Friday the 13th…cue ominous music…
Just when I thought winter was over, Mother Nature shuffled the deck and dealt Fredericton another snow storm. We received about 15cm (~6in) in a 7 hour period. An hour away in Saint John they only received 2cm (0.8in), which was quickly washed away by the rain that followed. I’m not sure how that’s fair, nor how it relates to security, but I had to rant about it.
Some interesting things happened this Friday, including reports of a zero-day RPC flaw in Microsoft DNS, details on the new Storm virus, an interesting article on “Top 10 Unusual Excuses Given for Losing Customer Data”, and a great paper on manipulating FTP clients using the PASV command.
Zero-day RPC flaw in Microsoft DNS
According to David Maynor of Erratasec, a zero-day exploit against Microsoft DNS server is being seen in the wild. This affects the most up-to-date Windows Server 2000, 2003, and 2003 R2 for all service packs. This is somewhat unusual for Microsoft’s DNS service because it’s been rock solid for many years without any DNS server flaws. Fortunately the attacks seem to be limited because this vulnerability isn’t normally exposed to the Internet on a properly configured firewall. I’ll also show you how to protect your Microsoft DNS servers below.
EXE/ZIP e-mail viruses (editorial)
Remember Bagle? It was just a couple of years ago when a very similar set of viruses was making the rounds. Bagle arrived as a plain .exe, waiting for a gullible user to double click and execute it. It later, very much like the new “Storm” virus, used an encrypted ZIP file.
If I sound bitter, it’s because I’ve seen my taxpaying dollars wasted for the past five years while various unauthorized parties have their way with these agencies. FISMA is not working.
Security Response has seen a large spam run of what appears to be the latest in the line of Trojan.Peacomm variants. While this is nothing new, this time around the attachments are in the form of password-protected zip files. The recipient is being coerced into unzipping the attachment with the included password, then running the unzipped file, to counteract activity related to an unknown worm (with which the recipient has undoubtedly been infected).
Top 10 Unusual Excuses Given for Losing Customer Data
Keeping data secure is no easy task and requires constant vigilance. Turn your back for just a moment and just like Keyser Söze — POOF — it’s gone. All that’s left then is the dubious task of explaining to your customers why their credit card information or patient data is missing.
Tech//404, a new venture by insurance company Darwin, sells insurance for losses due to technology and security failures. They now also publish a “Data Loss Archive”, a sort of repository of horrible acts of corporate data theft (it has potential, but so far it only has a number of recent events and it really should have an RSS feed).
Last year I vowed to do whatever I could to get myself weaned off as much dependence on Microsoft patches as I could. To wit: I started purchasing IPS and UTM devices for our offices. The main offices got the IPS units behind the beefcake firewalls and the satellite offices got UTM devices in lieu of a firewall. I also aggressively ramped up our HIPS deployment to try to get as close to 100% of our laptops covered as possible.
The WEP patient has been on life support for too long. Zero brain activity. Everyone agrees WEP should never be used now that WPA-PSK ships in all wireless equipment.
Good medicine addresses root causes; bad medicine merely addresses symptoms. Likewise, good risk management methodologies address root causes; bad risk management merely addresses symptoms.
Vulnerabilities like draining my battery? Maybe I’m goofy, but I tend to think that these sorts of articles have that “cry wolf” impact on real vulnerability/malware articles. How do we know if we can really expect an increase in Threat Events if articles like these are used to make up for a “slow news day”?
Manipulating FTP Clients Using the PASV Command
This paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack common web browsers such as Konqueror, Opera and Firefox. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements “port banning” restrictions). Because of the way the same-origin policy is applied it is also possible to perform banner-grabbing scans against arbitrary hosts. Finally, for services that don’t return a banner an alternative fingerprinting technique is demonstrated which measures the time it takes servers to close inactive TCP connections.
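The flaw hinges on the client trusting the host and port a server advertises in its 227 PASV reply. The check below, an added example that is not code from the paper or from any of the browsers named, shows the client-side validation that closes the hole: the data connection may only go to the host the control connection already talks to, and never to a privileged port (the 1024 threshold is an assumption here; stricter clients simply ignore the advertised host altogether). The sample replies are constructed.

```python
import re

# Matches the six comma-separated numbers of a 227 reply, with or without
# the parentheses (RFC 1123 says clients must not rely on them being present).
PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 PASV reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]          # p1*256 + p2, as the RFC encodes it
    return host, port

def check_pasv(reply, control_host, min_port=1024):
    """Decide whether the client may open the data connection the server asked for.

    Returns ((host, port), "ok") when the reply is acceptable, else (None, reason).
    Two rules defeat the redirection trick: the data host must be the host the
    control connection is already talking to, and the port must not be a
    privileged service port.
    """
    try:
        host, port = parse_pasv(reply)
    except ValueError as exc:
        return None, str(exc)
    if host != control_host:
        return None, "data host %s differs from control host %s" % (host, control_host)
    if not min_port <= port <= 65535:
        return None, "port %d is privileged or out of range" % port
    return (host, port), "ok"

if __name__ == "__main__":
    control = "192.0.2.10"          # constructed: the FTP server the control channel reached
    replies = [                     # constructed sample replies from such a server
        "227 Entering Passive Mode (192,0,2,10,19,137)",  # legitimate: same host, port 5001
        "227 Entering Passive Mode (10,0,0,5,0,22)",      # points the client at another host's port 22
        "227 Entering Passive Mode (192,0,2,10,0,25)",    # same host, but privileged port 25
        "227 =192,0,2,10,19,137",                         # legal paren-less form, still accepted
    ]
    for r in replies:
        print(r, "->", check_pasv(r, control))
```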
I’m not sure if this is the result of IT security media contorting the information they receive and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.
‘Storm Trojan’ biggest spam run this year
According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. “We’re seeing 50 to 60 times the normal volume of spam,” said Adam Swidler, senior manager of solutions marketing at Postini.
Bank Botches Two-Factor Authentication
Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.