A less-than-critical Vista hole could become more critical, as Microsoft’s security team says it’s aware of a published exploit that could enable an ordinary process to pass itself off as a system process with unrestricted access.

Last April, Microsoft admitted to a serious, though perhaps not critical, security hole in all modern versions of Windows including XP and Vista. But a notice posted last Thursday to the company’s Security Response Center blog, warning of a published exploit using that same technique, is an indication that the hole has gone unplugged all this time.

Tomorrow being “Patch Tuesday,” Microsoft has advised admins to prepare for four “critical” and six “important” patches, and among that latter group are three related to elevation of privilege in Windows. That’s all the general public is allowed to know for now, as Microsoft is now limiting the degree of information it shares prior to Patch Tuesday in an effort to thwart “zero-day” exploits. One of those patches could pertain to this particular exploit.

Microsoft made its original acknowledgement last spring after an independent researcher named Cesar Cerrudo gave a presentation in Dubai (PDF available here). There, Cerrudo demonstrated how a process Windows can obtain service-level privileges just by making any old API call that communicates with a service. In Windows, a service is a continually running program that provides functions to the operating system; there are typically dozens of services running in Windows at any one time. A technique with the unfortunate name of impersonation is legitimately used for that process to have the appearance of being qualified to communicate with that service.

Cerrudo showed how, in Windows XP, if the process can impersonate a service in order to talk with a service, it can trick the impersonation technique into giving it system-level privileges instead, which are the same as being completely unrestricted. He then demonstrated how Windows Vista implemented firewall techniques to prevent this from happening. Those prevention measures are largely successful, except in the case of so-called thread pool processes. For multithreaded applications, a single thread pool can be established for the legitimate purpose of performing certain functions on behalf of multiple threads, thus helping to make code tighter and more manageable. Vista’s service-impersonation protection, Cerrudo showed, did not extend to thread pools.

The Microsoft security team’s Bill Fisk said in a blog post Thursday he is unaware of any active attacks using the published exploit, adding, “Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory.” Those workarounds for admins involve IIS 6.0 and IIS 7.0, and include setting up provisions for so-called worker process identities, which would conceivably prevent a remote process from being able to pass itself off as a local process, in order to start impersonating a service or system-level process later.

Posted in Security | Leave a Comment | No Comments »

The world bank has been hacked repeatedly over the last year according to a report on Dark Reading, which once again brings out the question, where was the information security team on this one?

With the banks in crisis and contributing to a generalized distrust of the banking system, the news of the breech could not come at a worse time. While many in the information security world wondering who is running the servers and managing the security at many of the banking companies as they consolidate and shut down, news of a world bank hack, with five servers that contained sensitive data for a year comes as stunning information.

The data raids are not a matter of stealing inconsequential bits and bytes. The World Bank’s data center is literally a treasure trove of vital financial information from around the globe. As a clearinghouse for financial data from both governments and companies, the bank’s computers could provide intruders with both a financial and intelligence gold mine — from inside information on bids and contracts to the minutes of confidential board meetings. Source: Fox News

You can read the memos here and here, the dark reading article is right here.

In all this is going to end up not just compromising people, but compromising governmental information about money, how money is used, and where it is going around the world. The interesting part is that not just money movements, if you know what the World Bank is going to invest in next that can give a company a competitive advantage, or allow the hackers to follow the money to other banks where the security is much poorer than they were at the World Bank.

They also do not know what was stolen as they are still trying to figure out who got in, or how they compromised the systems. Dark Reading is calling it a spyware hack, but then that means that it would have to come in either via image, USB, or someone was surfing from the computer and did not have it patched, or patches were lacking and there was a hole that was exploited. There are any numbers of ways that the intruder got into the system.

There might just need to be a complete overhaul of the World Bank networks and systems to make sure that any additional back doors or other systems were not compromised. What is more worrisome though is that the key server for the bank was also hacked, meaning they have the keys that were stored on that system. This means that all the keys issued by that server are also going to have to be reissued. Interesting story, with many ideas on whom, what, and how. The cleanup is going to be very hard, and they will need to have a security crew that is capable of cleaning up the mess.

Posted in Security | Leave a Comment | No Comments »

The MPAA has approved the use of DreamSteam “military strength” 2048-bit encryption to protect online video streaming content in an effort to stop the unauthorized downloads of the content.

“We are very excited to have the MPAA stand behind our technology,” said Ulf Diebel, chief development officer for DreamStream. “The MPAA understands the need to be proactive - rather than reactive — in addressing the chokehold that piracy has on the motion picture industry. Their recommendation is not something that Hollywood will take lightly.”

Since being introduced to the system in March of this year, the MPAA has been reviewing the technology and has finally decided that it is a viable system for securing online content.

“We are very excited about our breakthrough technology. For the first time, digital content can be distributed without fear of piracy. By making it possible for studios and other copyright holders to secure their content, we can make it impossible for movies to be digitally pirated,” said Diebel. “DreamStream can restore property rights to their owners and restore the commercial success of music and video recordings with a solution that benefits both producers and consumers.”

As with all digital content, online media, including streaming, has fallen prey to piracy, but DreamSteam now feels they have the solution.

“The existing systems are broken,” said Diebel. “If studios and artists want to confront the problem of piracy they must embrace a comprehensive restructuring of their distribution methods.”

DreamSteam also says its media system gives users instant access to HD-quality content, including no processing delays. The technology also offers encryption never before seen for streaming content. Current systems use 128 bit encryption whereas DS uses 2048-bit encryption, and is considered military grade.
The company says its encryption has never been compromised by hackers or pirates. “Pirates are not just found in the movies anymore. Today’s pirate is a twelve-year-old sitting on a couch in Hong Kong. Or, worse yet, an unmanned fleet of Xbox’s all aimed at your server. Hacker attempts are no longer measured in how many per day but how many per second. It is just a matter of time until the pirate comes aboard your ship and breaks into the treasure chest. Unless they cannot see the ship. With DreamStream, your digital information is invisible. Your treasure chest is secured, and the key to it is encrypted with a 2048 bit encryption. Yes, a true digital fortress. A fortress that fits on a very small chip or hard drive!,” reads DS’ website.

“To win the war on piracy, the studios need DreamStream’s military grade capabilities,” concluded Diebel.

Posted in Security | Leave a Comment | No Comments »

An ActiveX control used to view Microsoft Access report snapshots poses a potential avenue for exploitation.

Microsoft confirmed the existence of a flaw in one of its complementary products. Advisory 955179 highlighted the issue with the ActiveX control for the Snapshot Viewer for Microsoft Access.

The flaw leaves unprotected users at risk from specifically crafted web pages aimed at breaking in through the exploit. If attacked, people run the risk of arbitrary code being executed on their machines.

“The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003,” Microsoft said.

“The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.”

US CERT said it knows of no “practical solution” for the problem. Instead, people may wish to try disabling the problematic ActiveX control by setting its kill bit in the registry. Such changes should be undertaken only by people who are comfortable with backing up and editing the Windows registry.

Running as a user with reduced privileges may mitigate the exploit until it is patched. However, Microsoft offered no guarantee that running with limited rights will completely protect against potential exploits against this vulnerability.

The recent holiday weekend also proved difficult from a security perspective from another avenue. Security vendor Symantec said it had blocked 3.5 million junk emails with 4th of July themes.

Since the Microsoft vulnerability could be exploited through an emailed link, people should continue to toss out suspicious emails, even from known senders, and avoid clicking links in messages.

Posted in Microsoft, Security | Leave a Comment | No Comments »

In its monthly advance notice the weekend before the second Tuesday of the month, Microsoft said it will only be addressing four security issues this time around, two dealing with Windows. But a surprisingly big Vista bug fix is under way.

If you think about it, the relative security of Windows Vista hasn’t been the subject of much debate recently. If there’s any problem consumers have with it, whether it’s born out of market perception or real-world experience, it’s a feeling that it’s not all that reliable.

So perhaps it’s not such a bad thing that next week’s Patch Tuesday round of fixes from Microsoft will focus less on security — with only four issues in that category to be addressed there — and more on Vista’s overall reliability. A single performance update announced by Microsoft on June 24 will tackle some real-world problems that Vista users have been facing, according to automated feedback the company’s servers receive when Internet-connected Vista users crash.Here’s a little annoyance: Have you ever tried to delete a user account from Vista’s Control Panel, only to be responded to by your system sitting there in an endless loop, doing nothing? Then when you reboot, the account’s not gone? That’s one of the issues this performance update will address.

And what is it about Vista, after you leave your computer on for an “extended period of time” (A day? Two days?) makes it decide that Excel is no longer a valid application for you to run? How many times has this happened to you, to paraphrase a TV infomercial? That’s another bug Vista users should find gone, hopefully.

There’s also interesting little problems such as certain builds of NVidia drivers that cause high-definition audio streams to sound like they’ve been fed through a chipper-shredder, and Windows Mail (the replacement for Outlook Express) triggering a crash when traffic monitoring is enabled through Windows, and e-mail security through ZoneAlarm is active at the same time. These are the little, everyday affairs that some people really look forward to seeing gone. Quite possibly, they impact more users than the average newly discovered vulnerability.

It’ll be nice to see how well this latest round of patches addresses these and a host of other Vista-related issues.

Posted in Security, Windows | Leave a Comment | No Comments »

Posted in Privacy, Security | Leave a Comment | No Comments »

Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.

Experts with Boston’s Core Security Technologies, who discovered the deficiency and described it to the Associated Press before they issued a security advisory, said there’s no evidence anyone else found or exploited the flaw.

Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.

But the vulnerability could have counterparts in other supervisory control and data acquisition, or SCADA, systems. And it’s not clear whether all Citect clients have installed the patch.

SCADA systems remotely manage computers that control machinery, including water supply valves, industrial baking equipment and security systems at nuclear power plants.

Customers that use CitectSCADA include natural gas pipelines in Chile, major copper and diamond mines in Australia and Botswana, a large pharmaceutical plant in Germany, and water treatment plants in Louisiana and North Carolina.

For an attack involving this vulnerability that Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but can happen when companies have lax security measures, such as connecting control systems’ computers and computers with Internet access to the same routers.

A rogue employee could also access the system internally.

Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment or cause a nuclear power plant to malfunction by attacking the utility’s controls.

That possibility has grown in recent years as more of those systems are connected to the Internet.

The Citect vulnerability is of a common type. Called a buffer overflow, it allows a hacker to gain control of a program by sending a computer too much data.

“It’s not a very elaborate problem,” said Ivan Arce, Core Security’s chief technology officer. “If we found this thing - and this was not that hard - it would be easy for someone else to do it.”

Posted in Security | Leave a Comment | No Comments »

A Chilean hacker posted sensitive information about six million of his compatriots on the Internet, apparently in an act of protest against the government’s lax data security.

According to Chilean newspaper El Mercurio, details including people’s address’, phone numbers, ID numbers, email addresses and even academic records were all laid bare for the world to see on a popular technology blog called FayerWayer. Links to additional information was also posted on a website called “ElAntro”.

The information was mined from various different Chilean government and military sites, including the Ministry of Education, state telephone firms and the Electoral Service website. “Nobody bothers protecting that information”, the hacker allegedly wrote in explanation of why he felt the urge to expose six million of his countrymen to identity theft.

Chilean Police commissioner Jaime Jara told El Mercurio that the police were investigating, however, the fact that it took the slow poke Chilean authorities hours to twig what had happened, and then several more hours to get round to removing the private data, goes quite a way to proving the hacker’s point. µ

L’Inq AFP

Posted in Hacking, Security | Leave a Comment | No Comments »

Yahoo opened the beta test of SearchScan in several countries to help safeguard people against potentially dangerous links in their search results. Searchers may notice something different about the search results in Yahoo. The company partnered with security vendor McAfee, which runs the SiteAdvisor service, to power a new feature called SearchScan. “While SearchScan will be on by default, users have control over how they use the feature,” said the Yahoo Search blog. “In preferences, users can choose to turn the feature off or choose to filter out all sites with warnings from their search results.” SearchScan compares links with an index of ones it has checked for possible problems, like browser exploits, unsafe downloads, or just the likelihood the site spams visitors who give it an email address. McAfee said its site ratings are based on automated safety tests of websites, and include feedback from volunteer reviewers and its analysts. Yahoo’s Vish Makhijani, SVP & GM for their search engine, noted on the official Yahoo blog how they are the only search site providing this type of advance warning today. People will see these warnings appear in red with the listing SearchScan flags. SearchScan should be of great benefit to people whose less than perfect spelling leads them to mistype a query, which could return a link or two that direct people to a dangerous website. Some scammers register incorrectly spelled domains in the hopes of bringing in visitors who hit a wrong letter or two. Other search sites may want to consider similar initiatives. Google for one has been vexed for months with SEO poisoning attacks that drop links to infected pages into its listings. Their work with StopBadware.org doesn’t seem to notice these links, and that’s not good for visitors.

Posted in Security, Yahoo | Leave a Comment | No Comments »

Posted in Hacking, Security | Leave a Comment | No Comments »