4 X Security Team

The police executed a bench warrant and arrested a 60-year-old man resident of Solana Beach, California. He is charged with computer intrusion and extortion and he is scheduled to appear in a federal court on October 31. Bruce Mengler is accused of hacking his way into a promotional website belonging to the US branch of car manufacturer Maserati and retrieving personal information about the company's potential customers.

The stolen personal data was gathered by Maserati as part of a promotion that was offering free gift certificates in exchange for participation in a test drive. The company distributed fliers to potential customers containing an invitation to test drive Maserati cars. The fliers contained a unique identification code intended to be used by the interested people on a promotional website in order to receive gift certificates usable at Omaha Steaks. Along with the code on the flier, people were asked on the website to also provide personal contact information.

The indictment does not specify exactly how Mengler accessed the information, but it suggests that he successfully downloaded the entire database, then blackmailed Maserati by asking money in return for his silence. He is supposed to have sent several letters from a “sol.beach@gmail.com” email address threatening to disclose the information and the incident publicly if he was not paid. To prove the authenticity of his claims, he included samples of the stolen information.

The company's losses are estimated at around $5,000, but the most important aspect of this incident is represented by the security policies adopted by companies in regard to customers’ personal data. 2008 has already been tagged by security researchers as “the data loss year” due to the increased number of cases where sensitive data was lost by employees, stolen by hackers or leaked through website security holes.

Graham Cluley, Senior Technology Consultant for security vendor Sophos, noted on his blog referring to the case that "if a hacker was able to gain access to customer information via the promotional website then there is a clear warning here to all companies that they need to properly secure their public websites". Undergoing such marketing campaigns where sensitive customer info is gathered is fine as long as they are performed in accordance to responsible security practices. “It’s all very well asking for potential customers to enter their names and addresses in exchange for free steaks, but you’ll be dealing with higher stakes (groan…) if your website is not properly defended,” Mr. Cluley adds.

[Source: softpedia]

Just days after shipping a patch for a dozen serious security holes in Firefox, Mozilla has rushed out another version to fix an annoying password manager bug.

The newest Firefox 3.0.3 basically fixes a problem where users were unable to retrieve saved passwords or save new passwords.

Firefox’s Mike Beltzner explains:

• The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent dataloss, the saved data is just inaccessible.

Also see Bug 454708.

[Source: zdnet]

Aditya K Sood from the EvilFingers community, which disclosed the first Chrome DoS vulnerability at the beginning of the month, has released a proof of concept demonstrating a memory exhaustion DoS vulnerability affecting Google’s Chrome versions Chrome/0.2.149.30 and Chrome/0.2.149.29 :

“The Google chrome browser is vulnerable to memory exhaustion based denial of service which can be triggered remotely.The vulnerability triggers when Carriage Return(\r\n\r\n) is passed as an argument to window.open() function. It makes the Google Chrome to generate number of windows at the same time thereby leading to memory exhaustion. The behavior can be easily checked by looking at the task manager as with no time the memory usage rises high. The problem lies in the handling of object and its value returned by the javascript function. Once it is triggered the pop ups are started generating. The Google Chrome browser generate object windows continuously there by affecting memory of the resultant system. Probably it can be crashed within no time. User interaction is required in this.”

What’s Google’s take on this flaw, and have they acknowledged it already? Zero Day asked the researchers.

Q: This is the second DoS vulnerability that members from EvilFingers disclose. How is the second one different than the first one, and how would a remote attacker take advantage of it?

A: Ideally, both are Denial of Service attacks. But second one is different for the matter that it does a memory exhaustion, or I would say “performance” peaks with the pop-ups. By default, all the pops are blocked by Chrome, but still the CPU usage jumps up to 98% and so does the memory consumption, therefore other processes will surely be affected. And then the PoC for the first one crashes the chrome right away without any reaction time to the user or any user way to prevent the loss of work. But with the second one, an experienced user can prevent the same and can save work of other tabs before resulting in a browser restart. Or put in another way, first one is a crash of all tabs, second one is a hang of tabs.

Q: Since you’re responsibly disclosing the vulnerabilities that you find to Google, what is your opinion on their current response time and overall attitude towards the vulnerabilities that you’ve reported?

A: Response time with the first one was well appreciable, as it was fixed within 24hrs though it took some days to roll out next 0.2.149.29 ‘patched’ version. For this newer DoS, the patch is yet to roll out and they have acknowledged the bug for now.

Has Google’s Chrome level of exploitability changed since the first DoS vulnerability? It may well be declining considering some recently published browser market-share statistics, clearly indicating that a lot of users seems to have given Chrome a try, and are back to their default browsers. According to published Chrome stats by Net Application :

“At the end of its third week of availability, Google Inc.’s Chrome accounted for 0.77% of the browsers that visited the 40,000 sites tracked by Net Applications, down from a 0.85% share the week before. “The trend line on Chrome still has a slight downward angle, and these weekly numbers reflect that,” said Vince Vizzaccaro, Net Applications’ executive vice president of marketing. Although Chrome popped above 1% within hours of its release, the new browser now reaches that mark only in the middle of the night, U.S. time, Vizzaccaro added.”

StatCounter’s latest Chrome stats of over 450M page views globally, also indicate the introduction period and the slight decline afterwards. Chrome’s popularity is proportional with its level of exploitability, so keeping an eye on how many users stick with the (BETA) browser, will either increase or decrease it.

[Source: zdnet]

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid

Cheers,
Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

[Source: zdnet]

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen (left) and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

• In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider than the average end user would have no idea what’s going on during a Clickjack attack.

• Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

• In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

[Source: zdnet]

Apple today released Java for Mac OS X 10.5 Update 2 with patches for a total of 25 documented security flaws that could expose Mac users to malicious code execution attacks.

Two of the 25 flaws are specific to Apple and could be exploited to launch drive-by attacks if a Mac user is tricked into visiting a maliciously rigged Web page.

The two bugs affect Mac OS X v10.5.4 and Mac OS X Server v10.5.4 and address:

• CVE-2008-3638: The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This is an Apple-specific issue. Credit to Nitesh Dhanjani and Billy Rios for reporting this issue.
• CVE-2008-3637: An error checking issue leading to the use of an uninitialized variable exists in the Hash-based Message Authentication Code (HMAC) provider used for generating MD5 and SHA-1 hashes. Visiting a website containing a maliciously crafted Java applet may lead to arbitrary code execution. This update addresses the issue through improved error handling. This is an Apple-specific issue. Credit to Radim Marek for reporting this issue.

The mega update also addresses multiple serious vulnerabilities in Java 1.4.2_16, Java 1.5.0_13 and Java 1.6.0_05.

[Source: zdnet]

Today is a very busy patch day for network administrations managing Cisco gear.

The networking giant released a whopping 12 bulletins with fixes for a wide range of security vulnerabilities in IOS, the underlying software that powers routers and network switches.

Some of the flaws could allow a malicious hacker to take complete control of vulnerable devices while others put Cisco customers at risk of denial-of-service attacks.

The most serious issue in this patch batch carries a maximum CVSS base score of 10.0 and affects the Cisco uBR10012 series devices:

Cisco uBR10012 series devices need to communicate with an RF Switch when configured for linecard redundancy. This communication is based on SNMP (Simple Network Management Protocol). When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. Changing the default community string, adding access restrictions on SNMP or doing both will mitigate this vulnerability. The recommended mitigation is to do both.Blogger: 4 X Security Team - Create Post

Network administrators managing Cisco gear (with IOS) and strongly urged to review all the September 24 patches listed here and prioritize fixes according to severity rating scores. In cases where mitigations are offered, those should be applied where necessary.

[Source: zdnet]

If you still need a reason to patch that installation of Adobe Reader, pay close attention to this discovery by Secure Computing’s anti-malware research labs.

The group has stumbled upon an exploit pack that exclusively targets PDF vulnerabilities, exposing millions of Windows desktops to malicious hacker attacks.

Secure Computing warns:

This new toolkit targets only PDFs, no other exploits are used to leverage vulnerabilities. Typical functions like caching the already infected users are deployed by this toolkit on the sever-side. Whenever a malicious PDF exploit is successfully delivered, the victim’s IP address is remembered for a certain period of time. During this “ban time” the exploit is not delivered to that IP again, which is another burden for incident handling.

Other existing toolkits have also been enhanced with PDF exploits lately. For example we spotted the “El Fiesta” toolkit to have also added exploits for the Portable Document Format.

[ SEE: Flash attack may as well have been zero-day ]

Unpatched third-party desktop applications are a big, big part of the malware epidemic on the Windows platform. As we learned during that Adobe Flash attack earlier this year, end users are very slow to apply these patches, giving the bad guys a huge opening for targeted, localized malware attacks.

I can’t recommend Secunia’s PSI (personal software inspector) highly enough. Please patch now.

[Source: zdnet]

Following India’s threat to shut down the Blackberry network in the country unless Research in Motion allows the government to snoop on Blackberry users made earlier this year, the country seems to have found a more pragmatic solution, and in a surprising move has publicly announced that they have finally managed to crack Blackberry’s encryption :

“The government has decrypted the data on Research In Motion’s (RIM) BlackBerry networks. The department of telecommunication (DoT), Intelligence Bureau and security agency National Technical Research Organisation (NTRO) have done tests on service providers such as Bharti Airtel, BPL Mobile, Reliance Communications and Vodafone-Essar networks for interception of Internet messages from BlackBerry to non-BlackBerry devices.

Initially, there were difficulties in cracking the same on Vodafone-Essar network but that has also been solved. This means that the e-mail messages sent on Internet through your BlackBerry sets would no longer be exclusive and government would be able to track them.”

They either need to decompress, or emphasize on the fact that their efforts cannot affect BlackBerry Enterprise Service users.

The government’s “decompression tests” seems not to be affecting enterprise Blackberry solutions, but now that it’s becoming clear that they’re requiring all local telecoms to “make technical changes in their services to make them compatible for decompression”, the tests indicate that the government is on purposely weakening the security of transmitted data across the country.

Taking into consideration the multi-layered end-to-end encryption that a Blackberry user can archive, India’s claims to be able to eavesdrop Internet traffic of BlackBerry Internet Service, but naturally still unable to crack BlackBerry Enterprise Service’s end-to-end AES or Triple DES, doesn’t really count as cracking Blackberry’s encryption.

[Source: zdnet]

In what is slowly turning into a endless loop of hacktivism activities, Bill O’Reilly’s BillOreilly.com has been compromised during the weekend, with personal details including passwords in plain text for 205 of the site’s members already leaking across Internet forums, as a response to his remarks regarding Wikileaks as a “one of those despicable, slimy, scummy websites” which recently published private information of Sarah Palin’s private email.

On Friday, Wikileaks issued the following press release :

“Fox News demagogue, Bill O’Reilly, has been hacked and the details passed to Wikileaks. Wikileaks has been informed the hack was a response to the pundit’s scurrilous attacks over the Sarah Palin’s email story–including on Wikileaks and other members of the press, Hacktivists, thumbing their noses at the pundit, took control of O’Reilly’s main site, BillOReilly.com. According to our source, the security protecting O’Reilly’s site and subscribers was “non-existent”.

The following image, submitted to Wikileaks and confirmed by Wikileaks staff, offers proof of the hack. The image, clearly obtained from BillOreilly.com’s administrative interface, shows a detailed list — including passwords — of BillOreilly.com subscribers. Although Wikileaks has only released one page, it must be assumed that Bill O’Reilly’s entire subscriber list is, as of now, in the public domain.”

How did they do it “this time”?

According to the article at Wikileaks, the hacktivists seem to have been brute forcing the URL for the administration panel, and once successfully finding it, access the unencrypted data :

“According to Marston, the hackers were able to access the list by trying a large number of variations of the website’s administrative URL. He said all affected members have received an email and a phone call informing them of the breach and urging them to change their password. The site has since been completely locked down, Marston said.”

Moreover, it’s also worth pointing out that the passwords were stored unencrypted, evidence of the practice can also be seen within the screenshots of the admin panel. As far as the website’s administrative URL is concerned, it has since been changed once it leaked online (w3.billoreilly.com/pg/jsp/admin/managecustomers/newpremiummembers.jsp), which isn’t excluding the opportunity for abuse of the subscribers email addresses in spear phishing attacks, “for starters” since some of the users have already admitted of using the same password at different web sites, including PayPal.

The impact of the breach, and the measures taken to notify the victims according to the site :

“The BillOReilly.com site experienced a minor hacking incident on Friday, September 19th, 2008.

** ALL CREDIT CARD INFORMATION FOR EVERY MEMBER IS SAFE
** NO MEMBERS WHO JOINED BEFORE WEDNESDAY, SEPTEMBER 14th, 2008 WERE AFFECTED AT ALL.
** 205 new Premium Members who signed up last week had their name, hometown, email address, & BillOReilly.com password stolen.
** We have contacted those 205 members by email and telephone.
** We are working with the proper authorities to track down the perpetrators. “

Another personal message issued by Bill O’Reilly regarding the process of tracking down the “perpetrators” was posted on Sunday :

“The FBI and Secret Service are close to indicting some of the perpetrators and we will keep you posted when the arrests are made. All premium members receive the full backing of our legal team and if anyone is hassled in the least, please inform us immediately. In the latest case, no proprietary information was obtained by hackers and we have safeguards in place to protect everyone who does business with us.

Rest assured that we are on this. Our defense of Sarah Palin has led some criminals to attempt to disrupt our enterprise. At this moment federal authorites and our attorneys are compling information against these people. Again, if any person is bothered in any way - please let us know. We stand behind our products but, most importantly, we stand behind you. We’ll get the bad guys. Count on it.

Bill O’Reilly
9/21/08″

Who’s claimed responsibility? 4chan members planning at Ebaumsworld using “secret words” :

“According to my source this is a common tactic among the secret hacking group hidden amongst the users of ebaumsworld. he states “yeah we will start planning on 4chan so ebaums doesnt get in trouble…we use secret words and stuff to let the others know who we are” when i asked why he was telling me all this he said “man this has just gone too far.. at first it was a joke then we found out that the same usernames and passwords worked for those peoples paypal accounts and im afraid of what they will do.”

It appears that the “forum fraction” is also planning a DDoS attack against BillOreilly.com according to this interview, which wouldn’t be the first time the site has been under DDoS attack, and definitely not the last. From an analyst’s perspective, nation2nation hacktivism conflicts always provide the best and most accurate understanding of a particular’s country’s capabilities into this space, compared to hacktivism actions basically sticking to the standard practices as DDoS attacks, which just like any tip of the iceberg receive most of the attention due to the ease of measuring their impact next to the rest of the hacktivism tactics used.

The bottom line - good time to point out why you shouldn’t use the same password on different web services, and that the big picture having to do with Wikileak’s vision of a little less secrecy, and a little bit more transparency, ultimately better serves the world and gives power to the people whose collective consciousness, if not brainwashed, is supposed to be shaping the way we live.

[Source: zdnet]

ike every other red-blooded American I take a quick peak at my collapsing retirement and savings portfolios in the morning just to give me that extra kick to head into the office. So I pull up Google Finance to see Secure Computing (SCUR) is, up some 23%, one of the big movers for the day. There are very few things that could cause a tech company to jump so much in such a short period of time.

Apparently McAfee has decided to acquire the shop. This will help McAfee in not only the enterprise and edge space, they also will get an anti-spam offering in the 2 year old CipherTrust acquisition, which was then valued at around $275MM, or 58% of the current purchase price.

On a more personal note, I take this as a sign that I must finally throw away my SideWinder t-shirt.

[Source: zdnet]

Mozilla has released another point update for its flagship Firefox browser to provide fixes for at least 12 documented security vulnerabilities. Some of the flaws put millions of Web surfers at risk of remote code execution attacks.

The Firefox 3.0.2 update addresses two issues rated by Mozilla to be “critical,” meaning that the documented vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Here’s the skinny from Mozilla’s bulletins:

[ SEE: Talking Firefox security with Mozilla’s Window Snyder ]

• MFSA-2008-40 - Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.
• MFSA-2008-41 - Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities by which page content can pollute XPCNativeWrappers and have arbitrary code run with chrome privileges. One variant reported by moz_bug_r_a4 only affected Firefox 2. Mozilla developer Olli Pettay reported that XSLT can create documents which do not have script handling objects. moz_bug_r_a4 also reported that document.loadBindingDocument() returns a document that does not have a script handling object. These issues could also be used by an attacker to run arbitrary script with chrome privileges.
• MFSA-2008-42 - Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Drew Yao of Apple Product Security reported two crashes in Mozilla image rendering code. This vulnerability only affected Firefox 3. David Maciejak also reported a crash in graphics rendering which only affected Firefox 3.
• MFSA-2008-43 - Microsoft developer Dave Reed reported that certain BOM characters are stripped from JavaScript code before it is executed. This can lead to code, which would otherwise be treated as part of a quoted string, to be executed. The issue could potentially be used by an attacker to bypass or evade script filters and perform an XSS attack. Security researcher Gareth Heyes reported an issue with the HTML parser in which the parser ignored certain low surrogate characters if they were HTML-escaped. This issue could potentially be used to bypass naive script filtering and used in an XSS attack. This issue only affected Firefox 2.
• MFSA-2008-44 - Mozilla developer Boris Zbarsky reported that the resource: protocol allowed directory traversal on Linux when using URL-encoded slashes. Mozilla developer Georgi Guninski reported that the restrictions imposed on local HTML files could be bypassed using the resource: protocol. The vulnerability allowed an attacker to read information about the system and prompt the victim to save the information in a file.

[ ALSO SEE: Firefox scrambles to add ‘private mode’ browsing ]

The open-source group also released patches for multiple vulnerabilities affecting Firefox 2 but strongly recommends that users upgrade to Firefox 3.

[Source: zdnet]

Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.

The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).

Here’s the skinny on the Flash Player 10 changes:

[ SEE: Can Adobe mitigate ‘clipboard hijack’ issue? ]

• In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.

• This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.

• Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.

* Photo credit: EdTarwinski’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

VMware has released new ESXi and ESX 3.5 packages to fix a “critical” security issue that allows a remote, unauthenticated attacker to launch harmful code on the host running the hypervisor.

According to this VMWare advisory, the patches fix two remote buffer overflows in the handling of HTTP basic authentication headers.

• This vulnerability could potentially be exploited by users without valid login credentials.

The vulnerability exists in the “Openwsman” system management platform which is enabled by default in ESX to implement the Web Services Management protocol (WS-Management).

[Source: zdnet]

Guest editorial by Andrew Storms

Last week Apple proved that they are not ready for prime time enterprise relationships.

Apple has tried to position the iPhone as enterprise-ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.

On September 9th, Apple released updates to some 20 security vulnerabilities that included updates to QuickTime, iTunes and other software. On September 12th, Apple released iPhone version 2.1, which was intended to fix 8 security holes and repair 3G connections problems. On September 15th, Apple released updates to OSX that includes fixes to nearly 70 security problems. On September 16th, Apple released updates to Remote Desktop, again fixing more security problems.

[ SEE: Apple plugs iPhone code execution holes ]

In the matter of 8 days, Apple released updates to every one of its major platforms and applications. Those updates included over 100 security updates spanning Mac OSX, Windows Vista, Windows XP, the iPhone and the iPod Touch. So how did that affect enterprise security teams?

On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that unlike other vendors, Apple did not provide any advanced notification on timing or the magnitude of the updates. This update caught everyone off guard. Then again, without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat drill above). Then yes, you guessed it, same story again on September 15th and again on the16th. Who knows, maybe by the time this is published, there will be another update?

Every IT staff is already resource constrained and some teams always are in a passive firefighting mode. If your security team thought it was almost caught up with Apple updates already issued this year, the last week set you back significantly and probably pushed other, potentially critical, scheduled work into a wait state.

[ SEE: iPhone passcode lock rendered useless ]

Mind you that last week’s updates just didn’t stop at OSX. Even if you run a Windows shop that permits QuickTime or iTunes, you couldn’t ignore this torrent of updates. The impact of this random update cycle from Apple may be serious enough that some companies decide to limit or stop using Apple hardware or software entirely. After last week, IT teams running ragged by the deluge of unannounced patches are wishing they could make the policy decision to get all Apple software off the network. With this kind of uncertainty and apparent lack of planning, who can blame them?

Apple had an opportunity to embrace the enterprise by showing leadership in its software development lifecycle. And while we would never expect Apple to follow Microsoft’s footsteps, they could have learned what works and what doesn’t in the enterprise, and then in their Apple way, take it to the next level. I think that’s what many Mac fans in the IT department were hoping for. Too bad we had such a big let down last week.

[ SEE: Apple plugs gaping QuickTime security holes ]

We’d like to see Apple embrace public discourse regarding security updates. We respectfully suggest that Apple sit with enterprise managers, listen and then take the information they receive and build a process that doesn’t leave IT teams staggering.

Instead of wasting the valuable time and resources of their target customers, Apple could take the opportunity to perform the way they have done in other markets. This assumes that Apple can apply their creative, customer focused energy that has made them a powerhouse in the consumer market and put some of that effort into collaborative partnerships.

[ SEE: Apple mega-patch covers 34 Mac OS X security issues ]

We’d love to see Apple step up and change the game in software development lifecycle, or at least learn to play the game with the best of them. Apple, we’re rooting for you, but it’s gonna take a whole lot more than you’ve shown us so far. And we have to tell ya, hip and cool can only take you so far in the enterprise.

* Andrew Storms is director of security operations at nCircle, where he is responsible for setting and enforcing the company’s security compliance programs as well as overseeing day-to-day operations for the IT department. His writing can be found on nCircle’s 360 Security blog.

* Image source: charliekwalker’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

A college student identified as Rubico has claimed responsibility for hacking into Sarah Palin’s personal email, and provided a detailed 1st person account of how he hacked into the email account using the password “popcorn” which he managed to reset by successfully answering her security question “Where did you meet your spouse?” by Googling for the answer :

“Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story. In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs. I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower.”

Originally blamed for the email hijacking, the Anonymous movement against the Church of Scientology has distanced from the hack :

“One of the main tenets of the anonymous movement against the Church of Scientology is to stay legal. Anonymous is no fixed group, just a term for anyone who acts without giving their name. We don’t know who is responsible for the hack on Sarah Palin’s mail account or what their attitudes to Scientology or anything else are. For us, they are anonymous, because we don’t know who they are and they are not us.”

Meanwhile, the owner of the Ctunnel.com service recently commented that if the attacker’s screenshot didn’t include the complete URl using Ctunnel.com it would have been hard to track him down through his service since a lot of people login to their Yahoo mailboxes while using it. And since the attacker did include the complete URL, and according to him did a mistake by using a single proxy service next to taking advantage of “proxy chaining” by using multiple different proxy servers/services across the globe, the FBI has already approached the owner of Ctunnel.com.

It’s also worth pointing out that in the time of posting this, Wikileaks.org’s article on “Sarah Palin Yahoo account 2008” has been defaced with the following message, reminding us that Wikileaks has a “fan club” too :

“I NOW HACK THIS WEBSITE! AREN’T YOUR PROUD OF ME, WIKILEAKS. I CAN PLAY YOUR GAME TOO!!!”

The massive media coverage is covering nothing else but an old school password reset tactic made possible due to the oversupply of personal information regarding the victim. Moreover, this incident once again puts the “security question vulnerability” in the spotlight. Last month, a posting at SecuriTeam’s blogs reasonably pointed out how personalizing the security question to something a little less obvious, is a feature currently offered only by Gmail, which shouldn’t be the case despite the fact that anyone can give an entirely different answer to each of the common “security” questions asked :

“Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony - in case you couldn’t make it, we met on a roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out, makes them a security vulnerability in my Yahoo! account. By letting me make a security key based on the name of my first school, Yahoo! actually puts me at risk, allowing anyone that knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”.”

Hacking is supposed to be about intellectual exploration, so resetting the password of someone’s Yahoo mailbox no matter if it’s the Pope, requires no more than two brain cells put into action. However, the political consequences and the long-term impact of this hack are an entirely different topic yet to be discussed based on the interpretation of the data found within.

[Source: zdnet]

Norway’s largest BitTorrent tracker Norbits (norbits.net) with approximately 10,000 users, is currently under a DDoS attack launched from a group known as MORRADi, which is also speculating that it has managed to compromise the tracker and is threatening to release personal details of its users including IPs, until the tracker is closed :

“In an NFO file obtained by IT-Avisen, a group called MORRADi takes responsibility for the attack on Norbits. “Once again we show our power! Once again we show your foolishness! This is not the first time we have done it, and it won’t be the last,” they write (translated).

“Enough is enough, you are becoming a real nuisance, and you are also a bunch of idiots that try to hide, so it’s high time we punish you! P2P is not something we want, when will you understand that? Do we have to take it as far as publishing your user database online?””

This is the second time the tracker has been under a DDoS attack for the past two years, and no matter how futile the ambitions of the attackers are in respect to targeting the tracker due to the fact that it’s promoting the use of P2P, the success of Norbits seems to have already pissed off the local warez scene.

Further investigation indicates a conflict of interest on the Norwegian warez scene, with old school FTP warez groups clearly not in favor of emerging technologies like P2P directly undermining their outdated (pirated) content distribution models. The attack is very similar to an apparently still active campaign courtesy of old school warez traders, named “Destroying The P2P’s, One Step at a Time“, whose objective is to expose the owners of BitTorrent trackers, compromise their security and leak personally identifiable information of its users — if such exists at the first place — in order to damage their reputations.

Just when you through that the major threat a BitTorrent tracker faces is the threat from the entertainment industry and the local intellectual property enforcing organizations, fractions of the “warez scene” are waging a war against P2P. Will they also start targeting the mainstream torrent trackers?

[Source: zdnet]

Timing is everything, and from a cybercriminal’s perspective, a new school year means segmenting their email databases to launch a targeted attack welcoming everyone back online. According to MessageLabs Intelligence :

“Starting in early September, MessageLabs intercepted a targeted, email-borne malware attack on US schools and government organizations, a majority of which are located in New Mexico, Virginia, Illinois and Hawaii. The attack comprised more than 1000 emails from only 15 source IP addresses, most of which were located in the former Soviet Union on consumer-based address ranges signaling that the attacks are the result of a botnet that may be looking to expand. The attached table illustrates the distribution of mails intercepted from the source IP addresses used in the attack.”

Naturally, the attackers are taking advantage of already infected with malware hosts, and using them as stepping stones for launching the attacks ending up in anecdotal cases where U.S based infected hosts are used to launch targeted attacks against U.S schools and organizations.

Some more details on the specifics of the attack :

“Analysis reveals that dispersement lasted almost two days and used social engineering techniques to deliver the malware, Trojan-Spy.Win32.Zbot.ele, as both an executable email attachment and a link within an email, disguised as a Microsoft Windows Update. There were three similar attacks targeting US schools, businesses and state governments. According to MessageLabs, these attacks may be deploying the Antivirus XP 2008 malware.”

As of recently, cybercriminals are putting more efforts into the quality assurance of their campaigns by means of localizing the spam message to the native language of the receipts, known due to the segmented email database belonging to a particular sector that they’ve already purchased. However, in this particular targeted attack they seem to have underestimated the personalization of the emails, and despite the obvious segmentation of potential victims to spam, were taking advantage of average social engineering tactics more suitable for a large scale malware campaign.

The much more sophisticated from a social engineering perspective variant of this targeted attack, is spear phishing, which according to iDefense is increasing, with a few groups specializing into targeting high-profile targets :

“The victim counts from these attacks is staggering – over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms. In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime. Two groups of attackers have carried out 95 percent of these attacks.”

Earlier this month, South Korean officers were also reportedly under a targeted attack from North Korean hackers that managed to obtained the personal emails of the officers thanks to a “real life email harvester” collecting name cards with the emails on them, and spam them with malware :

“A North Korean spyware e-mail was reportedly transmitted to the computer of a colonel at a field army command via China in early August. The e-mail contained a typical program designed automatically to steal stored files if the recipient opens it. Some officers whose email addresses are on their name cards have suffered hacking attacks.”

What’s important to note is that in such cases a high-profile victim’s personal email address can easily turn to be the weakest link in an ongoing espionage campaign against a particular country, where despite that the adversaries aren’t capable of breaching their private emails, the ongoing and previous conversations found in their personal ones could contribute to real-life espionage attempts against them.

In times when phishers, spammers and malware authors are consolidating, it is logical to assume that targeted attacks will only get more personalized and well crafted in the very short term.

[Source: zdnet]

Searching for details regarding the latest celebrity gossip may expose you to everything the IT underground has to offer - from adware and spyware to misleading offers and fake newsletters enticing you to opt-in into a spammer’s campaign. McAfee owned SiteAdvisor has recently released the 2008 list of the celebrity names that are most actively abused by malicious attackers in order to attract legitimate traffic to their malicious sites.

“01. Brad Pitt — When “Brad Pitt screensavers” was searched, more than half of the resulting Web sites were identified as containing malicious downloads with spyware, adware and potential viruses.

02. Beyonce — Inputting “Beyonce ringtones” into a search engine yields risky Web sites that promote misleading offers to gather consumers’ personal information.

03. Justin Timberlake — Interest in his high-profile relationships makes him an easy target for spammers and hackers. When searching for “Justin Timberlake downloads” one Web site advertised free music downloads that were flagged as directly leading to spam, spyware and adware.

04. Heidi Montag — “The Hills” star is a popular search term when it comes to searching for wallpaper. A host of wallpaper Web sites contained hundreds of malware-laden downloads.

05. Mariah Carey — Spammers and hackers are using Mariah Carey screen saver Web sites to link to other sites proven to contain spyware, adware and other threatening downloads.”

Who else is on the list?

Celebrities like the following in order of maliciousness - Jessica Alba, Lindsay Lohan, Cameron Diaz, George Clooney, Rihanna, Angelina Jolie, Fergie, David Beckham, Katie Holmes, Katherine Heigl.

With the research originally based on SiteAdvisor’s rankings for related celebrity sites, it’s basically scratching the surface since these sites are only the tip of the iceberg beneath which lies an extensive network of blackhat search engine optimization campaigns and comprehensive portfolios of domains serving fake celebrity sites pushed in the form of spam. This approach is not exclusively targeting a particular celebrity more than another, it’s targeting all of them. Moreover, searching means that the end user is “pulling” the malicious sites, whereas “pushing” them through spam, blackhat SEO seems and SQL injections in order to acquire traffic, remains the tactic of choice. These traffic acquisition tactics are also abusing legitimate services like Blogspot, Google Groups or MSN Groups, instead of using separate domains and are consequently not flagged as malicious but reputation based services like SiteAdvisor.

With multiple vendors and security researchers continuing the see evidence that legitimate sites have started serving more malicious content that on purposely registered malicious domains, you may in fact be more susceptible to an attack while browsing your favorite site, than searching for a particular celebrity. And even if you don’t search for the celebrities, the celebrities are always searching for you, just check your spam/malware folder.

[Source: zdnet]

DarkMarket, an infamous underground message board that provides a haven for identity thieves to buy, trade and sell stolen data, plans to shut down operations.

According to Threat Level’s Kevin Poulsen, the three-year-old forum will go dark on October 4. The shutdown plan follows the recent arrest of Cagatay Evyapan, a Turkish hacker who was one of DarkMarket’s administrators. Evyapan, who used the hacker moniker “Cha0,” was a notorious underground figure who sold ATM-skimming devices.

Here’s a portion of the shutdown notice:

“[R]ecent events have proven that even in our best efforts to expel and deactivate the accounts of suspected LE [law enforcement], reporters, and security agents, it is obvious that we haven’t been entirely successful,” Splyntr wrote in a message on the site.

“It is apparent that this forum … is attracting too much attention from a lot of the world services (agents of FBI, SS, and Interpol),” wrote Splyntr. “I guess it was only time before this would happen. It is very unfortunate that we have come to this situation, because … we have established DM as the premier English speaking forum for conducting business. Such is life. When you are on top, people try to bring you down.”

Poulsen reports that DarkMarket was the last known survivor from a handful of underground forums used by online scammers to do business. Back in 2005, as part of “Operation Firewall,” law enforcement officials successfully infiltrated and shut down the ShadowCrew marketplace.

[Source: zdnet]

This week’s attack on Sarah Palin’s e-mail account highlights how the same application could have very different threat models depending on the technology used. While this is a general issue for all Software-as-a-Service offerings versus traditional desktop packages, let’s focus on just e-mail for now. Let’s first step into our adversary’s shoes and try to think like an attacker.

If your target is a webmail system, there are a variety of techniques you can use to compromise the account. You may attempt any of the following:

• Using a targeted phishing attack to grab the individual’s username and password.
• Requesting a password reset on the account.
• Researching sophisticated web attacks, XSS/CSRF style exploits, hoping to find one that works against your target’s current webmail provider.

Attacking a desktop machine would require a somewhat different set of techniques, such as:

• Stealing their computer.
• Infecting their system with a piece of malware that provides access to their local hard drive.

It appears that desktop-based applications are more secure from face value, but our model discounts data loss from hard drive failures, bad backups, and all of the other means that isolated pieces of hardware can refuse to work. When you add in the added convenience of accessible-from-anywhere, continuously backed-up, low administration services, it is quite easy to see how many people prefer using webmail and equivalent systems.

You do need to appreciate, though, how the threat model changes when you choose one technology over the other.

[Source: zdnet]

If you have a Macintosh you have likely received notice of the 10.5.5 update that arrived yesterday. The update includes multiple security fixes that should not be ignored, including vulnerabilities in common file parsers. Mac users and Windows users alike should patch their desktops as soon as possible when new patches arrive. When a Windows vulnerability is announced and patched, you can be reasonably sure that an exploit will be discovered in the wild in a short period of time. This was certainly the case for the MS08-053 vulnerability that was announced earlier this month and is currently being exploited in the wild. Unlike Windows users, Mac users can be reasonably certain that they have some breathing room before exploits appear for the newly announced vulnerabilities. Mac users would like to believe this has to do with their platform being more secure, but really it comes down to a question of market share and attacker effort.

Like all other limited resources, people try to allocate their time to whatever endeavor they believe will generate the greatest utility at that point in their lives. This rule obviously holds true for attack authors in our world of monetized malware. When faced with the opportunity to write an attack against Windows or an attack against OSX, they almost always choose the former. It is not because writing Windows malware is less difficult, but rather because they are guaranteed to generate more revenue from a novel Microsoft vulnerability than they will from a novel Apple vulnerability.

For now, Mac users can be relatively confident that they can hold off patching for a few days without being attacked. This will no longer hold true as Apple’s market share improves. It is possible to show using game theory that a tipping point exists where Mac users will start facing the same patch pressure experienced by Windows users, assuming that current purchasing trends continue. While it is difficult to name a specific day and time, there will be a point where Mac users, like today’s Windows users, will regret not rapidly applying security updates.

[Source: zdnet]

On the heels of media reports that Republican vice presidential candidate Sarah Palin was using a private Yahoo e-mail account (gov.palin@yahoo.com) to conduct Alaska state business, hackers have broken into the account and posted evidence of the hijack on Wikileaks.

An activist group calling itself ‘anonymous’ claimed responsibility for the compromise and released screenshots, photographs and the e-mail addresses of several people close to Palin, including her husband Todd and assistant Ivy Frye.

Here’s the announcement from Wikileaks:

Circa midnight Tuesday the 16th of September (EST) Wikileaks’ sources loosely affiliated with the activist group ‘anonymous’ gained access to U.S. Republican Party Vice-presidential candidate Sarah Palin’s Yahoo email account gov.palin@yahoo.com. Governor Palin has come under criticism for using private email accounts to avoid government transparency mechanisms. The zip archive made available by Wikileaks contains screen shots of Palin’s inbox, example emails, address book and two family photos. The list of correspondence, together with the account name, appears to re-enforce the criticism.

The list of e-mails include an exchange with Alaskan Lieutenant Governor Sean Parnell about his campaign for Congress and an e-mail from Amy McCorkell, whom Palin appointed to the Governor’s Advisory Board on Alcoholism and Drug Abuse in 2007.

Wired’s Threat Level reports that McMcCorkell confirmed that she did send the e-mail to Palin.

Following the release of this story, both Sarah Palin’s better known account gov.sarah@yahoo.com and the gov.palin@yahoo.com account have been suspended or deleted as revealed by a test email sent to these addresses by Wikileaks. Although the reasons for the deletion of both accounts can not not yet be established, one interpretation is that Palin is trying to destroy her email records.

Wikileaks said it may release additional e-mails should they prove be of political substance.

Here’s one screenshot of an e-mail released by the group.

* Hat tip: Chris Wysopal, Veracode. Image via CBS News.

[Source: zdnet]

In a recent Q&A with Google’s Brian Rakowski, Philipp Lenssen asked him a question in regard to Chrome’s carpet-bombing flaw. Not surprising, considering that Apple refused to admit Safari’s carpet-bombing flaw at the first place, Google is too, downplaying it :

“Lenssen: There are ways to make Chrome automatically download a file without the user confirming this (at least using Chrome’s default options). Don’t you consider that a potential problem?

Rakowski: On its own, downloading a file isn’t dangerous. It can be annoying if a site tries to download a bunch of files to fill up your hard drive, but there are other ways to do things like that and it hasn’t become a problem. The danger arises when an automatically downloaded file can be automatically executed. We’ve taken steps to prevent this in Google Chrome and will continue to make sure that this is the case. “

In reality, the danger arises from an automatically downloaded malicious file with a changed icon and a descriptive title or backdoored but legitimate Windows Office files downloaded without any notice, not from dumping hundreds of files on a particular desktop. Causing a denial of service attack next to dumping a piece of crimeware isn’t really going to do much for a malicious attacker wanting your Ebanking data.

The level or exploitability of any of Chrome’s vulnerabilities is proportional with its market share, and whereas there are no currently active malware attacks taking advantage of this particular flaw allowing them to dump a file on a visitor’s desktop, leaving this opportunity open won’t go unnoticed. As it appears, coming up with a simple script filling up someone’s hard drive upon visiting a specific site, seems to be the way to raise awareness on the potential for old school malware attacks relying on changed icons and the binaries spread across the desktop, and hopefully attract Google’s attention to the possibilities for abuse.

Chrome’s been receiving lots of criticism internationally, with Germany’s Federal Office for Information Security urging users not to use the browser, next to the Dutch Computer Emergency Response Team (Govcert.nl) recommending its use only in test environments due to the BETA release. For the time being, it’s clearly a wait and see how they threat security issues type of situation.

[Source: zdnet]

Apple has shipped another mega-update to address security vulnerabilities affecting Mac OS X users, warning that the most serious issues could lead to arbitrary code execution attacks.

The update, available for Tiger and Leopard, addresses a total of 34 documented vulnerabilities, some in third-party components like ClamAV, BIND, OpenSSH and Ruby.

It also provides fixes for the following Mac OS X flaws:

• CVE-2008-2305 — A heap buffer overflow exists in Apple Type Services’ handling of PostScript font names. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
• CVE-2008-2329 — An information disclosure issue exists in Login Window when it is configured to authenticate users with Active Directory. By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed.
• CVE-2008-2330 — An insecure file operation issue exists in the slapconfig tool used for configuring OpenLDAP. A local user can cause
  the password entered by a system administrator running slapconfig to be written to a file controlled by the user.
• CVE-2008-2331 – Finder does not update the displayed permissions under some circumstances in a Get Info window. After clicking the lock button, changes to the filesystem Sharing & Permissions will take effect, but will not be displayed.
• CVE-2008-3613 — A null pointer dereference issue exists in the Finder when it searches for a remote disc. An attacker with access to the local network can cause Finder to exit immediately after it starts, making the system unusable.
• CVE-2008-2327 – Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2008-2332 — A memory corruption issue exits in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2008-3608 — A memory corruption issue exists in ImageIO’s handling of embedded ICC profiles in JPEG images. Viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2008-1382 — libpng in ImageIO is updated to version 1.2.29. CVE-2008-1382 is not known to affect the use of libpng in ImageIO, and this update is applied as a precautionary measure.
• CVE-2008-3609 — Cached credentials are not always flushed when a vnode is recycled. This may allow a local user to read or write to a file
  where the permissions would not allow it. This update addresses the issue through improved handling of purged vnodes.
• CVE-2008-1447 — libresolv provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, applications that rely on libresolv for DNS may receive forged information.
• CVE-2008-3610 — A race condition exists in Login Window. To trigger this issue, the system must have the Guest account enabled or another account with no password. In a small proportion of attempts, an attempt to log in to such an account will not complete. The user list would then be presented again, and the person would be able to log in as any user without providing a password. If the original account were the Guest account, the contents of the new account will be deleted on logout.
• CVE-2008-3611 – When a system has been configured to enforce policies on login passwords, users may be required to change their password in the login screen. If a password change fails, an error message is displayed, but the current password is not cleared. This may not be obvious to the user. If the user leaves the system unattended with this error message displayed, a person with access to the login
  screen may be able to reset that user’s password.
• CVE-2008-1447 – mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
• CVE-2008-3614 – An integer overflow exists in QuickDraw’s handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
• CVE-2008-3616 -- Integer overflow issues exist in functions within the SearchKit framework. Passing untrusted input to SearchKit via an application may lead to an unexpected application termination or arbitrary code execution.
• CVE-2008-2312 – Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. This update addresses the issue by storing PPP passwords in the system keychain when the password is changed.
• CVE-2008-3617 — Remote Management and Screen Sharing can be configured to require a password for VNC viewers. The maximum length for VNC viewer passwords is eight characters. The password field can display more than eight characters, implying that the additional characters are used in the password.

Other documented vulnerabilities affect System Preferences, Time Machine, VideoConference and Wiki Server.

* Image source: DeclanTM’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

With Facebook persistently under attacks from phishers and malware authors, looking for creative ways to efficiently exploit its users base, Facebook’s security team has silently introduced a new “security warning feature” alerting its users on the potential maliciousness of the third-party site they are about to visit. Is the newly introduced featured a PR move, and how applicable is this approach during an ongoing attack? Taking into consideration the fact that the competition in the face of MySpace have implemented their own centralized outgoing links redirector (Msplinks.com) in April, 2007, the current state of Facebook’s warning feature should have been the new benchmark. Sadly, it still isn’t.

What Facebook’s feature is doing, is simply adding a warning message to links it suspects of being spam or phishing like the following :

“You are about to leave Facebook to visit this address. For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site.”

And if it wasn’t Facebook’s mentality of making it hard for spammers to spread their campaigns across the network at the first place, perhaps the only useful feature of the warning message is its potential to slow down an ongoing malicious campaign by making the user think twice before clicking further. Whereas the feature is a step in the right direction, it’s still lacking some of the possible defenses whose implementation we would hopefully witness in the long-term, else it’s just good PR. What could be improved anyway?

• process all outgoing links through a leading provider of web filtering solutions, in fact cost-effectively outsource the entire process
• integrate freely available blacklists of malicious and phishing sites such as, Google’s Safe Browsing Diagnostic, SiteAdvisor, Phishtank, BrowserDefender and Norton’s SafeWeb, then cross check the outgoing link through them and come up with a score for potential maliciousness
• implement URL shortening and highlighting of the original domain in order to expose a phishing email relying on numerous subdomains aiming to visually social engineer the user
• take notice from the competition and how Msplinks.com evolved during the last year thanks to all the cybercriminals finding ways to bypass it

As far as MySpace’s Msplinks.com is concerned, the feature wasn’t proactively introduced, but was implemented in a rather reactive move to several massive phishing attacks that were hitting MySpace at the time. By the time MySpace’s Tom Anderson announced its release in April, 2007, malicious attackers started playing around with it, successfully finding ways to bypass it, with MySpace usually catching up with the technique several months after it’s been available. The vision behind this centralization is the following according to Anderson :

“Hey everybody, we just launched another program to stop dirty spammers from hasseling [sic] you. When you input a link in myspace it may be converted to a redirect link. You’ll start seeing them around the site. They look like this: msplinks.com/adf9sd9f. These links are legit and we are creating them. They are not viruses or whatever else your conspiracy theorist friends told you. They still point to their original url, but let us easily turn off links to spam, phishing, or virus sites. booyah!”

Then in March, 2007, a large scale phishing attack prompted MySpace to start using msplinks not only on comments, but also, on profiles :

“Tonight we started using msplinks on profiles, just like we’ve been using them in comments. Whenever you save a url in your myspace page, we convert it to an msplinks url. This allows us to easily and instantly disable links sitewide. If a phishing link gets out into common use, we can turn it of instantly.”

And despite that the move did slow down the phishing campaign, MySpace’s msplinks is anything but perfect, with another massive phishing campaign that hit the social networking site in November, successfully getting around the redirector.

Cybercriminals adapt more often to a particular service’s defenses in place than the service would like admit. While some are looking for ways to bypass the centralized redirector, opportunistic attackers are successfully finding ways to host the phishing profiles on the social network sites themselves. In times when the ongoing abuse of legitimate web services as redirectors or actual hosting providers of phishing and malware attacks is increasing, exposing your users wanting their “Web 2.0 experience” to already identified as malicious hosts shouldn’t be the case.

[Source: zdnet]

If you haven’t applied Microsoft’s MS08-053 security update, now might be a good time to hit that patch button.

Proof-of-concept exploit code for the vulnerability, which allows remote code execution attacks via the Web, has been posted online, raising the likelihood that we’ll soon see in-the-wild exploitation.

The exploit, available at Milw0rm.com, targets a critical flaw in the WMEX.DLL ActiveX control installed by the Windows Media Encoder 9 Series. This ActiveX control is marked as Safe for Scripting and can be exploited view the Internet Explorer browser.

[ SEE: MS Patch Tuesday: 8 critical security holes patched ]

From Microsoft’s bulletin:

• The vulnerability could allow remote code execution if a user views a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The bulletin is rated “critical” on supported/affected editions of Microsoft Windows 2000, Windows XP and Windows Vista. On Windows Server 2003 and Windows Server 2008, it carries a “moderate” severity rating.

[Source: zdnet]

Malicious hackers have broken into several sections of BusinessWeek.com and are now using the popular site to redirect visitors to malware-laden servers.

At the time of writing, hundreds of pages on BusinessWeek.com have been rigged with malicious JavaScript pointing to third-party servers. Visitors to the site execute the script, which attempts to launch drive-by malware downloads.

Firefox 3’s malware blocker is detecting some of the infection attempts but there are numerous malicious pages currently bypassing the browser’s blacklist-based filter.

[ SEE: Microsoft ships free code auditing tools to thwart SQL injection attacks ]

According to data from the Google Safe Browsing API, BusinessWeek.com has been flagged as malicious for a while:

• Of the 2157 pages we tested on the site over the past 90 days, 214 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/15/2008, and the last time suspicious content was found on this site was on 09/11/2008.
• Malicious software includes 721 scripting exploit(s), 4 trojan(s), 3 exploit(s). Successful infection resulted in an average of 2 new processes on the target machine.

SEE: SQL Injection attacks lead to wide-spread compromise of IIS servers ]

The use of legitimate Web sites in drive-by malware attacks has soared in recent months. According to expert estimates, at least 70 percent of all Web-based malware is now being hosted on legitimate Web sites. Some recent high-profile targets included Bank of India, China.com, and USA Today.

[Source: zdnet]

A spamming vendor known as the SET-X Corporation, has recently launched the distributed SET-X Mail System, a sophisticated managed spamming service available for rent on a monthly basis starting from $2000, promising to achieve “spamming speed” of 5000 to 7000 emails per minute and over 1 million spam messages per day, courtesy of the 5000 bots it comes preloaded with.

Let’s analyze the spamming service, what makes it tick, and discuss some of the emerging trends related to the overall outsourcing of each and every segment of cybercrime.

The market segment for managed spamming services is still in its introduction stage, with several unique providers of such managed services whose do-it-yourself systems and zero complexity mentality are poised to empower many new entrants into the spamming business. The SET-X Mail System in particular, is a typical example of a “one stop spamming shop”, which compared to legitimate companies that are able to occupy and serve all the market segments related to their particular product or a service through M&A (mergers and acquisitions) with different companies, has managed to vertically integrate on their own and logically provide anything a spammer could possible need from a spamming service such as :

• dedicated staff of four people updating the malware binaries and reachable 24/7
• daily introduction of new malware infected hosts
• the ability to purchase recently harvested email databases for a particular country in order to use them in localized spam campaigns, with the translation service for the messages provided by the same vendor
• the option to purchase an unlimited number of automatically registered email accounts at popular web based email providers in order to integrate them within the “unique legitimate senders” spamming method
• unlimited support of spam templates also known as macroses
• unlimited number of email databases to integrate and use simultaneously
• low total cost of ownership (TCO) and 99% uptime of the command and control server due to the fact that the malware infected hosts obtain commands dynamically from secondary servers in order to ensure that they never expose the central one

Speaking of vertical integration, SET-X Corporation’s current inventory of harvested email addresses available for sale to customers of its spamming service seems to have been anticipated as a possible revenue source, aiming to further develop the business relationship with the current customers. Their current inventory :

“Russia (private citizens) - 16 000 000 emails
Ukraine (commercial) - 3 300 000 emails
U.S.A (private citizens) - 118 000 000 emails
Western Europe (private citizens) - 13 000 000 emails
Europe (private citizens) - 46 000 000 emails”

How sophisticated is in fact the service? SET-X Corporation has extensively described the spamming service in their marketing pitch, translated from Russian to English as follows :

“- Flexible and convenient Web based interface, detailed statistics while sending, changing any settings (mail databases, texts, macros)

- User-friendly web based interface - start spamming from day one

- Automatic “spamming capabilities” assessments of the bot allowing you to think about your business and not about the technical details behind it

- Daily malware updates, four programmers allocated for every server, sending automatic ICQ notifications whenever the malware gets updated

- Automatic optimization of the spam campaign by first allocating the bots with clean IP reputation

- Optional is the option to chose whether or not a dedicated “spamming engineer” should be allocated to your server

- His responsibilities include introducing a higher number of bots if requested, ensuring that dead bots get disconnected from your server, and providing personal advice on optimizing your campaigns and bypassing anti-spam filtering through the built-in multi RBL checking feature

A brief description of the system:

1. The system is automatically harvesting the outgoing and incoming email addresses on the infected hosts and the associated accounting data, supporting the following clients :
- Mozilla Thunderbird
- Outlook Express
- MS Outlook
- The Bat
- Opera

2. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible

3. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible

4. The central control server automatically assigns different regional servers to the bots, and rotates them periodically for security purposes

5. All the information about the spam campaigns and the bots can be exported and syndicated with another regional server as requested, with the regional server dynamically establishing links with other regional servers so that it never really knows the address of the central command server

6. There are several different ways of sending spam using this service :

1) Direct spamming from the legitimate email accounts of the infected computers, with the system automatically syndicating all the available legitimate emails whose accounting data naturally stolen due to the malware infection is again, automatically integrated in a “unique legitimate senders” database. Full support for web based email accounts in the form of domain:username:password

2) Sending via Direct SMTP: send messages directly using the MX and PTR records of the infected host’s gateway

3) Sending to direct recipient

4) Sending through open relays and socks servers, both of which can provided at an additional cost

7. SET-X Mail System is highly modular, with unique features easily coded and implemented as requested by the customer

The average speed from one server is 5000/7000 emails per minute, over 1 million emails per day, and if requested you can purchase as many servers as you would like. The price of rent per month is $2000 with additional $1000 for each additional server if the servers are ordered at the same time.”

An inside look of the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise - speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be simultaneously used resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to ensure that the central server never gets exposed, is in fact fast-flux which depending on how many bots they are willing to put into “regional server mode” shapes the size of the fast-flux network at a later stage.

Spam is definitely not going away, especially nowadays when the whole process that used to require a decent investment of time and resources, has matured into an emerging market for managed service providers of spamming services whose web based interfaces successfully mimic the look and feel of anti-spam appliances. And whereas for the time being each of managed spamming services outperforms the other on different fronts, in the long-term the natural market competition forces will result in more extensive development of these systems next to the plain simple theft of intellectual property in the form of integrating a competing system’s unique features within another service.

[Source: zdnet]