CERT has issued a warning about Linux rootkits.

From Robert Penz:

The CERT of Germany's National Research and Education Network (DFN – Deutsches Forschungsnetz) warns about attacks on Linux servers, which hide with a root kit. This root kit hides directories and processes from the administrator. The attack is most likely carried out using stolen SSH keys.
Their experts found the directory /etc/khubd.p2/ on the compromised systems, but this directory did not show up with ls -l /etc/. It was, however, possible to change into that directory. [From DFN CERT warns about Linux root kits | Robert Penz Blog]
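Two cheap cross-checks for the symptom the advisory describes (a directory that ls omits but that you can still cd into), as an added example rather than code from DFN-CERT or from Penz's post: a stat-versus-listing probe for names you already suspect, and the directory link-count arithmetic that catches entries a hooked readdir() filtered out. Only the khubd.p2 name comes from the quote; the sample tree and the "hooked" listing are constructed.

```python
"""Detecting a directory hidden from `ls` but reachable by path.
Added example; not from the DFN-CERT advisory or Robert Penz's post.
The khubd.p2 name is the one the quote mentions; everything else is constructed."""
import os
import tempfile


def unlisted_but_present(parent, candidates, listing=None):
    """Return candidate names that stat() finds under `parent` even though
    they are absent from the directory listing. A rootkit that filters
    readdir() (what ls uses) rarely filters stat() too; the mismatch is the tell.
    `listing` lets a caller (or a test) supply the listing instead of reading it."""
    seen = set(os.listdir(parent) if listing is None else listing)
    found = []
    for name in candidates:
        if name in seen:
            continue
        try:
            os.stat(os.path.join(parent, name))
        except OSError:          # ENOENT: genuinely absent, nothing to report
            continue
        found.append(name)
    return found


def missing_subdirs(nlink, subdirs_seen):
    """On filesystems that keep real link counts (ext4, xfs, tmpfs) a directory
    has 2 + <number of subdirectories> hard links ('.' and each child's '..').
    More links than listed subdirectories means the listing hid something.
    Returns None where nlink is 1 (btrfs, overlayfs), where the check is void."""
    if nlink < 2:
        return None
    return nlink - 2 - subdirs_seen


def audit(parent):
    """Apply the link-count check to a live directory, e.g. audit('/etc')."""
    nlink = os.stat(parent).st_nlink
    seen = sum(1 for e in os.scandir(parent) if e.is_dir(follow_symlinks=False))
    return missing_subdirs(nlink, seen)


def demo():
    """Constructed tree: one subdirectory, once with an honest listing and once
    with the listing a readdir-filtering rootkit would hand back."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "khubd.p2"))    # stand-in for the hidden dir
        honest = os.listdir(root)
        hooked = []                                  # the entry filtered out
        probe = ["khubd.p2", "nothere"]
        return (unlisted_but_present(root, probe, honest),
                unlisted_but_present(root, probe, hooked))
```

Both checks assume the kernel and libc answering stat() and the link count are honest, so on a suspected box run them from a rescue medium against the mounted disk; expect None from the link-count check on btrfs or overlayfs.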

It looks like Ray Ozzie has been making even more changes at Microsoft. First, he embraced the PHP community, joined the Apache Foundation, and released code under a GNU license. Now he is opening up the security patching process to give security vendors a head start on developing signatures.

For those without the budget or influence to be on the vendor list, he's also rating patches with an "exploitability index."

From Information Security Magazine:

The idea behind the early-access program is to give security vendors a head start on developing signatures and filters for attacks that follow the release of a new set of Microsoft patches on the second Tuesday of the month. Microsoft will announce its new plans at the Black Hat conference in Las Vegas this week.
Known as the Microsoft Active Protection Program (MAPP), the new plan will be open to security companies that provide defensive technology to large customer bases, meaning antivirus (AV), intrusion detection system (IDS) and intrusion prevention system (IPS) vendors. This kind of early notification is something that other companies have been calling for, and Microsoft officials said they've gotten to the point where they could use some help from the rest of the security community.
* * *
In addition to the MAPP announcement, Microsoft also plans to add a new component to its monthly security advisories: an exploitability index. The index will rank vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. [From Microsoft to revamp patching, add exploitability index]

Timed to coincide with the FCC's decision against Comcast over network neutrality, the Free Software Foundation has released a tool that can test your ISP for violations.

From fsf.org:

"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."

"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier." [From EFF Releases "Switzerland" ISP Testing Tool - eff.org]

It looks like deniability may become a thing of the past, in which case the FCC might have its hands full in the foreseeable future. Perhaps some stiff fines would serve as a better deterrent than a slap on the wrist ...

The FCC has stopped short of fining Comcast over the p2p network throttling I mentioned several weeks ago.

From ZDNET:

The Federal Communications Commission on Friday ruled 3-2 that Comcast overstepped its network management authority by blocking BitTorrent peer to peer traffic, but stopped short of fining the cable company. The move clarifies the boundaries a bit for other carriers and sends the message that the FCC enforces network neutrality principles. [From FCC slaps Comcast's wrist over network neutrality; sets precedence -- zdnet.com]

A demonstration of teeth behind the net neutrality principles would have sent a clearer message to ISPs, though. Hopefully, the FCC will also start looking at mobile providers as well as home ISPs.

Infobyte has released a tool that targets insecure online updates. This is a case where I'm not sure that an automated testing tool is actually a good thing -- I'm sure that the problem with many of the exploitable applications is the process itself rather than a bit of insecure code that can be patched or disabled. In that situation, I'm not sure how constructive this tool would be for a pentester or analyst.

On the other hand, if it is used widely enough for illicit purposes, it may put enough pressure on vendors to fix flawed processes. I'm sure the repercussions of this tool will be felt for a long time to come.

From the Metasploit blog:

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit. [From Metasploit: Evilgrade Will Destroy Us All]

Learning to pentest the safe and legal way


Kees Leune has pointed me towards some excellent pentest training resources: a set of live CDs that provide safe and legal targets for learning the tools included in Backtrack.

From Leune's blog:

I've been keeping an eye open for some other challenges, and I found one at The Last HOPE. One of the speakers mentioned that www.de-ice.net hosts some bootable CD images that are used to teach people pentesting skills. The author of the CDs did a nice job and grouped them in different levels of difficulty. The de-ice CDs are designed to be breakable with the tools included on the Backtrack Live CD.
After downloading the images, I was hooked.
Unfortunately there are only three CDs out at the moment, but I am proud to say that I managed to win all three challenges. I also admit that I needed some help getting the last one; I was unfamiliar with one of the tools used and needed a little hint. With that last hint, I was able to solve the third and final challenge. [From De-ice.net pentesting live CD's - Kees Leune]

Microsoft embraces open source


Today at OSCON, hell froze over.

According to The Register, Microsoft has decided to embrace (some) free/open source software and has joined the Apache Software Foundation to the tune of $100k a year.

From The Register:

After years of hostility towards Free Software Foundation (FSF) licensing (here and here) Microsoft has announced the first in a series of PHP patches - and it's using an FSF license.
Microsoft told The Reg it's submitted a patch to the community for the ADOdb database abstraction library for PHP to add support for the PHP SQL Driver developed with PHP shop Zend Technologies. The patch is under the FSF's Lesser GPL (LGPL).
And, in a further move towards greater support of open source, Microsoft is becoming a platinum member of the Apache Software Foundation (ASF), paying $100,000 annual membership. The move follows work between the two to support the Office Open XML file formats in Apache's POI project. [From Microsoft pledges love and money to open source | The Register]

This is a smart move on Microsoft's part. There is an enormous amount of innovation going on in the open software communities, and rather than fighting that innovation, Microsoft can now leverage it. This move will make the Windows platform more compatible with open source projects and open a new marketplace for the core operating environments such as Windows Server and SQL Server.

More importantly, though, it makes it much easier for many developers to jump back and forth between platforms, coding in whichever environment makes the most sense for a project.

One has to wonder if this is Ray Ozzie's first major change as the new Chief Software Architect at Microsoft. If so, he's started out on the right foot.

Powered by Movable Type 4.12