Security Port

Internet Security News
Romanian Pleads Guilty In US Phishing Case
07/23/2008

Eighteen months after being indicted by a federal court, one of a group of seven Romanian citizens pleaded guilty to taking part in a scheme that phished bank details from victims.

Ovidiu-Ionut Nicola-Roman admitted to one count of conspiracy to commit fraud in connection with access devices in US District Court in Connecticut, the US Attorney's Office for the state said.

Nicola-Roman and six other Romanians had been indicted in January 2007 for their roles in a phishing scheme that sought banking information from victims. The group compromised a computer in Minnesota and published a fake site for Connecticut-based People's Bank.

The group also took on numerous other financial targets. Those institutions included Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal.

One unnamed bank claimed losses of $150,000 from the phishing scheme. Nicola-Roman faces up to five years and a $250,000 fine for his role in the program.

Such news comes as major web-based email providers like Google and Yahoo make gains by supporting DomainKeys Identified Mail (DKIM) to identify and weed out emails that claim to come from a domain other than the one that actually sent them. Broader adoption of DKIM may be what email needs these days.

DNS Flaw Details Emerge
07/23/2008

Security pros have been urged to patch vulnerable DNS systems if they have not done so already.

A post by Halvar Flake regarding the critical but undisclosed DNS flaw being quietly patched apparently hit the mark.

Flake's hypothesis received a quickly-retracted confirmation from a security firm that had been briefed on the vulnerability. "We confirmed the severity of the problem then and, by inadvertently verifying another researcher's results today, reconfirm it today," Thomas Ptacek at Matasano Security said in an apologetic post.

Spoofing referrals to a nameserver could ultimately yield a way to bring legitimate DNS requests to a malicious system, according to Flake. Once the attacker manages to poison a DNS cache, people could be redirected from a legitimate destination to a bogus one.

"Patch. Today. Now. Yes, stay late," Dan Kaminsky, the DNS researcher who discovered the flaw and reported it to security vendors, said on his blog today.

The issue of whether or not this flaw was publicly disclosed inappropriately appears moot. A security advisory from earlier in July confirmed the existence of a problem with randomization of transaction IDs (TXID). Flake mentioned TXID as well, making it likely this flaw has been known for weeks already.
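As an added example, not part of the article and not code from any of the vendors or researchers named in it, the check below is what an administrator can run after patching to confirm that their resolver's outbound queries are actually randomized: the fixes vendors shipped for this flaw add randomized source ports alongside randomized TXIDs, so a resolver that still uses one fixed port or hands out sequential TXIDs has not been fixed. The input is a list of (source port, TXID) pairs taken from a packet capture of your own resolver's outbound queries; the samples embedded here are constructed, and the function names and thresholds are assumptions of this example.

```python
"""Assess whether a resolver's outbound DNS queries look randomized.

Added example, not from the article. The samples below are constructed,
not captured traffic; feed real (source_port, txid) pairs from a capture
of your own resolver's outbound queries to get a meaningful verdict.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy, in bits, of the observed values."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_sequential(values):
    """True when every value is exactly the previous one plus 1 (mod 2**16).

    Entropy alone does not catch this: a counter that never repeats has
    maximal empirical entropy but is trivially predictable.
    """
    return all((b - a) % 65536 == 1 for a, b in zip(values, values[1:]))


def assess_resolver(pairs):
    """Summarise port/TXID randomness and list the weaknesses found."""
    ports = [port for port, _ in pairs]
    txids = [txid for _, txid in pairs]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    if is_sequential(txids):
        findings.append("sequential TXID")
    return {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "findings": findings,
    }


# Constructed sample: an unpatched-style resolver, one fixed port and a
# TXID counter. Looks fine by TXID entropy alone, fails both checks here.
WEAK_SAMPLE = [(53, 0x1000 + i) for i in range(64)]

# Constructed sample: a patched-style resolver with randomized ephemeral
# ports and TXIDs (seeded so the example is reproducible).
_rng = random.Random(2008)
STRONG_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 65535))
                 for _ in range(64)]


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        print(name, assess_resolver(sample))
```

With real data, collect at least a few dozen outbound queries; with fewer samples the entropy estimate is too coarse to distinguish a randomized resolver from a merely varied one, and the sequential-TXID test needs consecutive queries from the same resolver process to be meaningful.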

Server Theft Trumps Server Hacking
07/23/2008

Brute force was applied to physical goods long before it ever came up in the conversation about breaking passwords to gain access to resources.

Spend a lot of time carefully tweaking your router, your firewall, your on-board security software, and you probably feel reasonably confident about the state of security for your computer. That will last until someone kicks in the door while you're away, and carts off the hardware.

Such base crimes seem almost quaint when thinking of computer security, but a smash and grab yields as much from a device, if not more, as any software or network approach to cracking a machine.

Pingdom picked up on the theme of theft of hardware in a blog post. The solution to physical security, one might think, would be hosting with a dedicated center where physical protection comes along as part of the package.

But that thinking stops with the news of several robberies of servers from their colocation facilities. In one example in Chicago, thieves cut through a wall, tasered an employee, and walked out with at least 20 servers.

Verizon, the Financial Times, and musician Peter Gabriel all suffered at the hands of thieves who liberated servers with their content from purportedly secure facilities. Thefts at private offices also add up to a common theme: machines that have value to criminal sellers, and a market for those devices.

Regular backups and encryption help get a victimized business up and running, while keeping sensitive data safe from prying eyes when a hard drive gets stolen. There's little reason not to safeguard information on a storage device anyway; security pros ought to evaluate their options here and make encryption part of a standard hardware build in enterprises of all sizes.

Critical DNS Issue Threatens Internet
07/23/2008

No hyperbole, no joke. People familiar with a flaw in the domain name system sounded a sobering call to administrators everywhere to fix their systems.

One might think it a ploy worthy of the Black Hat Conference. Reveal how a noted security researcher found a fundamental flaw in DNS with major ramifications, put him on the conference schedule, and watch the attention and attendees roll into Las Vegas.

Except, the problem is real. Dan Kaminsky is no Peter crying 'wolf', but a Roy Scheider who's spotted a massive great white shark near the beach. Like the mayor of Amity in Jaws, the Internet needs to listen.

Kaminsky will discuss the DNS flaw on July 24 via webcast. It will take place as admins around the globe work to update their systems.

Legendary BIND creator Paul Vixie has been coordinating the vendor response to the DNS flaw. He took time to respond to sniping from the security pro community about Kaminsky's work in disclosing the problem.

"Everything we thought we knew was wrong," Vixie said of contentions that DNS has always been known to be terribly insecure.

OpenDNS founder David Ulevitch told SecurityProNews the DNS flaw was the most serious vulnerability he's ever seen. Ulevitch said the attack necessary to exploit the problem will be easy to do, enabling anyone who understands the flaw to try and exploit it.

He also noted OpenDNS had been secure against the flaw well before Kaminsky discovered it, so networks using OpenDNS for their services today will be protected from those potential attacks.

Mozilla Patches Firefox 3
07/23/2008

A fix for a vulnerability reported a few hours after the Firefox 3 Download Day opened began arriving on people's computers.

Last month's effort by Mozilla to set a world's record for most downloads in a 24-hour period received a damper from a security researcher. About five hours after the start of the event, TippingPoint revealed a flaw in Firefox 3 had been reported to them and shared with Mozilla's engineers.

Mozilla revealed some additional information about the issue reported by TippingPoint, which acquired the vulnerability from its discoverer and passed it to the Firefox team. A remote code execution situation could have resulted if the flaw were exploited.

Mozilla said the vulnerability had to do with Mozilla's internal CSSValue array data structure. Too many references to a CSS object would create an overflow condition in the browser.

When the browser crashed from this, the attacker may have been able to run code on the targeted machine.

Mozilla also warned the Thunderbird mail client, which shares an engine with Firefox, could be vulnerable if JavaScript is enabled; by default JavaScript is not enabled in Thunderbird. They reasonably recommend not enabling JavaScript in the mail client in order to mitigate emailed threats.

Oracle Troubled By Web Component Security
07/23/2008

The latest run of vulnerability fixes released by Oracle showed troubling trends with making services available with web-facing resources.

Not only were previous versions of Oracle's signature database impacted by recently discovered vulnerabilities, but the latest version of their product, 11g, also contained flaws addressed in the newest patch updates released by Oracle.

Imperva CTO Amichai Shulman told SecurityProNews his first look at Oracle's updates noted that disturbing revelation. Among its Internet-facing products, many web components required fixes for the usual threats like code injection or buffer overflows.

Shulman said there was "definitely a trend" toward more of these kinds of problems being revealed. On the positive side, he cited Oracle's move toward denoting security issues with a CVE code to make them uniform with how the security industry tracks flaws and their resolutions.

According to security vendor iDefense Labs, Oracle needed to fix a critical issue in its Internet Directory. A malformed LDAP request could enable an attacker to hit a vulnerable host with a denial of service attack.

Another problem highlighted by iDefense that received a fix posed a remotely exploitable threat. A buffer overflow vulnerability in the DBMS_AQELM package in Oracle's Database, due to a failure to properly validate input, might allow an attacker to execute arbitrary code as the database user.

Unpatched Systems Survive Four Minutes Online
07/23/2008

The presence of a firewall helps, but without something blocking the path from automated probes to one's PC, its survivability declines rapidly.

Venturing onto the Internet brings along a sizable share of risks. Doing so with an unpatched system looks like the height of folly; we would be surprised if any security pro did this for a home or a production system.

SANS' Lorna Hutcheson said she gets questions on the four-minute figure for unpatched systems. People seem to disbelieve it happens this quickly.

Hutcheson said the four-minute window is accurate, modified by whatever may be between the unpatched system and external threats. For those who want to have fun testing this, Hutcheson suggested the Honeynet Project.

"Placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas," she said.

"Using a NAT router and a correctly configured personal firewall is the way to go - both these measures help a lot to improve the odds in favor of your PC."

Internet Cafes Threatened Ahead Of Olympics
07/23/2008

Throngs of visitors to China during the Summer Olympics will include many who want to check up on their email or other online resources. That could be a problem.

Circulation of a new rootkit aroused attention from the Chinese research community. What they have found so far looks like a major problem for the operators of Internet cafes, which hold plenty of popularity in China.

Security vendor McAfee said on its Avert Labs blog that the piece of malware, dubbed MachineDog, harbors a particularly insidious threat to cafe owners and how they generally protect the systems used by the public.

"Most internet bars and cafes rely on hard disk protection software excessively," McAfee noted. "Once their machines are infected, the administrator just restores from backups made by the protection software. This malware takes advantage of this contrived neglect."

The problem stems from MachineDog dropping a driver into the kernel of the operating system. Once in place, an administrator likely won't detect it as many of these cafes may not be running security software to complement their hard drive security methods.

Visitors to China for the Olympics may be best served by limiting their usage of Internet cafes to general, non-personal surfing. Many will want to check their email, or even other services that use secure http connections. China's active malicious hacker community makes us wary of recommending this at Internet cafes.

Swiss Slammed By Lots Of Spam
07/23/2008

Inboxes in the tiny European country picked up far more spam than anywhere else in the world during the month of June.

Pity Switzerland. The nation saw so much spam circulating that it overtook usual list topper Hong Kong for the ignominious honor of most spammed country last month.

Security vendor MessageLabs said in its monthly report spam overall decreased 0.3 percent from May to June, to account for 76.5 percent of emails.

Some countries saw higher ratios of spam to legitimate messages. Switzerland's uncomfortable percentage of spam out of all email hit 84.8 percent. Hong Kong, France, Israel, and Austria followed in that list.

Those countries made the US spam level of 68.8 percent in June look virtually manageable. Australia fared better at 66.9 percent, while Canada experienced 77.8 percent and the UK 74.3 percent.

Political and celebrity topics continued to prove popular with spammers in June. Democratic Presidential candidate Barack Obama's campaign probably did not enjoy seeing spam titled "Scandal rocks Obama as lurid sex video leaked!" making the rounds.

That and similar spam alluding to illicit videos featuring Brad Pitt, Christina Aguilera, and Scarlett Johansson led people to a malicious file, video.exe, hosted on a compromised domain.

MessageLabs said the file resides on a page linked from the spam; the visitor is prompted to grab the ActiveX control to view the video, but instead ends up with malware related to the Storm botnet.

Microsoft Patch, ZoneAlarm Make PCs Too Secure
07/23/2008

An incompatibility between a fix for the Windows Domain Name System and a popular firewall product caused users of that product to lose their Internet connections.

Whoops. One combination of security fix and security software added up to a big fat zero for some computer users.

Microsoft's light Patch Tuesday updates weighed heavily on users of the ZoneAlarm family of security software. The fix for a DNS issue, referenced in Microsoft's Knowledge Base as 951748, caused ZoneAlarm users to experience a loss of Internet access.

People using ZoneAlarm products on Windows Vista, Microsoft's most current version of its operating system, were not affected. However, the update created problems for people still on Windows XP or 2000.

Updated versions of ZoneAlarm's products listed on an advisory page fix the problem. ZoneAlarm also listed a workaround for the issue.

Defensive Computing blogger Michael Horowitz said this situation demonstrated why people should wait a couple of days before installing Microsoft's patches, in case something like this happens and requires a fix.

"This is exactly the sort of situation for which that advice was intended," he said of the ZoneAlarm kerfuffle.