
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


The Coming Storm

A broad range of vulnerabilities have been disclosed and patched by Microsoft with their monthly patch release. The impact of the vulnerabilities ranges from local user privilege escalation (e.g. normal -> admin), through remote Denial of Service, to potentially total compromise of a vulnerable system. Exploits for a number of the issues are already in active circulation, and have been for some time. For detailed descriptions, refer to the applicable security updates from Microsoft. It is strongly recommended that all Windows users update to the latest security patches.

The vulnerabilities are being actively exploited on a wide scale. Although exploits were circulating prior to the patch releases, there has been an explosion in the number of attacks, with the start of the working week in the US expected to be a critical turning point. The Universal Plug and Play vulnerability is expected to become a major exploitation route, with multiple examples of exploits currently circulating.

A number of months ago, Microsoft announced the existence of their Honeymonkey network. Similar to a Honeypot, which is a decoy server designed to lure malicious attackers into demonstrating their skills, a Honeymonkey is a system designed to actively surf a network and monitor for automated attacks against the visiting client. According to SecurityFocus, the Microsoft project has already identified nearly 300 sites which launch automated attacks against standard Windows XP systems, including one claimed 'zero-day' exploit. A 'zero-day' exploit is an exploit which has been released without the target software vendor being aware of the vulnerability being exploited. The exploit in question uses the JView vulnerability which was mentioned last month in this column. The JView vulnerability is just one symptom of the underlying COM Object instantiation problem, and the early news notification was already suggesting that exploits were in the wild at the time (so it appears that Microsoft missed the boat on this one, again). The vulnerability exploited by the so-called 'zero-day' exploit was fixed in the recent 'Black Tuesday' updates from Microsoft.
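The detection principle behind a client honeypot of the Honeymonkey kind is simple: record the state of a clean machine, let it visit a site, and treat any change outside the areas a normal page load is expected to touch as evidence that the site did more than render a page. The following is an added example, written for this column and not Microsoft's HoneyMonkey code; it applies that principle to a monitored directory tree, using constructed 'visits' (plain file writes, no browser or network) to stand in for a benign page load and for a drive-by that drops a file and edits a configuration file. The allow-list prefix `cache/` and the file names are assumptions chosen for the demonstration.

```python
"""Snapshot-and-diff detector in the style of a client honeypot.

Added example, not Microsoft's HoneyMonkey code. The "visits" below are
constructed stand-ins (file writes only) for what a browser would do.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to a SHA-256 of its contents."""
    state: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the files added, removed and modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def is_suspicious(changes: Dict[str, List[str]], allowed_prefixes: Iterable[str] = ("cache/",)) -> bool:
    """Any change outside the allow-listed area (assumed here: the browser cache)
    means the site touched the system beyond rendering a page."""
    for kind in ("added", "removed", "modified"):
        for rel in changes[kind]:
            if not any(rel.startswith(prefix) for prefix in allowed_prefixes):
                return True
    return False


def monitored_visit(root: Path, visit: Callable[[Path], None]) -> Dict[str, object]:
    """Snapshot, perform the visit, snapshot again, and classify the difference."""
    before = snapshot(root)
    visit(root)
    changes = diff_snapshots(before, snapshot(root))
    return {"changes": changes, "suspicious": is_suspicious(changes)}


# --- constructed visits used for the demonstration ---------------------------
def benign_visit(root: Path) -> None:
    """Stand-in for a normal page load: only the cache changes."""
    (root / "cache").mkdir(exist_ok=True)
    (root / "cache" / "page.html").write_text("<html>hello</html>")


def hostile_visit(root: Path) -> None:
    """Stand-in for a drive-by: renders the page, then plants a file in a
    startup-style location and rewrites a configuration file."""
    benign_visit(root)
    (root / "startup").mkdir(exist_ok=True)
    (root / "startup" / "unexpected.exe").write_bytes(b"MZ")  # constructed marker, not a real binary
    (root / "config.ini").write_text("homepage=changed")


def run_demo() -> Dict[str, Dict[str, object]]:
    """Run both visits against fresh temporary trees and return the verdicts."""
    results: Dict[str, Dict[str, object]] = {}
    for label, visit in (("benign", benign_visit), ("hostile", hostile_visit)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "config.ini").write_text("homepage=default")  # pre-existing clean state
            results[label] = monitored_visit(root, visit)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        verdict = "suspicious" if result["suspicious"] else "clean"
        print(f"{label}: {verdict} {result['changes']}")
```

On a real monitor the same diff would be taken over registry keys, running processes and autostart locations as well as files, and the visit would be made by an instrumented browser inside a disposable virtual machine that is reverted after every site; the classification logic stays the same.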

News surfaced a little more than a week ago about moves by the US Government, through the FCC, to expand the Communications Assistance to Law Enforcement Act (CALEA). This is apparently being done to ensure that law enforcement agencies will still be able to conduct wiretaps even if alternative communications technology such as VoIP is being used. The practical implementation of the expansion requires networking hardware vendors to include a 'backdoor' in all their products, which can allow access by law enforcement agencies as required. There are significant privacy and security concerns which arise from this expansion of the CALEA. From a security standpoint, it creates a known weakness in all networking hardware, a weakness which will not remain secret forever. Privacy activists are worried, because the access being granted allows all the traffic flowing through the hardware to be grabbed (even if the CALEA provisions don't allow it).

Some observers have suggested that it is a slippery slope trying to maintain an effective balance between privacy and oversight. Although it has been said multiple times, the Internet is not a medium for storing or transmitting information that should not be seen by everybody. It is not a suitable place to store confidential information, and users should not expect to maintain confidentiality. Wireless technologies and the rise in broadband connections only make it more difficult to ensure that adequate trust exists. Assuming that the Internet is anything other than that is a dangerous and naive stance to take, and is what leads to people getting themselves into trouble unintentionally.

One industry which has introduced strict rules in an attempt to enforce a reasonable level of information security is the Medical sector. Laws such as HIPAA are designed to ensure that adequate steps are taken in order to protect client privacy and medical results. Efforts to digitise medical records carry a greater risk of information disclosure, although they can expedite the net delivery of care, which is the desired outcome. Various Governments in different countries have attempted to implement electronic medical records management, with varying levels of success, such as the OACIS system in South Australia, and the NHS Medical Record System in Britain. The NHS project has been a spectacular failure in terms of money spent and lack of deliverable results. The Times came out with an article which claims that a large number of end users are becoming demoralised with the system, and that the £6 billion system might be better off being written off. The project is already the most expensive Information Technology project in Britain, and the article claims that there are fears that the total cost of the project could explode to £30 billion over the next 10 years. In a spectacular example of shooting the messenger, the report which prompted the article blamed the disaffected users for the delays in implementing the project.

Another company which has recently been shooting messengers publicly is Oracle (of course Cisco has done it, too). As a part of their series on Information Security specialists, ZDNet Australia interviewed the Chief Security Officer at Oracle. The resulting article was more of a PR piece than a detailed look at the security practices at Oracle, which, like the other articles in the series, means it lacks real depth of technical information. What did make the article, however, was a clear indication that Oracle (amongst other companies) prefers to shoot messengers who are bearing information that they don't want to know about, or admit to. One of the responses by the Oracle CSO appeared to be establishing an 'us and them' approach to security vulnerabilities, denigrating the input from independent security researchers.

When a short lead time is given between vulnerability notification and public release (such as a matter of days), it places software vendors in a bind as they are unable to produce results, even if they throw resources at fixing issues. When the software vendors have had several hundred days to fix reported vulnerabilities, however, their complaints about unethical treatment from the independent researchers wear a little thin, especially if the vulnerabilities remain unfixed.

In defence of the software vendors, it does become difficult to implement security fixes without breaking other functionality in the application. This is especially true with any large scale application or product line, where the codebase is immense. As a result, being able to respond in a timely manner with a fix is sometimes near to impossible.

Snake oil is still being sold by the marketers, as the 'unbreakable' databases from Oracle aren't as secure as they are made out to be, and the 'self defending' network hardware from Cisco can't prevent itself from being attacked. If your security is not at a suitable level, then people will tell you about it.

In shorter news, Japanese online music purchasers have recently gained access to a localised iTunes Music Store, and have celebrated the access by purchasing a million tracks within the first four days. Australian online music buyers are still unable to utilise the popular online music store, with rumours suggesting that the holdup has been as a result of music companies holding out for a better deal.

Multiple news agencies were reporting mid last week on the settlement between Microsoft and notorious spammer Scott Richter. The settlement is conditional on the lifting of bankruptcy claims by Scott Richter and his company, along with compliance with extant anti-spam laws, and acceptance of three years of oversight of his operations. Once notorious as a 'Spam King' and one of the top 3 global spammers, Richter has since cleaned up his act significantly, recently being removed from a list of Known Spam Operators. The $7 million USD settlement also includes a statement of contrition by Richter.

15 August 2005
